Analysis

  • max time kernel
    90s
  • max time network
    92s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    29-06-2024 11:21

Errors

Reason
Machine shutdown

General

  • Target

    ExplorerBlurMica/Release/ExplorerBlurMica.dll

  • Size

    214KB

  • MD5

    6bbdd800a32fdbca2385e95214dcd4d3

  • SHA1

    93ef5e833904f2a7a2f2fea64671394f6b31c3ae

  • SHA256

    9d6f554604111405e48f7fdf0eba972bdde5e0a275d2e7dd66240681ea595344

  • SHA512

    bdc0558007ae526c7b3fb89d3ef013ca95393336b3d7d52e4b0f20a7e556852d72be3e15e031a5c6d357d1ab04b4faaa137a0ad228d52046b9f65879fc254515

  • SSDEEP

    6144:ySjaVUOYSlu6vaDcUB4Sv75o7Dr1LrYGf:dUUOa4ho5o7DB

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies data under HKEY_USERS 42 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ExplorerBlurMica\Release\ExplorerBlurMica.dll
    • Installs/modifies Browser Helper Object
    • Modifies registry class
    PID:2404
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3a19055 /state1:0x41c64e6d
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1796
  • C:\Windows\system32\bootim.exe
    bootim.exe /startpage:1
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3372
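Added triage script (not part of the sandbox report and not the ExplorerBlurMica project's own code): a read-only PowerShell check for the two registry-persistence signatures raised against the regsvr32 process above. It lists every Browser Helper Object CLSID, resolves each to its InprocServer32 DLL, records the Authenticode status and whether the DLL lives outside the Windows or Program Files trees, and separately lists per-user CLSIDs that shadow a machine-wide registration, which is the mechanism behind T1546.015. The BHO and CLSID key paths are the standard Windows locations; the function names and the "outside system directories" heuristic are this example's own choices.

```powershell
# Added example, not from the report: enumerate BHO registrations and
# HKCU CLSIDs that shadow HKLM ones. Read-only; run in an elevated shell.

$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-ClsidServer {
    # Return the InprocServer32 DLL for a CLSID. HKCU is consulted first because
    # COM itself prefers the per-user registration over the machine-wide one.
    param([string]$Clsid)
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($node in '', 'WOW6432Node\') {
            $key = "${hive}:\SOFTWARE\Classes\${node}CLSID\$Clsid\InprocServer32"
            if (Test-Path $key) {
                $default = (Get-ItemProperty -Path $key).'(default)'
                if ($default) {
                    return [PSCustomObject]@{
                        Hive = $hive
                        Path = [Environment]::ExpandEnvironmentVariables($default)
                    }
                }
            }
        }
    }
    return $null
}

function Get-BhoRegistration {
    # One row per registered BHO CLSID, with the DLL it resolves to.
    foreach ($bhoKey in $BhoKeys) {
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($sub in Get-ChildItem -Path $bhoKey) {
            $clsid  = $sub.PSChildName
            $server = Resolve-ClsidServer -Clsid $clsid
            $dll    = '<unresolved>'
            $hive   = $null
            $sig    = 'Unresolved'
            $outside = $false
            if ($server) {
                $dll  = $server.Path
                $hive = $server.Hive
                # Heuristic (this example's choice): a BHO DLL outside the Windows
                # or Program Files trees, e.g. under %TEMP%, is the first thing to look at.
                $outside = $dll -notmatch '^[A-Za-z]:\\(Windows|Program Files)'
                $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
            }
            [PSCustomObject]@{
                BhoKey        = $bhoKey
                Clsid         = $clsid
                ServerHive    = $hive
                Dll           = $dll
                Signature     = $sig
                OutsideSystem = $outside
            }
        }
    }
}

function Get-ComShadow {
    # Per-user CLSIDs with an InprocServer32 that also exist under HKLM:
    # the user-writable key silently overrides the machine-wide server.
    $userRoot = 'HKCU:\SOFTWARE\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return }
    foreach ($clsidKey in Get-ChildItem -Path $userRoot) {
        $userServer = "$($clsidKey.PSPath)\InprocServer32"
        if (-not (Test-Path $userServer)) { continue }
        $machineServer = "HKLM:\SOFTWARE\Classes\CLSID\$($clsidKey.PSChildName)\InprocServer32"
        if (-not (Test-Path $machineServer)) { continue }
        [PSCustomObject]@{
            Clsid      = $clsidKey.PSChildName
            UserDll    = (Get-ItemProperty -Path $userServer).'(default)'
            MachineDll = (Get-ItemProperty -Path $machineServer).'(default)'
        }
    }
}

Get-BhoRegistration | Format-Table -AutoSize
Get-ComShadow       | Format-Table -AutoSize
```

Both lists need triage rather than blind alerting: legitimate software registers per-user COM servers, and a signed BHO under Program Files is normal. The rows worth escalating are a BHO DLL with an invalid or missing signature or a path under a user-writable directory (the report's sample was registered from the user's Temp folder), and an HKCU/HKLM pair whose two DLL paths differ.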

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Event Triggered Execution (T1546) 1
    Component Object Model Hijacking (T1546.015) 1
    Browser Extensions (T1176) 1
  • Privilege Escalation
    Event Triggered Execution (T1546) 1
    Component Object Model Hijacking (T1546.015) 1
  • Defense Evasion
    Modify Registry (T1112) 1

Downloads

  • C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-423582142-4191893794-1888535462-1000\ReadOnly\LockScreen_Z\LockScreen___1280_0720_notdimmed.jpg
    Filesize

    62KB

    MD5

    6cb7e9f13c79d1dd975a8aa005ab0256

    SHA1

    eac7fc28cc13ac1e9c85f828215cd61f0c698ae3

    SHA256

    af2537d470fddbeda270c965b8dbdf7e9ccf480ed2f525012e2f1035112a6d67

    SHA512

    3a40359d8e4cc8792be78a022dc04daed5c1cc55d78fe9cf3e061ea5587baa15023ce2152238f5be5cc5124cd468f220cf9dab54344d93edd3dfcd400b24469d

  • C:\Windows\System32\Recovery\ReAgent.xml
    Filesize

    1KB

    MD5

    25eb124a25d0c568d2efa223f4d8ab32

    SHA1

    33d8982c67af3cd48888044ee72d7ee6d2a4bd92

    SHA256

    2e6c71e5f83309f13fa06a8d40b4f7d18dd063287b526314f421c21765787aac

    SHA512

    4a6c9b67b174f615f5ed9be36b5be474e409188062f0a55cd5c56d29e132d9a2e95f4ca84c666be38d3c03d3fd5d19c74fa370b32b779491a0a5b26cee596f44