5c72f5bf2089611197f6ba92a8e3bc80597f18a691bec537ef9efcd4209f28e4

Analysis

max time kernel
30s
max time network
47s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
01-08-2022 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ngonesuporte.exe
Size

272KB
MD5

c100cd2853800616d64a55046bf5a2d0
SHA1

5097a87282bb966e18d58619abb451548b04605a
SHA256

7e36be29f4a4d5a27663a852e2498337866784f9938ce44d363021a3db705275
SHA512

9c9888ea8f91202f849cfea794cec55b46cac739a8ee6a2a771b8e528e298ffa40a9c0092011caf24917340232bff462a9654cf41b00388e68fea158aa975658

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82D36DCC-192B-47B4-AC01-1E161F59A372}\Implemented Categories	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55B2F830-B229-417D-B7AA-840EAB22993C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A29B3E4E-1C2A-408D-BD81-D2CA1731F2D0}\TypeLib	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{140530D7-EE85-4F4C-9AFF-4F0BB0C18B05}\TypeLib\ = "{BB3EA3EE-CD7E-4BCC-8612-F116A2E122D1}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{671A5DF5-31B9-43AE-A5A2-210D6E5D049C}\ProxyStubClsid32	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5720FE6F-2393-4ADA-9EDC-EE6469887762}\ProxyStubClsid	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NGOneSuporte.clsEvento\Clsid\ = "{82D36DCC-192B-47B4-AC01-1E161F59A372}"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{BB3EA3EE-CD7E-4BCC-8612-F116A2E122D1}\1.6\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngonesuporte.exe"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{283384B1-2D98-4165-B300-B4A5533E3867}\ = "_clsBarraProgressao"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0EAD34F-A4D9-42C6-85AB-7BBEB989DCA8}\ProxyStubClsid32	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B822A9D-E820-4150-958E-CABEA99BA796}\ = "NGOneSuporte.clsBarraProgressao"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CB6224D9-5A48-4353-9919-1C28836D7717}\ = "clsRelFiscalSAP"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15D84DD1-DAB9-4E29-A9F0-4E1E48511FC6}\LocalServer32	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7136F0A-8D97-4F16-A2BB-8DC509873F4E}\ = "NGOneSuporte.clsRelFiscalSAP"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DB1AF44-67EC-4F7A-B7B5-A1B18CB6213E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E3CDAC5-DEF6-497D-A9EA-95628BF051BE}\ProxyStubClsid32	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C941D0EC-662F-4996-97FA-919CF328CB89}\TypeLib\ = "{BB3EA3EE-CD7E-4BCC-8612-F116A2E122D1}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF6A90F2-E3CE-4714-B6DD-5D3890F85E07}\TypeLib	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F8A5F80-7A7D-4A7D-B72C-AF3446835D02}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{140530D7-EE85-4F4C-9AFF-4F0BB0C18B05}\ = "__clsImportacaoDadosSAP"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2AD9097-8BB2-446A-9DA6-DEF7F78ABA02}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4384B3C1-BC73-42F2-A7A4-E680A9749666}\ProxyStubClsid32	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A29B3E4E-1C2A-408D-BD81-D2CA1731F2D0}\TypeLib\ = "{BB3EA3EE-CD7E-4BCC-8612-F116A2E122D1}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{724E1D47-CCDB-40C8-9534-2AA32C3F0EE2}\VERSION	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8332BDEE-A81B-42DC-A28F-B9EC03B85723}\ = "NGOneSuporte.clsTela"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F8A5F80-7A7D-4A7D-B72C-AF3446835D02}\ProxyStubClsid32	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DB1AF44-67EC-4F7A-B7B5-A1B18CB6213E}\ProxyStubClsid32	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C39676A-1010-4E5C-860D-3C1C7505A71A}\VERSION\ = "1.6"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{BB3EA3EE-CD7E-4BCC-8612-F116A2E122D1}\1.6	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A29B3E4E-1C2A-408D-BD81-D2CA1731F2D0}\ProxyStubClsid32	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A29B3E4E-1C2A-408D-BD81-D2CA1731F2D0}\TypeLib\Version = "1.6"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0EAD34F-A4D9-42C6-85AB-7BBEB989DCA8}\Forward\ = "{AF6A90F2-E3CE-4714-B6DD-5D3890F85E07}"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF6A90F2-E3CE-4714-B6DD-5D3890F85E07}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15D84DD1-DAB9-4E29-A9F0-4E1E48511FC6}\TypeLib	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E3CDAC5-DEF6-497D-A9EA-95628BF051BE}\TypeLib\ = "{BB3EA3EE-CD7E-4BCC-8612-F116A2E122D1}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA86C911-3256-4AA6-9C06-027395FB1CA8}\TypeLib	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2AD9097-8BB2-446A-9DA6-DEF7F78ABA02}\ = "__clsRelFiscalSAP"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DB1AF44-67EC-4F7A-B7B5-A1B18CB6213E}\ProxyStubClsid	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NGOneSuporte.clsMDFe\Clsid	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C39676A-1010-4E5C-860D-3C1C7505A71A}\ = "NGOneSuporte.clsArquivoMagnetico"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6323DFAB-E2FC-47E2-B7AE-6A94BE5F8DAB}	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CBD60D98-75C2-471D-9D98-C67C65B6D57D}\ProxyStubClsid32	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A29B3E4E-1C2A-408D-BD81-D2CA1731F2D0}\TypeLib\ = "{BB3EA3EE-CD7E-4BCC-8612-F116A2E122D1}"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2AD9097-8BB2-446A-9DA6-DEF7F78ABA02}\ = "__clsRelFiscalSAP"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77E9B4FF-038E-4F1D-AA51-02B86D29FAB3}\ProxyStubClsid	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82D36DCC-192B-47B4-AC01-1E161F59A372}\TypeLib	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{283384B1-2D98-4165-B300-B4A5533E3867}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA86C911-3256-4AA6-9C06-027395FB1CA8}\TypeLib\ = "{BB3EA3EE-CD7E-4BCC-8612-F116A2E122D1}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{656EF81D-6BCF-4F86-84A2-472CF91F194F}\Forward	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A101878E-C91C-4A3C-AAD9-1A9207509C93}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngonesuporte.exe"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96CBFCF0-0D82-4BE4-8CF4-A319995B59BA}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngonesuporte.exe"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5720FE6F-2393-4ADA-9EDC-EE6469887762}\Forward\ = "{15F7B65F-FF29-4280-A967-F5DA2B47AE1B}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2AD9097-8BB2-446A-9DA6-DEF7F78ABA02}\TypeLib	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4384B3C1-BC73-42F2-A7A4-E680A9749666}	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{283384B1-2D98-4165-B300-B4A5533E3867}\TypeLib\Version = "1.6"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2AD9097-8BB2-446A-9DA6-DEF7F78ABA02}	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7136F0A-8D97-4F16-A2BB-8DC509873F4E}\ProgID\ = "NGOneSuporte.clsRelFiscalSAP"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7136F0A-8D97-4F16-A2BB-8DC509873F4E}\Programmable	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{BB3EA3EE-CD7E-4BCC-8612-F116A2E122D1}\1.6\0	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDE9FE71-754B-42EC-B583-340F6CC92990}\ProxyStubClsid32	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C9DE51F-4CD6-4F85-B846-9CA053173BE5}\Forward\ = "{C2AD9097-8BB2-446A-9DA6-DEF7F78ABA02}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2AD9097-8BB2-446A-9DA6-DEF7F78ABA02}\ProxyStubClsid	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{15F7B65F-FF29-4280-A967-F5DA2B47AE1B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C941D0EC-662F-4996-97FA-919CF328CB89}\TypeLib\ = "{BB3EA3EE-CD7E-4BCC-8612-F116A2E122D1}"	ngonesuporte.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
916	ngonesuporte.exe

C:\Users\Admin\AppData\Local\Temp\ngonesuporte.exe
"C:\Users\Admin\AppData\Local\Temp\ngonesuporte.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:916

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads