1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac

Analysis

max time kernel
36s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Size

486KB
MD5

4cb2c42972c8f3b02e8d989ff6e25ca8
SHA1

52ef9b6324e7e34555b8418d87d04441ba88c807
SHA256

1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac
SHA512

6fce80de7b7aff75dd0dd7297a87d6f9ea95eab90d5f3d3441b8f5f190e7dc92c495a448a8892d37c5de08492573d6fd4de4eb8b2ede74f18a0b7e954b2adb9f
SSDEEP

12288:ULFU2oitpf5hCPFZYdfUUhbdObEWUMSNi6CZtlZFc:U2ztZYRUVFZyqHFc

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}\1.0\FLAGS	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}\TypeLib\Version = "1.0"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\TypeLib\ = "{d5ec8d81-d699-4585-b1f2-729e06fafbe9}"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}\1.0\0\win32	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}\1.0\FLAGS	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}\TypeLib	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\VersionIndependentProgID	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\Version\ = "1.0"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}\1.0\ = "InstallerLib"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}\ = "IBoot"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pretest.approves\ = "Inst Class"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\pretest.approves.1\CLSID	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pretest.approves.1\CLSID\ = "{80cf5b2b-867a-40d6-9703-1d3859db132c}"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pretest.approves\CurVer\ = "pretest.approves.1"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pretest.approves.1	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\Version	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\ProgID	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}\ProxyStubClsid32	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\LocalServer32	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\TypeLib	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}\1.0	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\pretest.approves	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\ProgID\ = "pretest.approves.1"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}\TypeLib	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\ProgID	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pretest.approves	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\ = "Inst Class"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\Version	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pretest.approves.1\CLSID	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}\1.0\FLAGS\ = "0"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}\ProxyStubClsid32	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}\TypeLib	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}\TypeLib\ = "{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\pretest.approves\CurVer	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}\1.0	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\Programmable	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}\ProxyStubClsid32	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\pretest.approves.1	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\LocalServer32	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\TypeLib	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}\ProxyStubClsid32	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}\1.0\0\win32	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}\TypeLib\Version = "1.0"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}\1.0\HELPDIR	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}\1.0\HELPDIR	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}\ = "IBoot"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\VersionIndependentProgID	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}\1.0\0	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EDEA770-E7CF-4A13-A19D-757C886D75FC}	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pretest.approves\CurVer	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\VersionIndependentProgID\ = "pretest.approves"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80cf5b2b-867a-40d6-9703-1d3859db132c}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe\""	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5EC8D81-D699-4585-B1F2-729E06FAFBE9}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe:typelib"	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe:typelib	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1384	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
1384	1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe

C:\Users\Admin\AppData\Local\Temp\1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe
"C:\Users\Admin\AppData\Local\Temp\1028bf20482445d16809fb25e45ea7268d8b39fe13d6579fdbca7ef660854cac.exe"
1⤵
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1384-54-0x0000000076701000-0x0000000076703000-memory.dmp

Filesize
8KB

Download
memory/1384-55-0x0000000000380000-0x0000000000475000-memory.dmp

Filesize
980KB

Download
memory/1384-56-0x0000000000380000-0x0000000000475000-memory.dmp

Filesize
980KB

Download