Analysis
max time kernel: 141s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 29-04-2024 03:47
Behavioral task: behavioral1
Sample: f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe
Resource: win7-20240419-en
General
Target: f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe
Size: 504KB
MD5: 1bd01ed8e6e38e6063b8356039993b47
SHA1: 1a49cc822a7f4b60b7a90d5b6cbddf36cc297bfa
SHA256: f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853
SHA512: b8259fd532e4bbd6755c45be0aff5b451c07e5b932b1b8efac7388d700025d798f9e1525b9c5d301c1faee56005aede6ec2376b3b134627798329c0d03cac28a
SSDEEP: 12288:tPmTkT0+nXTv1d5Jo/H4a6ZeUOHFVS9Qg:Vmo4IXhd81rS
Malware Config
Signatures
UPX dump on OEP (original entry point) 10 IoCs
resource  yara_rule
behavioral1/memory/3012-0-0x0000000000400000-0x000000000049C000-memory.dmp  UPX
behavioral1/memory/3012-3-0x0000000000400000-0x000000000049C000-memory.dmp  UPX
behavioral1/memory/3012-4-0x0000000000400000-0x000000000049C000-memory.dmp  UPX
behavioral1/memory/3012-25-0x0000000000400000-0x000000000049C000-memory.dmp  UPX
behavioral1/files/0x0037000000015c9b-36.dat  UPX
behavioral1/memory/2340-38-0x0000000000400000-0x000000000049C000-memory.dmp  UPX
behavioral1/memory/2980-37-0x0000000002590000-0x000000000262C000-memory.dmp  UPX
behavioral1/memory/2340-43-0x0000000000400000-0x000000000049C000-memory.dmp  UPX
behavioral1/memory/2340-45-0x0000000000400000-0x000000000049C000-memory.dmp  UPX
behavioral1/memory/2340-82-0x0000000000400000-0x000000000049C000-memory.dmp  UPX
The matched regions are the mapped image of the original sample (PID 3012, 0x9C000 bytes at the 0x400000 base), the same-sized image of the dropped Explorrer.exe (PID 2340), a region in PID 2980 at 0x2590000-0x262C000 that is also exactly 0x9C000 bytes (a second copy of the image staged outside the base address), and the dropped file 0x0037000000015c9b-36.dat.
Executes dropped EXE 3 IoCs
pid  Process
2340  Explorrer.exe
2512  Explorrer.exe
2164  Explorrer.exe
Loads dropped DLL 4 IoCs
pid  Process
2980  f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe
2980  f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe
3060  regsvr32.exe
2848  regsvr32.exe
UPX-packed resources (yara rule "upx"; the signature title for this list is missing from the page) 9 IoCs
resource  yara_rule
behavioral1/memory/3012-0-0x0000000000400000-0x000000000049C000-memory.dmp  upx
behavioral1/memory/3012-3-0x0000000000400000-0x000000000049C000-memory.dmp  upx
behavioral1/memory/3012-4-0x0000000000400000-0x000000000049C000-memory.dmp  upx
behavioral1/memory/3012-25-0x0000000000400000-0x000000000049C000-memory.dmp  upx
behavioral1/files/0x0037000000015c9b-36.dat  upx
behavioral1/memory/2340-38-0x0000000000400000-0x000000000049C000-memory.dmp  upx
behavioral1/memory/2340-43-0x0000000000400000-0x000000000049C000-memory.dmp  upx
behavioral1/memory/2340-45-0x0000000000400000-0x000000000049C000-memory.dmp  upx
behavioral1/memory/2340-82-0x0000000000400000-0x000000000049C000-memory.dmp  upx
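Added example, not part of the sandbox report: a minimal PE32 section-table parser with the static UPX checks an analyst runs on the file before turning to the memory dumps. The PE bytes are constructed in memory (the report's sample is not included); the section layout is an assumption chosen so that ImageBase + SizeOfImage gives 0x400000-0x49C000, the range of the dumps listed above, and the section names, sizes and entry point are likewise illustrative.

```python
import struct

SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200
IMAGE_BASE = 0x400000

# Constructed layouts (assumptions for illustration, not the report's sample).
# UPX leaves UPX0 with no raw data (it is the unpack destination) and puts the
# entry point in UPX1, where the decompression stub lives.
PACKED_LAYOUT = [("UPX0", 0x80000, 0), ("UPX1", 0x1A000, 0x19000), (".rsrc", 0x1000, 0x1000)]
PLAIN_LAYOUT = [(".text", 0x30000, 0x30000), (".rdata", 0x8000, 0x8000), (".rsrc", 0x1000, 0x1000)]


def _align(n, a):
    return (n + a - 1) // a * a


def build_sample_pe(sections, entry_point, image_base=IMAGE_BASE):
    """Build a minimal PE32 file in memory from [(name, virtual_size, raw_size), ...].
    Only the header fields parse_pe() reads are populated; section bodies are zero-filled."""
    e_lfanew = 0x40
    headers_len = e_lfanew + 4 + 20 + 224 + 40 * len(sections)
    raw_ptr = _align(headers_len, FILE_ALIGN)
    va, table, blobs = SECTION_ALIGN, b"", b""
    for name, vsize, rawsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, va, rawsize,
                             raw_ptr if rawsize else 0, 0, 0, 0, 0, 0x60000020)
        blobs += b"\0" * rawsize
        raw_ptr += rawsize
        va += _align(vsize, SECTION_ALIGN)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)                 # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, image_base)                  # ImageBase
    struct.pack_into("<II", opt, 32, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, va, _align(headers_len, FILE_ALIGN))  # SizeOfImage, SizeOfHeaders
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + table
    return hdr + b"\0" * (_align(headers_len, FILE_ALIGN) - len(hdr)) + blobs


def parse_pe(data):
    """Read entry point, image base, image size and the section table (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                           # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                         # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, opt + size_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "va": va, "raw_size": rawsize})
    return {"entry_point": entry, "image_base": image_base,
            "size_of_image": size_of_image, "sections": sections}


def image_range(pe):
    """The mapped image range, formatted the way the sandbox names its memory dumps."""
    return "0x%016X-0x%016X" % (pe["image_base"], pe["image_base"] + pe["size_of_image"])


def upx_indicators(pe):
    """Static hints of UPX packing; any one is a hint, all three together are strong."""
    found, secs = [], pe["sections"]
    upx_named = [s["name"] for s in secs if s["name"].upper().startswith("UPX")]
    if upx_named:
        found.append("UPX section names: " + ", ".join(upx_named))
    for s in secs:
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x10000:
            found.append("%s has no raw data but 0x%X bytes virtual (unpack destination)"
                         % (s["name"], s["virtual_size"]))
    ep = pe["entry_point"]
    for i, s in enumerate(secs):
        if s["va"] <= ep < s["va"] + max(s["virtual_size"], s["raw_size"]):
            if i != 0:
                found.append("entry point 0x%X is in %s, not the first section (stub runs before the real OEP)"
                             % (ep, s["name"]))
            break
    return found


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe(PACKED_LAYOUT, 0x9A000))
    print(image_range(pe))
    for hint in upx_indicators(pe):
        print(" -", hint)
```

The image range the parser prints for the packed layout is the same 0x0000000000400000-0x000000000049C000 that names the dumps in the report, which is the quick way to tie a dump file back to a specific PE's SizeOfImage. Packers other than UPX rename their sections, so the no-raw-data and entry-point checks carry more weight than the names.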
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorrer = "C:\\Users\\Admin\\AppData\\Roaming\\AppsData\\Explorrer.exe -notray"  reg.exe
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer; they are loaded into every IE process and see every page the browser visits.
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}  regsvr32.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1"  regsvr32.exe
NoExplorer = 1 tells Windows Explorer not to load this BHO, so the DLL is loaded by Internet Explorer only. The Wow6432Node path shows the 32-bit registry view; the DLL itself is the regsvr32 target C:\Users\Admin\AppData\Roaming\IE\bho.dll listed under "Modifies registry class".
Suspicious use of SetThreadContext 3 IoCs
description  pid  Process  procid_target
PID 3012 set thread context of 2980  3012  f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe  28
PID 2340 set thread context of 2512  2340  Explorrer.exe  30
PID 2340 set thread context of 2164  2340  Explorrer.exe  31
In all three cases the target is a child the parent spawned from its own image, and the same parent/child pairs appear in the WriteProcessMemory list. That combination (spawn a copy of yourself, write into it, reset its main thread's context) is the process-hollowing pattern, which is consistent with the UPX dumps above being taken from the child processes rather than from the file on disk.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid  Process
756  ipconfig.exe
Modifies Internet Explorer settings 2 IoCs (signature title restored from the process tree below, where it is attributed to PID 2164)
description  ioc  Process
Set value (data)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f  Explorrer.exe
Key created  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Approved Extensions  Explorrer.exe
Note that the CLSID written under Approved Extensions ({3543619C-...}) is not the CLSID of the BHO registered by regsvr32 ({DE274C2C-...}).
Modifies registry class 5 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER"  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment"  regsvr32.exe
Modifies registry key 1 TTPs 1 IoCs
pid  Process
752  reg.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid  Process
3012  f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe
2980  f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe
2340  Explorrer.exe
2512  Explorrer.exe
Suspicious use of WriteProcessMemory 62 IoCs
The sandbox records one IoC per write; the 62 entries grouped by writer and target (count of writes in parentheses, 9 + 4 + 9 + 12 + 6 + 4 + 4 + 7 + 7 = 62):
pid  Process  wrote to memory of  procid_target
3012  f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe  2980  28  (9)
2980  f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe  2340  29  (4)
2340  Explorrer.exe  2512  30  (9)
2340  Explorrer.exe  2164  31  (12)
2512  Explorrer.exe  756  32  (6)
756  ipconfig.exe  804  34  (4)
804  cmd.exe  752  36  (4)
2164  Explorrer.exe  3060  39  (7)
2164  Explorrer.exe  2848  40  (7)
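Added example, not code from the report or from the sandbox: the signatures above turned into detection rules and run over a constructed event set transcribed from this report's process tree and registry IoCs. The PIDs, paths, command lines and registry keys are the page's own; the event schema, the `QUIET_UTILITIES` list and the user-writable-path pattern are assumptions. It flags the same-image SetThreadContext pairs, ipconfig.exe acting as a parent process, regsvr32 registering a DLL from AppData, and the three persistence writes.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")
Inject = namedtuple("Inject", "api src dst")
RegSet = namedtuple("RegSet", "pid key value")

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe")
DROPPED = "C:\\Users\\Admin\\AppData\\Roaming\\AppsData\\Explorrer.exe"
BHO_DLL = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll"
SYS = "C:\\Windows\\SysWOW64\\"
BHO_KEY = ("HKLM\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
           "Browser Helper Objects\\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}")

# Constructed event set transcribed from the report's process tree and registry IoCs.
# ppid 0 marks the root, whose real parent the report does not show.
PROCS = [
    Proc(3012, 0, SAMPLE, '"%s"' % SAMPLE),
    Proc(2980, 3012, SAMPLE, '"%s"' % SAMPLE),
    Proc(2340, 2980, DROPPED, DROPPED + " -notray"),
    Proc(2512, 2340, DROPPED, '"%s"' % DROPPED),
    Proc(756, 2512, SYS + "ipconfig.exe", '"C:\\Windows\\system32\\ipconfig.exe"'),
    Proc(804, 756, SYS + "cmd.exe", 'cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRH.bat" "'),
    Proc(752, 804, SYS + "reg.exe",
         'REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Explorrer /t REG_SZ /d "%s -notray" /f' % DROPPED),
    Proc(2164, 2340, DROPPED, '"%s"' % DROPPED),
    Proc(3060, 2164, SYS + "regsvr32.exe", 'regsvr32.exe /u /s "%s"' % BHO_DLL),
    Proc(2848, 2164, SYS + "regsvr32.exe", 'regsvr32.exe /s "%s"' % BHO_DLL),
]
INJECTS = [
    Inject("SetThreadContext", 3012, 2980),
    Inject("SetThreadContext", 2340, 2512),
    Inject("SetThreadContext", 2340, 2164),
    Inject("WriteProcessMemory", 2512, 756),
]
REGSETS = [
    RegSet(752, "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Explorrer", DROPPED + " -notray"),
    RegSet(2848, BHO_KEY + "\\NoExplorer", "1"),
    RegSet(2848, "HKLM\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}"
                 "\\InProcServer32\\", BHO_DLL),
]

# Assumption: anything under a user's AppData is writable without admin rights.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# Assumption: command-line utilities that have no legitimate reason to spawn children.
QUIET_UTILITIES = {"ipconfig.exe", "netstat.exe", "whoami.exe", "systeminfo.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowing(procs, injects):
    """A parent resets the thread context of a child it spawned from its own image."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for inj in injects:
        src, dst = by_pid.get(inj.src), by_pid.get(inj.dst)
        if (inj.api == "SetThreadContext" and src and dst and dst.ppid == src.pid
                and basename(src.image) == basename(dst.image)):
            hits.append("%d -> %d (%s)" % (src.pid, dst.pid, basename(src.image)))
    return hits


def find_quiet_utility_parents(procs):
    """A utility like ipconfig.exe should never be the parent of another process."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and basename(parent.image) in QUIET_UTILITIES:
            hits.append("%s (%d) spawned %s (%d)"
                        % (basename(parent.image), parent.pid, basename(p.image), p.pid))
    return hits


def find_user_path_registrations(procs):
    """regsvr32 asked to (un)register a DLL that lives in a user-writable directory."""
    return ["%d: %s" % (p.pid, p.cmdline) for p in procs
            if basename(p.image) == "regsvr32.exe" and USER_WRITABLE.search(p.cmdline)]


def find_persistence(regsets):
    """Run key, BHO registration or COM server pointing into user-writable space."""
    hits = []
    for r in regsets:
        k = r.key.lower()
        if "\\currentversion\\run\\" in k and USER_WRITABLE.search(r.value):
            hits.append("Run key -> user-writable path: " + r.value)
        elif "\\browser helper objects\\" in k:
            hits.append("BHO registered: " + r.key)
        elif "\\inprocserver32" in k and USER_WRITABLE.search(r.value):
            hits.append("COM server from user-writable path: " + r.value)
    return hits


def triage(procs, injects, regsets):
    return {
        "hollowing": find_hollowing(procs, injects),
        "quiet_utility_parent": find_quiet_utility_parents(procs),
        "user_path_registration": find_user_path_registrations(procs),
        "persistence": find_persistence(regsets),
    }


if __name__ == "__main__":
    for rule, hits in triage(PROCS, INJECTS, REGSETS).items():
        for h in hits:
            print("%-24s %s" % (rule, h))
```

The hollowing rule keys on parent/child sharing an image plus SetThreadContext; the WriteProcessMemory entries alone are too noisy (any CreateProcess shows a few), which is why the sandbox lists 62 of them but only three SetThreadContext calls. The ipconfig.exe rule would also catch the six writes from 2512 into 756 if you extend it to "quiet utility that was written to, then spawned a child".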
Processes
[1] C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe  (PID 3012)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe  (PID 2980)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe"
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe  (PID 2340)
            cmdline: C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe  (PID 2512)
                cmdline: "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\ipconfig.exe  (PID 756)
                    cmdline: "C:\Windows\system32\ipconfig.exe"
                    - Gathers network information
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\SysWOW64\cmd.exe  (PID 804)
                        cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\QTJDBIRH.bat" "
                        - Suspicious use of WriteProcessMemory
                        [7] C:\Windows\SysWOW64\reg.exe  (PID 752)
                            cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Explorrer /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray" /f
                            - Adds Run key to start application
                            - Modifies registry key
            [4] C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe  (PID 2164)
                cmdline: "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
                - Executes dropped EXE
                - Modifies Internet Explorer settings
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\regsvr32.exe  (PID 3060)
                    cmdline: regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
                    - Loads dropped DLL
                [5] C:\Windows\SysWOW64\regsvr32.exe  (PID 2848)
                    cmdline: regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
                    - Loads dropped DLL
                    - Installs/modifies Browser Helper Object
                    - Modifies registry class
Reading the tree: the command lines say system32 but the images resolve to SysWOW64, so every process here is 32-bit and the WoW64 file-system redirector applied (which also explains the Wow6432Node registry paths above). ipconfig.exe is not a normal parent for cmd.exe; PID 2512 wrote to its memory six times before it launched the batch file that sets the Run key, so the persistence step runs under a signed system utility's name. The two regsvr32 calls first unregister (/u /s) and then silently register (/s) bho.dll, a clean re-install of the BHO on each run.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 153B
MD5: 02cbdd547ced25f8f7dc814d9169d567
SHA1: fc9697d828dcda615f6edd3e49a55b9307dbd311
SHA256: ec250cdf89523b18688d45fdc11bc93e46547a574ef59e03426c098f6b887c07
SHA512: cec1b6c5d843408e3cb6345a3430d8469a07c09677e1bd4c522c41ee29dbd941236a8dd9963410c69a165f3913c30aa22cfd206e51a59b9ffd160c38e70cfe3f

Filesize: 504KB
MD5: 98a6adb0cba3a70fec253f835ec0bf5a
SHA1: b78e4e33cdf688070c73efa428d886319f0e5264
SHA256: e4ba614090f0ec26b05e3aa02551ce330c4195c37ca119644d6bba78348f7eca
SHA512: 62b1e1b9dfcaeaec89b27e9c20c6bb9a0d6503d16101383c6a568989978f31578cf90a1b07d9fce2587f145d7a519fdf83e92d85eb233ef41dd2b4b133306177

Filesize: 87KB
MD5: 49a92a33d1775b45b3bd45f8bec24585
SHA1: ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
SHA256: 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
SHA512: 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f