112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079

Analysis

max time kernel
155s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Size

454KB
MD5

69182c8b9c7417b5122e8f1cab557210
SHA1

85ab95a7f13951bb1002224fb10cd5e5f0999773
SHA256

112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079
SHA512

3fdc78f171c4a43eaab1ea30756757abfc5635a02eed47bc83645ac749d3a6d7894b7fb50478e162474c54ca0048864640bd51fd4247ac58c35d4209ed7c80ab
SSDEEP

12288:kbzq8pqz1uKSE9EzMTOBW1K3Dns9HeXrw5:uzuMrZzpW4Ds9HeXra

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
816	wininit.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/728-136-0x00000000022A0000-0x00000000022B0000-memory.dmp	upx
behavioral2/memory/728-138-0x00000000022A0000-0x00000000022B0000-memory.dmp	upx
behavioral2/memory/816-146-0x0000000000900000-0x0000000000910000-memory.dmp	upx
behavioral2/memory/816-149-0x0000000000900000-0x0000000000910000-memory.dmp	upx
behavioral2/memory/728-152-0x00000000022A0000-0x00000000022B0000-memory.dmp	upx
behavioral2/memory/816-153-0x0000000000900000-0x0000000000910000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
728	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{094B2352-390B-4000-A1AC-BA6D161B2669}\ = "Zixofig.Honopani.Gojer class"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{094B2352-390B-4000-A1AC-BA6D161B2669}\VersionIndependentProgID\ = "AcroBroker.Broker"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{094B2352-390B-4000-A1AC-BA6D161B2669}	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{094B2352-390B-4000-A1AC-BA6D161B2669}\LocalServer32\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroBroker.exe\""	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD5D30CA-D4AF-1291-833B-3DDBD803C257}\1.0\0\win32	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	wininit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	wininit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD5D30CA-D4AF-1291-833B-3DDBD803C257}\1.0\0\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD5D30CA-D4AF-1291-833B-3DDBD803C257}	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD5D30CA-D4AF-1291-833B-3DDBD803C257}\1.0\0\win32\ = "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIE.dll\\106"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{094B2352-390B-4000-A1AC-BA6D161B2669}\TypeLib\ = "{BD5D30CA-D4AF-1291-833B-3DDBD803C257}"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{094B2352-390B-4000-A1AC-BA6D161B2669}\ProgID\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD5D30CA-D4AF-1291-833B-3DDBD803C257}\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{094B2352-390B-4000-A1AC-BA6D161B2669}\ProgID	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD5D30CA-D4AF-1291-833B-3DDBD803C257}\1.0\0\win32\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD5D30CA-D4AF-1291-833B-3DDBD803C257}\1.0\FLAGS\ = "0"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD5D30CA-D4AF-1291-833B-3DDBD803C257}\1.0\HELPDIR	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD5D30CA-D4AF-1291-833B-3DDBD803C257}\1.0\HELPDIR\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{094B2352-390B-4000-A1AC-BA6D161B2669}\TypeLib\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD5D30CA-D4AF-1291-833B-3DDBD803C257}\1.0\ = "Microsoft OneNote 15.0 Extended Type Library"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD5D30CA-D4AF-1291-833B-3DDBD803C257}\1.0\FLAGS	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD5D30CA-D4AF-1291-833B-3DDBD803C257}\1.0\FLAGS\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{094B2352-390B-4000-A1AC-BA6D161B2669}\TypeLib	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{094B2352-390B-4000-A1AC-BA6D161B2669}\LocalServer32	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{094B2352-390B-4000-A1AC-BA6D161B2669}\ProgID\ = "AcroBroker.Broker.1"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD5D30CA-D4AF-1291-833B-3DDBD803C257}\1.0	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD5D30CA-D4AF-1291-833B-3DDBD803C257}\1.0\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD5D30CA-D4AF-1291-833B-3DDBD803C257}\1.0\0	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{094B2352-390B-4000-A1AC-BA6D161B2669}\VersionIndependentProgID	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{094B2352-390B-4000-A1AC-BA6D161B2669}\VersionIndependentProgID\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{094B2352-390B-4000-A1AC-BA6D161B2669}\LocalServer32\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
728	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
728	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
728	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
728	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe
816	wininit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 1340	728	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe	78
PID 728 wrote to memory of 1340	728	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe	78
PID 728 wrote to memory of 1340	728	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe	78
PID 728 wrote to memory of 816	728	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe	80
PID 728 wrote to memory of 816	728	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe	80
PID 728 wrote to memory of 816	728	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe	80
PID 816 wrote to memory of 2068	816	wininit.exe	81
PID 816 wrote to memory of 2068	816	wininit.exe	81
PID 816 wrote to memory of 2068	816	wininit.exe	81

C:\Users\Admin\AppData\Local\Temp\112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
"C:\Users\Admin\AppData\Local\Temp\112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\SysWOW64\cmd.exe
  cmd
  2⤵
  PID:1340
- C:\Users\Admin\AppData\Local\Temp\wininit.exe
  C:\Users\Admin\AppData\Local\Temp\wininit.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    PID:2068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\netscape.dll

Filesize
10KB

MD5
28a57355d9583b66e51ad978384c159e

SHA1
b8fe4ddb6187cdee0e89c02bab4a104f406d16da

SHA256
81ed76156df0de1caae6730a091f29978493881b54a2d6fbfb43c47153b6fadd

SHA512
991a288ed0f033eb8f54e567a6264a6111f795bd61a1cd600e210730d7ed39c89e735480dc6f0e4026eafad730ae8dc23ec7bc7600a14a2ac9d652638c02ee3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
454KB

MD5
69182c8b9c7417b5122e8f1cab557210

SHA1
85ab95a7f13951bb1002224fb10cd5e5f0999773

SHA256
112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079

SHA512
3fdc78f171c4a43eaab1ea30756757abfc5635a02eed47bc83645ac749d3a6d7894b7fb50478e162474c54ca0048864640bd51fd4247ac58c35d4209ed7c80ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
454KB

MD5
69182c8b9c7417b5122e8f1cab557210

SHA1
85ab95a7f13951bb1002224fb10cd5e5f0999773

SHA256
112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079

SHA512
3fdc78f171c4a43eaab1ea30756757abfc5635a02eed47bc83645ac749d3a6d7894b7fb50478e162474c54ca0048864640bd51fd4247ac58c35d4209ed7c80ab

Download Submit
memory/728-150-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/728-133-0x0000000000700000-0x0000000000711000-memory.dmp

Filesize
68KB

Download
memory/728-152-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/728-136-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/728-137-0x0000000000700000-0x0000000000711000-memory.dmp

Filesize
68KB

Download
memory/728-138-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/728-151-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/728-132-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/816-143-0x00000000008E0000-0x00000000008F1000-memory.dmp

Filesize
68KB

Download
memory/816-146-0x0000000000900000-0x0000000000910000-memory.dmp

Filesize
64KB

Download
memory/816-147-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/816-148-0x00000000008E0000-0x00000000008F1000-memory.dmp

Filesize
68KB

Download
memory/816-149-0x0000000000900000-0x0000000000910000-memory.dmp

Filesize
64KB

Download
memory/816-139-0x0000000000000000-mapping.dmp

Download
memory/816-153-0x0000000000900000-0x0000000000910000-memory.dmp

Filesize
64KB

Download
memory/1340-134-0x0000000000000000-mapping.dmp

Download
memory/2068-144-0x0000000000000000-mapping.dmp

Download