9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Size

526KB
MD5

b0b795898c6a8e8184ab518694b372e5
SHA1

db69712c974e09529b3e1d020bab161b356c1d4a
SHA256

9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad
SHA512

dcdddd2e26076d141f5a4bda0f28a6a16288641720a90e518eff515045ef68157476104d6f416a6b4675eacb08fc170b2fcefb01938a8bbcbb47e3c8aca12995
SSDEEP

6144:7crgz4j8BSNXs/lCt8rBOqO/zjb82CEMKV5F1fyua8sR0sXNNfX6aK+JO5:DBSQCqTEjI2/MKVWisn6t+JW

Score

1^/10

Malware Config

Signatures

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Main.Document	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D159AB9B-2BE2-4BEC-B399-1C1063AD9197}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9E76FE~1.EXE"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A78B4CBC-9284-40EA-B3EC-1C22B98997E6}\1.0	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A78B4CBC-9284-40EA-B3EC-1C22B98997E6}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A78B4CBC-9284-40EA-B3EC-1C22B98997E6}\1.0\HELPDIR\	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FEF543F-3EC4-422A-AA81-64DDD5261CE0}\TypeLib\ = "{A78B4CBC-9284-40EA-B3EC-1C22B98997E6}"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D159AB9B-2BE2-4BEC-B399-1C1063AD9197}\InprocHandler32	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A78B4CBC-9284-40EA-B3EC-1C22B98997E6}	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FEF543F-3EC4-422A-AA81-64DDD5261CE0}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FEF543F-3EC4-422A-AA81-64DDD5261CE0}\TypeLib	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FEF543F-3EC4-422A-AA81-64DDD5261CE0}	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FEF543F-3EC4-422A-AA81-64DDD5261CE0}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FEF543F-3EC4-422A-AA81-64DDD5261CE0}\TypeLib\Version = "1.0"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Main.Document\CLSID	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A78B4CBC-9284-40EA-B3EC-1C22B98997E6}\1.0\FLAGS\ = "0"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A78B4CBC-9284-40EA-B3EC-1C22B98997E6}\1.0\0	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FEF543F-3EC4-422A-AA81-64DDD5261CE0}\ = "IMain"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Main.Document\CLSID\ = "{D159AB9B-2BE2-4BEC-B399-1C1063AD9197}"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D159AB9B-2BE2-4BEC-B399-1C1063AD9197}\InprocHandler32\ = "ole32.dll"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A78B4CBC-9284-40EA-B3EC-1C22B98997E6}\1.0\ = "Main"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A78B4CBC-9284-40EA-B3EC-1C22B98997E6}\1.0\0\win32	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FEF543F-3EC4-422A-AA81-64DDD5261CE0}\ProxyStubClsid32	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FEF543F-3EC4-422A-AA81-64DDD5261CE0}\TypeLib	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FEF543F-3EC4-422A-AA81-64DDD5261CE0}\TypeLib\ = "{A78B4CBC-9284-40EA-B3EC-1C22B98997E6}"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Main.Document\ = "Main.Document"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D159AB9B-2BE2-4BEC-B399-1C1063AD9197}	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D159AB9B-2BE2-4BEC-B399-1C1063AD9197}\ProgID	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FEF543F-3EC4-422A-AA81-64DDD5261CE0}	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D159AB9B-2BE2-4BEC-B399-1C1063AD9197}\ProgID\ = "Main.Document"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A78B4CBC-9284-40EA-B3EC-1C22B98997E6}\1.0\FLAGS	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D159AB9B-2BE2-4BEC-B399-1C1063AD9197}\ = "Main.Document"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D159AB9B-2BE2-4BEC-B399-1C1063AD9197}\LocalServer32	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A78B4CBC-9284-40EA-B3EC-1C22B98997E6}\1.0\HELPDIR	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FEF543F-3EC4-422A-AA81-64DDD5261CE0}\ = "IMain"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FEF543F-3EC4-422A-AA81-64DDD5261CE0}\TypeLib\Version = "1.0"	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FEF543F-3EC4-422A-AA81-64DDD5261CE0}\ProxyStubClsid32	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3320	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
3320	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 3268	3320	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe	81
PID 3320 wrote to memory of 3268	3320	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe	81
PID 3320 wrote to memory of 3268	3320	9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe	81

C:\Users\Admin\AppData\Local\Temp\9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe
"C:\Users\Admin\AppData\Local\Temp\9e76fea9a80b2ae5c8d6d71f42bbef6976ae3fc0c0a6b4dd43225e100a9fdbad.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del /f /q /s "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\*.txt"
  2⤵
  PID:3268

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads