Analysis
max time kernel
142s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted
29-04-2024 03:47
Behavioral task
behavioral1
Sample
f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe
Resource
win7-20240419-en
General
Target
f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe
Size
504KB
MD5
1bd01ed8e6e38e6063b8356039993b47
SHA1
1a49cc822a7f4b60b7a90d5b6cbddf36cc297bfa
SHA256
f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853
SHA512
b8259fd532e4bbd6755c45be0aff5b451c07e5b932b1b8efac7388d700025d798f9e1525b9c5d301c1faee56005aede6ec2376b3b134627798329c0d03cac28a
SSDEEP
12288:tPmTkT0+nXTv1d5Jo/H4a6ZeUOHFVS9Qg:Vmo4IXhd81rS
Malware Config
Signatures
UPX dump on OEP (original entry point) 9 IoCs
resource yara_rule behavioral2/memory/1920-0-0x0000000000400000-0x000000000049C000-memory.dmp UPX behavioral2/memory/1920-3-0x0000000000400000-0x000000000049C000-memory.dmp UPX behavioral2/memory/1920-4-0x0000000000400000-0x000000000049C000-memory.dmp UPX behavioral2/memory/1920-14-0x0000000000400000-0x000000000049C000-memory.dmp UPX behavioral2/files/0x000b000000023bb1-19.dat UPX behavioral2/memory/3812-21-0x0000000000400000-0x000000000049C000-memory.dmp UPX behavioral2/memory/3812-25-0x0000000000400000-0x000000000049C000-memory.dmp UPX behavioral2/memory/3812-47-0x0000000000400000-0x000000000049C000-memory.dmp UPX behavioral2/memory/3812-26-0x0000000000400000-0x000000000049C000-memory.dmp UPX -
Executes dropped EXE 3 IoCs
pid Process 3812 Explorrer.exe 4488 Explorrer.exe 4976 Explorrer.exe -
Loads dropped DLL 2 IoCs
pid Process 2516 regsvr32.exe 2248 regsvr32.exe -
resource yara_rule behavioral2/memory/1920-0-0x0000000000400000-0x000000000049C000-memory.dmp upx behavioral2/memory/1920-3-0x0000000000400000-0x000000000049C000-memory.dmp upx behavioral2/memory/1920-4-0x0000000000400000-0x000000000049C000-memory.dmp upx behavioral2/memory/1920-14-0x0000000000400000-0x000000000049C000-memory.dmp upx behavioral2/files/0x000b000000023bb1-19.dat upx behavioral2/memory/3812-21-0x0000000000400000-0x000000000049C000-memory.dmp upx behavioral2/memory/3812-25-0x0000000000400000-0x000000000049C000-memory.dmp upx behavioral2/memory/3812-47-0x0000000000400000-0x000000000049C000-memory.dmp upx behavioral2/memory/3812-26-0x0000000000400000-0x000000000049C000-memory.dmp upx -
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1" regsvr32.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 1920 set thread context of 5060 1920 f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe 87 PID 3812 set thread context of 4488 3812 Explorrer.exe 91 PID 3812 set thread context of 4976 3812 Explorrer.exe 92 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid pid_target Process procid_target 4648 2592 WerFault.exe 93 -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 2592 ipconfig.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f Explorrer.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Approved Extensions Explorrer.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} regsvr32.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1920 f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe 5060 f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe 3812 Explorrer.exe 4488 Explorrer.exe -
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target PID 1920 wrote to memory of 5060 1920 f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe 87 PID 1920 wrote to memory of 5060 1920 f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe 87 PID 1920 wrote to memory of 5060 1920 f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe 87 PID 1920 wrote to memory of 5060 1920 f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe 87 PID 1920 wrote to memory of 5060 1920 f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe 87 PID 1920 wrote to memory of 5060 1920 f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe 87 PID 1920 wrote to memory of 5060 1920 f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe 87 PID 1920 wrote to memory of 5060 1920 f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe 87 PID 5060 wrote to memory of 3812 5060 f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe 88 PID 5060 wrote to memory of 3812 5060 f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe 88 PID 5060 wrote to memory of 3812 5060 f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe 88 PID 3812 wrote to memory of 4488 3812 Explorrer.exe 91 PID 3812 wrote to memory of 4488 3812 Explorrer.exe 91 PID 3812 wrote to memory of 4488 3812 Explorrer.exe 91 PID 3812 wrote to memory of 4488 3812 Explorrer.exe 91 PID 3812 wrote to memory of 4488 3812 Explorrer.exe 91 PID 3812 wrote to memory of 4488 3812 Explorrer.exe 91 PID 3812 wrote to memory of 4488 3812 Explorrer.exe 91 PID 3812 wrote to memory of 4488 3812 Explorrer.exe 91 PID 3812 wrote to memory of 4976 3812 Explorrer.exe 92 PID 3812 wrote to memory of 4976 3812 Explorrer.exe 92 PID 3812 wrote to memory of 4976 3812 Explorrer.exe 92 PID 3812 wrote to memory of 4976 3812 Explorrer.exe 92 PID 3812 wrote to memory of 4976 3812 Explorrer.exe 92 PID 3812 wrote to memory of 4976 3812 Explorrer.exe 92 PID 3812 wrote to memory of 4976 3812 Explorrer.exe 92 PID 3812 wrote to memory of 4976 3812 Explorrer.exe 92 PID 3812 wrote to memory of 4976 3812 Explorrer.exe 92 PID 3812 wrote to memory of 4976 3812 Explorrer.exe 92 PID 3812 wrote to memory of 4976 3812 Explorrer.exe 92 PID 3812 wrote to memory of 4976 3812 Explorrer.exe 92 PID 3812 wrote to memory of 4976 3812 Explorrer.exe 92 PID 4488 wrote to memory of 2592 4488 Explorrer.exe 93 PID 4488 wrote to memory of 2592 4488 Explorrer.exe 93 PID 4488 wrote to memory of 2592 4488 Explorrer.exe 93 PID 4488 wrote to memory of 2592 4488 Explorrer.exe 93 PID 4488 wrote to memory of 2592 4488 Explorrer.exe 93 PID 4976 wrote to memory of 2516 4976 Explorrer.exe 103 PID 4976 wrote to memory of 2516 4976 Explorrer.exe 103 PID 4976 wrote to memory of 2516 4976 Explorrer.exe 103 PID 4976 wrote to memory of 2248 4976 Explorrer.exe 104 PID 4976 wrote to memory of 2248 4976 Explorrer.exe 104 PID 4976 wrote to memory of 2248 4976 Explorrer.exe 104
Processes
C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe"C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe"C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exeC:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\system32\ipconfig.exe"5⤵
- Gathers network information
PID:2592 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 2726⤵
- Program crash
PID:4648
C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"5⤵
- Loads dropped DLL
PID:2516
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"5⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2248
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2592 -ip 25921⤵PID:4876
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
504KB
MD5 332fd0be91557639b36f8c438da4cdb5
SHA1 a68c9bbe82f09b6874197423a8c47344742da401
SHA256 3f9a4e0547000bc5bac4d39c21baa3527572a2cca8986311f2139498642cd875
SHA512 c136d5bb504e1e65675cd48437ddec56621615281a93c7a9b8ff6147d77cf21c3e35163eb66fa78e66e6375d08133d2ae69832c6d99379f335776cbef756af8a

Filesize
87KB
MD5 49a92a33d1775b45b3bd45f8bec24585
SHA1 ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
SHA256 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
SHA512 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f