4f0afb62a9fdbb29421dd965640fbe4de1af3ac1206b2165fb3d54fffc1a95a5

Analysis

max time kernel
1778s
max time network
1787s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 11:21

Target

ExplorerBlurMica/Release/register.cmd
Size

247B
MD5

e513f1f7f4eb1851973b281b0595f117
SHA1

381e79bc136b3297cef997cc4df34538a1688b20
SHA256

41f3089fb799635a8aa0ed059d491ca78f143f0f111a9b52a00c168eca9507ac
SHA512

6d5d11592d871c52de76a30a9470b3933cd4e4531a7b77c73758fbe9269ac4635926d78d9f5178e26f5e25c4a0318e6cf0145a8c06affafcd626720a88abc27a

Score

7^/10

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

Modify Registry

Browser Extensions

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B44BD3C8-E597-4E08-AE43-246CE24698E7}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\NoInternetExplorer = "1"	regsvr32.exe

Modifies registry class 5 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\ = "ExplorerBlurMica BHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ExplorerBlurMica\\Release\\ExplorerBlurMica.dll"	regsvr32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1892 wrote to memory of 4652	1892	cmd.exe	fsutil.exe
PID 1892 wrote to memory of 4652	1892	cmd.exe	fsutil.exe
PID 1892 wrote to memory of 1604	1892	cmd.exe	regsvr32.exe
PID 1892 wrote to memory of 1604	1892	cmd.exe	regsvr32.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ExplorerBlurMica\Release\register.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1892