bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752

Analysis

max time kernel
19s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 08:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Size

680KB
MD5

7412345b598bf933863ccd25af2881cc
SHA1

371fc394fcc2449c67f6ad36d1320fc4d0b7e386
SHA256

bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752
SHA512

cc7db15e6d582f3a7191162dc8ac76ec5088472a999b60b9da958a28c81b79b746c6eaa19e7741177401c03b4f628d88e781784a363e3c3c58b7acacf9a0a349
SSDEEP

12288:4Mff5DK2p3XYZe0mEjnzMugNVYwHtoBKc6cGfH9cy2GPzTo0bikahfS0:4M5HpueNa1IFtPcA2ynlx0

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe\" -noconnect"	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe\""	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "mIRC"	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe\""	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe\" -noconnect"	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "mIRC"	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1128	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
1128	bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe

C:\Users\Admin\AppData\Local\Temp\bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe
"C:\Users\Admin\AppData\Local\Temp\bfa74162df0b622d50dce1504f436792df5bafa8dba41f02cab34171daf31752.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1128-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1128-55-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1128-56-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download