14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f

Analysis

max time kernel
134s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
Size

3.2MB
MD5

9da4d34c63790562fcf7258515d05c45
SHA1

70825648789314017e7557bb14eb84ccdf10a379
SHA256

14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f
SHA512

bbcfe8453c9df563a0cd46a8ee5a699d838e29e3788359845730a0ac7a648b24ef8c38313cb829fd999c10832494177933a8a97fa81a3bcec5f0423c5dc13857
SSDEEP

98304:K1DofoRV6Jt/rDMUNAv7kTfuX48HPcC2P6Cd6cpxujdf:K1EfoKkXv7No6cpMj

Score

9^/10

bootkit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000139db-72.dat	acprotect
behavioral1/files/0x00070000000139db-73.dat	acprotect
behavioral1/files/0x0007000000013a03-74.dat	acprotect
behavioral1/files/0x00070000000139db-80.dat	acprotect

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1652-56-0x0000000000400000-0x0000000000BB2000-memory.dmp	upx
behavioral1/memory/1652-57-0x0000000000400000-0x0000000000BB2000-memory.dmp	upx
behavioral1/files/0x00070000000139db-72.dat	upx
behavioral1/files/0x00070000000139db-73.dat	upx
behavioral1/files/0x0007000000013a03-74.dat	upx
behavioral1/memory/1652-75-0x0000000010000000-0x00000000100CA000-memory.dmp	upx
behavioral1/files/0x00070000000139db-80.dat	upx
behavioral1/memory/1652-81-0x0000000008500000-0x0000000008636000-memory.dmp	upx

Loads dropped DLL 8 IoCs

pid	Process
956	regsvr32.exe
1712	regsvr32.exe
876	regsvr32.exe
560	regsvr32.exe
1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl\ = "Microsoft ImageList Control 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF953-8592-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tools\\COMDLG32.OCX"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3F-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}\ = "IImageList"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\MiscStatus\1\ = "237969"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip\CurVer\ = "MSComctlLib.TabStrip.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE39-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tools\\MSCOMCTL.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FED-8583-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\ = "DSO Framer Control Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\TypeLib\Version = "1.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE42-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\ = "Microsoft Rich Textbox Control 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}\ = "ITreeViewEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl\CLSID\ = "{8E3867A3-8586-11D1-B16A-00C0F0283628}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CurVer\ = "MSComDlg.CommonDialog.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ = "ICommonDialog"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\ = "IControls"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\TypeLib\Version = "2.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tools\\MSCOMCTL.OCX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A2-8586-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3D-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE9-8583-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\ = "Microsoft ImageComboBox Control 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Version	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
Token: SeIncBasePriorityPrivilege	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
Token: 33	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
Token: SeIncBasePriorityPrivilege	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 956	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	27
PID 1652 wrote to memory of 956	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	27
PID 1652 wrote to memory of 956	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	27
PID 1652 wrote to memory of 956	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	27
PID 1652 wrote to memory of 956	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	27
PID 1652 wrote to memory of 956	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	27
PID 1652 wrote to memory of 956	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	27
PID 1652 wrote to memory of 1712	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	28
PID 1652 wrote to memory of 1712	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	28
PID 1652 wrote to memory of 1712	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	28
PID 1652 wrote to memory of 1712	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	28
PID 1652 wrote to memory of 1712	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	28
PID 1652 wrote to memory of 1712	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	28
PID 1652 wrote to memory of 1712	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	28
PID 1652 wrote to memory of 876	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	29
PID 1652 wrote to memory of 876	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	29
PID 1652 wrote to memory of 876	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	29
PID 1652 wrote to memory of 876	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	29
PID 1652 wrote to memory of 876	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	29
PID 1652 wrote to memory of 876	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	29
PID 1652 wrote to memory of 876	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	29
PID 1652 wrote to memory of 560	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	30
PID 1652 wrote to memory of 560	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	30
PID 1652 wrote to memory of 560	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	30
PID 1652 wrote to memory of 560	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	30
PID 1652 wrote to memory of 560	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	30
PID 1652 wrote to memory of 560	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	30
PID 1652 wrote to memory of 560	1652	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	30

C:\Users\Admin\AppData\Local\Temp\14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
"C:\Users\Admin\AppData\Local\Temp\14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\tools\COMDLG32.OCX
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:956
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\tools\MSCOMCTL.OCX
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1712
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\tools\RICHTX32.OCX
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:876
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\tools\MYEDITOR.OCX
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tools\COMDLG32.OCX

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\MSCOMCTL.OCX

Filesize
1.0MB

MD5
d268668751ee22997d7ef1417034cb04

SHA1
d8a87438ab0df47fe252b06162a986399cafffe1

SHA256
fac6736251d3c61ecbd63be0420d1c75d5cd0442181d479013330155ca37d358

SHA512
75f40cc8c92e3fcdd381669f6aa0bf1e76ee6fec0c5cbf53ea0bbfbff199ac7229fc1405f737420badd24f438b49b8d2eed2bb0f3fad0bf8a974f54bd6964a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\MYEDITOR.OCX

