Analysis
max time kernel: 45s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 21:22
Static task: static1
Behavioral task: behavioral1
  Sample: 194e44e97e035f14328c3554a161b3acc524bb43737be4ab3c7e8c1815a9ed97.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 194e44e97e035f14328c3554a161b3acc524bb43737be4ab3c7e8c1815a9ed97.exe
  Resource: win10v2004-20220812-en
General
Target: 194e44e97e035f14328c3554a161b3acc524bb43737be4ab3c7e8c1815a9ed97.exe
Size: 397KB
MD5: b7a516168f609affb770595b12aa73aa
SHA1: eb4cc9682e8b3b1fdc233b5159f72364d0fe7af5
SHA256: 194e44e97e035f14328c3554a161b3acc524bb43737be4ab3c7e8c1815a9ed97
SHA512: ee6b518081a481c9a2b080f9f94aa67e8bb17f5ac7347dcf63252f7387fabc12d8a94397f0b8014df6b4fb42101170dc6fea58f41e885d268e50d1f5191db425
SSDEEP: 6144:N46j0bE9UUFAVKZqWLm1uMwP+eEZsf7pZeNyWj8eCj4BOi3jx9:N9j+E9UgqW6ZsfDoyQCj4YQl9
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
Processes:
  resource: \Users\Admin\AppData\Local\Temp\vck1BDB.tmp
  yara_rule: acprotect
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "Microsoft Windows Media Player 12.0"
  process: 194e44e97e035f14328c3554a161b3acc524bb43737be4ab3c7e8c1815a9ed97.exe
Loads dropped DLL (1 IoC)
Processes:
  pid: 1324
  process: 194e44e97e035f14328c3554a161b3acc524bb43737be4ab3c7e8c1815a9ed97.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes:
  description: Key created
  ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
  process: 194e44e97e035f14328c3554a161b3acc524bb43737be4ab3c7e8c1815a9ed97.exe
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Compatibility Flags = "32"
  process: 194e44e97e035f14328c3554a161b3acc524bb43737be4ab3c7e8c1815a9ed97.exe
Modifies registry class (64 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid: 1324
  process: 194e44e97e035f14328c3554a161b3acc524bb43737be4ab3c7e8c1815a9ed97.exe
Processes
C:\Users\Admin\AppData\Local\Temp\194e44e97e035f14328c3554a161b3acc524bb43737be4ab3c7e8c1815a9ed97.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\194e44e97e035f14328c3554a161b3acc524bb43737be4ab3c7e8c1815a9ed97.exe"
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 1324
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 172KB
MD5: 685f1cbd4af30a1d0c25f252d399a666
SHA1: 6a1b978f5e6150b88c8634146f1406ed97d2f134
SHA256: 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA512: 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9