Overview
overview
7Static
static
3e275e8febf...37.exe
windows7-x64
7e275e8febf...37.exe
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$SYSDIR/CEA_Crypt.dll
windows7-x64
3$SYSDIR/CEA_Crypt.dll
windows10-2004-x64
3$SYSDIR/FT...nk.dll
windows7-x64
3$SYSDIR/FT...nk.dll
windows10-2004-x64
3$SYSDIR/In...11.dll
windows7-x64
3$SYSDIR/In...11.dll
windows10-2004-x64
3$SYSDIR/In..._s.dll
windows7-x64
3$SYSDIR/In..._s.dll
windows10-2004-x64
3$SYSDIR/Pa...rl.dll
windows7-x64
5$SYSDIR/Pa...rl.dll
windows10-2004-x64
5$SYSDIR/Pa...rl.dll
windows7-x64
5$SYSDIR/Pa...rl.dll
windows10-2004-x64
5$SYSDIR/Pa...ns.exe
windows7-x64
3$SYSDIR/Pa...ns.exe
windows10-2004-x64
3$SYSDIR/Pa...64.dll
windows7-x64
7$SYSDIR/Pa...64.dll
windows10-2004-x64
5$SYSDIR/Pa...ns.exe
windows7-x64
3$SYSDIR/Pa...ns.exe
windows10-2004-x64
3$SYSDIR/pa...ns.exe
windows7-x64
3$SYSDIR/pa...ns.exe
windows10-2004-x64
3$SYSDIR/pr...RA.dll
windows7-x64
3$SYSDIR/pr...RA.dll
windows10-2004-x64
3$SYSDIR/stwebdll.dll
windows7-x64
3$SYSDIR/stwebdll.dll
windows10-2004-x64
3$TEMP/EsWe...it.exe
windows7-x64
7$TEMP/EsWe...it.exe
windows10-2004-x64
7Analysis
-
max time kernel
15s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
25-08-2024 06:28
Static task
static1
Behavioral task
behavioral1
Sample
e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral2
Sample
e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$SYSDIR/CEA_Crypt.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
$SYSDIR/CEA_Crypt.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$SYSDIR/FTInitlize_bank.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
$SYSDIR/FTInitlize_bank.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$SYSDIR/InterPass2000P11.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
$SYSDIR/InterPass2000P11.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$SYSDIR/InterPass2000P11_s.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral14
Sample
$SYSDIR/InterPass2000P11_s.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$SYSDIR/PassGuardCtrl.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral16
Sample
$SYSDIR/PassGuardCtrl.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$SYSDIR/PassGuardCtrlForYBXY/PassGuardCtrl.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral18
Sample
$SYSDIR/PassGuardCtrlForYBXY/PassGuardCtrl.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$SYSDIR/PassGuardCtrlForYBXY/passguardwin7ins.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral20
Sample
$SYSDIR/PassGuardCtrlForYBXY/passguardwin7ins.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$SYSDIR/PassGuardX64ForYBXY/PassGuardX64.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral22
Sample
$SYSDIR/PassGuardX64ForYBXY/PassGuardX64.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$SYSDIR/PassGuardX64ForYBXY/passguardwin7ins.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
$SYSDIR/PassGuardX64ForYBXY/passguardwin7ins.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$SYSDIR/passguardwin7ins.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral26
Sample
$SYSDIR/passguardwin7ins.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$SYSDIR/printCtl4RA.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral28
Sample
$SYSDIR/printCtl4RA.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$SYSDIR/stwebdll.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral30
Sample
$SYSDIR/stwebdll.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$TEMP/EsWebSocketKit.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral32
Sample
$TEMP/EsWebSocketKit.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
$SYSDIR/printCtl4RA.dll
-
Size
124KB
-
MD5
a89ea3892bfe94be61231dedc9263cd8
-
SHA1
768a8e6a08621f22447567dd96fde590071696ef
-
SHA256
12d5a0d88d72b088face2209427d1d9f116179eb48a90da27902f5712590d86c
-
SHA512
d3bc89d4fdd2de9b6cd2ea11cc3c12f6a524c7f07164590bdc8f12f36cc59432ff0dd8cb63bcbf40fa18cc064ba5646fa2c0c931439c6f8d39579676e0d16761
-
SSDEEP
3072:H5mgucQOCStrFrfaRqUgLRy2J0kGAqb9icB/KLY:xCSrtLZJ0OC5/1
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Modifies registry class 56 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\PRINTC~1.DLL, 101" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\MiscStatus regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\MiscStatus\1\ = "131473" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3762ABC3-D228-4CA4-B50D-7E5CD3B24F02}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\Version regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3762ABC3-D228-4CA4-B50D-7E5CD3B24F02}\1.0\ = "printCtl4RA 1.0 Type Library" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PrintCtl4RA.ctl4RA.1\ = "ctl4RA Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PrintCtl4RA.ctl4RA\ = "ctl4RA Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\Control regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PrintCtl4RA.ctl4RA.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PrintCtl4RA.ctl4RA.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PrintCtl4RA.ctl4RA\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\MiscStatus\1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PrintCtl4RA.ctl4RA regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\Insertable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3762ABC3-D228-4CA4-B50D-7E5CD3B24F02} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\VersionIndependentProgID\ = "PrintCtl4RA.ctl4RA" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3762ABC3-D228-4CA4-B50D-7E5CD3B24F02}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3762ABC3-D228-4CA4-B50D-7E5CD3B24F02}\1.0\FLAGS\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PrintCtl4RA.ctl4RA.1\CLSID\ = "{27984DB8-C851-439E-B625-81740482BE7C}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74}\ = "Ictl4RA" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PrintCtl4RA.ctl4RA\CurVer\ = "PrintCtl4RA.ctl4RA.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3762ABC3-D228-4CA4-B50D-7E5CD3B24F02}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\printCtl4RA.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\ProgID\ = "PrintCtl4RA.ctl4RA.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3762ABC3-D228-4CA4-B50D-7E5CD3B24F02}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3762ABC3-D228-4CA4-B50D-7E5CD3B24F02}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3762ABC3-D228-4CA4-B50D-7E5CD3B24F02}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\ToolboxBitmap32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3762ABC3-D228-4CA4-B50D-7E5CD3B24F02}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74}\ = "Ictl4RA" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74}\TypeLib\ = "{3762ABC3-D228-4CA4-B50D-7E5CD3B24F02}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PrintCtl4RA.ctl4RA\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\MiscStatus\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74}\TypeLib\ = "{3762ABC3-D228-4CA4-B50D-7E5CD3B24F02}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56B8E9B3-B5A7-4435-B66A-AF624BD92D74}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PrintCtl4RA.ctl4RA\CLSID\ = "{27984DB8-C851-439E-B625-81740482BE7C}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\ = "ctl4RA Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\PRINTC~1.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27984DB8-C851-439E-B625-81740482BE7C}\TypeLib\ = "{3762ABC3-D228-4CA4-B50D-7E5CD3B24F02}" regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1656 wrote to memory of 2956 1656 regsvr32.exe 30 PID 1656 wrote to memory of 2956 1656 regsvr32.exe 30 PID 1656 wrote to memory of 2956 1656 regsvr32.exe 30 PID 1656 wrote to memory of 2956 1656 regsvr32.exe 30 PID 1656 wrote to memory of 2956 1656 regsvr32.exe 30 PID 1656 wrote to memory of 2956 1656 regsvr32.exe 30 PID 1656 wrote to memory of 2956 1656 regsvr32.exe 30
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\$SYSDIR\printCtl4RA.dll1⤵
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\$SYSDIR\printCtl4RA.dll2⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2956
-