db11b1f988528f00aced995dd24e4b217b1a4a41dfbd2bbc602985e22de44d7d

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db11b1f988528f00aced995dd24e4b217b1a4a41dfbd2bbc602985e22de44d7d.exe
Size

280KB
MD5

65e43100cdb49d632b3e7accac67bd8f
SHA1

221cd2ec3bc4327a7fa3ef058b7740c7be3bf9ac
SHA256

db11b1f988528f00aced995dd24e4b217b1a4a41dfbd2bbc602985e22de44d7d
SHA512

c10d401c5dbb06fd5d5aa9e022774b6a75b1320207ecfa721b959fb009513fc0470d11e661ec287c49574ee0234ec7a35223b04e686923f0aa73b3a2693b2682
SSDEEP

6144:SlC7L23NkVsuaRaU6mHGqBgL3x3RCzTB:qC7LC0aRz6mHGf93R6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4912	framenetworkx.exe

Loads dropped DLL 4 IoCs

pid	Process
4912	framenetworkx.exe
4912	framenetworkx.exe
4912	framenetworkx.exe
4912	framenetworkx.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\msinet.ocx	db11b1f988528f00aced995dd24e4b217b1a4a41dfbd2bbc602985e22de44d7d.exe
File opened for modification	C:\WINDOWS\SysWOW64\mswinsck.ocx	db11b1f988528f00aced995dd24e4b217b1a4a41dfbd2bbc602985e22de44d7d.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5036	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib	framenetworkx.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1\ = "132497"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version\ = "1.0"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\ = "Internet Control URL Property Page Object"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CurVer\ = "InetCtls.Inet.1"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID\ = "InetCtls.Inet.1"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ = "Microsoft Internet Transfer Control 6.0 (SP4)"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Control	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\ = "Microsoft Internet Transfer Control 6.0 (SP4)"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSINET.OCX"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0	framenetworkx.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\ = "Microsoft Internet Transfer Control 6.0 (SP4)"	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32	framenetworkx.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CurVer	framenetworkx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet"	framenetworkx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}	framenetworkx.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1692	db11b1f988528f00aced995dd24e4b217b1a4a41dfbd2bbc602985e22de44d7d.exe
4912	framenetworkx.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2692	1692	db11b1f988528f00aced995dd24e4b217b1a4a41dfbd2bbc602985e22de44d7d.exe	81
PID 1692 wrote to memory of 2692	1692	db11b1f988528f00aced995dd24e4b217b1a4a41dfbd2bbc602985e22de44d7d.exe	81
PID 1692 wrote to memory of 2692	1692	db11b1f988528f00aced995dd24e4b217b1a4a41dfbd2bbc602985e22de44d7d.exe	81
PID 2692 wrote to memory of 5036	2692	cmd.exe	83
PID 2692 wrote to memory of 5036	2692	cmd.exe	83
PID 2692 wrote to memory of 5036	2692	cmd.exe	83
PID 1692 wrote to memory of 4912	1692	db11b1f988528f00aced995dd24e4b217b1a4a41dfbd2bbc602985e22de44d7d.exe	84
PID 1692 wrote to memory of 4912	1692	db11b1f988528f00aced995dd24e4b217b1a4a41dfbd2bbc602985e22de44d7d.exe	84
PID 1692 wrote to memory of 4912	1692	db11b1f988528f00aced995dd24e4b217b1a4a41dfbd2bbc602985e22de44d7d.exe	84

C:\Users\Admin\AppData\Local\Temp\db11b1f988528f00aced995dd24e4b217b1a4a41dfbd2bbc602985e22de44d7d.exe
"C:\Users\Admin\AppData\Local\Temp\db11b1f988528f00aced995dd24e4b217b1a4a41dfbd2bbc602985e22de44d7d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /d /c taskkill /f /im framenetworkx.exe /t && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im framenetworkx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\framenetworkx.exe
  "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\framenetworkx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\framenetworkx.exe

Filesize
36KB

MD5
a6a3c6589a5250da1a9e7c6a8cf68b39

SHA1
031a709f7c805f9217801db39659b3284fe61775

SHA256
7715e438008e6dde400111be3af0853d4287bb04102f5dcfca03c1b192a04a12

SHA512
fa27da631f65c54fd8b675d83415f8ce001db105e18c716fc57b3c4cdb8bac7683f40ec859d96febce1f69d1ecd486f19cc17914c8ba66ccdca6e1a25cba78ff

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\framenetworkx.exe

Filesize
36KB

MD5
a6a3c6589a5250da1a9e7c6a8cf68b39

SHA1
031a709f7c805f9217801db39659b3284fe61775

SHA256
7715e438008e6dde400111be3af0853d4287bb04102f5dcfca03c1b192a04a12

SHA512
fa27da631f65c54fd8b675d83415f8ce001db105e18c716fc57b3c4cdb8bac7683f40ec859d96febce1f69d1ecd486f19cc17914c8ba66ccdca6e1a25cba78ff

Download Submit
C:\Windows\SysWOW64\MSINET.OCX

Filesize
113KB

MD5
40d81470a19269d88bf44e766be7f84a

SHA1
4030e8e94297bc0aa5139fe241e8cf8f8142d8d4

SHA256
dd1215f01b484e7842763302d42749d516963d9ac74e2fe8825a5eaba34f6229

SHA512
e4a39613cc32885b67f6219281fbf99f50018b5fd2886b5389cfa04dc9dc4ebfc46fca2b9e89586116094fa3a7600c20b2ca0fa3535dd2615739621856506864

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\SysWOW64\msinet.ocx

Filesize
113KB

MD5
40d81470a19269d88bf44e766be7f84a

SHA1
4030e8e94297bc0aa5139fe241e8cf8f8142d8d4

SHA256
dd1215f01b484e7842763302d42749d516963d9ac74e2fe8825a5eaba34f6229

SHA512
e4a39613cc32885b67f6219281fbf99f50018b5fd2886b5389cfa04dc9dc4ebfc46fca2b9e89586116094fa3a7600c20b2ca0fa3535dd2615739621856506864

Download Submit
C:\Windows\SysWOW64\msinet.ocx

Filesize
113KB

MD5
40d81470a19269d88bf44e766be7f84a

SHA1
4030e8e94297bc0aa5139fe241e8cf8f8142d8d4

SHA256
dd1215f01b484e7842763302d42749d516963d9ac74e2fe8825a5eaba34f6229

SHA512
e4a39613cc32885b67f6219281fbf99f50018b5fd2886b5389cfa04dc9dc4ebfc46fca2b9e89586116094fa3a7600c20b2ca0fa3535dd2615739621856506864

Download Submit
C:\Windows\SysWOW64\mswinsck.ocx

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\SysWOW64\mswinsck.ocx

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit