6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b

General

Target

6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Size

471KB
MD5

25892ea00e7495810a766fbe47b70c94
SHA1

6b5e9174d9416a9cf9d9df9fb427d307fb504cfa
SHA256

6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b
SHA512

b9335ce8ffcb79454b8c199b9c4e7a89b955d9f4eafa85715c183dd0ff2acec4ff881ec57811ed5ff28d284c301846515b7ab75deaa004607e998f1befdfa833
SSDEEP

12288:NRI+MKzQ6ryInvu23sQZtHW1K3Dnsvm6DrY7M:TIQQ6ryInGqsQZtHW4DsbnYw

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

wininit.exe

pid process

5044 wininit.exe

pid	process
5044	wininit.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1664-136-0x0000000000640000-0x0000000000650000-memory.dmp	upx
behavioral2/memory/1664-137-0x0000000000640000-0x0000000000650000-memory.dmp	upx
behavioral2/memory/5044-145-0x0000000002150000-0x0000000002160000-memory.dmp	upx
behavioral2/memory/5044-149-0x0000000002150000-0x0000000002160000-memory.dmp	upx
behavioral2/memory/1664-151-0x0000000000640000-0x0000000000650000-memory.dmp	upx
behavioral2/memory/5044-153-0x0000000002150000-0x0000000002160000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe

pid process

1664 6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3416 1664 WerFault.exe 6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe

pid	pid_target	process	target process
3416	1664	WerFault.exe	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe

Modifies registry class 39 IoCs

Processes:

6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exewininit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\InprocServer32\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}\1.0\0\win32\ = "%systemroot%\\SysWow64\\wkspbroker.exe"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\VersionIndependentProgID	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\Version\ = "5.4"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	wininit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\InprocServer32\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\ProgID	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\ProgID\ = "SAPI.SpMMAudioIn.1"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}\1.0	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}\1.0\FLAGS\ = "0"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}\1.0\HELPDIR\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}\1.0\HELPDIR\ = "%systemroot%\\system32"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\Version\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\VersionIndependentProgID\ = "SAPI.SpMMAudioIn"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}\1.0\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\TypeLib\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\ProgID\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}\1.0\0	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}\1.0\FLAGS\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}\1.0\FLAGS	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}\1.0\HELPDIR	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\ = "Ivepop.Daxele.Nizado Object"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}\1.0\ = "wkspbrokerLib"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}\1.0\0\win32\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\TypeLib	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\TypeLib\ = "{1FD84AB6-4085-4979-623F-235CE00B5CA2}"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\VersionIndependentProgID\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\InprocServer32	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}\1.0\0\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FD84AB6-4085-4979-623F-235CE00B5CA2}\1.0\0\win32	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99BD967A-3024-4444-92AB-7E865A2CF180}\Version	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exewininit.exe

pid	process
1664	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
1664	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
1664	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
1664	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe
5044	wininit.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe

description	pid	process	target process
PID 1664 wrote to memory of 5044	1664	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	wininit.exe
PID 1664 wrote to memory of 5044	1664	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	wininit.exe
PID 1664 wrote to memory of 5044	1664	6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe	wininit.exe

C:\Users\Admin\AppData\Local\Temp\6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe
"C:\Users\Admin\AppData\Local\Temp\6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\wininit.exe
  C:\Users\Admin\AppData\Local\Temp\wininit.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 860
  2⤵
  - Program crash
  PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1664 -ip 1664
1⤵
PID:5080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kernel45.dll

Filesize
10KB

MD5
28a57355d9583b66e51ad978384c159e

SHA1
b8fe4ddb6187cdee0e89c02bab4a104f406d16da

SHA256
81ed76156df0de1caae6730a091f29978493881b54a2d6fbfb43c47153b6fadd

SHA512
991a288ed0f033eb8f54e567a6264a6111f795bd61a1cd600e210730d7ed39c89e735480dc6f0e4026eafad730ae8dc23ec7bc7600a14a2ac9d652638c02ee3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
471KB

MD5
25892ea00e7495810a766fbe47b70c94

SHA1
6b5e9174d9416a9cf9d9df9fb427d307fb504cfa

SHA256
6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b

SHA512
b9335ce8ffcb79454b8c199b9c4e7a89b955d9f4eafa85715c183dd0ff2acec4ff881ec57811ed5ff28d284c301846515b7ab75deaa004607e998f1befdfa833

Download Submit
C:\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
471KB

MD5
25892ea00e7495810a766fbe47b70c94

SHA1
6b5e9174d9416a9cf9d9df9fb427d307fb504cfa

SHA256
6af1df80b7cdcafb966cf1486a9d3cb098769cb59a58b42e097ea9742691df5b

SHA512
b9335ce8ffcb79454b8c199b9c4e7a89b955d9f4eafa85715c183dd0ff2acec4ff881ec57811ed5ff28d284c301846515b7ab75deaa004607e998f1befdfa833

Download Submit
memory/1664-146-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/1664-133-0x0000000000610000-0x0000000000621000-memory.dmp

Filesize
68KB

Download
memory/1664-134-0x0000000000610000-0x0000000000621000-memory.dmp

Filesize
68KB

Download
memory/1664-136-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/1664-137-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/1664-151-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/1664-150-0x0000000000610000-0x0000000000621000-memory.dmp

Filesize
68KB

Download
memory/1664-132-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/1664-147-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/5044-143-0x0000000002130000-0x0000000002141000-memory.dmp

Filesize
68KB

Download
memory/5044-145-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/5044-149-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/5044-148-0x0000000002130000-0x0000000002141000-memory.dmp

Filesize
68KB

Download
memory/5044-142-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/5044-138-0x0000000000000000-mapping.dmp

Download
memory/5044-152-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/5044-153-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads