d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f

Analysis

max time kernel
95s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/10/2022, 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Size

3.6MB
MD5

cf6e6ba018de6cc47d7dd446da29c6d0
SHA1

469c5d1146affa003a96a01b287b164a0423d880
SHA256

d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f
SHA512

1a38b3162b94edae86dde1468010248bee0bb160fb2b22f14194922a8970e44c1d9f70b45afd9a3ab83dff295802e2c349e95e92cd7564e1b841b4dabe078e76
SSDEEP

98304:MtBf470R4LNuu+izhCDU90ql08MSlBzxLLcD2v5Js2mEZU07IS:Mth470RCFlmS05SbzxLLcD2v5JCEZV7b

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 17 IoCs

pid	Process
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
5028	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isc889A.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ius8918.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\IsProBE.tlb	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp863F.tmp\temp.000	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp86CF.tmp\iGdi.dll	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\Dot8859.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\cto8879.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ius8918.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\IsP8948.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Obj8977.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKe8839.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\IsProBE.tlb	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\iKernel.rgs	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\iKernel.rgs	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\cto8879.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isc889A.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\IsP8948.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Obj8977.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp863F.tmp\setup.dll	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp86CF.tmp\temp.000	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKe8839.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\Dot8859.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupLogService"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupFeatureLog"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\TypeLib\Version = "1.0"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\ = "ISetupWizardUI"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\ = "ISetupType"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A74C06E4-12DF-4060-9AA7-83CFAA66D604}\TypeLib\Version = "1.0"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5469EE67-1493-402F-8E2C-99936C9E4983}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\ = "ISetupShell"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BD0749C-12DC-4D2B-A4F6-9E52F0F38A6C}	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid32	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\TypeLib	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94636247-BC39-4B8B-A728-2D1FBEBFA76A}\1.0\FLAGS\ = "0"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39040274-3D36-11D3-88EE-00C04F72F303}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B288F47-79AB-43A8-8494-D9F4D5985B29}\ = "ISetupProgress2"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B4D3EAE5-8A3A-4376-8B65-6A81293EDB1D}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2A3A842-FBA3-49D4-8806-7734716364A2}\TypeLib	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\TypeLib\Version = "1.0"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\ = "ISetupWindowImage"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\TypeLib	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\TypeLib	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ED19966-1493-4539-B9F5-97A6556CE8F8}	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3CD7A86-04E4-4B47-88E8-3EE03A3DEE56}	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\ = "ISetupDriver"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\ = "ISetupShell"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\TypeLib\Version = "1.0"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupOpTypes"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\TypeLib	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\ProxyStubClsid32	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\ = "ISetupRegistry2"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\TypeLib\Version = "1.0"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E67BBC9-18CB-4B22-BACD-687CDF6387B6}\ProxyStubClsid32	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\TypeLib\Version = "1.0"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B4D3EAE5-8A3A-4376-8B65-6A81293EDB1D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECBE1E54-3649-4287-9888-D9FB133CAE0D}\ = "ISetupSharedFiles2"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9BD0749C-12DC-4D2B-A4F6-9E52F0F38A6C}\ProxyStubClsid32	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 5028	3392	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe	83
PID 3392 wrote to memory of 5028	3392	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe	83
PID 3392 wrote to memory of 5028	3392	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe	83

C:\Users\Admin\AppData\Local\Temp\d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
"C:\Users\Admin\AppData\Local\Temp\d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Users\Admin\AppData\Local\Temp\d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
  -deleter
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  PID:5028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll

Filesize
56KB

MD5
e3db818aca6889a18fee5ebef336d305

SHA1
d68f8cc397f448c5fa6265642833a36a680e60ae

SHA256
ad48c416a57a9f8a47ec4c8f82f25430a2da42730c3891b43a44c1f21e7f5932

SHA512
1c44160f74b7afe992e6818689e375e88d07203856f6167e1602ead64210bd09787c2fb41ba31f21542861bcbc67f03b45e113937a9b069e8e5e2dadee9785e4

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll

Filesize
160KB

MD5
150f19ffcf1c56e3c5f77eb712d0310b

SHA1
ee29d37fe83ac48c00b5a15ef8073a653ac3354d

SHA256
63e799505ac9f425a9ae000adf438812d50cb7b92de50d4e45e042af704af49c

SHA512
e2bef9203abbd6934a16bd43c3f8975a69eca3c9ddea66d76dfd97fafceadb8779ea3c2b1f75787e7f909357ef636f5964a903148190886cee35a81668780e49

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll

Filesize
676KB

MD5
f7217ffc0aac4e60dc9f1c0d687c20b3

SHA1
c04fa2ab93aaf44a824364cfd4b2c03a9bdb1f38

SHA256
8b44a220ec6760a728d2fc7c1a31c39550c5c991d8decd1cd56e7d9c18f12135

SHA512
ab954477f04319b5c14a5d4dd09f964dc2dddf1dcf1222fd7e32b39d02f40004f53296ef05484b1bce995035f4626acdcb8632eebed40b11c2b5e679e21842d1

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll

Filesize
676KB

MD5
f7217ffc0aac4e60dc9f1c0d687c20b3

SHA1
c04fa2ab93aaf44a824364cfd4b2c03a9bdb1f38

SHA256
8b44a220ec6760a728d2fc7c1a31c39550c5c991d8decd1cd56e7d9c18f12135

SHA512
ab954477f04319b5c14a5d4dd09f964dc2dddf1dcf1222fd7e32b39d02f40004f53296ef05484b1bce995035f4626acdcb8632eebed40b11c2b5e679e21842d1

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll

Filesize
232KB

MD5
742679327ee56723096eb5aa5928be26

SHA1
20c6d65b0ae8e5e98198cf6dc993c60ada1d6553

SHA256
9fae0665d7b6d21a93a73708249bd44337910cf4f32210c584eda24733cacf7f

SHA512
05fa9e09fa3fd114eb1dbb96f27c680d78a82e318731a81174e68fe559e1d9f1b3565f2e7eff6b838ed41a429fd00577f2bb5885015bc68bb04d0f97c3150bf1

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll

Filesize
152KB

MD5
85b1375725843284c7987b6bad170bcc

SHA1
490e87557116cc75167044d18f50af47167df467

SHA256
36f4b8a79035b4df985dbeae8e42312a6ff74d947275ac312d5f2a3fd45b4030

SHA512
7fc14814bc06c176796c0fbab17dd2131859db35f5c53685792d8e1c0b2ca3da16af017df20b0f035ef44a10bb92c5a556e26ed1a37f16bf3ad3e7212f74d02c

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll

Filesize
152KB

MD5
85b1375725843284c7987b6bad170bcc

SHA1
490e87557116cc75167044d18f50af47167df467

SHA256
36f4b8a79035b4df985dbeae8e42312a6ff74d947275ac312d5f2a3fd45b4030

SHA512
7fc14814bc06c176796c0fbab17dd2131859db35f5c53685792d8e1c0b2ca3da16af017df20b0f035ef44a10bb92c5a556e26ed1a37f16bf3ad3e7212f74d02c

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll

Filesize
276KB

MD5
e148c1132a32ccd424de346f2ffead1f

SHA1
d2eb1757293ae29ee6039d767953c85f17252915

SHA256
04e326274a3f687e7640a0219a53b7f59d61ca6e6f7320fde5d2eb7fa01290c5

SHA512
96a12bb1a6405e6d5b17b9bc0e8ac36d2bdfb5ca7a371dac7a806aa260dd24337dd6f7a9703d11196dbf77ff6b87c2e497ff07ff50fb9134e2aa61782ff2c0b9

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll

Filesize
276KB

MD5
e148c1132a32ccd424de346f2ffead1f

SHA1
d2eb1757293ae29ee6039d767953c85f17252915

SHA256
04e326274a3f687e7640a0219a53b7f59d61ca6e6f7320fde5d2eb7fa01290c5

SHA512
96a12bb1a6405e6d5b17b9bc0e8ac36d2bdfb5ca7a371dac7a806aa260dd24337dd6f7a9703d11196dbf77ff6b87c2e497ff07ff50fb9134e2aa61782ff2c0b9

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll

Filesize
276KB

MD5
e148c1132a32ccd424de346f2ffead1f

SHA1
d2eb1757293ae29ee6039d767953c85f17252915

SHA256
04e326274a3f687e7640a0219a53b7f59d61ca6e6f7320fde5d2eb7fa01290c5

SHA512
96a12bb1a6405e6d5b17b9bc0e8ac36d2bdfb5ca7a371dac7a806aa260dd24337dd6f7a9703d11196dbf77ff6b87c2e497ff07ff50fb9134e2aa61782ff2c0b9

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll

Filesize
32KB

MD5
f68ba4725d1aaf180ff33cf18d262c5e

SHA1
c80aa11dac0425dcc41e44a955036dbbb773cdc9

SHA256
dfb91bc980fd1267fb8032b0d36c72d08fca03bb723d895be481ae7d275174e4

SHA512
7aba373385f2d7a9d4bba03facc2df50bb1a644580fcfbfabab090bccc835b25c48a8432325d1bf380795e92a700e45a8615138a609e8848dc7f82c9b4cfdbc8

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll

Filesize
32KB

MD5
f68ba4725d1aaf180ff33cf18d262c5e

SHA1
c80aa11dac0425dcc41e44a955036dbbb773cdc9

SHA256
dfb91bc980fd1267fb8032b0d36c72d08fca03bb723d895be481ae7d275174e4

SHA512
7aba373385f2d7a9d4bba03facc2df50bb1a644580fcfbfabab090bccc835b25c48a8432325d1bf380795e92a700e45a8615138a609e8848dc7f82c9b4cfdbc8

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll

Filesize
32KB

MD5
f68ba4725d1aaf180ff33cf18d262c5e

SHA1
c80aa11dac0425dcc41e44a955036dbbb773cdc9

SHA256
dfb91bc980fd1267fb8032b0d36c72d08fca03bb723d895be481ae7d275174e4

SHA512
7aba373385f2d7a9d4bba03facc2df50bb1a644580fcfbfabab090bccc835b25c48a8432325d1bf380795e92a700e45a8615138a609e8848dc7f82c9b4cfdbc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\isp8553.tmp\Setup.dll

Filesize
276KB

MD5
e148c1132a32ccd424de346f2ffead1f

SHA1
d2eb1757293ae29ee6039d767953c85f17252915

SHA256
04e326274a3f687e7640a0219a53b7f59d61ca6e6f7320fde5d2eb7fa01290c5

SHA512
96a12bb1a6405e6d5b17b9bc0e8ac36d2bdfb5ca7a371dac7a806aa260dd24337dd6f7a9703d11196dbf77ff6b87c2e497ff07ff50fb9134e2aa61782ff2c0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\isp86CE.tmp\_Setup.dll

Filesize
152KB

MD5
157884f3b1a35d2dbb09ee8f83a09ce6

SHA1
d3b796b4d3b59b41f1c802497c384b6b8053e101

SHA256
8bfe91c43b96c42c6a7d264cb931085279e126a40a1e65920c8d485df8a32691

SHA512
7a0070b648e5c6441443a661fc78897662786dcd6f2c1fbb358d23fa17ce21ef85cf503224fd023e66ea963be87a1b80de2f986fe6cfe64af01ad0df1380c0b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8EF6D82D-8957-4DE8-A121-84D98D467130}\{47743903-B1C2-4491-962B-72675F50E1B1}\_IsRes.dll

Filesize
284KB

MD5
acaaba44f7cba91322b541a751bddfc5

SHA1
9a79cc84a2d0157bcaed088ae6ad48225e7be609

SHA256
c8f5527054c6de2b645a5419ee410a9f636e6f25f42a29c39ec2d6e72cfdc19e

SHA512
52c0b5fe8478d6e16a82931dca4f75fc32d436f14b51e6cd9817804e196be7801573703963048c8e831ff0bb4bdfd4dcb5bfe3fed0f3d412bf72d7c546e43633

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8EF6D82D-8957-4DE8-A121-84D98D467130}\{47743903-B1C2-4491-962B-72675F50E1B1}\isrt.dll

Filesize
364KB

MD5
e90d6b156b10a4c6e18f65b336e939c0

SHA1
f93cb622a53e032233d1d17a26af55cf46d795e8

SHA256
329ad573ab2243755b8eafc01b0247c1931b9f7ca8bdc1fc7448795714dcafb4

SHA512
4a76f73b2ad8726d3ff105cbaafe5fccc4119e1e2bea499c717c4acd504c8c31eef192ec38cdad12862aa2cefa24b3d040065b7886d1640ee8cffb33d49a3a11

Download Submit
memory/5028-151-0x0000000004C10000-0x0000000004C38000-memory.dmp

Filesize
160KB

Download
memory/5028-143-0x00000000044C0000-0x000000000457F000-memory.dmp

Filesize
764KB

Download
memory/5028-136-0x0000000004B20000-0x0000000004B66000-memory.dmp

Filesize
280KB

Download