Analysis
Max time kernel: 1778s
Max time network: 1787s
Platform: windows11-21h2_x64
Resource: win11-20240508-en
Resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 29-06-2024 11:21
Static task: static1
Behavioral task: behavioral1
  Sample: ExplorerBlurMica/Release/ExplorerBlurMica.dll
  Resource: win11-20240611-en
Behavioral task: behavioral2
  Sample: ExplorerBlurMica/Release/register.cmd
  Resource: win11-20240508-en
Behavioral task: behavioral3
  Sample: ExplorerBlurMica/Release/uninstall.cmd
  Resource: win11-20240611-en
General
Target: ExplorerBlurMica/Release/register.cmd
Size: 247B
MD5: e513f1f7f4eb1851973b281b0595f117
SHA1: 381e79bc136b3297cef997cc4df34538a1688b20
SHA256: 41f3089fb799635a8aa0ed059d491ca78f143f0f111a9b52a00c168eca9507ac
SHA512: 6d5d11592d871c52de76a30a9470b3933cd4e4531a7b77c73758fbe9269ac4635926d78d9f5178e26f5e25c4a0318e6cf0145a8c06affafcd626720a88abc27a
Malware Config
Signatures

Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer. Windows Explorer loads them as well, which is the loading path this DLL relies on to get into explorer.exe.
Process: regsvr32.exe
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B44BD3C8-E597-4E08-AE43-246CE24698E7}
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\NoInternetExplorer = "1"

Modifies registry class (5 IoCs)
Process: regsvr32.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\ = "ExplorerBlurMica BHO"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ExplorerBlurMica\\Release\\ExplorerBlurMica.dll"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\ThreadingModel = "Apartment"
Note that the machine-wide (HKLM) COM server points at a DLL inside one user's Temp directory: any process that can write to that profile can replace the DLL that explorer.exe will load.

Suspicious use of WriteProcessMemory (4 IoCs)
Process: cmd.exe
  PID 1892 (cmd.exe) wrote to memory of PID 4652 (fsutil.exe), twice
  PID 1892 (cmd.exe) wrote to memory of PID 1604 (regsvr32.exe), twice
The writer is the parent cmd.exe and the targets are the two children it spawned (see the process tree below). A parent writing into a child it has just created is part of ordinary process start-up, so on its own this signature carries little weight here.
Processes

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ExplorerBlurMica\Release\register.cmd"
  Signatures: Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\system32\fsutil.exe
  |     Command line: fsutil dirty query C:
  |     (fsutil dirty query needs administrator rights, so batch scripts commonly run it to test whether they are elevated before doing machine-wide work such as the HKLM registration below)
  |
  +-- C:\Windows\system32\regsvr32.exe
        Command line: regsvr32 "C:\Users\Admin\AppData\Local\Temp\ExplorerBlurMica\Release\ExplorerBlurMica.dll"
        Signatures: Installs/modifies Browser Helper Object; Modifies registry class
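Because the sandbox saw a machine-wide BHO whose COM server is a DLL under a user's Temp directory, the natural follow-up on a host is to enumerate BHO registrations and check where each CLSID's InProcServer32 actually points. The PowerShell below is an added example written for this page; it is not code from ExplorerBlurMica or from the sandbox. The list of user-writable directories, the flagging rules and the function names (Resolve-InProcServer32, Get-BhoFindings) are assumptions chosen for illustration, not anything the report defines.

```powershell
# Added example (not from ExplorerBlurMica or the sandbox report): audit registered
# Browser Helper Objects, resolve each CLSID to its COM server DLL and flag the
# properties a sandbox would flag. The "user-writable" list and the flagging rules
# are assumptions chosen for illustration. Windows only; read-only.

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Directories an unprivileged user can write to. A machine-wide COM server that
# lives here (like the sample's ...\AppData\Local\Temp\...\ExplorerBlurMica.dll)
# can be swapped by anyone who controls that profile. Assumed list; extend as needed.
$userWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP,
                  "$env:USERPROFILE\Downloads", 'C:\Users\Public') | Where-Object { $_ }

function Resolve-InProcServer32 {
    param([Parameter(Mandatory)][string]$Clsid)
    # HKCR merges HKCU\Software\Classes ahead of HKLM\Software\Classes, so a per-user
    # CLSID entry silently overrides the machine-wide one. That precedence is what
    # COM hijacking abuses; check HKCU first and report which hive answered.
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($sub in 'SOFTWARE\Classes\CLSID', 'SOFTWARE\Classes\WOW6432Node\CLSID') {
            $key = "${hive}:\$sub\$Clsid\InProcServer32"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $server = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ([string]::IsNullOrWhiteSpace($server)) { continue }
            return [pscustomobject]@{
                Hive = $hive
                Key  = $key
                Path = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
            }
        }
    }
    return $null
}

function Get-BhoFindings {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $root) {
            $clsid   = $entry.PSChildName
            $props   = Get-ItemProperty -LiteralPath $entry.PSPath
            $server  = Resolve-InProcServer32 -Clsid $clsid
            $reasons = [System.Collections.Generic.List[string]]::new()

            if (-not $server) {
                # A BHO entry whose CLSID has no server: dead, or waiting to be hijacked.
                $reasons.Add('CLSID has no InProcServer32 (dangling, hijackable)')
            } else {
                if ($server.Hive -eq 'HKCU') { $reasons.Add('CLSID resolved via HKCU (per-user COM override)') }
                if (-not (Test-Path -LiteralPath $server.Path)) {
                    $reasons.Add("server DLL missing on disk: $($server.Path)")
                } else {
                    $dir = $userWritable |
                        Where-Object { $server.Path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) } |
                        Select-Object -First 1
                    if ($dir) { $reasons.Add("server DLL under user-writable path $dir") }
                    $sig = Get-AuthenticodeSignature -LiteralPath $server.Path
                    if ($sig.Status -ne 'Valid') { $reasons.Add("Authenticode status $($sig.Status)") }
                }
            }

            [pscustomobject]@{
                Clsid              = $clsid
                RegisteredIn       = $root
                Server             = if ($server) { $server.Path } else { $null }
                NoExplorer         = $props.NoExplorer          # 1 = Windows Explorer skips this BHO
                NoInternetExplorer = $props.NoInternetExplorer  # the sample sets this to 1
                Flags              = $reasons -join '; '
            }
        }
    }
}

# Flagged entries first; an empty Flags column means nothing in this audit objected.
Get-BhoFindings | Sort-Object { [string]::IsNullOrEmpty($_.Flags) } | Format-Table -AutoSize -Wrap
```

On a host where this register.cmd has run, the entry for {B44BD3C8-E597-4E08-AE43-246CE24698E7} is flagged for living under %LOCALAPPDATA%\Temp and for whatever Authenticode status the DLL has. The HKCU-first resolution is there because the report's COM-hijacking signature is about exactly that override: a user who can write HKCU\Software\Classes can redirect an HKLM-registered CLSID to a different DLL without touching the BHO key at all, so an audit that only reads HKLM would miss it.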