03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12

Analysis

max time kernel
163s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Size

1.6MB
MD5

84b11dd46200e2a33cf4ae6adc285699
SHA1

a017bbd63f16b3389153be81e5d3bc0854749de0
SHA256

03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12
SHA512

23b1ba450ba7f444c8ba99223dd1d4e8c01fb37645acad26b00fefdd06e4974c908cbf7e90397d53751264fa8c679a032f3b40b8ffdc92e393ea6c43f57daf20
SSDEEP

24576:MLAe58NVmvumzyNeXmQ9Z/ZLNUlAZlab5hDHDjRDToFvxeXAHB6:cAe58Gvn2eXmQdZTZlYfxTk6

Score

9^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	acprotect

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Adobe Flash Player"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IsInstalled = 01000000	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "9.0.124.0"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe

Loads dropped DLL 10 IoCs

pid	Process
2024	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
2024	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
2024	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
2024	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
2024	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
2024	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
2024	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
2024	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
2024	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
2024	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil9f.exe	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\install.log	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash9f.ocx	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil9f.exe	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash9f.ocx	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWow64\\Macromed\\Flash"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil9f.exe"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\ = "0"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\Content Type = "application/x-shockwave-flash"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sol\Content Type = "text/plain"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\ = "Shockwave Flash Object"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation\Enabled = "1"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "ShockwaveFlash.ShockwaveFlash"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\Content Type = "application/futuresplash"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\ = "Shockwave Flash Object"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ = "Shockwave Flash Object"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1\ = "131473"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version\ = "1.0"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\ = "MacromediaFlashPaper.MacromediaFlashPaper"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9f.exe"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\CLSID	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon\ = "\"%1\""	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer\ = "FlashFactory.FlashFactory.1"	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2024	03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe

C:\Users\Admin\AppData\Local\Temp\03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe
"C:\Users\Admin\AppData\Local\Temp\03d19c30a8d8bb99c5ebbcbc6723675807cdd2ac78e03b21db1202352c020f12.exe"
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy9763.tmp\NSISArray.dll

Filesize
17KB

MD5
2b8574f6a8f5de9042baa43c069d20ba

SHA1
07959da0c6b7715b51f70f1b0aea1f56ba7a4559

SHA256
38654eef0ee3715f4b1268f4b4176a6b487a0a9e53a27a4ec0b84550ea173564

SHA512
f034f71b6a18ee8024d40acd3c097d95c8fd8e128d75075cc452e71898c1c0322f21b54bd39ca72d053d7261ffbab0c5c1f820602d52fc85806513a6fe317e88

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9763.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9763.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9763.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9763.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9763.tmp\UserInfo.dll

Filesize
4KB

MD5
68d73a95c628836b67ea5a717d74b38c

SHA1
935372db4a66f9dfd6c938724197787688e141b0

SHA256
21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226

SHA512
0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9763.tmp\UserInfo.dll

Filesize
4KB

MD5
68d73a95c628836b67ea5a717d74b38c

SHA1
935372db4a66f9dfd6c938724197787688e141b0

SHA256
21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226

SHA512
0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

Download Submit
\Users\Admin\AppData\Local\Temp\nsy9763.tmp\fpinstall.dll

Filesize
8KB

MD5
071b6233c92f69ffa1c24243328c3b94

SHA1
bb583c00e87cdc65e6254c7148d37afc1bbb3095

SHA256
5f6c63cb0ba539d692c5461730f057d0ec6c60639d772fbdc3753c3c6e746c43

SHA512
7fc2db406350488ee86ccffe1e99a91e0f509ef0429063336bf6f96aab07127df352db77fe9d00ddc3aa2db7886dfbac08b6acf6a5c647859956111ca47c24f1

Download Submit
\Users\Admin\AppData\Local\Temp\zok95FA.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Windows\SysWOW64\Macromed\Flash\Flash9f.ocx

Filesize
2.9MB

MD5
48fdf435b8595604e54125b321924510

SHA1
e13d25bdac576e95e9134c3f95f0f8cbe94d6185

SHA256
7fcd80f7f56a841a4c5ef950afac8991da71ba9eae82f20db2954c7b4b72efd9

SHA512
86a59d83cc3d39b752b7a9c98e79b3f8fbcca66087926f026aabf5453bde83321928b77947e2aa5f625a53dafc89c0bf224daa7ce004b1851345abe93c6e83f3

Download Submit
memory/2024-56-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2024-64-0x0000000004A80000-0x0000000004EC9000-memory.dmp

Filesize
4.3MB

Download
memory/2024-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/2024-57-0x0000000001C20000-0x0000000001C93000-memory.dmp

Filesize
460KB

Download
memory/2024-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2024-70-0x0000000001C20000-0x0000000001C93000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads