7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Size

963KB
MD5

7c744e12d32ba52dfa5e7dd75e2eba80
SHA1

0f77bdd7c1c5e7659028562caae4fa3eab1c2861
SHA256

7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a
SHA512

ca77378f86a9c555a8a718a7d09a9be45c75bf33eb4313d3fb8e5c5793176799b8c9820b10441efecc19f868d40b105f7a35209f5afcf4b529fafff8e5211a6a
SSDEEP

24576:HjTbkVZMybR2wT6aQ7j5YZLJC8xlkRwbT6hY0gaKHO/amj4:iJkwtG5mE8xQ6T6KtZms

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0002000000022de4-146.dat	aspack_v212_v242
behavioral2/files/0x0002000000022de4-148.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
4344	1363634M.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KpQLix\Parameters\ServiceDll = "C:\\Program Files\\Windows Multimedia Platform\\sqmapi4297652.dll"	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe

Loads dropped DLL 9 IoCs

pid	Process
3332	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
3332	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
3332	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
3332	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
4956	svchost.exe
4344	1363634M.exe
4344	1363634M.exe
4956	svchost.exe
4956	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HHaX6yLcg.exe	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
File opened for modification	C:\Windows\SysWOW64\HHaX6yLcg.exe	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
File opened for modification	C:\Windows\SysWOW64\HHaX6yLcg.exe	svchost.exe
File created	C:\Windows\SysWOW64\YIntJzoZAJ.exe	svchost.exe
File created	C:\Windows\SysWOW64\CndwjLLQt.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\CndwjLLQt.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\HHaX6yLcg.exe	1363634M.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\7129267P.exe	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
File created	C:\Program Files (x86)\Microsoft\5231363H.dll.tmp	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
File created	C:\Program Files\Windows Multimedia Platform\sqmapi4297652.dll.tmp	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
File created	C:\Program Files (x86)\Internet Explorer\EstYZ.exe	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
File created	C:\Program Files\Reference Assemblies\7129267P.exe	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\5231363H.dll	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\sqmapi4297652.dll	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ImagingEngine4297652.dll	svchost.exe
File created	C:\Program Files (x86)\Windows Media Player\AXGfIt.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\AXGfIt.exe	svchost.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\DelA.bat	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
File opened for modification	C:\Windows\Containers\WindowsDefenderApplicationGuard4297652.dll	1363634M.exe
File created	C:\Windows\Containers\WindowsDefenderApplicationGuard4297652.dll.tmp	1363634M.exe
File created	C:\Windows\security\1363634M.exe	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
File opened for modification	C:\Windows\security\1363634M.exe	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
File created	C:\Windows\OCR\3197737X.dll.tmp	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
File opened for modification	C:\Windows\OCR\3197737X.dll	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-shortcut_31bf3856ad364e35_10.0.19041.1_none_64c27fc7ed12e401\Windows Media Player.lnk	svchost.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.1_none_440e94288def3f95\Paint.lnk	svchost.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\Notepad.lnk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 25 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	1363634M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Outlook\Addins	1363634M.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Outlook\Addins\OffCalc.OffCalcExt\LoadBehavior = "3"	1363634M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Excel\Addins\OffCalc.OffCalcExt	1363634M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Excel	1363634M.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Excel\Addins\OffCalc.OffCalcExt\FriendlyName = "isfYPCl"	1363634M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\MicroSoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	1363634M.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Word\Addins\OffCalc.OffCalcExt\LoadBehavior = "3"	1363634M.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Excel\Addins\OffCalc.OffCalcExt\Description	1363634M.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Excel\Addins\OffCalc.OffCalcExt\LoadBehavior = "3"	1363634M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Word\Addins\OffCalc.OffCalcExt	1363634M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Word	1363634M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Outlook	1363634M.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Outlook\Addins\OffCalc.OffCalcExt\FriendlyName = "KLpcDfDjq"	1363634M.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Word\Addins\OffCalc.OffCalcExt\FriendlyName = "fDWTP"	1363634M.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Word\Addins\OffCalc.OffCalcExt\Description	1363634M.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000082bbebdf9ad6d801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Excel\Addins	1363634M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office	1363634M.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Outlook\Addins\OffCalc.OffCalcExt\Description	1363634M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Word\Addins	1363634M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\MicroSoft\Windows\CurrentVersion\Explorer	1363634M.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Outlook\Addins\OffCalc.OffCalcExt	1363634M.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\open	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\open\command\ = "C:\\Windows\\security\\1363634M.exe \"%1\""	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C563030-29AA-496A-85F9-2A91F3A7D203}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C80F2C34-B4A7-4F23-A99E-D55DB29DC30D}\	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C80F2C34-B4A7-4F23-A99E-D55DB29DC30D}\InprocServer32\ThreadingModel = "Apartment"	1363634M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\open\command\ = "C:\\Windows\\security\\1363634M.exe \"%1\""	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C563030-29AA-496A-85F9-2A91F3A7D203}\ = "iOffCalc"	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C563030-29AA-496A-85F9-2A91F3A7D203}\TypeLib\ = "{9B74BBC9-9516-4C06-9A9B-4594386F429D}"	1363634M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C80F2C34-B4A7-4F23-A99E-D55DB29DC30D}	1363634M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OffCalc.OffCalcExt	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EA2845-EAD5-486E-A339-59FED49289A6}\InprocServer32\ThreadingModel = "Apartment"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EA2845-EAD5-486E-A339-59FED49289A6}\InprocServer32	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\ = "open"	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C563030-29AA-496A-85F9-2A91F3A7D203}\TypeLib\Version = "1.0"	1363634M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\open\command	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C80F2C34-B4A7-4F23-A99E-D55DB29DC30D}\TypeLib	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C563030-29AA-496A-85F9-2A91F3A7D203}\TypeLib\Version = "1.0"	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C563030-29AA-496A-85F9-2A91F3A7D203}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OffCalc.OffCalcExt\Clsid\ = "{C80F2C34-B4A7-4F23-A99E-D55DB29DC30D}"	1363634M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C80F2C34-B4A7-4F23-A99E-D55DB29DC30D}\ProgID	1363634M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\open	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\open\command	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B74BBC9-9516-4C06-9A9B-4594386F429D}\1.0\ = "MicCalc Library"	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B74BBC9-9516-4C06-9A9B-4594386F429D}\1.0\HELPDIR\ = "C:\\Windows\\Containers\\"	1363634M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B74BBC9-9516-4C06-9A9B-4594386F429D}\1.0\0	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EA2845-EAD5-486E-A339-59FED49289A6}\	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B74BBC9-9516-4C06-9A9B-4594386F429D}\1.0	1363634M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C80F2C34-B4A7-4F23-A99E-D55DB29DC30D}\Version	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EA2845-EAD5-486E-A339-59FED49289A6}\InprocServer32\ = "C:\\PROGRA~2\\MICROS~1\\5231363H.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C563030-29AA-496A-85F9-2A91F3A7D203}\TypeLib\ = "{9B74BBC9-9516-4C06-9A9B-4594386F429D}"	1363634M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OffCalc.OffCalcExt\Clsid	1363634M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EA2845-EAD5-486E-A339-59FED49289A6}	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C563030-29AA-496A-85F9-2A91F3A7D203}\ProxyStubClsid32	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EA2845-EAD5-486E-A339-59FED49289A6}\InprocServer32\ = "C:\\PROGRA~2\\MICROS~1\\5231363H.dll"	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B74BBC9-9516-4C06-9A9B-4594386F429D}\1.0\FLAGS	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C80F2C34-B4A7-4F23-A99E-D55DB29DC30D}\InprocServer32\ = "C:\\Windows\\Containers\\WindowsDefenderApplicationGuard4297652.dll"	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C80F2C34-B4A7-4F23-A99E-D55DB29DC30D}\Version\ = "1.0"	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OffCalc.OffCalcExt\	1363634M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\open\command	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\open\command\ = "C:\\Windows\\security\\1363634M.exe \"%1\""	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B74BBC9-9516-4C06-9A9B-4594386F429D}\1.0\0\win32	1363634M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C563030-29AA-496A-85F9-2A91F3A7D203}\TypeLib	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ = "open"	1363634M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\open\command	1363634M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EA2845-EAD5-486E-A339-59FED49289A6}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EA2845-EAD5-486E-A339-59FED49289A6}\InprocServer32	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B74BBC9-9516-4C06-9A9B-4594386F429D}\1.0\HELPDIR	1363634M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C80F2C34-B4A7-4F23-A99E-D55DB29DC30D}\InprocServer32	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ = "open"	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\ = "open"	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B74BBC9-9516-4C06-9A9B-4594386F429D}\1.0\0\win32\ = "C:\\Windows\\Containers\\WindowsDefenderApplicationGuard4297652.dll"	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID = "{75EA2845-EAD5-486E-A339-59FED49289A6}"	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C563030-29AA-496A-85F9-2A91F3A7D203}\TypeLib	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C80F2C34-B4A7-4F23-A99E-D55DB29DC30D}\TypeLib\ = "{9B74BBC9-9516-4C06-9A9B-4594386F429D}"	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe \"%1\""	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C80F2C34-B4A7-4F23-A99E-D55DB29DC30D}\ProgID\ = "OffCalc.OffCalcExt"	1363634M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EA2845-EAD5-486E-A339-59FED49289A6}\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C563030-29AA-496A-85F9-2A91F3A7D203}\ = "iOffCalc"	1363634M.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1544	PING.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe
4956	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 4284	3332	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe	86
PID 3332 wrote to memory of 4284	3332	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe	86
PID 3332 wrote to memory of 4284	3332	7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe	86
PID 4284 wrote to memory of 1544	4284	cmd.exe	88
PID 4284 wrote to memory of 1544	4284	cmd.exe	88
PID 4284 wrote to memory of 1544	4284	cmd.exe	88
PID 4956 wrote to memory of 4344	4956	svchost.exe	110
PID 4956 wrote to memory of 4344	4956	svchost.exe	110
PID 4956 wrote to memory of 4344	4956	svchost.exe	110

C:\Users\Admin\AppData\Local\Temp\7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe
"C:\Users\Admin\AppData\Local\Temp\7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\DelA.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1544

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k QxAeZVLEHc -s KpQLix
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\security\1363634M.exe
  C:\Windows\security\1363634M.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:4344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\5231363H.dll

Filesize
946KB

MD5
954e79eff0ce60e942aea0db3afd9a72

SHA1
24a91494848b021bfe5ad1c6a65455ccf3de0c02

SHA256
bf1ed4fc485cfbf7bd469ab94d80b27d8adfecbf72d98e30d31f74c50654f271

SHA512
11c770d812274c702df58cb1501364f04386d5e7cfeb7a8daedaccdc877f22f5d0ef22f614102fd4e300a3a7405e04c01b9bb20c383a4dc4619606267e7d02d2

Download Submit
C:\Program Files (x86)\Microsoft\5231363H.dll

Filesize
946KB

MD5
954e79eff0ce60e942aea0db3afd9a72

SHA1
24a91494848b021bfe5ad1c6a65455ccf3de0c02

SHA256
bf1ed4fc485cfbf7bd469ab94d80b27d8adfecbf72d98e30d31f74c50654f271

SHA512
11c770d812274c702df58cb1501364f04386d5e7cfeb7a8daedaccdc877f22f5d0ef22f614102fd4e300a3a7405e04c01b9bb20c383a4dc4619606267e7d02d2

Download Submit
C:\Program Files (x86)\Microsoft\5231363H.dll

Filesize
946KB

MD5
954e79eff0ce60e942aea0db3afd9a72

SHA1
24a91494848b021bfe5ad1c6a65455ccf3de0c02

SHA256
bf1ed4fc485cfbf7bd469ab94d80b27d8adfecbf72d98e30d31f74c50654f271

SHA512
11c770d812274c702df58cb1501364f04386d5e7cfeb7a8daedaccdc877f22f5d0ef22f614102fd4e300a3a7405e04c01b9bb20c383a4dc4619606267e7d02d2

Download Submit
C:\Program Files (x86)\Microsoft\5231363H.dll

Filesize
946KB

MD5
954e79eff0ce60e942aea0db3afd9a72

SHA1
24a91494848b021bfe5ad1c6a65455ccf3de0c02

SHA256
bf1ed4fc485cfbf7bd469ab94d80b27d8adfecbf72d98e30d31f74c50654f271

SHA512
11c770d812274c702df58cb1501364f04386d5e7cfeb7a8daedaccdc877f22f5d0ef22f614102fd4e300a3a7405e04c01b9bb20c383a4dc4619606267e7d02d2

Download Submit
C:\Program Files (x86)\Microsoft\5231363H.dll

Filesize
946KB

MD5
954e79eff0ce60e942aea0db3afd9a72

SHA1
24a91494848b021bfe5ad1c6a65455ccf3de0c02

SHA256
bf1ed4fc485cfbf7bd469ab94d80b27d8adfecbf72d98e30d31f74c50654f271

SHA512
11c770d812274c702df58cb1501364f04386d5e7cfeb7a8daedaccdc877f22f5d0ef22f614102fd4e300a3a7405e04c01b9bb20c383a4dc4619606267e7d02d2

Download Submit
C:\Program Files\Windows Multimedia Platform\sqmapi4297652.dll

Filesize
726KB

MD5
c9716a7e81808fa5767877534b3da393

SHA1
a2b8b74ad4d2c98371c21c033049b769edc218f5

SHA256
e5d4473528dc0a07571a995a33bc83a4e9b61de04ca839ac639c740f5fde70dc

SHA512
a2009d801721c75baae9bf5bc35d8eaf1c997b3070aa878ccf0b1bc23788274b644965eb9f3c26b204735c416d47f2d702b3722fda8f138cc8b29c7d9975934e

Download Submit
C:\Program Files\Windows Multimedia Platform\sqmapi4297652.dll

Filesize
726KB

MD5
c9716a7e81808fa5767877534b3da393

SHA1
a2b8b74ad4d2c98371c21c033049b769edc218f5

SHA256
e5d4473528dc0a07571a995a33bc83a4e9b61de04ca839ac639c740f5fde70dc

SHA512
a2009d801721c75baae9bf5bc35d8eaf1c997b3070aa878ccf0b1bc23788274b644965eb9f3c26b204735c416d47f2d702b3722fda8f138cc8b29c7d9975934e

Download Submit
C:\Program Files\Windows Multimedia Platform\sqmapi4297652.dll

Filesize
726KB

MD5
c9716a7e81808fa5767877534b3da393

SHA1
a2b8b74ad4d2c98371c21c033049b769edc218f5

SHA256
e5d4473528dc0a07571a995a33bc83a4e9b61de04ca839ac639c740f5fde70dc

SHA512
a2009d801721c75baae9bf5bc35d8eaf1c997b3070aa878ccf0b1bc23788274b644965eb9f3c26b204735c416d47f2d702b3722fda8f138cc8b29c7d9975934e

Download Submit
C:\Windows\Containers\WindowsDefenderApplicationGuard4297652.dll

Filesize
707KB

MD5
fb77dd216ab8bf37ff11bb7ebc2a1a8d

SHA1
4905a80f1de0330db5dbc0c868b652b75d8c2676

SHA256
0a1b87ea292859939084983d8babd57ed10944cf4c4409b68bc822c609ac452e

SHA512
51b00f2b26669823e63e7ba19bb18162853383a306e2de67bad258114b51cf59b956970dc2a1f570821e8254b085b1bf11284ae28274dca91174c048ea805b07

Download Submit
C:\Windows\Containers\WindowsDefenderApplicationGuard4297652.dll

Filesize
707KB

MD5
fb77dd216ab8bf37ff11bb7ebc2a1a8d

SHA1
4905a80f1de0330db5dbc0c868b652b75d8c2676

SHA256
0a1b87ea292859939084983d8babd57ed10944cf4c4409b68bc822c609ac452e

SHA512
51b00f2b26669823e63e7ba19bb18162853383a306e2de67bad258114b51cf59b956970dc2a1f570821e8254b085b1bf11284ae28274dca91174c048ea805b07

Download Submit
C:\Windows\DelA.bat

Filesize
285B

MD5
22009fbff32bba907cabaccc23cb1f95

SHA1
cc1285cb8c886b4a331949e2a9aa8effdf205a5b

SHA256
3c452c042eefd269800089dae607e260563c428686065bc369a99a3d85943ebd

SHA512
59cf1452a35072245b496306886885a1c937cb7437be65758965470f6557ebfebc8dce2c7bdd1023660eff9ca5e6bc92e8874106a394d344a555cd525e7cb9a6

Download Submit
C:\Windows\SysWOW64\HHaX6yLcg.exe

Filesize
568B

MD5
70aab54e2493b634a29687c459a2c23b

SHA1
4d6ffa9576eb022dd4d52f408293147036a1d145

SHA256
af8fcb9a847a992df6586329f874b70eaea30251caf65f0f7734848baf849202

SHA512
9dac5d1cfe0454dac487b6be93c7ff5c5042aafbeaf5ffa8746a0aea2b28abffe827a0d9e941cd5f266878db8d0abd558189498ca64338b085bef8b64fcef566

Download Submit
C:\Windows\SysWOW64\HHaX6yLcg.exe

Filesize
568B

MD5
70aab54e2493b634a29687c459a2c23b

SHA1
4d6ffa9576eb022dd4d52f408293147036a1d145

SHA256
af8fcb9a847a992df6586329f874b70eaea30251caf65f0f7734848baf849202

SHA512
9dac5d1cfe0454dac487b6be93c7ff5c5042aafbeaf5ffa8746a0aea2b28abffe827a0d9e941cd5f266878db8d0abd558189498ca64338b085bef8b64fcef566

Download Submit
C:\Windows\SysWOW64\HHaX6yLcg.exe

Filesize
568B

MD5
70aab54e2493b634a29687c459a2c23b

SHA1
4d6ffa9576eb022dd4d52f408293147036a1d145

SHA256
af8fcb9a847a992df6586329f874b70eaea30251caf65f0f7734848baf849202

SHA512
9dac5d1cfe0454dac487b6be93c7ff5c5042aafbeaf5ffa8746a0aea2b28abffe827a0d9e941cd5f266878db8d0abd558189498ca64338b085bef8b64fcef566

Download Submit
C:\Windows\SysWOW64\HHaX6yLcg.exe

Filesize
568B

MD5
70aab54e2493b634a29687c459a2c23b

SHA1
4d6ffa9576eb022dd4d52f408293147036a1d145

SHA256
af8fcb9a847a992df6586329f874b70eaea30251caf65f0f7734848baf849202

SHA512
9dac5d1cfe0454dac487b6be93c7ff5c5042aafbeaf5ffa8746a0aea2b28abffe827a0d9e941cd5f266878db8d0abd558189498ca64338b085bef8b64fcef566

Download Submit
C:\Windows\SysWOW64\HHaX6yLcg.exe

Filesize
696B

MD5
2ec032424ecaf982b7ec02e68904c2e5

SHA1
69fe9646872161bffcb5cec5770f77c6e5d15cfa

SHA256
085db88d07567ce2f1e87e024c697d6aa0c8d86d349a91cf0bfc6d7e8d1165aa

SHA512
6e325cd838900fc2fd7c6f5be41415c99366cbc1bacf05625225dfd4ef78ed32352a156adf65ac16b075609a4eaedf2f018d5e47aad88f781463844fb9c14b34

Download Submit
C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-shortcut_31bf3856ad364e35_10.0.19041.1_none_64c27fc7ed12e401\Windows Media Player.lnk

Filesize
1KB

MD5
77dd26770dba4fba02ca8697b739f6b6

SHA1
322cd09d3aa108c26a4ac85271dd32d4cb237925

SHA256
ec7a043c2efa3b0f87d09243bf183ec91ea9b301a1ba17336c6c683b3da52079

SHA512
6ea960a9ba85c38f31c03934f1843bb6a6b2bc0044821b1c0b60eb02740551ba74fb867cabec8e8a80be4d3d8fafbf73f0b348afce7f0a06d79cad56b9f85ecc

Download Submit
C:\Windows\WinSxS\amd64_microsoft-windows-mspaint_31bf3856ad364e35_10.0.19041.1_none_440e94288def3f95\Paint.lnk

Filesize
1KB

MD5
a6596c7312fc4516628d39395f66e88c

SHA1
053b8175aac978f50e122d29be7968fafb5353f7

SHA256
d44b4c061c414f9882a135e13bd743a586c8c0240f43a2411ca0d9f536896c1b

SHA512
c4a87caf11e3bd6a1f0f9ff46c241a7c2a007ef08ee77004fd4419aff26e08c674018212fb7e673b826fda622ebb693013e179018fe1eee28da14e517e0e229b

Download Submit
C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.1081_none_e3f87355251e8c43\Notepad.lnk

Filesize
1KB

MD5
c178eb63a06ee4ca9eb6112a9e5fd722

SHA1
350010e829abf8eb350e139aaa1665fdb9994439

SHA256
030bcabfda11388c8080aeaf845a3c7f5e08023293e81fe49592636c38d75990

SHA512
2d0e7aba6015b7fb1c08d9dcbf68881bd71b82f3707e018684aaf18a6f2ca0b1d1d0d251d8639ce543880d97b07df9868087bd6870c515493a852a38cadae935

Download Submit
C:\Windows\security\1363634M.exe

Filesize
963KB

MD5
7c744e12d32ba52dfa5e7dd75e2eba80

SHA1
0f77bdd7c1c5e7659028562caae4fa3eab1c2861

SHA256
7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a

SHA512
ca77378f86a9c555a8a718a7d09a9be45c75bf33eb4313d3fb8e5c5793176799b8c9820b10441efecc19f868d40b105f7a35209f5afcf4b529fafff8e5211a6a

Download Submit
C:\Windows\security\1363634M.exe

Filesize
963KB

MD5
7c744e12d32ba52dfa5e7dd75e2eba80

SHA1
0f77bdd7c1c5e7659028562caae4fa3eab1c2861

SHA256
7c5ccd2f3279bad7e7494a6a0b592096ef280aab1aa03589b02c89a045276b6a

SHA512
ca77378f86a9c555a8a718a7d09a9be45c75bf33eb4313d3fb8e5c5793176799b8c9820b10441efecc19f868d40b105f7a35209f5afcf4b529fafff8e5211a6a

Download Submit
\??\c:\program files\windows multimedia platform\sqmapi4297652.dll

Filesize
726KB

MD5
c9716a7e81808fa5767877534b3da393

SHA1
a2b8b74ad4d2c98371c21c033049b769edc218f5

SHA256
e5d4473528dc0a07571a995a33bc83a4e9b61de04ca839ac639c740f5fde70dc

SHA512
a2009d801721c75baae9bf5bc35d8eaf1c997b3070aa878ccf0b1bc23788274b644965eb9f3c26b204735c416d47f2d702b3722fda8f138cc8b29c7d9975934e

Download Submit
memory/3332-137-0x0000000002DD0000-0x0000000002E8C000-memory.dmp

Filesize
752KB

Download
memory/3332-134-0x0000000002A90000-0x0000000002B82000-memory.dmp

Filesize
968KB

Download
memory/4344-152-0x0000000001500000-0x00000000015B7000-memory.dmp

Filesize
732KB

Download