Overview

Sandbox report for HA_DVDIdentifier401_Fire.exe and the files extracted from it. The $PLUGINSDIR/ plugin DLLs (InstallOptions, Splash, StartMenu, System, LangDLL) and the $TEMP/ paths are NSIS installer variables, so the submitted sample is an NSIS-built installer. Overall score: 10. Static analysis (task static1): score 3.

Analysis (this page shows task behavioral14: $R0.dll on win10v2004-20240508-en)
- max time kernel: 51s
- max time network: 52s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 06:12

Tasks (score per task as shown in the report's task bar)

Task          Sample                          Platform            Resource                Score
static1       (static analysis)               -                   -                       3
behavioral1   HA_DVDIdentifier401_Fire.exe    windows7-x64        win7-20240508-en        7
behavioral2   HA_DVDIdentifier401_Fire.exe    windows10-2004-x64  win10v2004-20240508-en  7
behavioral3   $PLUGINSDIR/InstallOptions.dll  windows7-x64        win7-20240508-en        3
behavioral4   $PLUGINSDIR/InstallOptions.dll  windows10-2004-x64  win10v2004-20240611-en  3
behavioral5   $PLUGINSDIR/Splash.dll          windows7-x64        win7-20240508-en        3
behavioral6   $PLUGINSDIR/Splash.dll          windows10-2004-x64  win10v2004-20240508-en  3
behavioral7   $PLUGINSDIR/StartMenu.dll       windows7-x64        win7-20240508-en        3
behavioral8   $PLUGINSDIR/StartMenu.dll       windows10-2004-x64  win10v2004-20240508-en  3
behavioral9   $PLUGINSDIR/System.dll          windows7-x64        win7-20240419-en        3
behavioral10  $PLUGINSDIR/System.dll          windows10-2004-x64  win10v2004-20240611-en  3
behavioral11  $TEMP/Assist_hanzify.exe        windows7-x64        win7-20240220-en        8
behavioral12  $TEMP/Assist_hanzify.exe        windows10-2004-x64  win10v2004-20240611-en  8
behavioral13  $R0.dll                         windows7-x64        win7-20240611-en        8
behavioral14  $R0.dll                         windows10-2004-x64  win10v2004-20240508-en  8
behavioral15  Assist/$R0.dll                  windows7-x64        win7-20240508-en        6
behavioral16  Assist/$R0.dll                  windows10-2004-x64  win10v2004-20240611-en  6
behavioral17  $TEMP/DUDU_HH.exe               windows7-x64        win7-20240508-en        10
behavioral18  $TEMP/DUDU_HH.exe               windows10-2004-x64  win10v2004-20240508-en  10
behavioral19  DVD Identifier.chm              windows7-x64        win7-20240220-en        1
behavioral20  DVD Identifier.chm              windows10-2004-x64  win10v2004-20240508-en  1
behavioral21  DVD Identifier.exe              windows7-x64        win7-20231129-en        6
behavioral22  DVD Identifier.exe              windows10-2004-x64  win10v2004-20240611-en  6
behavioral23  uninst.exe                      windows7-x64        win7-20240508-en        7
behavioral24  uninst.exe                      windows10-2004-x64  win10v2004-20240611-en  7
behavioral25  $PLUGINSDIR/LangDLL.dll         windows7-x64        win7-20240611-en        3
behavioral26  $PLUGINSDIR/LangDLL.dll         windows10-2004-x64  win10v2004-20240508-en  3
General
-
Target: $R0.dll
Size: 128KB
MD5: 7ff63507a1ea33dc677c1f0a838fadf6
SHA1: c35183495c7d90f22ad83970b4a86ca0c4b8b433
SHA256: 68dbf3a7828473663ca275c6eef36d91ae0e620baa7c1583d0bbc4f780dbe5c3
SHA512: cdb8901c61e92894cf471fc305b0087f4849a71b8cb9f04eb6ddc6b53f90825532ceaaf57f6e5f98ff1f5a18ba20a0ecb6583a12e8777b5145704058582eb27d
SSDEEP: 1536:RGkDMJFeUvHjc5m9uY2nTP3f3ZOvzyaBnoifEhRfbBRJRZrPatTcu69OA7M6nFNR:gJ8p7JafiBRJRZrNMA7M6nFNend2
Malware Config
Signatures
-
Drops file in Drivers directory (1 IoC)
  regsvr32.exe: File opened for modification C:\Windows\system32\drivers\etc\hosts
  (The report records only that hosts was opened for writing, not what was written.)

Loads dropped DLL (5 IoCs)
  regsvr32.exe (PID 2232): 3 loads
  rundll32.exe (PID 1000): 2 loads

Adds Run key to start application (2 TTPs, 1 IoC)
  regsvr32.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\helper.dll = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\3721\\helper.dll,Rundll32"
  This is a machine-wide Run key, so at every user's logon rundll32.exe loads the dropped helper.dll and calls its exported Rundll32 function. The WOW6432Node path is the 32-bit registry view; the value was written by the 32-bit regsvr32.exe and is still processed at logon. PROGRA~2 is the 8.3 short name of Program Files (x86).

Drops file in Program Files directory (7 IoCs)
  regsvr32.exe: File created C:\PROGRA~2\3721\autolive.dll
  regsvr32.exe: File created C:\PROGRA~2\3721\i3721res.dat
  regsvr32.exe: File created C:\PROGRA~2\3721\3721\Helper.dll
  regsvr32.exe: File created C:\PROGRA~2\3721\3721\cns01.dat
  regsvr32.exe: File created C:\PROGRA~2\3721\cns01.dat
  regsvr32.exe: File opened for modification C:\PROGRA~2\3721\cns01.dat
  regsvr32.exe: File created C:\PROGRA~2\3721\Helper.dll

Modifies registry class (39 IoCs, all by regsvr32.exe)
  These are the standard COM registration entries a DLL's DllRegisterServer writes: ProgIDs AutoLive.Live and AutoLive.Live.1, CLSID {7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2} registered as a 32-bit (WOW6432Node) apartment-threaded in-process server backed by the dropped C:\PROGRA~2\3721\autolive.dll, interface ILive {BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} marshalled through the type-library proxy/stub {00020424-0000-0000-C000-000000000046}, and type library {4158DB95-DE71-41FF-BEA1-2C3D1C679DF1} version 1.0.

  ProgIDs
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\ = "Live Class"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID\ = "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer\ = "AutoLive.Live.1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\ = "Live Class"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\CLSID
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\CLSID\ = "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}"

  CLSID (32-bit view)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\ = "AutoLive"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ = "C:\\PROGRA~2\\3721\\autolive.dll"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ThreadingModel = "Apartment"

  Interface (native view)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0"

  Interface (32-bit view)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0"

  TypeLib
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\ = "AutoLive 1.0 Type Library"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\autolive.dll"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS\ = "0"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\HELPDIR
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\HELPDIR\ = "C:\\PROGRA~2\\3721"

Suspicious use of SetWindowsHookEx (1 IoC)
  rundll32.exe (PID 1000)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3012 regsvr32.exe wrote to memory of PID 2232 regsvr32.exe (3 events)
  PID 2232 regsvr32.exe wrote to memory of PID 1000 rundll32.exe (3 events)
  In both cases the target is the child the writer had just launched, so this reflects process creation rather than injection into an unrelated process.
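The Run-key value and the hosts-file write listed above are the two artifacts a responder would pull off an infected host first. The Python below is an added example (not sandbox output and not code from the sample): it parses Run values written in the same shape as the helper.dll value, flags DLLs hosted by rundll32.exe or regsvr32.exe from outside the Windows directory, and screens hosts-file lines. The SecurityHealth and Updater values, the path C:\Users\Public\upd.dll and the hosts content are constructed inputs; only the helper.dll value is taken from the report.

```python
"""Triage helpers for the persistence IoCs in this report (added example; not
sandbox output and not code from the analysed sample).

  1. Run-key values that use rundll32.exe or regsvr32.exe to host a DLL from
     outside the Windows directory, as in the ...\\Run\\helper.dll value above.
  2. hosts-file lines that point names at non-loopback addresses or pin
     security-vendor names to loopback. The report only records that hosts was
     opened for modification; the content checked here is constructed.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe"}
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SHORT_NAME = re.compile(r"~\d+(?=\\|\.|$)")   # an 8.3 component such as PROGRA~2
TOKEN = re.compile(r'"[^"]*"|\S+')            # Windows command-line tokens
SECURITY_VENDORS = ("microsoft.com", "windowsupdate.com", "symantec", "kaspersky",
                    "mcafee", "avast", "eset")


@dataclass
class RunValueFinding:
    name: str
    host: str
    dll: Optional[str] = None
    export: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def analyze_run_value(name: str, value: str) -> RunValueFinding:
    """Classify one ...\\CurrentVersion\\Run value (HKLM or HKCU, either view)."""
    tokens = TOKEN.findall(value)
    host = PureWindowsPath(tokens[0].strip('"')).name.lower() if tokens else ""
    finding = RunValueFinding(name=name, host=host)
    if host not in LOLBIN_HOSTS:
        return finding                       # a plain executable; not examined further
    finding.flags.append("lolbin:" + host)
    if host == "rundll32.exe":
        # rundll32 syntax: <dll>,<export> [args]; the DLL path may be quoted
        target, _, rest = " ".join(tokens[1:]).partition(",")
        finding.export = rest.split()[0] if rest.strip() else None
    else:
        # regsvr32 syntax: [/s] [/n] [/i[:cmd]] <dll>
        args = [t for t in tokens[1:] if not t.startswith("/")]
        target = args[0] if args else ""
    dll = target.strip().strip('"')
    finding.dll = dll or None
    if dll and not dll.lower().startswith(WINDOWS_DIRS):
        finding.flags.append("dll-outside-windows-dir")
    if SHORT_NAME.search(dll):
        finding.flags.append("8.3-short-path")   # PROGRA~2 = Program Files (x86)
    if name.lower().endswith(".dll"):
        finding.flags.append("value-name-is-dll")
    return finding


def suspicious_hosts_entries(hosts_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line, address, name, reason) for hosts lines worth a look."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        loopback = addr == "::1" or addr.startswith("127.")
        for name in (n.lower() for n in names):
            if name in ("localhost", "localhost.localdomain", "broadcasthost"):
                continue
            if loopback and any(v in name for v in SECURITY_VENDORS):
                findings.append((lineno, addr, name, "security-domain-sinkholed"))
            elif not loopback:
                findings.append((lineno, addr, name, "non-loopback-mapping"))
    return findings


# The Run value recorded by the sandbox above, plus two constructed controls.
RUN_VALUES: Dict[str, str] = {
    "helper.dll": r"C:\Windows\system32\rundll32.exe C:\PROGRA~2\3721\helper.dll,Rundll32",
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",          # constructed
    "Updater": r'"C:\Windows\System32\regsvr32.exe" /s C:\Users\Public\upd.dll',  # constructed
}

# Constructed hosts content; the report does not show what the sample wrote.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.microsoft.com   # vendor name pinned to loopback
198.51.100.7    www.example.com        # non-loopback redirect (TEST-NET-2 address)
"""


def triage() -> Dict[str, object]:
    run = {n: analyze_run_value(n, v) for n, v in RUN_VALUES.items()}
    return {"run_flagged": sorted(n for n, f in run.items() if f.flags),
            "hosts": suspicious_hosts_entries(SAMPLE_HOSTS)}


if __name__ == "__main__":
    for name, value in RUN_VALUES.items():
        f = analyze_run_value(name, value)
        print(f"{name:15} host={f.host:28} dll={f.dll} export={f.export} flags={f.flags}")
    for hit in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts:", hit)
```

On a live host the same functions take their input from `reg query` / `Get-ItemProperty` output for both the native and WOW6432Node Run keys and from C:\Windows\System32\drivers\etc\hosts; the 8.3 short name in the value is worth expanding with `dir /x` so the DLL can be collected from its long path.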
Processes
-
C:\Windows\system32\regsvr32.exe (PID 3012)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\regsvr32.exe (PID 2232)
       command line: /s C:\Users\Admin\AppData\Local\Temp\$R0.dll
       - Drops file in Drivers directory
       - Loads dropped DLL
       - Adds Run key to start application
       - Drops file in Program Files directory
       - Modifies registry class
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\SysWOW64\rundll32.exe (PID 1000)
            command line: C:\Windows\system32\rundll32.exe C:\PROGRA~2\3721\helper.dll,Rundll32
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx

Reading the tree: the sandbox started the 64-bit regsvr32.exe on $R0.dll with /s (silent); that copy hands a 32-bit DLL to its SysWOW64 counterpart, which is why every behavioural signature is attributed to PID 2232. regsvr32 /s does nothing beyond loading the DLL and calling its DllRegisterServer, so the file drops under C:\PROGRA~2\3721, the hosts write, the Run key and the COM registration all come from the DLL's own code. That code then starts rundll32.exe on the dropped helper.dll; the command line names C:\Windows\system32\rundll32.exe, but file-system redirection for a 32-bit caller resolves it to the SysWOW64 image shown, and the child's Loads dropped DLL and SetWindowsHookEx signatures are the first activity of helper.dll itself.
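The chain above (regsvr32.exe spawning its SysWOW64 copy, which spawns rundll32.exe on a freshly dropped DLL) is a pattern worth detecting in endpoint telemetry independently of this sample. The Python below is an added example (not sandbox output and not code from the sample): it walks each rundll32.exe back through its parents and reports chains that pass through regsvr32.exe, together with the DLL regsvr32 was registering, the DLL and export rundll32 was handed, and whether a 64-bit regsvr32 hopped to its WOW64 copy. The event records are constructed in a Sysmon-like shape from the PIDs, images and command lines in the tree; parent PID 0 and the explorer.exe control process are assumptions, not report data.

```python
"""Parent-chain check for the process tree in this report (added example; not
sandbox output and not code from the analysed sample). Event records are
constructed from the PIDs, images and command lines shown above; PID 0 stands
for a parent the report does not show, and the explorer.exe control is ours.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

TOKEN = re.compile(r'"[^"]*"|\S+')
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(3012, 0, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll"),
    ProcEvent(2232, 3012, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"/s C:\Users\Admin\AppData\Local\Temp\$R0.dll"),
    ProcEvent(1000, 2232, r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe C:\PROGRA~2\3721\helper.dll,Rundll32"),
    # constructed benign control: Explorer opening a Control Panel applet
    ProcEvent(4100, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4180, 4100, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"),
]


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """The process followed by its parents, nearest first; stops at unknown or cyclic PIDs."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def rundll32_target(cmdline: str) -> Tuple[Optional[str], Optional[str]]:
    """(dll, export) from 'rundll32.exe <dll>,<export> [args]'."""
    tokens = TOKEN.findall(cmdline)
    if len(tokens) < 2:
        return None, None
    dll, _, rest = " ".join(tokens[1:]).partition(",")
    return dll.strip().strip('"'), (rest.split()[0] if rest.strip() else None)


def regsvr32_target(cmdline: str) -> Optional[str]:
    """The DLL argument of regsvr32; the image name may be missing from the line."""
    args = [t.strip('"') for t in TOKEN.findall(cmdline) if not t.startswith("/")]
    return next((a for a in reversed(args) if a.lower().endswith(".dll")), None)


def detect_regsvr32_rundll32_chains(events: List[ProcEvent]) -> List[dict]:
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if image_name(ev.image) != "rundll32.exe":
            continue
        chain = ancestry(by_pid, ev.pid)
        names = [image_name(e.image) for e in chain]
        if "regsvr32.exe" not in names[1:]:
            continue                           # rundll32 not descended from regsvr32
        dll, export = rundll32_target(ev.cmdline)
        registrar = next(e for e in chain[1:] if image_name(e.image) == "regsvr32.exe")
        registered = regsvr32_target(registrar.cmdline)
        flags = []
        if dll and "\\" not in dll:
            flags.append("unqualified-dll-name")      # resolved via the DLL search order
        elif dll and not dll.lower().startswith(WINDOWS_DIRS):
            flags.append("dll-outside-windows-dir")
        if registered and "\\appdata\\local\\temp\\" in registered.lower():
            flags.append("regsvr32-dll-in-user-temp")
        images = [e.image.lower() for e in chain]
        for child, parent in zip(images, images[1:]):
            # 64-bit regsvr32 re-launching its SysWOW64 copy: the DLL it was given is 32-bit
            if child.endswith("\\syswow64\\regsvr32.exe") and parent.endswith("\\system32\\regsvr32.exe"):
                flags.append("wow64-regsvr32-hop")
        findings.append({"pid": ev.pid, "chain": " <- ".join(names), "dll": dll,
                         "export": export, "registered": registered, "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in detect_regsvr32_rundll32_chains(EVENTS):
        print(finding)
```

The same walk applies to Sysmon event ID 1 or EDR process-creation records once they are mapped onto ProcEvent; the benign control shows that rundll32.exe under explorer.exe with a bare shell32.dll argument is left alone because no regsvr32.exe sits above it.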
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 730B
  MD5    af759437bb010b6312207e76a40a8878
  SHA1   39db4bb04d290e80fc231ac9220ba71aac4b4751
  SHA256 f94ca0f6a520ccfea930feb39e7b02c1c0b70ebd72ade0362a220965ea8eeb0f
  SHA512 1eac5778935fc6728bdd1fb4d6c96265c75796eff31490246b80cd5b899e081797abd5fd7735c61756498006ac3007cc63805af8f6590b58582ad142c39ff2af
-
Filesize: 44KB
  MD5    49ae58008fc003af6f952a82c33aa3dd
  SHA1   330630c95b6be9b61398d5952be9ee1f45799606
  SHA256 8036ad2d2f302fafdef719836277834dd4f39289c326439543a86ac899384873
  SHA512 bc9f20a02903452ecfa63fe290bfa550b10ce548247bb2452c3eb23bbca48d82144ab2fad22e4da7349465a3e0be5230b9cc0e2028a3318d7ea2990bca7ae8c3
-
Filesize: 128KB (identical hashes to the analysed target $R0.dll in the General section)
  MD5    7ff63507a1ea33dc677c1f0a838fadf6
  SHA1   c35183495c7d90f22ad83970b4a86ca0c4b8b433
  SHA256 68dbf3a7828473663ca275c6eef36d91ae0e620baa7c1583d0bbc4f780dbe5c3
  SHA512 cdb8901c61e92894cf471fc305b0087f4849a71b8cb9f04eb6ddc6b53f90825532ceaaf57f6e5f98ff1f5a18ba20a0ecb6583a12e8777b5145704058582eb27d