Overview
overview
Score: 7

Sample                    Platform              Score
Static (static)           -                     3
4cefacc5fe...18.exe       windows7-x64          7
4cefacc5fe...18.exe       windows10-2004-x64    7
screensavers.exe          windows7-x64          7
screensavers.exe          windows10-2004-x64    7
$PLUGINSDI...ns.dll       windows7-x64          3
$PLUGINSDI...ns.dll       windows10-2004-x64    3
$PLUGINSDI...dl.dll       windows7-x64          3
$PLUGINSDI...dl.dll       windows10-2004-x64    3
$PLUGINSDI...em.dll       windows7-x64          3
$PLUGINSDI...em.dll       windows10-2004-x64    3
$PLUGINSDI...fo.dll       windows7-x64          3
$PLUGINSDI...fo.dll       windows10-2004-x64    3
bin/Starware316.dll       windows7-x64          6
bin/Starware316.dll       windows10-2004-x64    6
bin/broker.exe            windows7-x64          3
bin/broker.exe            windows10-2004-x64    3
sinstaller3.exe           windows7-x64          7
sinstaller3.exe           windows10-2004-x64    7
$0/SSSInstaller.dll       windows7-x64          1
$0/SSSInstaller.dll       windows10-2004-x64    1
$PLUGINSDI...em.dll       windows7-x64          3
$PLUGINSDI...em.dll       windows10-2004-x64    3
$PROGRAM_F...xe.exe       windows7-x64          1
$PROGRAM_F...xe.exe       windows10-2004-x64    1
$TEMP/SSSI...er.dll       windows7-x64          1
$TEMP/SSSI...er.dll       windows10-2004-x64    1
Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/07/2024, 05:16
Static task
static1

Behavioral tasks
Task           Sample                                          Resource
behavioral1    4cefacc5fe8acbf49758762dc8868419_JaffaCakes118.exe   win7-20240705-en
behavioral2    4cefacc5fe8acbf49758762dc8868419_JaffaCakes118.exe   win10v2004-20240709-en
behavioral3    screensavers.exe                                win7-20240704-en
behavioral4    screensavers.exe                                win10v2004-20240709-en
behavioral5    $PLUGINSDIR/InstallOptions.dll                  win7-20240708-en
behavioral6    $PLUGINSDIR/InstallOptions.dll                  win10v2004-20240709-en
behavioral7    $PLUGINSDIR/NSISdl.dll                          win7-20240708-en
behavioral8    $PLUGINSDIR/NSISdl.dll                          win10v2004-20240704-en
behavioral9    $PLUGINSDIR/System.dll                          win7-20240708-en
behavioral10   $PLUGINSDIR/System.dll                          win10v2004-20240709-en
behavioral11   $PLUGINSDIR/UserInfo.dll                        win7-20240705-en
behavioral12   $PLUGINSDIR/UserInfo.dll                        win10v2004-20240709-en
behavioral13   bin/Starware316.dll                             win7-20240704-en
behavioral14   bin/Starware316.dll                             win10v2004-20240709-en
behavioral15   bin/broker.exe                                  win7-20240708-en
behavioral16   bin/broker.exe                                  win10v2004-20240709-en
behavioral17   sinstaller3.exe                                 win7-20240708-en
behavioral18   sinstaller3.exe                                 win10v2004-20240709-en
behavioral19   $0/SSSInstaller.dll                             win7-20240704-en
behavioral20   $0/SSSInstaller.dll                             win10v2004-20240709-en
behavioral21   $PLUGINSDIR/System.dll                          win7-20240705-en
behavioral22   $PLUGINSDIR/System.dll                          win10v2004-20240709-en
behavioral23   $PROGRAM_FILES/$_3_/$_4_/ActiveDesktopExe.exe   win7-20240705-en
behavioral24   $PROGRAM_FILES/$_3_/$_4_/ActiveDesktopExe.exe   win10v2004-20240709-en
behavioral25   $TEMP/SSSInstaller.dll                          win7-20240704-en
behavioral26   $TEMP/SSSInstaller.dll                          win10v2004-20240709-en
General
Target: screensavers.exe
Size: 500KB
MD5: 0f11fe9c10dfa433c3f61d0495fa1ff9
SHA1: f741ce71f51bd87f64fe0e2a8ff8e299b1110c54
SHA256: 6c761773c1e1ca06d02f65c8c4d89927e7674666e87c8ef0966987e37f388dad
SHA512: 4a486c491a5503109c9f55e695c653c9a071e9d8ad50f7177ade5e3ff015883ef6123027f964c7aa73042b36f673be7ece1b7769d01e57e48398c471b386a9be
SSDEEP: 12288:A+EmP70O5pL+puFhc9iZkVMZfis5Sw/YrETyEEmG:A7mgI9FC8kVwisww/YxZmG
Malware Config
Signatures
Loads dropped DLL (11 IoCs)
- pid 828, process screensavers.exe (11 entries)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Installs/modifies Browser Helper Object (2 TTPs, 1 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45A4902E-4479-4EAE-A186-8D0F7E4C78DE} (screensavers.exe)

Drops file in Program Files directory (6 IoCs)
- File opened for modification C:\Program Files (x86)\Starware316\Starware316Config.xml (screensavers.exe)
- File created C:\Program Files (x86)\Starware316\Starware316Uninstall.exe (screensavers.exe)
- File created C:\Program Files (x86)\Starware316\brand.bmp (screensavers.exe)
- File created C:\Program Files (x86)\Starware316\bin\Starware316.dll (screensavers.exe)
- File created C:\Program Files (x86)\Starware316\Starware316Config.xml (screensavers.exe)
- File created C:\Program Files (x86)\Starware316\icons\star_16.ico (screensavers.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" (IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31119167" (IEXPLORE.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{45A4902E-4479-4EAE-A186-8D0F7E4C78DE}\AppPath = "C:\\Program Files (x86)\\Starware316\\bin" (screensavers.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (IEXPLORE.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{9FB3908C-6565-4CB0-95F8-E9F85258723C} = "Starware Screensavers Toolbar" (screensavers.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" (IEXPLORE.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10a146653fd7da01 (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\IESettingSync (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\VersionManager (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31119167" (IEXPLORE.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000474a65013f51fa4ea7512bf38b7b793000000000020000000000106600000001000020000000c3d2044657d74faf098b1fb4f3383968d285504ac6463d42c79d40fe2d14ba07000000000e8000000002000020000000d91a9ccc2d21ae291b185156fbf5dedd03ae25f46b7a2af3efcc993a3a81036b20000000a184ca84b760c39a94c8b6afa47cda3a4635186f972950e6a0ba61bca38f360a400000006312033c4ba10ab1b98e08f87523690d74a9f99893cd246aaa65dd340d5065003d249b4e8fac46a6ee493f45026bfde7cd53ffa898b76a30ef86c766a12358b6 (IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427871951" (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\VersionManager (IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1529136366" (IEXPLORE.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" (IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1529136366" (IEXPLORE.EXE)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{45A4902E-4479-4EAE-A186-8D0F7E4C78DE} (screensavers.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar (screensavers.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{866C8CC2-4332-11EF-96F8-7A5D0894EB59} = "0" (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\GPU (IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1526792948" (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (IEXPLORE.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00cd4d653fd7da01 (IEXPLORE.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000474a65013f51fa4ea7512bf38b7b793000000000020000000000106600000001000020000000019c0f3f800453e09ca82767142a6e83bda59b9de0d578279f8c1bd52d8bd11f000000000e8000000002000020000000281a3600ab95338b4f743fb6c36874eff1d741ee43cf3192f412c90c6e23d1a320000000b774544dc7dcc76bc28b5d93c43c67eb80665692b1738e0469d52143005cc9c94000000008f0a4fbce5cdb664679a12c58b7e950cf5bac182a0ea414688224af7f84cd9472014ed8aca6f591bb4a68ea56ccda4c828a3bdc13eb879a36fe0059c3c5c621 (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (IEXPLORE.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{45A4902E-4479-4EAE-A186-8D0F7E4C78DE}\AppName = "broker.exe" (screensavers.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31119167" (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (IEXPLORE.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" (IEXPLORE.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" (IEXPLORE.EXE)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{45A4902E-4479-4EAE-A186-8D0F7E4C78DE}\Policy = "3" (screensavers.exe)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1526792948" (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion (IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (IEXPLORE.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31119167" (IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" (IEXPLORE.EXE)

