40ba07f9761a6565642d7aae57f2f4622030e33fe80eb46a543446dcb8e3f1ca

Analysis

max time kernel
140s
max time network
142s
platform
windows10_x64
resource
win10v20201028
submitted
15-03-2021 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe
Size

818KB
MD5

d8e9c7825c9f7c3828ff4a579a965a8a
SHA1

8db1c5dcd2d583a6644f7e7d613837309b0092a5
SHA256

72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592
SHA512

9379b64c348f3b070cdf0a962ccd22f8ff7111fd0bbc7f242feca32cada3cb5ce46b132be1675705983f96e75146051ed2a84d36fe13bc7ac10fe89105a103b3

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

irsetup.exeWinCtrCon.exeWinCtrProc.exeWinCtrCon.exeWinCtrProc.exe

pid	Process
2148	irsetup.exe
1196	WinCtrCon.exe
4500	WinCtrProc.exe
904	WinCtrCon.exe
1248	WinCtrProc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral26/files/0x000200000001ab35-3.dat	upx
behavioral26/files/0x000200000001ab35-4.dat	upx

Loads dropped DLL 9 IoCs

Processes:

WinCtrCon.exeWinCtrProc.exeWinCtrCon.exeWinCtrProc.exe

pid	Process
1196	WinCtrCon.exe
1196	WinCtrCon.exe
1196	WinCtrCon.exe
4500	WinCtrProc.exe
4500	WinCtrProc.exe
904	WinCtrCon.exe
904	WinCtrCon.exe
1248	WinCtrProc.exe
1248	WinCtrProc.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

irsetup.exeWinCtrCon.exeWinCtrCon.exeWinCtrProc.exeWinCtrProc.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinCtrCon = "%ApplicationDataFolder%\\WinCtrView\\Engin\\ProVersion\\WinCtrCon.exe"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinCtrProc = "%ApplicationDataFolder%\\WinCtrView\\Engin\\ProVersion\\WinCtrProc.exe"	irsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinCtrCon = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrView\\Engin\\ProVersion\\WinCtrCon.exe -jEulzJ"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinCtrProc = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrView\\Engin\\ProVersion\\WinCtrProc.exe -jEulzJ"	WinCtrCon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinCtrCon = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrViewer\\Engin\\ProVersion\\WinCtrCon.exe -FaQHVfON"	WinCtrCon.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	irsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinCtrCon = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrViewer\\Engin\\ProVersion\\WinCtrCon.exe -rMCtHRA"	WinCtrProc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinCtrProc = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrViewer\\Engin\\ProVersion\\WinCtrProc.exe -rMCtHRA"	WinCtrProc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinCtrProc = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrViewer\\Engin\\ProVersion\\WinCtrProc.exe -FaQHVfON"	WinCtrCon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinCtrCon = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrViewer\\Engin\\ProVersion\\WinCtrCon.exe -mHxoCMv"	WinCtrProc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinCtrProc = "C:\\Users\\Admin\\AppData\\Roaming\\WinCtrViewer\\Engin\\ProVersion\\WinCtrProc.exe -mHxoCMv"	WinCtrProc.exe

Drops file in System32 directory 4 IoCs

Processes:

irsetup.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSINET.OCX	irsetup.exe
File created	C:\Windows\SysWOW64\MSINET.OCX	irsetup.exe
File opened for modification	C:\Windows\SysWOW64\VB6KO.DLL	irsetup.exe
File created	C:\Windows\SysWOW64\VB6KO.DLL	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

WinCtrCon.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\ = "0"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version\ = "1.0"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\ = "Internet Control General Property Page Object"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSINET.OCX"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\ = "Microsoft Internet Transfer Control 6.0 (SP6)"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\ = "Internet Control URL Property Page Object"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Programmable	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID\ = "InetCtls.Inet"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Control	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS\ = "2"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CurVer\ = "InetCtls.Inet.1"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1\ = "132497"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSINET.OCX"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR\	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSINET.OCX, 1"	WinCtrCon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	WinCtrCon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ = "Microsoft Internet Transfer Control 6.0 (SP6)"	WinCtrCon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ThreadingModel = "Apartment"	WinCtrCon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID	WinCtrCon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WinCtrProc.exe

pid	Process
1248	WinCtrProc.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

irsetup.exeWinCtrCon.exeWinCtrProc.exeWinCtrCon.exeWinCtrProc.exe

pid	Process
2148	irsetup.exe
2148	irsetup.exe
2148	irsetup.exe
1196	WinCtrCon.exe
1196	WinCtrCon.exe
4500	WinCtrProc.exe
4500	WinCtrProc.exe
4500	WinCtrProc.exe
4500	WinCtrProc.exe
904	WinCtrCon.exe
904	WinCtrCon.exe
1248	WinCtrProc.exe
1248	WinCtrProc.exe
1248	WinCtrProc.exe
1248	WinCtrProc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exeirsetup.exeWinCtrCon.exeWinCtrProc.exeWinCtrCon.exe

description	pid	Process	procid_target
PID 4724 wrote to memory of 2148	4724	72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe	74
PID 4724 wrote to memory of 2148	4724	72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe	74
PID 4724 wrote to memory of 2148	4724	72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe	74
PID 2148 wrote to memory of 1196	2148	irsetup.exe	77
PID 2148 wrote to memory of 1196	2148	irsetup.exe	77
PID 2148 wrote to memory of 1196	2148	irsetup.exe	77
PID 1196 wrote to memory of 4500	1196	WinCtrCon.exe	82
PID 1196 wrote to memory of 4500	1196	WinCtrCon.exe	82
PID 1196 wrote to memory of 4500	1196	WinCtrCon.exe	82
PID 4500 wrote to memory of 904	4500	WinCtrProc.exe	83
PID 4500 wrote to memory of 904	4500	WinCtrProc.exe	83
PID 4500 wrote to memory of 904	4500	WinCtrProc.exe	83
PID 904 wrote to memory of 1248	904	WinCtrCon.exe	84
PID 904 wrote to memory of 1248	904	WinCtrCon.exe	84
PID 904 wrote to memory of 1248	904	WinCtrCon.exe	84

C:\Users\Admin\AppData\Local\Temp\72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe
"C:\Users\Admin\AppData\Local\Temp\72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:662050 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-3341490333-719741536-2920803124-1000"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrCon.exe
    C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrCon.exe /f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrProc.exe
      "C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrProc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrCon.exe
        
        C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrCon.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:904
      - C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrProc.exe
        
        "C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrProc.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5
3fe7c92dba5c9240b4ab0d6a87e6166a

SHA1
7980d7dffc073515b621834246dda33ab00c308d

SHA256
a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

SHA512
bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5
3fe7c92dba5c9240b4ab0d6a87e6166a

SHA1
7980d7dffc073515b621834246dda33ab00c308d

SHA256
a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

SHA512
bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

Download Submit
C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrCon.exe

MD5
728d3e7e8e7b918bb8d83c5cdb3ed061

SHA1
594cabd994999254c6846cd44fedc5d04a89cc58

SHA256
306b2e980349841e046ba0d7848a8edb61817bcf2bac951f60f43937eaf851d6

SHA512
ccf7e8ed9327b97bddd909505025266e783cbc476a43e51a23c4fccff12c9be84a1ef55b1c364dc3f06dafdc264b63c8052eb57ee0bfb408ef093482a0a48f85

Download Submit
C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrCon.exe

MD5
728d3e7e8e7b918bb8d83c5cdb3ed061

SHA1
594cabd994999254c6846cd44fedc5d04a89cc58

SHA256
306b2e980349841e046ba0d7848a8edb61817bcf2bac951f60f43937eaf851d6

SHA512
ccf7e8ed9327b97bddd909505025266e783cbc476a43e51a23c4fccff12c9be84a1ef55b1c364dc3f06dafdc264b63c8052eb57ee0bfb408ef093482a0a48f85

Download Submit
C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrProc.exe

MD5
20f64feed2eaa16a0a8427c93b0b8b53

SHA1
c9c66705e6327f228d0fd9424a5f00e174920800

SHA256
55313fcdb695884cb1e9eec8b930c6ed24c997008d86964283528f7077d115a9

SHA512
11aab7807e2993bc8074e24898e4973dfd2d9fb5f86ca5e3adf9dcab48d3deef3c14e2c1306df303b6c0e0ea9dbf1189b146edf12db9a7456ddb596f1dc8faa9

Download Submit
C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrProc.exe

MD5
20f64feed2eaa16a0a8427c93b0b8b53

SHA1
c9c66705e6327f228d0fd9424a5f00e174920800

SHA256
55313fcdb695884cb1e9eec8b930c6ed24c997008d86964283528f7077d115a9

SHA512
11aab7807e2993bc8074e24898e4973dfd2d9fb5f86ca5e3adf9dcab48d3deef3c14e2c1306df303b6c0e0ea9dbf1189b146edf12db9a7456ddb596f1dc8faa9

