5c72f5bf2089611197f6ba92a8e3bc80597f18a691bec537ef9efcd4209f28e4

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2022 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ngonesuporte.exe
Size

272KB
MD5

c100cd2853800616d64a55046bf5a2d0
SHA1

5097a87282bb966e18d58619abb451548b04605a
SHA256

7e36be29f4a4d5a27663a852e2498337866784f9938ce44d363021a3db705275
SHA512

9c9888ea8f91202f849cfea794cec55b46cac739a8ee6a2a771b8e528e298ffa40a9c0092011caf24917340232bff462a9654cf41b00388e68fea158aa975658

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{671A5DF5-31B9-43AE-A5A2-210D6E5D049C}\ProxyStubClsid	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A101878E-C91C-4A3C-AAD9-1A9207509C93}\ = "NGOneSuporte.clsImportacaoDadosSAP"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C941D0EC-662F-4996-97FA-919CF328CB89}\ProxyStubClsid32	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF6A90F2-E3CE-4714-B6DD-5D3890F85E07}\TypeLib\Version = "1.6"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CB6224D9-5A48-4353-9919-1C28836D7717}\Forward\ = "{AF6A90F2-E3CE-4714-B6DD-5D3890F85E07}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NGOneSuporte.clsBarraProgressao	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{15F7B65F-FF29-4280-A967-F5DA2B47AE1B}\ = "_clsLicencas"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C39676A-1010-4E5C-860D-3C1C7505A71A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngonesuporte.exe"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NGOneSuporte.clsArquivoMagnetico\Clsid	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C941D0EC-662F-4996-97FA-919CF328CB89}\ = "_clsTela"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DB1AF44-67EC-4F7A-B7B5-A1B18CB6213E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{724E1D47-CCDB-40C8-9534-2AA32C3F0EE2}\ = "NGOneSuporte.clsMDFe"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C941D0EC-662F-4996-97FA-919CF328CB89}\ProxyStubClsid	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4384B3C1-BC73-42F2-A7A4-E680A9749666}\ = "clsBarraProgressao"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77E9B4FF-038E-4F1D-AA51-02B86D29FAB3}\ProxyStubClsid32	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{656EF81D-6BCF-4F86-84A2-472CF91F194F}\ProxyStubClsid	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C9DE51F-4CD6-4F85-B846-9CA053173BE5}\ProxyStubClsid	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDE9FE71-754B-42EC-B583-340F6CC92990}	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E3CDAC5-DEF6-497D-A9EA-95628BF051BE}\TypeLib	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{489ED982-2F89-4BA3-B708-0C2DAC6E38FE}\ProxyStubClsid	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77E9B4FF-038E-4F1D-AA51-02B86D29FAB3}\TypeLib\Version = "1.6"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{140530D7-EE85-4F4C-9AFF-4F0BB0C18B05}\TypeLib\ = "{BB3EA3EE-CD7E-4BCC-8612-F116A2E122D1}"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58088ACF-4B57-46C6-BC5D-714D77BF1897}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{671A5DF5-31B9-43AE-A5A2-210D6E5D049C}\Forward	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CBD60D98-75C2-471D-9D98-C67C65B6D57D}\ProxyStubClsid	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA86C911-3256-4AA6-9C06-027395FB1CA8}\ProxyStubClsid	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{656EF81D-6BCF-4F86-84A2-472CF91F194F}\Forward\ = "{AF6A90F2-E3CE-4714-B6DD-5D3890F85E07}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66AAEE0C-5BCA-42E2-AA16-2C28815B1ED1}\Forward	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77E9B4FF-038E-4F1D-AA51-02B86D29FAB3}\TypeLib\ = "{BB3EA3EE-CD7E-4BCC-8612-F116A2E122D1}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55B2F830-B229-417D-B7AA-840EAB22993C}\TypeLib	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F8A5F80-7A7D-4A7D-B72C-AF3446835D02}	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2AD9097-8BB2-446A-9DA6-DEF7F78ABA02}\ProxyStubClsid	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96CBFCF0-0D82-4BE4-8CF4-A319995B59BA}\VERSION	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55B2F830-B229-417D-B7AA-840EAB22993C}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55B2F830-B229-417D-B7AA-840EAB22993C}\TypeLib	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A29B3E4E-1C2A-408D-BD81-D2CA1731F2D0}\TypeLib\ = "{BB3EA3EE-CD7E-4BCC-8612-F116A2E122D1}"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA86C911-3256-4AA6-9C06-027395FB1CA8}\TypeLib\Version = "1.6"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{140530D7-EE85-4F4C-9AFF-4F0BB0C18B05}\TypeLib\Version = "1.6"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B822A9D-E820-4150-958E-CABEA99BA796}\VERSION	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77E9B4FF-038E-4F1D-AA51-02B86D29FAB3}	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77E9B4FF-038E-4F1D-AA51-02B86D29FAB3}\ProxyStubClsid32	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E3CDAC5-DEF6-497D-A9EA-95628BF051BE}\ProxyStubClsid32	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82D36DCC-192B-47B4-AC01-1E161F59A372}\ = "NGOneSuporte.clsEvento"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NGOneSuporte.clsGlobais\ = "NGOneSuporte.clsGlobais"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15D84DD1-DAB9-4E29-A9F0-4E1E48511FC6}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B822A9D-E820-4150-958E-CABEA99BA796}\ProgID	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B822A9D-E820-4150-958E-CABEA99BA796}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngonesuporte.exe"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5720FE6F-2393-4ADA-9EDC-EE6469887762}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C39676A-1010-4E5C-860D-3C1C7505A71A}\TypeLib	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C39676A-1010-4E5C-860D-3C1C7505A71A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{489ED982-2F89-4BA3-B708-0C2DAC6E38FE}\ = "clsRelFiscalSAP"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{140530D7-EE85-4F4C-9AFF-4F0BB0C18B05}\ = "clsImportacaoDadosSAP"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C39676A-1010-4E5C-860D-3C1C7505A71A}\ = "NGOneSuporte.clsArquivoMagnetico"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C39676A-1010-4E5C-860D-3C1C7505A71A}\Implemented Categories	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15D84DD1-DAB9-4E29-A9F0-4E1E48511FC6}\ProgID	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDE9FE71-754B-42EC-B583-340F6CC92990}\TypeLib	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58088ACF-4B57-46C6-BC5D-714D77BF1897}	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58088ACF-4B57-46C6-BC5D-714D77BF1897}\Forward	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15D84DD1-DAB9-4E29-A9F0-4E1E48511FC6}\VERSION\ = "1.6"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C941D0EC-662F-4996-97FA-919CF328CB89}	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{140530D7-EE85-4F4C-9AFF-4F0BB0C18B05}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ngonesuporte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{489ED982-2F89-4BA3-B708-0C2DAC6E38FE}\Forward	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2AD9097-8BB2-446A-9DA6-DEF7F78ABA02}\TypeLib\ = "{BB3EA3EE-CD7E-4BCC-8612-F116A2E122D1}"	ngonesuporte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A101878E-C91C-4A3C-AAD9-1A9207509C93}\VERSION\ = "1.6"	ngonesuporte.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2176	ngonesuporte.exe

C:\Users\Admin\AppData\Local\Temp\ngonesuporte.exe
"C:\Users\Admin\AppData\Local\Temp\ngonesuporte.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2176

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads