0c4a85431263ae8c6e92df33ad45505af6201ee32a23d71b331b72701ff15144

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 21:11

Target

$SYSDIR/$SYSDIR/$_8_.dll
Size

164KB
MD5

22c0ab59ddae9b1bb9a905ecf5f16021
SHA1

3e976a5abccb34372633b8d6427dd45a09395718
SHA256

15d4993534c019859c56589d11d3328ef731d94e566798d98322ddd5538115d9
SHA512

c4d075a748bda7e5f7b20c7a28db040f3400f5bbd4073102ad879f36c9cd9d11ffe05ee3fb11171e6a556b1a9e9d8a1621ad23804c8508dde54ff8bf5131cb0e
SSDEEP

3072:i76fbF8fwSshuMG6plp88yVFnuhnGnMzAmyQv5rD:i2bCfwSoG6lpSFmnGnG9

Score

6^/10

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nnqlepaoey = "C:\\Windows\\System32\\Rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\$SYSDIR\\$_8_.dll\" EntryPoint"	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

Modify Registry

Browser Extensions

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{36e39f83-fea2-9fcd-82bc-b135a864d999}\NoExplorer = "\"\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36e39f83-fea2-9fcd-82bc-b135a864d999}	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36e39f83-fea2-9fcd-82bc-b135a864d999}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36e39f83-fea2-9fcd-82bc-b135a864d999}\ = "bannerstyles15 browser enhancer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36e39f83-fea2-9fcd-82bc-b135a864d999}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36e39f83-fea2-9fcd-82bc-b135a864d999}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\$SYSDIR\\$_8_.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36e39f83-fea2-9fcd-82bc-b135a864d999}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2264	2232	regsvr32.exe	30
PID 2232 wrote to memory of 2264	2232	regsvr32.exe	30
PID 2232 wrote to memory of 2264	2232	regsvr32.exe	30
PID 2232 wrote to memory of 2264	2232	regsvr32.exe	30
PID 2232 wrote to memory of 2264	2232	regsvr32.exe	30
PID 2232 wrote to memory of 2264	2232	regsvr32.exe	30
PID 2232 wrote to memory of 2264	2232	regsvr32.exe	30

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_8_.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_8_.dll
  2⤵
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2264