40ba07f9761a6565642d7aae57f2f4622030e33fe80eb46a543446dcb8e3f1ca

Analysis

max time kernel
55s
max time network
43s
platform
windows7_x64
resource
win7v20201028
submitted
15-03-2021 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe
Size

818KB
MD5

d8e9c7825c9f7c3828ff4a579a965a8a
SHA1

8db1c5dcd2d583a6644f7e7d613837309b0092a5
SHA256

72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592
SHA512

9379b64c348f3b070cdf0a962ccd22f8ff7111fd0bbc7f242feca32cada3cb5ce46b132be1675705983f96e75146051ed2a84d36fe13bc7ac10fe89105a103b3

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1816	irsetup.exe
2024	WinCtrCon.exe
800	WinCtrProc.exe
1892	WinCtrCon.exe
1648	WinCtrProc.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral25/files/0x00040000000130dc-3.dat	upx
behavioral25/files/0x00040000000130dc-4.dat	upx
behavioral25/files/0x00040000000130dc-6.dat	upx
behavioral25/files/0x00040000000130dc-5.dat	upx
behavioral25/files/0x00040000000130dc-8.dat	upx
behavioral25/files/0x00040000000130dc-10.dat	upx

Loads dropped DLL 23 IoCs

pid	Process
1748	72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe
1748	72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe
1748	72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe
1748	72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe
1816	irsetup.exe
1816	irsetup.exe
2024	WinCtrCon.exe
2024	WinCtrCon.exe
2024	WinCtrCon.exe
2024	WinCtrCon.exe
2024	WinCtrCon.exe
2024	WinCtrCon.exe
2024	WinCtrCon.exe
800	WinCtrProc.exe
800	WinCtrProc.exe
800	WinCtrProc.exe
800	WinCtrProc.exe
1892	WinCtrCon.exe
1892	WinCtrCon.exe
1892	WinCtrCon.exe
1892	WinCtrCon.exe
1648	WinCtrProc.exe
1648	WinCtrProc.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinCtrCon = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrViewer\\Engin\\ProVersion\\WinCtrCon.exe -iDtkyI"	WinCtrProc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinCtrProc = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrViewer\\Engin\\ProVersion\\WinCtrProc.exe -iDtkyI"	WinCtrProc.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	irsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinCtrCon = "%ApplicationDataFolder%\\WinCtrView\\Engin\\ProVersion\\WinCtrCon.exe"	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinCtrProc = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrView\\Engin\\ProVersion\\WinCtrProc.exe -RmcTh"	WinCtrCon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinCtrCon = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrViewer\\Engin\\ProVersion\\WinCtrCon.exe -IdTKYiRRE"	WinCtrProc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinCtrProc = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrViewer\\Engin\\ProVersion\\WinCtrProc.exe -IdTKYiRRE"	WinCtrProc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinCtrProc = "%ApplicationDataFolder%\\WinCtrView\\Engin\\ProVersion\\WinCtrProc.exe"	irsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinCtrCon = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrView\\Engin\\ProVersion\\WinCtrCon.exe -RmcTh"	WinCtrCon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinCtrCon = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrViewer\\Engin\\ProVersion\\WinCtrCon.exe -fzqguF"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinCtrProc = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrViewer\\Engin\\ProVersion\\WinCtrProc.exe -fzqguF"	WinCtrCon.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSINET.OCX	irsetup.exe
File created	C:\Windows\SysWOW64\MSINET.OCX	irsetup.exe
File opened for modification	C:\Windows\SysWOW64\VB6KO.DLL	irsetup.exe
File created	C:\Windows\SysWOW64\VB6KO.DLL	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	WinCtrProc.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	WinCtrProc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1\ = "132497"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\ = "Internet Control URL Property Page Object"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSINET.OCX"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\ = "Internet Control General Property Page Object"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CurVer\ = "InetCtls.Inet.1"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID\ = "InetCtls.Inet.1"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSINET.OCX"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CurVer	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\ = "Microsoft Internet Transfer Control 6.0 (SP6)"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ThreadingModel = "Apartment"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version\ = "1.0"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32	WinCtrCon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ = "Microsoft Internet Transfer Control 6.0 (SP6)"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\ = "Microsoft Internet Transfer Control 6.0 (SP6)"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID	WinCtrCon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	WinCtrCon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID\ = "InetCtls.Inet"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Programmable	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSINET.OCX, 1"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32	WinCtrCon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1648	WinCtrProc.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1816	irsetup.exe
1816	irsetup.exe
2024	WinCtrCon.exe
800	WinCtrProc.exe
800	WinCtrProc.exe
800	WinCtrProc.exe
1892	WinCtrCon.exe
1648	WinCtrProc.exe
1648	WinCtrProc.exe
1648	WinCtrProc.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1816	1748	72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe	26
PID 1748 wrote to memory of 1816	1748	72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe	26
PID 1748 wrote to memory of 1816	1748	72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe	26
PID 1748 wrote to memory of 1816	1748	72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe	26
PID 1748 wrote to memory of 1816	1748	72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe	26
PID 1748 wrote to memory of 1816	1748	72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe	26
PID 1748 wrote to memory of 1816	1748	72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe	26
PID 1816 wrote to memory of 2024	1816	irsetup.exe	27
PID 1816 wrote to memory of 2024	1816	irsetup.exe	27
PID 1816 wrote to memory of 2024	1816	irsetup.exe	27
PID 1816 wrote to memory of 2024	1816	irsetup.exe	27
PID 2024 wrote to memory of 800	2024	WinCtrCon.exe	33
PID 2024 wrote to memory of 800	2024	WinCtrCon.exe	33
PID 2024 wrote to memory of 800	2024	WinCtrCon.exe	33
PID 2024 wrote to memory of 800	2024	WinCtrCon.exe	33
PID 800 wrote to memory of 1892	800	WinCtrProc.exe	35
PID 800 wrote to memory of 1892	800	WinCtrProc.exe	35
PID 800 wrote to memory of 1892	800	WinCtrProc.exe	35
PID 800 wrote to memory of 1892	800	WinCtrProc.exe	35
PID 1892 wrote to memory of 1648	1892	WinCtrCon.exe	37
PID 1892 wrote to memory of 1648	1892	WinCtrCon.exe	37
PID 1892 wrote to memory of 1648	1892	WinCtrCon.exe	37
PID 1892 wrote to memory of 1648	1892	WinCtrCon.exe	37

C:\Users\Admin\AppData\Local\Temp\72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe
"C:\Users\Admin\AppData\Local\Temp\72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:662050 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-293278959-2699126792-324916226-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrCon.exe
    C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrCon.exe /f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrProc.exe
      "C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrProc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:800
    - - C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrCon.exe
        
        C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrCon.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrProc.exe
        
        "C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrProc.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/436-25-0x000007FEF7160000-0x000007FEF73DA000-memory.dmp

Filesize
2.5MB

Download
memory/800-48-0x00000000029B0000-0x00000000029B4000-memory.dmp

Filesize
16KB

Download
memory/800-47-0x00000000004E0000-0x00000000004E4000-memory.dmp

Filesize
16KB

Download
memory/1748-2-0x0000000075EB1000-0x0000000075EB3000-memory.dmp

Filesize
8KB

Download
memory/1892-53-0x0000000000230000-0x0000000000234000-memory.dmp

Filesize
16KB

Download
memory/1892-54-0x0000000002870000-0x0000000002874000-memory.dmp

Filesize
16KB

Download
memory/2024-34-0x0000000002670000-0x0000000002674000-memory.dmp

Filesize
16KB

Download
memory/2024-33-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads