Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-04-2024 20:11
Static task: static1
Behavioral task: behavioral1
- Sample: 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
- Resource: win10v2004-20240426-en
General
- Target: 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
- Size: 918KB
- MD5: 9d5f8aa24b4dca9740068761959ee505
- SHA1: ba36a41d7a68d83607ae27e005dec49d200c635e
- SHA256: 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48
- SHA512: 06270ccc4de906e83a5b5e6bcf15e1fa85d3a0acae497e9f445fece7bd49d83452929e605fb8d7b573de4781235bcd319d8e0254d808043b402055239e702525
- SSDEEP: 24576:S2JjIfX15mV3Y4Hn3gvtmfiBQJZKENlnDUl21qLmYUM6:VjI14V3Y4HgmcQJUENRQlyqLm7
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid | Process
2364 | instA.exe

Loads dropped DLL (3 IoCs)
pid | Process
2252 | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
2252 | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
2252 | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5E4E352-6947-44EE-A420-DB84EFD3FE93} | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E5E4E352-6947-44EE-A420-DB84EFD3FE93}\ = "EHelper Class" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\downlo~1\instA.tmp | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
File created | C:\Windows\downlo~1\ehelper.dll | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe

Modifies Internet Explorer settings (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\URLSearchHooks | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{E5E4E352-6947-44EE-A420-DB84EFD3FE93} = "ehelpe" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{E5E4E352-6947-44EE-A420-DB84EFD3FE93} = "AssistantBar" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Modifies registry class (47 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5E4E352-6947-44EE-A420-DB84EFD3FE93}\VersionIndependentProgID | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5E4E352-6947-44EE-A420-DB84EFD3FE93}\VersionIndependentProgID\ = "EasyHelper.EHelper" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6253339-53D4-4B8A-A16F-5B5514CE82A4}\TypeLib\ = "{3177EAAE-96B9-49C8-9831-2D7844A08538}" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6253339-53D4-4B8A-A16F-5B5514CE82A4}\ProxyStubClsid32 | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3177EAAE-96B9-49C8-9831-2D7844A08538}\1.0\0 | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3177EAAE-96B9-49C8-9831-2D7844A08538}\1.0\0\win32 | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6253339-53D4-4B8A-A16F-5B5514CE82A4}\ = "IEHelper" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\EasyHelper.EHelper\CurVer | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\EasyHelper.EHelper\CurVer\ = "EasyHelper.EHelper.1" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3177EAAE-96B9-49C8-9831-2D7844A08538}\1.0 | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3177EAAE-96B9-49C8-9831-2D7844A08538}\1.0\ = "EasyHelper 1.0 Type Library" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3177EAAE-96B9-49C8-9831-2D7844A08538}\1.0\FLAGS\ = "0" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\EasyHelper.EHelper\CLSID | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\EasyHelper.EHelper\CLSID\ = "{E5E4E352-6947-44EE-A420-DB84EFD3FE93}" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3177EAAE-96B9-49C8-9831-2D7844A08538}\1.0\0\win32\ = "C:\\Windows\\downlo~1\\ehelper.dll" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6253339-53D4-4B8A-A16F-5B5514CE82A4}\ = "IEHelper" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6253339-53D4-4B8A-A16F-5B5514CE82A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6253339-53D4-4B8A-A16F-5B5514CE82A4}\TypeLib | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6253339-53D4-4B8A-A16F-5B5514CE82A4} | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\EasyHelper.EHelper.1\CLSID | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5E4E352-6947-44EE-A420-DB84EFD3FE93}\ = "EasyHelper" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3177EAAE-96B9-49C8-9831-2D7844A08538}\1.0\HELPDIR | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6253339-53D4-4B8A-A16F-5B5514CE82A4} | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6253339-53D4-4B8A-A16F-5B5514CE82A4}\ProxyStubClsid32 | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\EasyHelper.EHelper\ = "EasyHelper" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5E4E352-6947-44EE-A420-DB84EFD3FE93}\InprocServer32 | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6253339-53D4-4B8A-A16F-5B5514CE82A4}\TypeLib\ = "{3177EAAE-96B9-49C8-9831-2D7844A08538}" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3177EAAE-96B9-49C8-9831-2D7844A08538}\1.0\FLAGS | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3177EAAE-96B9-49C8-9831-2D7844A08538}\1.0\HELPDIR\ = "C:\\Windows\\downlo~1\\" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6253339-53D4-4B8A-A16F-5B5514CE82A4}\TypeLib\Version = "1.0" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\EasyHelper.EHelper.1 | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\EasyHelper.EHelper | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5E4E352-6947-44EE-A420-DB84EFD3FE93}\InprocServer32\ThreadingModel = "Apartment" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5E4E352-6947-44EE-A420-DB84EFD3FE93}\TypeLib | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5E4E352-6947-44EE-A420-DB84EFD3FE93}\TypeLib\ = "{3177EAAE-96B9-49C8-9831-2D7844A08538}" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5E4E352-6947-44EE-A420-DB84EFD3FE93}\ = "Assistant" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\EasyHelper.EHelper.1\CLSID\ = "{E5E4E352-6947-44EE-A420-DB84EFD3FE93}" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5E4E352-6947-44EE-A420-DB84EFD3FE93} | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5E4E352-6947-44EE-A420-DB84EFD3FE93}\ProgID | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3177EAAE-96B9-49C8-9831-2D7844A08538} | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6253339-53D4-4B8A-A16F-5B5514CE82A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6253339-53D4-4B8A-A16F-5B5514CE82A4}\TypeLib\Version = "1.0" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\EasyHelper.EHelper.1\ = "EasyHelper" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5E4E352-6947-44EE-A420-DB84EFD3FE93}\ProgID\ = "EasyHelper.EHelper.1" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5E4E352-6947-44EE-A420-DB84EFD3FE93}\Programmable | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5E4E352-6947-44EE-A420-DB84EFD3FE93}\InprocServer32\ = "C:\\Windows\\downlo~1\\ehelper.dll" | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6253339-53D4-4B8A-A16F-5B5514CE82A4}\TypeLib | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2252 wrote to memory of 2364 | 2252 | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe | 28
PID 2252 wrote to memory of 2364 | 2252 | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe | 28
PID 2252 wrote to memory of 2364 | 2252 | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe | 28
PID 2252 wrote to memory of 2364 | 2252 | 2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2933284d93880b0d97911de67304ba13a223e1da75e4c89049d2b24dfc66cb48.exe"
   PID: 2252
   - Loads dropped DLL
   - Installs/modifies Browser Helper Object
   - Drops file in Windows directory
   - Modifies Internet Explorer settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\instA.exe (child of PID 2252)
      Command line: C:\Users\Admin\AppData\Local\Temp\instA.exe
      PID: 2364
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 853KB
  MD5: d0c3566d43da5b1fc94db94e4a046d73
  SHA1: b9d33c84b820f6eb363ad9975577630669b53fad
  SHA256: 05478c8fdd3c3fc5d806c7949dced20c7bdf27d92e30b88b7e102c4374d7b5b7
  SHA512: 138a24ee952b09ad8c31ef3dd39d70b265e90d70ad08ca747c9b4a7dd9c11d79568a94aa8459f6f6df36bc8eba5196d588e560a75422ab7a0016b550edbc9af7
- Filesize: 77KB
  MD5: f55527108daa507c46ea57d5727f5b61
  SHA1: 14dbb91efb91e9e8b8fd26086d60698fdb0ced00
  SHA256: 7b84fb02c2c75d9cd1c7de8fc0c1cd9e3658cc1f3bac1e47638d314483a944c7
  SHA512: 2ec6c50a63ee216ff65904f5418c24a6f2cb3d25c4ebba237f669fc3b644eb52e368ff86203d9f84bd7aa8f67626a309578cf38d833e9aa35a599220d4c37415