8f70a086699bb604ae5a56a8f7537980e4716071ff5402e8aaf068c7b769e9c9

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f70a086699bb604ae5a56a8f7537980e4716071ff5402e8aaf068c7b769e9c9.exe
Size

100KB
MD5

e52c395049d59efaf2515b0ed7f555c4
SHA1

0a765a7b624f6d84909320cdd4f9a083fa117833
SHA256

8f70a086699bb604ae5a56a8f7537980e4716071ff5402e8aaf068c7b769e9c9
SHA512

e517592f85bb400e6f684987726e09d121b1f81fbe3ba42e78c7a1b94bb25d587e0044a7bdff2178f2c2bdce926733d9718c03e39ea9d706bca998c5f465b122
SSDEEP

3072:SBdUWd+EidEJTklav8i4zQsZlTNO6wsB+ovK7WKIRn34N6fvCX:SsWd+NdE4hZxsQB+iK7Ql34sHC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
572	74FA.exe

Loads dropped DLL 6 IoCs

pid	Process
1936	cmd.exe
1936	cmd.exe
572	74FA.exe
572	74FA.exe
572	74FA.exe
572	74FA.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	8f70a086699bb604ae5a56a8f7537980e4716071ff5402e8aaf068c7b769e9c9.exe
File opened for modification	C:\Windows\SysWOW64\74FA.exe	8f70a086699bb604ae5a56a8f7537980e4716071ff5402e8aaf068c7b769e9c9.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	74FA.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	74FA.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	74FA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	74FA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	74FA.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1444	8f70a086699bb604ae5a56a8f7537980e4716071ff5402e8aaf068c7b769e9c9.exe
572	74FA.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1936	1444	8f70a086699bb604ae5a56a8f7537980e4716071ff5402e8aaf068c7b769e9c9.exe	27
PID 1444 wrote to memory of 1936	1444	8f70a086699bb604ae5a56a8f7537980e4716071ff5402e8aaf068c7b769e9c9.exe	27
PID 1444 wrote to memory of 1936	1444	8f70a086699bb604ae5a56a8f7537980e4716071ff5402e8aaf068c7b769e9c9.exe	27
PID 1444 wrote to memory of 1936	1444	8f70a086699bb604ae5a56a8f7537980e4716071ff5402e8aaf068c7b769e9c9.exe	27
PID 1936 wrote to memory of 572	1936	cmd.exe	29
PID 1936 wrote to memory of 572	1936	cmd.exe	29
PID 1936 wrote to memory of 572	1936	cmd.exe	29
PID 1936 wrote to memory of 572	1936	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\8f70a086699bb604ae5a56a8f7537980e4716071ff5402e8aaf068c7b769e9c9.exe
"C:\Users\Admin\AppData\Local\Temp\8f70a086699bb604ae5a56a8f7537980e4716071ff5402e8aaf068c7b769e9c9.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\74FA.exe eee
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\74FA.exe
    C:\Windows\system32\74FA.exe eee
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\74FA.exe

Filesize
108KB

MD5
8cfd59ac42287fd6ceb2ca03a0eeab23

SHA1
9d4f662f093093acb151dda39e2bcbc5dac8bdc9

SHA256
bbafeae609d14f173e3b11715a32e626d73651c4d193772b19df62dc551f8fcb

SHA512
8433452fb3dd4b87915efd1fffa1643010c786d28bab38ca2ac6e99e66d9f1cf5585ebc0d05aa77549011505aa8e0ad83acfadd954c225aef23da2bed3c19485

Download Submit
C:\Windows\SysWOW64\74FA.exe

Filesize
108KB

MD5
8cfd59ac42287fd6ceb2ca03a0eeab23

SHA1
9d4f662f093093acb151dda39e2bcbc5dac8bdc9

SHA256
bbafeae609d14f173e3b11715a32e626d73651c4d193772b19df62dc551f8fcb

SHA512
8433452fb3dd4b87915efd1fffa1643010c786d28bab38ca2ac6e99e66d9f1cf5585ebc0d05aa77549011505aa8e0ad83acfadd954c225aef23da2bed3c19485

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Windows\SysWOW64\74FA.exe

Filesize
108KB

MD5
8cfd59ac42287fd6ceb2ca03a0eeab23

SHA1
9d4f662f093093acb151dda39e2bcbc5dac8bdc9

SHA256
bbafeae609d14f173e3b11715a32e626d73651c4d193772b19df62dc551f8fcb

SHA512
8433452fb3dd4b87915efd1fffa1643010c786d28bab38ca2ac6e99e66d9f1cf5585ebc0d05aa77549011505aa8e0ad83acfadd954c225aef23da2bed3c19485

Download Submit
\Windows\SysWOW64\74FA.exe

Filesize
108KB

MD5
8cfd59ac42287fd6ceb2ca03a0eeab23

SHA1
9d4f662f093093acb151dda39e2bcbc5dac8bdc9

SHA256
bbafeae609d14f173e3b11715a32e626d73651c4d193772b19df62dc551f8fcb

SHA512
8433452fb3dd4b87915efd1fffa1643010c786d28bab38ca2ac6e99e66d9f1cf5585ebc0d05aa77549011505aa8e0ad83acfadd954c225aef23da2bed3c19485

Download Submit
\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
memory/572-69-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1444-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download