Analysis
- max time kernel: 45s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 18-05-2022 11:29

Static task: static1

Behavioral task: behavioral1
- Sample: a3ae4a0eda4309c7a8316f7a4b229f00.exe
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: a3ae4a0eda4309c7a8316f7a4b229f00.exe
- Resource: win10v2004-20220414-en (windows10-2004_x64)
- 0 signatures, 0 seconds
General
- Target: a3ae4a0eda4309c7a8316f7a4b229f00.exe
- Size: 20KB
- MD5: a3ae4a0eda4309c7a8316f7a4b229f00
- SHA1: d620bff1ee0117fddbc6ca3ccc730193d63b5f71
- SHA256: 8db302a49d05002f7e2abd3e8381a57fcd8f73d7580d7e2f1f4f3cd3c600345f
- SHA512: b2f72a653490a7cfc191bdf99469b709839e944fe43eb0f50ea36d52fb7e83486e5df2b58efa84947d5cb3a6bfd31b1941a740f9efeea69c9fac164e4e86a1fa
- Score: 10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs
-
Modifies system executable filetype association 2 TTPs 45 IoCs
Processes: reg.exe
-
Modifies Installed Components in the registry 2 TTPs
-
Sets file execution options in registry 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes: reg.exe
Keys deleted:
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Kills process with taskkill 1 IoCs
Processes: taskkill.exe (PID 2004)
-
Modifies Internet Explorer settings (signature name taken from the process tree below)
Processes: reg.exe
-
Modifies registry class 64 IoCs
Processes: reg.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: taskkill.exe (PID 2004), Token: SeDebugPrivilege
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: a3ae4a0eda4309c7a8316f7a4b229f00.exe (PID 780)
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes: a3ae4a0eda4309c7a8316f7a4b229f00.exe, cmd.exe
Source PID and process wrote to memory of target PID and process (each pair is recorded four times in the report):
- 780 a3ae4a0eda4309c7a8316f7a4b229f00.exe -> 896 cmd.exe
- 780 a3ae4a0eda4309c7a8316f7a4b229f00.exe -> 1684 reg.exe
- 780 a3ae4a0eda4309c7a8316f7a4b229f00.exe -> 996 reg.exe
- 780 a3ae4a0eda4309c7a8316f7a4b229f00.exe -> 1500 reg.exe
- 896 cmd.exe -> 2004 taskkill.exe
- 780 a3ae4a0eda4309c7a8316f7a4b229f00.exe -> 460 cmd.exe
- 460 cmd.exe -> 824 mountvol.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a3ae4a0eda4309c7a8316f7a4b229f00.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3ae4a0eda4309c7a8316f7a4b229f00.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd /c taskkill /f /im explorer.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (level 3)
      Command line: taskkill /f /im explorer.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\reg.exe (level 2)
    Command line: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes" /f
    - Modifies system executable filetype association
    - Modifies registry class
  - C:\Windows\SysWOW64\reg.exe (level 2)
    Command line: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide" /f
  - C:\Windows\SysWOW64\reg.exe (level 2)
    Command line: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft" /f
    - Adds Run key to start application
    - Modifies Internet Explorer settings
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd /c mountvol C: /d
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mountvol.exe (level 3)
      Command line: mountvol C: /d
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/460-61-0x0000000000000000-mapping.dmp
- memory/824-62-0x0000000000000000-mapping.dmp
- memory/896-56-0x0000000000000000-mapping.dmp
- memory/996-58-0x0000000000000000-mapping.dmp
- memory/1500-59-0x0000000000000000-mapping.dmp
- memory/1684-57-0x0000000000000000-mapping.dmp
- memory/2004-60-0x0000000000000000-mapping.dmp