Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 08:36
- Static task: static1 (1 signature)
- Behavioral task: behavioral1, sample cobranca2avia.exe, resource win7-20240611-en, 5 signatures, 150 seconds
General
- Target: cobranca2avia.exe
- Size: 164KB
- MD5: 1e4ba71f5777eb7b795d87662e254229
- SHA1: 78b02858242e42bc6296a2e14d2b71ebb151fbf1
- SHA256: b062652846f437d6f1f6e76111ab585d0ce86f505044f8bb1b56ccc3f7eddf98
- SHA512: 6656a02285394ca104868e5ff43d7372279c7bc7a60a1cbe235169865cc0cef636730ad2b94bc95e2aac2b3be2469aacac363bfdda9969c530d12e2e310033d6
- SSDEEP: 3072:wunq34X99GHLAHSr63EhwNJ1hglL0i2L35BmpJMFfx0VT5cJR9ruoWxbE:wunqksrAHr3oQHi2qoFfx0VT5cJR9ioW
Malware Config
Signatures

Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer. The keys below are under WOW6432Node because the sample is a 32-bit process on 64-bit Windows and its HKLM\SOFTWARE writes are redirected there; a hunt for BHO persistence therefore has to cover both the native key and its WOW6432Node view.
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ (cobranca2avia.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ (cobranca2avia.exe)

Drops file in Windows directory (1 IoC)
Processes:
- File opened for modification: C:\Windows\bhpk4375.dll (cobranca2avia.exe)
The DLL is written directly into C:\Windows rather than System32/SysWOW64; it is the file later passed to regsvr32.exe in the process tree.

Modifies registry class (2 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\PerkyNews.clsPerkyNews\Clsid (cobranca2avia.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\PerkyNews.clsPerkyNews (cobranca2avia.exe)
These are a COM ProgID and its CLSID mapping, the registration a BHO needs before Internet Explorer will load it.

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 4372 (cobranca2avia.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 4372 (cobranca2avia.exe) wrote to memory of PID 1424 (cmd.exe), 3 events
- PID 1424 (cmd.exe) wrote to memory of PID 5076 (reg.exe), 3 events
- PID 4372 (cobranca2avia.exe) wrote to memory of PID 1316 (regsvr32.exe), 3 events
Every target is a direct child of the writer (see the process tree), so these writes are consistent with process creation rather than injection into an unrelated process.
Processes
(PIDs taken from the WriteProcessMemory IoCs above)

C:\Users\Admin\AppData\Local\Temp\cobranca2avia.exe (PID 4372)
  command line: "C:\Users\Admin\AppData\Local\Temp\cobranca2avia.exe"
  - Installs/modifies Browser Helper Object
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 1424, child of 4372)
    command line: C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (PID 5076, child of 1424)
      command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

  C:\Windows\SysWOW64\regsvr32.exe (PID 1316, child of 4372)
    command line: regsvr32.exe /s C:\Windows\bhpk4375.dll

Notes on the tree: the parent asks for System32\cmd.exe and System32\reg.exe but the children run from SysWOW64, which is WOW64 file system redirection for a 32-bit parent. Setting EnableLUA to 0 turns UAC off system-wide once the machine reboots; the write to HKLM succeeds here because the sandbox runs the sample as the Admin user, and on a standard-user host it would fail. regsvr32 /s silently calls the dropped DLL's DllRegisterServer, which is how a BHO DLL gets its COM registration without any user-visible prompt.
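As an added example that is not part of the sandbox report, the following Python turns the behaviours listed above (UAC disabled through reg.exe, silent regsvr32 of a DLL dropped in C:\Windows, BHO and ProgID registry writes) into hunting logic and replays it over constructed process-creation and registry events that mirror the report's process tree. The PIDs, images and command lines are the report's; the event record layout, the sample's own parent PID, the benign regsvr32 control event and the EnableLUA value write attributed to reg.exe are assumptions made for the example.

```python
"""Added example, not part of the sandbox report: hunting logic for the
behaviours recorded for cobranca2avia.exe, replayed over constructed events."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as executed (after WOW64 redirection)
    cmdline: str    # command line as requested by the parent

@dataclass(frozen=True)
class RegEvent:
    pid: int
    path: str       # registry key/value path as an EDR or Sysmon would log it

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def tokens(cmdline: str) -> list:
    """Whitespace split is enough: no command line on this page has a quoted
    path containing spaces. Quotes are stripped and case is folded."""
    return [t.strip('"').lower() for t in cmdline.split()]

def is_uac_disable(cmdline: str) -> bool:
    """reg[.exe] ADD ...\\Policies\\System /v EnableLUA ... /d 0"""
    t = tokens(cmdline)
    if not any(x == "reg" or x.endswith("reg.exe") for x in t) or "add" not in t:
        return False
    if not any(x.endswith("policies\\system") for x in t):
        return False
    try:
        return t[t.index("/v") + 1] == "enablelua" and t[t.index("/d") + 1] == "0"
    except (ValueError, IndexError):
        return False

def is_suspicious_regsvr32(cmdline: str) -> bool:
    """regsvr32 registering a DLL under C:\\Windows but outside the real system
    directories, as with C:\\Windows\\bhpk4375.dll in the report."""
    t = tokens(cmdline)
    if not t or not t[0].endswith("regsvr32.exe"):
        return False
    return any(a.endswith(".dll") and a.startswith("c:\\windows\\")
               and not a.startswith(SYSTEM_DIRS) for a in t[1:])

# WOW6432Node is optional so the 32-bit view (this sample) and the 64-bit view both match.
_BHO = re.compile(r"\\(wow6432node\\)?microsoft\\windows\\currentversion\\explorer\\browser helper objects", re.I)
_UAC = re.compile(r"\\policies\\system\\enablelua$", re.I)
_PROGID_CLSID = re.compile(r"\\classes\\[^\\]+\\clsid$", re.I)

def classify_registry(path: str) -> Optional[str]:
    if _BHO.search(path):
        return "bho_registration"
    if _UAC.search(path):
        return "uac_disabled"
    if _PROGID_CLSID.search(path):
        return "com_progid_registration"
    return None

def ancestry(pid: int, procs) -> str:
    """'root > ... > leaf' chain of image names, so a hit shows who spawned it."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return " > ".join(reversed(chain))

def triage(procs, regs):
    findings = []
    for p in procs:
        if is_uac_disable(p.cmdline):
            findings.append(("uac_disable_cmdline", p.pid, ancestry(p.pid, procs)))
        if is_suspicious_regsvr32(p.cmdline):
            findings.append(("regsvr32_nonsystem_dll", p.pid, ancestry(p.pid, procs)))
    for r in regs:
        label = classify_registry(r.path)
        if label:
            findings.append((label, r.pid, ancestry(r.pid, procs)))
    return findings

# Constructed sample events mirroring the report's process tree. The sample's
# parent PID 1000, the benign regsvr32 control (PID 2000) and the EnableLUA
# value write attributed to reg.exe are assumptions, not sandbox output.
EVENTS = [
    ProcEvent(4372, 1000, r"C:\Users\Admin\AppData\Local\Temp\cobranca2avia.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\cobranca2avia.exe"'),
    ProcEvent(1424, 4372, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    ProcEvent(5076, 1424, r"C:\Windows\SysWOW64\reg.exe",
              r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    ProcEvent(1316, 4372, r"C:\Windows\SysWOW64\regsvr32.exe", r"regsvr32.exe /s C:\Windows\bhpk4375.dll"),
    ProcEvent(2000, 900, r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\scrrun.dll"),
]
REG_EVENTS = [
    RegEvent(4372, "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\"),
    RegEvent(4372, r"HKLM\SOFTWARE\Classes\PerkyNews.clsPerkyNews\Clsid"),
    RegEvent(5076, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
]

if __name__ == "__main__":
    for label, pid, chain in triage(EVENTS, REG_EVENTS):
        print(f"{label:26} pid={pid:<5} {chain}")
```

The UAC rule fires on both cmd.exe (PID 1424) and reg.exe (PID 5076) because the whole reg command is carried in cmd's /k argument; that is intended, since some EDRs only record the outer command line. The benign control shows why the regsvr32 rule keys on the DLL's directory rather than on regsvr32 /s itself, which is routine on a healthy host.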