Overview (score 10)
Static (score 3)

Behavioral tasks listed in the report sidebar (sample names are truncated as on the page; full names are given under Analysis):

| Score | Sample | Platform |
|---|---|---|
| 7 | HA_SendLin...re.exe | windows7-x64 |
| 7 | HA_SendLin...re.exe | windows10-2004-x64 |
| 3 | $PLUGINSDI...ns.dll | windows7-x64 |
| 3 | $PLUGINSDI...ns.dll | windows10-2004-x64 |
| 3 | $PLUGINSDI...sh.dll | windows7-x64 |
| 3 | $PLUGINSDI...sh.dll | windows10-2004-x64 |
| 3 | $PLUGINSDI...nu.dll | windows7-x64 |
| 3 | $PLUGINSDI...nu.dll | windows10-2004-x64 |
| 3 | $PLUGINSDI...em.dll | windows7-x64 |
| 3 | $PLUGINSDI...em.dll | windows10-2004-x64 |
| 8 | $TEMP/Assi...fy.exe | windows7-x64 |
| 8 | $TEMP/Assi...fy.exe | windows10-2004-x64 |
| 8 | $R0.dll | windows7-x64 |
| 8 | $R0.dll | windows10-2004-x64 |
| 6 | Assist/$R0.dll | windows7-x64 |
| 6 | Assist/$R0.dll | windows10-2004-x64 |
| 10 | $TEMP/DUDU_HH.exe | windows7-x64 |
| 10 | $TEMP/DUDU_HH.exe | windows10-2004-x64 |
| 3 | SendLink.exe | windows7-x64 |
| 3 | SendLink.exe | windows10-2004-x64 |
| 6 | SendLink.url | windows7-x64 |
| 3 | SendLink.url | windows10-2004-x64 |
| 3 | SendLog.html | windows7-x64 |
| 3 | SendLog.html | windows10-2004-x64 |
| 3 | SlideShow.html | windows7-x64 |
| 1 | SlideShow.html | windows10-2004-x64 |
| 5 | Support.url | windows7-x64 |
| 1 | Support.url | windows10-2004-x64 |
| 7 | uninst.exe | windows7-x64 |
| 7 | uninst.exe | windows10-2004-x64 |
| 3 | $PLUGINSDI...LL.dll | windows7-x64 |
| 3 | $PLUGINSDI...LL.dll | windows10-2004-x64 |
Analysis

| Field | Value |
|---|---|
| max time kernel | 117s |
| max time network | 118s |
| platform | windows7_x64 |
| resource | win7-20240708-en |
| resource tags | arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system |
| submitted | 20/09/2024, 03:48 |
| Task | Sample | Resource |
|---|---|---|
| static1 (Static task) | | |
| behavioral1 | HA_SendLink191_Fire.exe | win7-20240704-en |
| behavioral2 | HA_SendLink191_Fire.exe | win10v2004-20240802-en |
| behavioral3 | $PLUGINSDIR/InstallOptions.dll | win7-20240903-en |
| behavioral4 | $PLUGINSDIR/InstallOptions.dll | win10v2004-20240802-en |
| behavioral5 | $PLUGINSDIR/Splash.dll | win7-20240903-en |
| behavioral6 | $PLUGINSDIR/Splash.dll | win10v2004-20240802-en |
| behavioral7 | $PLUGINSDIR/StartMenu.dll | win7-20240903-en |
| behavioral8 | $PLUGINSDIR/StartMenu.dll | win10v2004-20240802-en |
| behavioral9 | $PLUGINSDIR/System.dll | win7-20240903-en |
| behavioral10 | $PLUGINSDIR/System.dll | win10v2004-20240802-en |
| behavioral11 | $TEMP/Assist_hanzify.exe | win7-20240708-en |
| behavioral12 | $TEMP/Assist_hanzify.exe | win10v2004-20240802-en |
| behavioral13 | $R0.dll | win7-20240729-en |
| behavioral14 | $R0.dll | win10v2004-20240802-en |
| behavioral15 | Assist/$R0.dll | win7-20240903-en |
| behavioral16 | Assist/$R0.dll | win10v2004-20240802-en |
| behavioral17 | $TEMP/DUDU_HH.exe | win7-20240903-en |
| behavioral18 | $TEMP/DUDU_HH.exe | win10v2004-20240802-en |
| behavioral19 | SendLink.exe | win7-20240903-en |
| behavioral20 | SendLink.exe | win10v2004-20240802-en |
| behavioral21 | SendLink.url | win7-20240729-en |
| behavioral22 | SendLink.url | win10v2004-20240802-en |
| behavioral23 | SendLog.html | win7-20240903-en |
| behavioral24 | SendLog.html | win10v2004-20240802-en |
| behavioral25 | SlideShow.html | win7-20240708-en |
| behavioral26 | SlideShow.html | win10v2004-20240802-en |
| behavioral27 | Support.url | win7-20240903-en |
| behavioral28 | Support.url | win10v2004-20240802-en |
| behavioral29 | uninst.exe | win7-20240903-en |
| behavioral30 | uninst.exe | win10v2004-20240910-en |
| behavioral31 | $PLUGINSDIR/LangDLL.dll | win7-20240704-en |
| behavioral32 | $PLUGINSDIR/LangDLL.dll | win10v2004-20240802-en |
General

| Field | Value |
|---|---|
| Target | $TEMP/Assist_hanzify.exe |
| Size | 193KB |
| MD5 | 7e32fa5420daf2bef4833396f4390ab4 |
| SHA1 | 22238aa3e8ad066c525afc62e140937bfd597ca8 |
| SHA256 | 7a9be0f039c30ed7b521619244d5f1b34029f573162b39022948ab472bb65a04 |
| SHA512 | 3b5307f03cd6f74c11440aa36f0222c21850af7f4723e73b261b727b5c03c94fe2fa02e897e8a07c13c4bc0b53819a3b3ca6be0c668328fe0de0de5a9ff56ea1 |
| SSDEEP | 3072:ck5+bFdkJCaWvV9MDKsxt+Q2ua4m3r8HlimB4PKPRngJY/HkzanhV2HD:x05aoV92xt12N33r8BOU+J6kzanhsHD |
Malware Config
Signatures

Drops file in Drivers directory (1 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | Assist_hanzify.exe |

Loads dropped DLL (9 IoCs)

| pid | Process |
|---|---|
| 1680 | Assist_hanzify.exe |
| 1680 | Assist_hanzify.exe |
| 1680 | Assist_hanzify.exe |
| 2176 | rundll32.exe |
| 2176 | rundll32.exe |
| 2176 | rundll32.exe |
| 1680 | Assist_hanzify.exe |
| 1680 | Assist_hanzify.exe |
| 1680 | Assist_hanzify.exe |

Adds Run key to start application (2 TTPs, 1 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\helper.dll = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\3721\\helper.dll,Rundll32" | Assist_hanzify.exe |

Checks installed software on the system (1 TTPs)

Looks up Uninstall key entries in the registry to enumerate software on the system.

Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)

BHOs are DLL modules which act as plugins for Internet Explorer.

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78} | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "AssistII" | Assist_hanzify.exe |

Drops file in Program Files directory (40 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\PROGRA~2\3721\i3721res.dat | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\7.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\prodef.ini | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\9.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\profile.ini | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\1.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\10.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\4.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\cns01.dat | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Helper.dll | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\6.bmp | Assist_hanzify.exe |
| File created | C:\Program Files (x86)\3721\Assist\assist.dll | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\5.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\profile.ini | Assist_hanzify.exe |
| File created | C:\Program Files (x86)\3721\Assist\asbar.dll | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\4.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\Logo.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\2.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\3.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\6.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\8.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\3.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\8.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\11.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\prodef.ini | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\3721\Helper.dll | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\11.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\2.bmp | Assist_hanzify.exe |
| File opened for modification | C:\PROGRA~2\3721\cns01.dat | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\9.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\Logo.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\custom.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\coolbar.cab | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\1.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\10.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\7.bmp | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\custom.bmp | Assist_hanzify.exe |
| File created | C:\Program Files (x86)\3721\AutoLive.dll | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\3721\cns01.dat | Assist_hanzify.exe |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\5.bmp | Assist_hanzify.exe |
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Assist_hanzify.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe |
Modifies Internet Explorer settings

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search\CustomizeSearch = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm" | Assist_hanzify.exe |
| Key deleted | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\URLSearchHooks | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar | Assist_hanzify.exe |
| Key deleted | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm" | Assist_hanzify.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\URLSearchHooks | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "????" | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "coolbar" | Assist_hanzify.exe |
Modifies registry class (64 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\Programmable | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0 | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\ = "IEasyAssist" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\ProxyStubClsid32 | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32 | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32 | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32 | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\ = "AutoLive 1.0 Type Library" | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32 | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0\win32\ = "C:\\Program Files (x86)\\3721\\Assist\\asbar.dll" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\HELPDIR\ = "C:\\PROGRA~2\\3721\\Assist" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{924F5B3A-7A27-484A-B873-E855C9708667} | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1 | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0 | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\HELPDIR | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\ = "AutoLive" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0 | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\ = "ÉÏÍøÖúÊÖ" | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\ = "ÉÏÍøÖúÊÖ" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist\CLSID | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}\InprocServer32 | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1 | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1\CLSID\ = "{1B0E7716-898E-48cc-9690-4E338E8DE1D3}" | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32\ThreadingModel = "Apartment" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\VersionIndependentProgID | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0 | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist\CurVer | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer\ = "CoolBar.CoolBarObj.1" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\TypeLib | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\ = "Assist 1.0 Type Library" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\HELPDIR | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist\CLSID\ = "{1B0E7716-898E-48cc-9690-4E338E8DE1D3}" | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32 | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\AutoLive.dll" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ProgID | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\Version = "1.0" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0 | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}\InprocServer32\ThreadingModel = "Apartment" | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\3721\\Assist\\" | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj | Assist_hanzify.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78} | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\ = "Live Class" | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ProgID\ = "CoolBar.CoolBarObj.1" | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\ = "CoolBar 1.0 Type Library" | Assist_hanzify.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}\InprocServer32\ = "C:\\Program Files (x86)\\3721\\Assist\\assist.dll" | Assist_hanzify.exe |
Suspicious use of AdjustPrivilegeToken (3 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 1680 | Assist_hanzify.exe |
| Token: SeRestorePrivilege | 1680 | Assist_hanzify.exe |
| Token: SeBackupPrivilege | 1680 | Assist_hanzify.exe |

Suspicious use of SetWindowsHookEx (1 IoCs)

| pid | Process |
|---|---|
| 2176 | rundll32.exe |

Suspicious use of WriteProcessMemory (7 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1680 wrote to memory of 2176 | 1680 | Assist_hanzify.exe | 30 |
| PID 1680 wrote to memory of 2176 | 1680 | Assist_hanzify.exe | 30 |
| PID 1680 wrote to memory of 2176 | 1680 | Assist_hanzify.exe | 30 |
| PID 1680 wrote to memory of 2176 | 1680 | Assist_hanzify.exe | 30 |
| PID 1680 wrote to memory of 2176 | 1680 | Assist_hanzify.exe | 30 |
| PID 1680 wrote to memory of 2176 | 1680 | Assist_hanzify.exe | 30 |
| PID 1680 wrote to memory of 2176 | 1680 | Assist_hanzify.exe | 30 |
Processes

- C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe (PID 1680)
  Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe"
  Signatures:
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\rundll32.exe (PID 2176)
    Command line: C:\Windows\system32\rundll32.exe C:\PROGRA~2\3721\helper.dll,Rundll32
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Browser Extensions (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
Downloads

- Filesize: 44KB
  MD5: 49ae58008fc003af6f952a82c33aa3dd
  SHA1: 330630c95b6be9b61398d5952be9ee1f45799606
  SHA256: 8036ad2d2f302fafdef719836277834dd4f39289c326439543a86ac899384873
  SHA512: bc9f20a02903452ecfa63fe290bfa550b10ce548247bb2452c3eb23bbca48d82144ab2fad22e4da7349465a3e0be5230b9cc0e2028a3318d7ea2990bca7ae8c3
- Filesize: 156KB
  MD5: aaf5a6b61ca11868c31011a68d95a5ef
  SHA1: d58bb83332af9e56758ff5cb1fcd3173567e6c4c
  SHA256: a8cd1c0f58135ad104b0d2a3064d3d4b9792be5ff40a721aac7eb37e26708b36
  SHA512: e6461950958a38089197932f6ba34b578a6d6932e1cf7412a2c93f5841e853468037c0cd2081d3ef5f744ab04df7b8b967113aa255066a1f22ae980dc6ceca3b
- Filesize: 49KB
  MD5: a3cbf83f654e5cc90422f4cc7a44f339
  SHA1: 58d03194e3e7691e30294a19ba798005fe9eba0b
  SHA256: 985815be546603778889135b8057ca9e43494993b21d880e7ad164659fff8060
  SHA512: 5f56d5dd8f4443ebaea493ae56f940fa68c1b384f045c8d01f64c92440cbcc10fc83f6a3cab924d258a90345c51bd5d1c481338a627b521a1384a570e2958d76
- Filesize: 128KB
  MD5: 7ff63507a1ea33dc677c1f0a838fadf6
  SHA1: c35183495c7d90f22ad83970b4a86ca0c4b8b433
  SHA256: 68dbf3a7828473663ca275c6eef36d91ae0e620baa7c1583d0bbc4f780dbe5c3
  SHA512: cdb8901c61e92894cf471fc305b0087f4849a71b8cb9f04eb6ddc6b53f90825532ceaaf57f6e5f98ff1f5a18ba20a0ecb6583a12e8777b5145704058582eb27d
- Filesize: 10KB
  MD5: b21538d9f049d3e3e8b666744d7ca36d
  SHA1: b97fc58f9aa238758a7574a2e32dac4e97392f47
  SHA256: 9dbe958fd425903ffc2197a112bec4fa597284f9637fe8fd5685016f32e21334
  SHA512: 05d2c660a43519fd35daa3b4310419b33e61ce8557bde55942315ca59c3b9cb9fdeaea42c403ad78a54fa9923eaa712bcf5a10dea83619a18c4ef0c451e6d533
- Filesize: 44KB
  MD5: 67a76be36af407f74a340515312da5f8
  SHA1: e1bf0b505629ccbbf2e0ec86b30e31ac1f7f835d
  SHA256: eff43f4fd70798e1ad53302b38f14c8f905eacb404a650f82f61f7a222863571
  SHA512: 35b6821dc440ed8254a1a84c7ed002013d71321327a09e4e2144801651cb47c288fe9eef100fb09ccd43dfa5c562b6a8c3013059f0d46ff9d921585c217c17ac