Modifies registry class (24 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FB3908C-6565-4CB0-95F8-E9F85258723C}\ = "Starware Screensavers Toolbar" (screensavers.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FB3908C-6565-4CB0-95F8-E9F85258723C}\InprocServer32\ = "C:\\Program Files (x86)\\Starware316\\bin\\Starware316.dll" (screensavers.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C1CAACF-1788-4613-A840-6BD943D4EE95} (screensavers.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C1CAACF-1788-4613-A840-6BD943D4EE95}\Implemented Categories\{00021493-0000-0000-C000-000000000046} (screensavers.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45A4902E-4479-4EAE-A186-8D0F7E4C78DE}\ (screensavers.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FB3908C-6565-4CB0-95F8-E9F85258723C} (screensavers.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C1CAACF-1788-4613-A840-6BD943D4EE95}\Implemented Categories (screensavers.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A7D6AD2-0881-451F-BB27-F5E2EE2C5B14}\InprocServer32 (screensavers.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A7D6AD2-0881-451F-BB27-F5E2EE2C5B14}\Implemented Categories (screensavers.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A7D6AD2-0881-451F-BB27-F5E2EE2C5B14}\Implemented Categories\{00021494-0000-0000-C000-000000000046} (screensavers.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45A4902E-4479-4EAE-A186-8D0F7E4C78DE}\InprocServer32\ = "C:\\Program Files (x86)\\Starware316\\bin\\Starware316.dll" (screensavers.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C1CAACF-1788-4613-A840-6BD943D4EE95}\ = "Starware316" (screensavers.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C1CAACF-1788-4613-A840-6BD943D4EE95}\InprocServer32\ThreadingModel = "Apartment" (screensavers.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A7D6AD2-0881-451F-BB27-F5E2EE2C5B14}\ = "Starware316" (screensavers.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A7D6AD2-0881-451F-BB27-F5E2EE2C5B14}\InprocServer32\ = "C:\\Program Files (x86)\\Starware316\\bin\\Starware316.dll" (screensavers.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45A4902E-4479-4EAE-A186-8D0F7E4C78DE} (screensavers.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45A4902E-4479-4EAE-A186-8D0F7E4C78DE}\InprocServer32 (screensavers.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FB3908C-6565-4CB0-95F8-E9F85258723C}\InprocServer32 (screensavers.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FB3908C-6565-4CB0-95F8-E9F85258723C}\InprocServer32\ThreadingModel = "Apartment" (screensavers.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C1CAACF-1788-4613-A840-6BD943D4EE95}\InprocServer32 (screensavers.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C1CAACF-1788-4613-A840-6BD943D4EE95}\InprocServer32\ = "C:\\Program Files (x86)\\Starware316\\bin\\Starware316.dll" (screensavers.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A7D6AD2-0881-451F-BB27-F5E2EE2C5B14} (screensavers.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A7D6AD2-0881-451F-BB27-F5E2EE2C5B14}\InprocServer32\ThreadingModel = "Apartment" (screensavers.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45A4902E-4479-4EAE-A186-8D0F7E4C78DE}\InprocServer32\ThreadingModel = "Apartment" (screensavers.exe)

Suspicious use of FindShellTrayWindow (1 IoCs)
- pid 3432, process IEXPLORE.EXE

Suspicious use of SetWindowsHookEx (6 IoCs)
- pid 3432, process IEXPLORE.EXE
- pid 3432, process IEXPLORE.EXE
- pid 1320, process IEXPLORE.EXE
- pid 1320, process IEXPLORE.EXE
- pid 1320, process IEXPLORE.EXE
- pid 1320, process IEXPLORE.EXE

Suspicious use of WriteProcessMemory (5 IoCs)
- PID 828 wrote to memory of 3432 (process screensavers.exe, procid_target 86)
- PID 828 wrote to memory of 3432 (process screensavers.exe, procid_target 86)
- PID 3432 wrote to memory of 1320 (process IEXPLORE.EXE, procid_target 87)
- PID 3432 wrote to memory of 1320 (process IEXPLORE.EXE, procid_target 87)
- PID 3432 wrote to memory of 1320 (process IEXPLORE.EXE, procid_target 87)
Processes
- C:\Users\Admin\AppData\Local\Temp\screensavers.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\screensavers.exe"
  PID: 828
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://try.screensavers.com/landing/screensavers/intro_01.php
    PID: 3432
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3432 CREDAT:17410 /prefetch:2
      PID: 1320
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 107KB
  MD5: 29405c1c64cf0ecf87586d3148dcc15e
  SHA1: 1b88acdb69bebd27266da52c073f75a639bd48f0
  SHA256: 03ae2dc90886350a0ec8eb097944c26804481cc6a24cfbb1bb6ec3014de2f940
  SHA512: 0fbec80223f42b7cc444610120881ff242bf057759b0da7dc48d61272c8e37b010e6f514e7dc7b1732cff3f7838df5a892bf4fca47bf3d3d855d0c69d3a98bc8
- Filesize: 784KB
  MD5: 32e690f3964320bc19e250d3272a8d06
  SHA1: e90dd4b963ad1cc98d6d152296d1f5f5d42003f1
  SHA256: 10922e8fbaa40bb7e4a41374a9371e94e7537c87185b16db842cca180d033864
  SHA512: 898092d3e4fe8a98d82f84ab342962ae5e764738d79fc736ce596af3e482401ec91ba55bb035fc4ab857343aef046f3c47ec4c4ebae93bb1ff743ae6e5d211b9
- Filesize: 1KB
  MD5: 26a7ef0063b36a6559dba09c0057b8aa
  SHA1: 5a929ec4d005ad990897ce9a05d44899d4d28ddf
  SHA256: c1e4ccb007a4dcfe2578ca10ef0a94db4e4fcee09c32698cfd81686b8705cd6e
  SHA512: 01b4b17a6f27d43f575287ff721b6db2bfa9ba1d5cc796d44aa58873500c4fd2172a7ab6d1e658e8a5908761abc74954213627fe4e69b6c77d8d52152a915295
- Filesize: 15KB
  MD5: 1a545d0052b581fbb2ab4c52133846bc
  SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
  SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
  SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
- Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- Filesize: 10KB
  MD5: 05e52213cfa17dee760186462a9645ed
  SHA1: f6d5e82080bbba65db7d54e89250c95af833aae3
  SHA256: d9d3ffa4c7d7a152f435f4777e72aa1b6a6c0555f277e59eedebc587c3b66ba5
  SHA512: 586eea0bec6345b437667ce528bc2396427dd444a396456e38046a8962e92a52e7ee62b9f6c97f41bc1fb4a1b3905a302d6f7055e26b84e60709ba3b416ad172
- Filesize: 4KB
  MD5: b27f488adb12bef2ccf9b9b900ec090c
  SHA1: 4c0049d304e3233246151e1bec1ed770fc226240
  SHA256: 62f30ca60cfc2e2a64c159f28b5caf59c6af96fac64c59ed8d8512d7083e9439
  SHA512: a4ae24c48e49c11d589430f47c76f4ab5f22521e0a8b5ce9b0f9a3da81417e082ac5a0b9d2960e146c987773bce074883a818ba6d3e45d665ed96ccb945be3cf
- Filesize: 1KB
  MD5: cd3ed70dd937c7dd738a54c06c6cac56
  SHA1: 80e0d8d7d6933f599a064a8a85464c1a8a7dc075
  SHA256: b74fab0acfa93ace409c063371b9e1d9d6d2bdb7bf08cdc192b50adcf7c66c7c
  SHA512: 972fa80af01a06e8018cae6b5db6e763758078835b6ecc0d4fb625b5159c50e83852e2f47e79c924cc101f584672f19f8cc94379431010109e20abf2c0577bf3
- Filesize: 2KB
  MD5: 23f9a746b385dc57e322e92dd97df3b9
  SHA1: 3545cf39b92e1623c5109ea48044c7f8c0042e7c
  SHA256: 3f7940d8ae1266369b760625a30a7d7477b2762807de5729b3426a85f6ed60b7
  SHA512: 5949734af89325c7a40b5db95d050f0234c294a6313276d1eccc9173ff2d3cf0dc8f1e1bff5541ce0e7f9a62163143e3ef2c247b23801383dbefc1f0a569e254