Download Submit
C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrCon.exe

MD5
ac592309ec6a3aa4dd5b7f4ba88d4d30

SHA1
ec17167f3013b5d0a8b9d41e02703265165c479a

SHA256
c0fa7618675972ceeecd2a0e0fc55044806d9b7786429a31414af7b92ffcee7a

SHA512
4c558de17eb6afeb8cde765d0f4a26721d0ea5e2bf55dec2e55d81bd432588665fcd408590271a61ce2bbfca9464d7c09d58b2d582da1120dbb048ed84ce9331

Download Submit
C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrCon.exe

MD5
ac592309ec6a3aa4dd5b7f4ba88d4d30

SHA1
ec17167f3013b5d0a8b9d41e02703265165c479a

SHA256
c0fa7618675972ceeecd2a0e0fc55044806d9b7786429a31414af7b92ffcee7a

SHA512
4c558de17eb6afeb8cde765d0f4a26721d0ea5e2bf55dec2e55d81bd432588665fcd408590271a61ce2bbfca9464d7c09d58b2d582da1120dbb048ed84ce9331

Download Submit
C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrProc.exe

MD5
20f64feed2eaa16a0a8427c93b0b8b53

SHA1
c9c66705e6327f228d0fd9424a5f00e174920800

SHA256
55313fcdb695884cb1e9eec8b930c6ed24c997008d86964283528f7077d115a9

SHA512
11aab7807e2993bc8074e24898e4973dfd2d9fb5f86ca5e3adf9dcab48d3deef3c14e2c1306df303b6c0e0ea9dbf1189b146edf12db9a7456ddb596f1dc8faa9

Download Submit
C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrProc.exe

MD5
20f64feed2eaa16a0a8427c93b0b8b53

SHA1
c9c66705e6327f228d0fd9424a5f00e174920800

SHA256
55313fcdb695884cb1e9eec8b930c6ed24c997008d86964283528f7077d115a9

SHA512
11aab7807e2993bc8074e24898e4973dfd2d9fb5f86ca5e3adf9dcab48d3deef3c14e2c1306df303b6c0e0ea9dbf1189b146edf12db9a7456ddb596f1dc8faa9

Download Submit
C:\Windows\SysWOW64\MSINET.OCX

MD5
90a39346e9b67f132ef133725c487ff6

SHA1
9cd22933f628465c863bed7895d99395acaa5d2a

SHA256
e55627932120be87c7950383a75a5712b0ff2c00b8d18169195ad35bc2502fc2

SHA512
0337817b9194a10b946d7381a84a2aeefd21445986afef1b9ae5a52921e598cdb0d1a576bdf8391f1ebf8be74950883a6f50ad1f61ff08678782c6b05a18adbf

Download Submit
C:\Windows\SysWOW64\vb6ko.dll

MD5
84742b5754690ed667372be561cf518d

SHA1
ef97aa43f804f447498568fc33704800b91a7381

SHA256
52b64e2bfc9ee0b807f2095726ace9e911bcd907054ac15686a4e7d2fd4dc751

SHA512
72ac19a3665a01519dac2ad43eb6178a66ad7f4e167f2a882cbca242978f8debe3e15d0e210c3b0391590699999f33a1fd5de4ca6559ff894b4e6cb4ac1415a0

Download Submit
\Windows\SysWOW64\MSINET.OCX

MD5
90a39346e9b67f132ef133725c487ff6

SHA1
9cd22933f628465c863bed7895d99395acaa5d2a

SHA256
e55627932120be87c7950383a75a5712b0ff2c00b8d18169195ad35bc2502fc2

SHA512
0337817b9194a10b946d7381a84a2aeefd21445986afef1b9ae5a52921e598cdb0d1a576bdf8391f1ebf8be74950883a6f50ad1f61ff08678782c6b05a18adbf

Download Submit
\Windows\SysWOW64\MSINET.OCX

MD5
90a39346e9b67f132ef133725c487ff6

SHA1
9cd22933f628465c863bed7895d99395acaa5d2a

SHA256
e55627932120be87c7950383a75a5712b0ff2c00b8d18169195ad35bc2502fc2

SHA512
0337817b9194a10b946d7381a84a2aeefd21445986afef1b9ae5a52921e598cdb0d1a576bdf8391f1ebf8be74950883a6f50ad1f61ff08678782c6b05a18adbf

Download Submit
\Windows\SysWOW64\MSINET.OCX

MD5
90a39346e9b67f132ef133725c487ff6

SHA1
9cd22933f628465c863bed7895d99395acaa5d2a

SHA256
e55627932120be87c7950383a75a5712b0ff2c00b8d18169195ad35bc2502fc2

SHA512
0337817b9194a10b946d7381a84a2aeefd21445986afef1b9ae5a52921e598cdb0d1a576bdf8391f1ebf8be74950883a6f50ad1f61ff08678782c6b05a18adbf

Download Submit
\Windows\SysWOW64\MSINET.OCX

MD5
90a39346e9b67f132ef133725c487ff6

SHA1
9cd22933f628465c863bed7895d99395acaa5d2a

SHA256
e55627932120be87c7950383a75a5712b0ff2c00b8d18169195ad35bc2502fc2

SHA512
0337817b9194a10b946d7381a84a2aeefd21445986afef1b9ae5a52921e598cdb0d1a576bdf8391f1ebf8be74950883a6f50ad1f61ff08678782c6b05a18adbf

Download Submit
\Windows\SysWOW64\MSINET.OCX

MD5
90a39346e9b67f132ef133725c487ff6

SHA1
9cd22933f628465c863bed7895d99395acaa5d2a

SHA256
e55627932120be87c7950383a75a5712b0ff2c00b8d18169195ad35bc2502fc2

SHA512
0337817b9194a10b946d7381a84a2aeefd21445986afef1b9ae5a52921e598cdb0d1a576bdf8391f1ebf8be74950883a6f50ad1f61ff08678782c6b05a18adbf

Download Submit
\Windows\SysWOW64\VB6KO.DLL

MD5
84742b5754690ed667372be561cf518d

SHA1
ef97aa43f804f447498568fc33704800b91a7381

SHA256
52b64e2bfc9ee0b807f2095726ace9e911bcd907054ac15686a4e7d2fd4dc751

SHA512
72ac19a3665a01519dac2ad43eb6178a66ad7f4e167f2a882cbca242978f8debe3e15d0e210c3b0391590699999f33a1fd5de4ca6559ff894b4e6cb4ac1415a0

Download Submit
\Windows\SysWOW64\VB6KO.DLL

MD5
84742b5754690ed667372be561cf518d

SHA1
ef97aa43f804f447498568fc33704800b91a7381

SHA256
52b64e2bfc9ee0b807f2095726ace9e911bcd907054ac15686a4e7d2fd4dc751

SHA512
72ac19a3665a01519dac2ad43eb6178a66ad7f4e167f2a882cbca242978f8debe3e15d0e210c3b0391590699999f33a1fd5de4ca6559ff894b4e6cb4ac1415a0

Download Submit
\Windows\SysWOW64\VB6KO.DLL

MD5
84742b5754690ed667372be561cf518d

SHA1
ef97aa43f804f447498568fc33704800b91a7381

SHA256
52b64e2bfc9ee0b807f2095726ace9e911bcd907054ac15686a4e7d2fd4dc751

SHA512
72ac19a3665a01519dac2ad43eb6178a66ad7f4e167f2a882cbca242978f8debe3e15d0e210c3b0391590699999f33a1fd5de4ca6559ff894b4e6cb4ac1415a0

Download Submit
\Windows\SysWOW64\VB6KO.DLL

MD5
84742b5754690ed667372be561cf518d

SHA1
ef97aa43f804f447498568fc33704800b91a7381

SHA256
52b64e2bfc9ee0b807f2095726ace9e911bcd907054ac15686a4e7d2fd4dc751

SHA512
72ac19a3665a01519dac2ad43eb6178a66ad7f4e167f2a882cbca242978f8debe3e15d0e210c3b0391590699999f33a1fd5de4ca6559ff894b4e6cb4ac1415a0

Download Submit
memory/904-27-0x0000000000000000-mapping.dmp

Download
memory/904-30-0x0000000073D10000-0x0000000073DA3000-memory.dmp

Filesize
588KB

Download
memory/1196-8-0x0000000000000000-mapping.dmp

Download
memory/1196-11-0x0000000073D10000-0x0000000073DA3000-memory.dmp

Filesize
588KB

Download
memory/1248-35-0x0000000000000000-mapping.dmp

Download
memory/1248-38-0x0000000073D10000-0x0000000073DA3000-memory.dmp

Filesize
588KB

Download
memory/2148-2-0x0000000000000000-mapping.dmp

Download
memory/2148-5-0x0000000073D10000-0x0000000073DA3000-memory.dmp

Filesize
588KB

Download
memory/4500-22-0x0000000073D10000-0x0000000073DA3000-memory.dmp

Filesize
588KB

Download
memory/4500-19-0x0000000000000000-mapping.dmp

Download