Analysis

  • max time kernel: 142s
  • max time network: 75s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240419-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 29-04-2024 23:10

General

  • Target: 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
  • Size: 504KB
  • MD5: 54525a4e92f6be8b4d52ccc12d5b5bf6
  • SHA1: 55c5b6a279f3ca32473b9f833d288093c628bff7
  • SHA256: 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de
  • SHA512: 4cc5aeee452cdd41c27969e2cce760fad6c27c3a2647edfe86cb3a21bdac996e2092a3d8003ec2682ab5d1106160d11a4a4a49fc2533616fd7f9d189d1e918bf
  • SSDEEP: 12288:tPmTkT0+nXTv1d5Jo/H4a6ZeUOHFVS9Qg:Vmo4IXhd81rS

Score
9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 9 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
    "C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
      "C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3508
      • C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
        C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1236
        • C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
          "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4736
          • C:\Windows\SysWOW64\ipconfig.exe
            "C:\Windows\system32\ipconfig.exe"
            5⤵
            • Gathers network information
            PID:3136
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 272
              6⤵
              • Program crash
              PID:1644
        • C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
          "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
          4⤵
          • Executes dropped EXE
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          PID:3652
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
            5⤵
            • Loads dropped DLL
            PID:3144
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
            5⤵
            • Loads dropped DLL
            • Installs/modifies Browser Helper Object
            • Modifies registry class
            PID:4472
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3136 -ip 3136
    1⤵
    PID:4344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
    Filesize: 504KB
    MD5: 673a6c62664b7d786faca5288c6751cf
    SHA1: cc616ac9f0d5439e00b31042ca4962c5d7d57805
    SHA256: a33607a103a384d9423640d89920058955cbbd6d993104921592fca9afcbfd9d
    SHA512: c5899dcf9202040e953d7b30217820047d1c843b73815387347d2caa3e25fc32fc318078b05f3f8373efe2b78d6bdc11f92ab07a3147c366ff1530f8efaf443a

  • C:\Users\Admin\AppData\Roaming\IE\bho.dll
    Filesize: 87KB
    MD5: 49a92a33d1775b45b3bd45f8bec24585
    SHA1: ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
    SHA256: 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
    SHA512: 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f

  • Memory dumps (memory/<PID>-<index>-<start>-<end>-memory.dmp), grouped by process as listed in the process tree above; index numbers are the sandbox's dump sequence numbers
    PID 4864 (initial sample):
      0x0000000000400000-0x000000000049C000, 624KB: indices 0, 3, 4, 13
      0x00000000029A0000-0x00000000029A1000, 4KB: index 5
      0x0000000002A10000-0x0000000002A11000, 4KB: index 6
      0x00000000056B0000-0x00000000056B1000, 4KB: index 7
      0x00000000056C0000-0x00000000056C1000, 4KB: index 11
    PID 3508 (second instance of the sample):
      0x0000000000400000-0x0000000000407000, 28KB: indices 8, 10, 26
      0x0000000000410000-0x00000000004D9000, 804KB: index 24
    PID 1236 (Explorrer.exe -notray):
      0x0000000000400000-0x000000000049C000, 624KB: indices 20, 27, 28, 51
      0x0000000004370000-0x0000000004371000, 4KB: index 38
      0x00000000056C0000-0x00000000056C1000, 4KB: index 29
    PID 4736 (Explorrer.exe):
      0x0000000000400000-0x0000000000407000, 28KB: index 55
    PID 3652 (Explorrer.exe, parent of the regsvr32 BHO registration):
      0x0000000000400000-0x0000000000471000, 452KB: 50 dumps, indices 34, 36, 37, 40-47, 52, 56, 57, 64-98, 171