3420c0f497229864adc78c264dc4a8a45160b2a63eecfb93ea28d66c27288402

Analysis

max time kernel
65s
max time network
69s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DSCEIG1983989.exe
Size

56KB
MD5

9fa365ad8d2c49d5ebe2e7c1a75ee527
SHA1

315ce97d28536b21f2a81c82c17b0bd992aa304d
SHA256

91bccb1839a50273c4ae57a5acdeb0d9fd027ca76774b691c8293f970939d7f8
SHA512

0152cc9c27784c6103de193d22209065c1675543d92979198a8c7b8667110500726a9c71cc17ab64029157dcbf14545d80d1b125c0dcef46e69d370302563129
SSDEEP

768:J1geO7wv5LGLjW/hiH7wU08n5mSD95q7wve:J1geOMhAjiA7wZ8Yw9sMve

Score

6^/10

adware discovery stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	DSCEIG1983989.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	DSCEIG1983989.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\addins\WindowsLiveMessengerPlus.dll	DSCEIG1983989.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DSCEIG1983989.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REGSVR32.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WindowsLiveMessengerPlus.sampleclass\Clsid	DSCEIG1983989.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WindowsLiveMessengerPlus.sampleclass	DSCEIG1983989.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2520	DSCEIG1983989.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 3048	2520	DSCEIG1983989.exe	31
PID 2520 wrote to memory of 3048	2520	DSCEIG1983989.exe	31
PID 2520 wrote to memory of 3048	2520	DSCEIG1983989.exe	31
PID 2520 wrote to memory of 3048	2520	DSCEIG1983989.exe	31
PID 2520 wrote to memory of 3048	2520	DSCEIG1983989.exe	31
PID 2520 wrote to memory of 3048	2520	DSCEIG1983989.exe	31
PID 2520 wrote to memory of 3048	2520	DSCEIG1983989.exe	31

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	DSCEIG1983989.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ = "1"	DSCEIG1983989.exe

C:\Users\Admin\AppData\Local\Temp\DSCEIG1983989.exe
"C:\Users\Admin\AppData\Local\Temp\DSCEIG1983989.exe"
1⤵
- Installs/modifies Browser Helper Object
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2520
- C:\Windows\SysWOW64\REGSVR32.EXE
  C:\Windows\system32\REGSVR32.EXE /s C:\WINDOWS\addins\WindowsLiveMessengerPlus.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads