58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f

Analysis

max time kernel
187s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Size

392KB
MD5

a325f38538ebeed4e980b6664a5e4c4e
SHA1

1c24415cc529e61e7036609c992f2f38eb99aa16
SHA256

58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f
SHA512

e3b10290296fab701656767c92f55b56a20bf1d050d56195aa876ba0b7c205cde7ab7f9d17b92b21224909bdf00024fe76e000407539c06a961ca1addfb88a30
SSDEEP

6144:FwalwseW0StDNY5nf4/zn3pjo0MfC4jaL/rGnn+aCyIK3ccnMxjiziQP5BfSF:dlwfytM4rnq0Utja+nW1K3DnsGr3U

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4176	wininit.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4156-136-0x0000000000830000-0x0000000000840000-memory.dmp	upx
behavioral2/memory/4156-138-0x0000000000830000-0x0000000000840000-memory.dmp	upx
behavioral2/memory/4176-147-0x00000000006B0000-0x00000000006C0000-memory.dmp	upx
behavioral2/memory/4156-149-0x0000000000830000-0x0000000000840000-memory.dmp	upx
behavioral2/memory/4176-151-0x00000000006B0000-0x00000000006C0000-memory.dmp	upx
behavioral2/memory/4176-153-0x00000000006B0000-0x00000000006C0000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
4156	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FBB2D41-07DF-18F5-C84C-BB4D81779EE1}\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FBB2D41-07DF-18F5-C84C-BB4D81779EE1}\1.0	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FBB2D41-07DF-18F5-C84C-BB4D81779EE1}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\imapi2fs.dll"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FBB2D41-07DF-18F5-C84C-BB4D81779EE1}\1.0\FLAGS	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}\TypeLib	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}\VersionIndependentProgID	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	wininit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	wininit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}\ProgID\ = "OneNote.IEAddin.LinkedNotes.14"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FBB2D41-07DF-18F5-C84C-BB4D81779EE1}	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FBB2D41-07DF-18F5-C84C-BB4D81779EE1}\1.0\FLAGS\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}\TypeLib\ = "{1FBB2D41-07DF-18F5-C84C-BB4D81779EE1}"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}\VersionIndependentProgID\ = "OneNote.IEAddin.LinkedNotes"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}\InprocServer32\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}\ProgID	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FBB2D41-07DF-18F5-C84C-BB4D81779EE1}\1.0\0\win64\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}\TypeLib\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FBB2D41-07DF-18F5-C84C-BB4D81779EE1}\1.0\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FBB2D41-07DF-18F5-C84C-BB4D81779EE1}\1.0\0\win64	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FBB2D41-07DF-18F5-C84C-BB4D81779EE1}\1.0\0\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FBB2D41-07DF-18F5-C84C-BB4D81779EE1}\1.0\FLAGS\ = "0"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}\ProgID\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}\Programmable	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FBB2D41-07DF-18F5-C84C-BB4D81779EE1}\1.0\ = "Microsoft IMAPI2 File System Image Creator"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FBB2D41-07DF-18F5-C84C-BB4D81779EE1}\1.0\0	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}\ = "Cawode Object"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}\InprocServer32	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIELinkedNotes.dll"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}\Programmable\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B053687D-5777-48DB-7CA0-D889E9491FDB}\VersionIndependentProgID\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4156	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
4156	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
4156	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
4156	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe
4176	wininit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 4152	4156	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe	79
PID 4156 wrote to memory of 4152	4156	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe	79
PID 4156 wrote to memory of 4152	4156	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe	79
PID 4156 wrote to memory of 4176	4156	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe	81
PID 4156 wrote to memory of 4176	4156	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe	81
PID 4156 wrote to memory of 4176	4156	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe	81
PID 4176 wrote to memory of 4008	4176	wininit.exe	82
PID 4176 wrote to memory of 4008	4176	wininit.exe	82
PID 4176 wrote to memory of 4008	4176	wininit.exe	82

C:\Users\Admin\AppData\Local\Temp\58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
"C:\Users\Admin\AppData\Local\Temp\58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\SysWOW64\cmd.exe
  cmd
  2⤵
  PID:4152
- C:\Users\Admin\AppData\Local\Temp\wininit.exe
  C:\Users\Admin\AppData\Local\Temp\wininit.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    PID:4008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\netscape.dll

Filesize
10KB

MD5
28a57355d9583b66e51ad978384c159e

SHA1
b8fe4ddb6187cdee0e89c02bab4a104f406d16da

SHA256
81ed76156df0de1caae6730a091f29978493881b54a2d6fbfb43c47153b6fadd

SHA512
991a288ed0f033eb8f54e567a6264a6111f795bd61a1cd600e210730d7ed39c89e735480dc6f0e4026eafad730ae8dc23ec7bc7600a14a2ac9d652638c02ee3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\netscape.dll

Filesize
10KB

MD5
28a57355d9583b66e51ad978384c159e

SHA1
b8fe4ddb6187cdee0e89c02bab4a104f406d16da

SHA256
81ed76156df0de1caae6730a091f29978493881b54a2d6fbfb43c47153b6fadd

SHA512
991a288ed0f033eb8f54e567a6264a6111f795bd61a1cd600e210730d7ed39c89e735480dc6f0e4026eafad730ae8dc23ec7bc7600a14a2ac9d652638c02ee3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
392KB

MD5
a325f38538ebeed4e980b6664a5e4c4e

SHA1
1c24415cc529e61e7036609c992f2f38eb99aa16

SHA256
58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f

SHA512
e3b10290296fab701656767c92f55b56a20bf1d050d56195aa876ba0b7c205cde7ab7f9d17b92b21224909bdf00024fe76e000407539c06a961ca1addfb88a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
392KB

MD5
a325f38538ebeed4e980b6664a5e4c4e

SHA1
1c24415cc529e61e7036609c992f2f38eb99aa16

SHA256
58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f

SHA512
e3b10290296fab701656767c92f55b56a20bf1d050d56195aa876ba0b7c205cde7ab7f9d17b92b21224909bdf00024fe76e000407539c06a961ca1addfb88a30

Download Submit
memory/4156-137-0x0000000000810000-0x0000000000821000-memory.dmp

Filesize
68KB

Download
memory/4156-138-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/4156-132-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4156-136-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/4156-148-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4156-149-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/4156-133-0x0000000000810000-0x0000000000821000-memory.dmp

Filesize
68KB

Download
memory/4176-143-0x0000000000690000-0x00000000006A1000-memory.dmp

Filesize
68KB

Download
memory/4176-147-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/4176-150-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4176-151-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/4176-153-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download