Analysis
- max time kernel: 142s
- max time network: 75s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
- submitted: 29-04-2024 23:10
Behavioral task: behavioral1
- Sample: 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
- Resource: win7-20240221-en
General
- Target: 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
- Size: 504KB
- MD5: 54525a4e92f6be8b4d52ccc12d5b5bf6
- SHA1: 55c5b6a279f3ca32473b9f833d288093c628bff7
- SHA256: 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de
- SHA512: 4cc5aeee452cdd41c27969e2cce760fad6c27c3a2647edfe86cb3a21bdac996e2092a3d8003ec2682ab5d1106160d11a4a4a49fc2533616fd7f9d189d1e918bf
- SSDEEP: 12288:tPmTkT0+nXTv1d5Jo/H4a6ZeUOHFVS9Qg:Vmo4IXhd81rS
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 9 IoCs
resource | yara_rule
behavioral2/memory/4864-0-0x0000000000400000-0x000000000049C000-memory.dmp | UPX
behavioral2/memory/4864-3-0x0000000000400000-0x000000000049C000-memory.dmp | UPX
behavioral2/memory/4864-4-0x0000000000400000-0x000000000049C000-memory.dmp | UPX
behavioral2/memory/4864-13-0x0000000000400000-0x000000000049C000-memory.dmp | UPX
behavioral2/files/0x000a000000023bb5-19.dat | UPX
behavioral2/memory/1236-20-0x0000000000400000-0x000000000049C000-memory.dmp | UPX
behavioral2/memory/1236-27-0x0000000000400000-0x000000000049C000-memory.dmp | UPX
behavioral2/memory/1236-28-0x0000000000400000-0x000000000049C000-memory.dmp | UPX
behavioral2/memory/1236-51-0x0000000000400000-0x000000000049C000-memory.dmp | UPX
Executes dropped EXE 3 IoCs
pid | Process
1236 | Explorrer.exe
4736 | Explorrer.exe
3652 | Explorrer.exe
Loads dropped DLL 2 IoCs
pid | Process
3144 | regsvr32.exe
4472 | regsvr32.exe
-
resource | yara_rule
behavioral2/memory/4864-0-0x0000000000400000-0x000000000049C000-memory.dmp | upx
behavioral2/memory/4864-3-0x0000000000400000-0x000000000049C000-memory.dmp | upx
behavioral2/memory/4864-4-0x0000000000400000-0x000000000049C000-memory.dmp | upx
behavioral2/memory/4864-13-0x0000000000400000-0x000000000049C000-memory.dmp | upx
behavioral2/files/0x000a000000023bb5-19.dat | upx
behavioral2/memory/1236-20-0x0000000000400000-0x000000000049C000-memory.dmp | upx
behavioral2/memory/1236-27-0x0000000000400000-0x000000000049C000-memory.dmp | upx
behavioral2/memory/1236-28-0x0000000000400000-0x000000000049C000-memory.dmp | upx
behavioral2/memory/1236-51-0x0000000000400000-0x000000000049C000-memory.dmp | upx
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1" | regsvr32.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 4864 set thread context of 3508 | 4864 | 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe | 87
PID 1236 set thread context of 4736 | 1236 | Explorrer.exe | 91
PID 1236 set thread context of 3652 | 1236 | Explorrer.exe | 92
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1644 | 3136 | WerFault.exe | 93
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid | Process
3136 | ipconfig.exe
-
Modifies Internet Explorer settings
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f | Explorrer.exe
Key created | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\Approved Extensions | Explorrer.exe
Modifies registry class 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll" | regsvr32.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
4864 | 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
3508 | 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
1236 | Explorrer.exe
4736 | Explorrer.exe
Suspicious use of WriteProcessMemory 43 IoCs
description | pid | Process | procid_target
PID 4864 wrote to memory of 3508 | 4864 | 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe | 87
PID 4864 wrote to memory of 3508 | 4864 | 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe | 87
PID 4864 wrote to memory of 3508 | 4864 | 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe | 87
PID 4864 wrote to memory of 3508 | 4864 | 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe | 87
PID 4864 wrote to memory of 3508 | 4864 | 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe | 87
PID 4864 wrote to memory of 3508 | 4864 | 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe | 87
PID 4864 wrote to memory of 3508 | 4864 | 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe | 87
PID 4864 wrote to memory of 3508 | 4864 | 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe | 87
PID 3508 wrote to memory of 1236 | 3508 | 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe | 88
PID 3508 wrote to memory of 1236 | 3508 | 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe | 88
PID 3508 wrote to memory of 1236 | 3508 | 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe | 88
PID 1236 wrote to memory of 4736 | 1236 | Explorrer.exe | 91
PID 1236 wrote to memory of 4736 | 1236 | Explorrer.exe | 91
PID 1236 wrote to memory of 4736 | 1236 | Explorrer.exe | 91
PID 1236 wrote to memory of 4736 | 1236 | Explorrer.exe | 91
PID 1236 wrote to memory of 4736 | 1236 | Explorrer.exe | 91
PID 1236 wrote to memory of 4736 | 1236 | Explorrer.exe | 91
PID 1236 wrote to memory of 4736 | 1236 | Explorrer.exe | 91
PID 1236 wrote to memory of 4736 | 1236 | Explorrer.exe | 91
PID 1236 wrote to memory of 3652 | 1236 | Explorrer.exe | 92
PID 1236 wrote to memory of 3652 | 1236 | Explorrer.exe | 92
PID 1236 wrote to memory of 3652 | 1236 | Explorrer.exe | 92
PID 1236 wrote to memory of 3652 | 1236 | Explorrer.exe | 92
PID 1236 wrote to memory of 3652 | 1236 | Explorrer.exe | 92
PID 1236 wrote to memory of 3652 | 1236 | Explorrer.exe | 92
PID 1236 wrote to memory of 3652 | 1236 | Explorrer.exe | 92
PID 1236 wrote to memory of 3652 | 1236 | Explorrer.exe | 92
PID 1236 wrote to memory of 3652 | 1236 | Explorrer.exe | 92
PID 1236 wrote to memory of 3652 | 1236 | Explorrer.exe | 92
PID 1236 wrote to memory of 3652 | 1236 | Explorrer.exe | 92
PID 1236 wrote to memory of 3652 | 1236 | Explorrer.exe | 92
PID 4736 wrote to memory of 3136 | 4736 | Explorrer.exe | 93
PID 4736 wrote to memory of 3136 | 4736 | Explorrer.exe | 93
PID 4736 wrote to memory of 3136 | 4736 | Explorrer.exe | 93
PID 4736 wrote to memory of 3136 | 4736 | Explorrer.exe | 93
PID 4736 wrote to memory of 3136 | 4736 | Explorrer.exe | 93
PID 3652 wrote to memory of 3144 | 3652 | Explorrer.exe | 103
PID 3652 wrote to memory of 3144 | 3652 | Explorrer.exe | 103
PID 3652 wrote to memory of 3144 | 3652 | Explorrer.exe | 103
PID 3652 wrote to memory of 4472 | 3652 | Explorrer.exe | 104
PID 3652 wrote to memory of 4472 | 3652 | Explorrer.exe | 104
PID 3652 wrote to memory of 4472 | 3652 | Explorrer.exe | 104
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4864

  C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3508

    C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
      Command line: C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1236

      C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
        Command line: "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 4736

        C:\Windows\SysWOW64\ipconfig.exe
          Command line: "C:\Windows\system32\ipconfig.exe"
          - Gathers network information
          PID: 3136

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 272
            - Program crash
            PID: 1644

      C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
        Command line: "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
        - Executes dropped EXE
        - Modifies Internet Explorer settings
        - Suspicious use of WriteProcessMemory
        PID: 3652

        C:\Windows\SysWOW64\regsvr32.exe
          Command line: regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
          - Loads dropped DLL
          PID: 3144

        C:\Windows\SysWOW64\regsvr32.exe
          Command line: regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
          - Loads dropped DLL
          - Installs/modifies Browser Helper Object
          - Modifies registry class
          PID: 4472

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3136 -ip 3136
  PID: 4344
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 504KB
MD5: 673a6c62664b7d786faca5288c6751cf
SHA1: cc616ac9f0d5439e00b31042ca4962c5d7d57805
SHA256: a33607a103a384d9423640d89920058955cbbd6d993104921592fca9afcbfd9d
SHA512: c5899dcf9202040e953d7b30217820047d1c843b73815387347d2caa3e25fc32fc318078b05f3f8373efe2b78d6bdc11f92ab07a3147c366ff1530f8efaf443a
-
Filesize: 87KB
MD5: 49a92a33d1775b45b3bd45f8bec24585
SHA1: ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
SHA256: 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
SHA512: 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f