Filesize
357KB

MD5
bcf2dee897b7c803edcc047c57ed0f47

SHA1
d7d59159cb0fc52ea081a063c6442e117db31a0d

SHA256
484b5c43ed301edd61a738089e500a48203858a42478a3a610ad0009c9899384

SHA512
f1d4bb36ed468fdd65afea692f43852f3aac00774c5fa114036458f2c5cee3362df785943ff852f652ec368d713b995bb5193852549634da1892d366a5b61c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\RICHTX32.OCX

Filesize
207KB

MD5
045a16822822426c305ea7280270a3d6

SHA1
43075b6696bb2d2f298f263971d4d3e48aa4f561

SHA256
318cc48cbcfaba9592956e4298886823cc5f37626c770d6dadbcd224849680c5

SHA512
5a042ff0a05421fb01e0a95a8b62f3ce81f90330daed78f09c7d5d2abcb822a2fe99d00494c3ddd96226287fae51367e264b48b2831a8c080916ce18c0a675fa

Download Submit
\Users\Admin\AppData\Local\Temp\tools\COMDLG32.OCX

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
\Users\Admin\AppData\Local\Temp\tools\COMDLG32.OCX

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
\Users\Admin\AppData\Local\Temp\tools\MSCOMCTL.OCX

Filesize
1.0MB

MD5
d268668751ee22997d7ef1417034cb04

SHA1
d8a87438ab0df47fe252b06162a986399cafffe1

SHA256
fac6736251d3c61ecbd63be0420d1c75d5cd0442181d479013330155ca37d358

SHA512
75f40cc8c92e3fcdd381669f6aa0bf1e76ee6fec0c5cbf53ea0bbfbff199ac7229fc1405f737420badd24f438b49b8d2eed2bb0f3fad0bf8a974f54bd6964a34

Download Submit
\Users\Admin\AppData\Local\Temp\tools\MYEDITOR.OCX

Filesize
357KB

MD5
bcf2dee897b7c803edcc047c57ed0f47

SHA1
d7d59159cb0fc52ea081a063c6442e117db31a0d

SHA256
484b5c43ed301edd61a738089e500a48203858a42478a3a610ad0009c9899384

SHA512
f1d4bb36ed468fdd65afea692f43852f3aac00774c5fa114036458f2c5cee3362df785943ff852f652ec368d713b995bb5193852549634da1892d366a5b61c28

Download Submit
\Users\Admin\AppData\Local\Temp\tools\MYEDITOR.OCX

Filesize
357KB

MD5
bcf2dee897b7c803edcc047c57ed0f47

SHA1
d7d59159cb0fc52ea081a063c6442e117db31a0d

SHA256
484b5c43ed301edd61a738089e500a48203858a42478a3a610ad0009c9899384

SHA512
f1d4bb36ed468fdd65afea692f43852f3aac00774c5fa114036458f2c5cee3362df785943ff852f652ec368d713b995bb5193852549634da1892d366a5b61c28

Download Submit
\Users\Admin\AppData\Local\Temp\tools\RICHTX32.OCX

Filesize
207KB

MD5
045a16822822426c305ea7280270a3d6

SHA1
43075b6696bb2d2f298f263971d4d3e48aa4f561

SHA256
318cc48cbcfaba9592956e4298886823cc5f37626c770d6dadbcd224849680c5

SHA512
5a042ff0a05421fb01e0a95a8b62f3ce81f90330daed78f09c7d5d2abcb822a2fe99d00494c3ddd96226287fae51367e264b48b2831a8c080916ce18c0a675fa

Download Submit
\Users\Admin\AppData\Local\Temp\tools\RICHTX32.OCX

Filesize
207KB

MD5
045a16822822426c305ea7280270a3d6

SHA1
43075b6696bb2d2f298f263971d4d3e48aa4f561

SHA256
318cc48cbcfaba9592956e4298886823cc5f37626c770d6dadbcd224849680c5

SHA512
5a042ff0a05421fb01e0a95a8b62f3ce81f90330daed78f09c7d5d2abcb822a2fe99d00494c3ddd96226287fae51367e264b48b2831a8c080916ce18c0a675fa

Download Submit
\Users\Admin\AppData\Local\Temp\tools\skinh_vb6.dll

Filesize
136KB

MD5
cdec482c5149f0cce5546ef506ea033b

SHA1
4ed383e7c9b648d90a9b73b8e690774fd6a7c0c1

SHA256
0089d7ec375ad3852fddb306ff14bd2c195ad667c5f1553a4e19258546c16671

SHA512
eee60bbd1070d33114685d279287b31b8e9d9fd88cdeed0e9eaa153383d4221b2796f32bf9ea33c2ee1d57534801c72f4c887ef927352344ab5b25e24e734846

Download Submit
memory/956-59-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/1652-57-0x0000000000400000-0x0000000000BB2000-memory.dmp

Filesize
7.7MB

Download
memory/1652-56-0x0000000000400000-0x0000000000BB2000-memory.dmp

Filesize
7.7MB

Download
memory/1652-75-0x0000000010000000-0x00000000100CA000-memory.dmp

Filesize
808KB

Download
memory/1652-81-0x0000000008500000-0x0000000008636000-memory.dmp

Filesize
1.2MB

Download