8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a

Analysis

max time kernel
153s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Size

488KB
MD5

c34c87e4afe9628557ba9d7f86e7a25a
SHA1

c8d303a2f4d361d13b30035a14d12f56814d82b1
SHA256

8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a
SHA512

dfe762e6b1bfcc7ded724429197e4201089b56dd7470ff73e6f3e79fab1d50692d0704446fe30470843b8827328eb4752aca93712f6ea71a11282eaabb36212a
SSDEEP

12288:7uo44C+sf08Um+/qrp/jrSB2QiIG6CzTnTH3x2PViSCv8MfSdaNPRWP:yo44C+sf08Um+/qrp/jrSB2QiIG6CzTO

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1776	msnmsg.exe

Loads dropped DLL 7 IoCs

pid	Process
2020	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
2020	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
2020	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
2020	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
2020	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
2020	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
1776	msnmsg.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmsg = "C:\\Windows\\system\\msnmsg.exe"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	msnmsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmsg = "C:\\Windows\\system\\msnmsg.exe"	msnmsg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.ocx	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
File opened for modification	C:\Windows\SysWOW64\Bmp2Jpeg.dll	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.ocx	msnmsg.exe
File opened for modification	C:\Windows\SysWOW64\Bmp2Jpeg.dll	msnmsg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system\msnmsg.exe	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
File opened for modification	C:\Windows\system\msnmsg.exe	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
File opened for modification	C:\Windows\system\aplication.ico	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
File opened for modification	C:\Windows\system\SHELL32.dll	msnmsg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0 (SP5)"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1776	msnmsg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2020	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
1776	msnmsg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1776	2020	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe	28
PID 2020 wrote to memory of 1776	2020	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe	28
PID 2020 wrote to memory of 1776	2020	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe	28
PID 2020 wrote to memory of 1776	2020	8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe	28

C:\Users\Admin\AppData\Local\Temp\8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe
"C:\Users\Admin\AppData\Local\Temp\8682ede348acbf0dc4fcc76b9b3034704421d47e597c4f683fbbcbcf5022a78a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\system\msnmsg.exe
  C:\Windows\system\msnmsg.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bmp2Jpeg.dll

Filesize
181KB

MD5
79a23aaad184e3fbc407cb41daa2e360

SHA1
ed3039a162d4f1cce7dab4c41b5a82ac5982e26b

SHA256
5ed0ed19a158205ffb8bf2474ba3895e33f3db1318cfcda181f41b8fd432b7d6

SHA512
d3a4bc584cb9850ae4e27520e614df19bad95b1b9cc612efded955b0abb8fe881a87d0b030f9d3d26c7b87a8449ee527ea156e68ac47395dbbb090e949351467

Download Submit
C:\Windows\SysWOW64\MSWINSCK.ocx

Filesize
106KB

MD5
3d8fd62d17a44221e07d5c535950449b

SHA1
6c9d2ecdd7c2d1b9660d342e2b95a82229486d27

SHA256
eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09

SHA512
501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

Download Submit
C:\Windows\system\msnmsg.exe

Filesize
488KB

MD5
dfb02ebf1b1245e534d3c4479596a004

SHA1
393bbbd0c4fb9218fa6bd6dd4d9d87a53ee0ad89

SHA256
7aeb277da73819e66aa3340d02d4283c2f112ed2def92f89d61b764e404c3ed9

SHA512
1b7b82eb774d64d6746ea0ebad779741b1b3aff828d645987b20ba6ec3c34c9960cd783055ad31c141ffdbfab50d6b65a2f0752e7bd0ec5a075f7118f01e4ebe

Download Submit
\Windows\SysWOW64\MSWINSCK.ocx

Filesize
106KB

MD5
3d8fd62d17a44221e07d5c535950449b

SHA1
6c9d2ecdd7c2d1b9660d342e2b95a82229486d27

SHA256
eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09

SHA512
501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

Download Submit
\Windows\SysWOW64\MSWINSCK.ocx

Filesize
106KB

MD5
3d8fd62d17a44221e07d5c535950449b

SHA1
6c9d2ecdd7c2d1b9660d342e2b95a82229486d27

SHA256
eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09

SHA512
501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

Download Submit
\Windows\SysWOW64\MSWINSCK.ocx

Filesize
106KB

MD5
3d8fd62d17a44221e07d5c535950449b

SHA1
6c9d2ecdd7c2d1b9660d342e2b95a82229486d27

SHA256
eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09

SHA512
501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

Download Submit
\Windows\SysWOW64\MSWINSCK.ocx

Filesize
106KB

MD5
3d8fd62d17a44221e07d5c535950449b

SHA1
6c9d2ecdd7c2d1b9660d342e2b95a82229486d27

SHA256
eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09

SHA512
501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

Download Submit
\Windows\SysWOW64\MSWINSCK.ocx

Filesize
106KB

MD5
3d8fd62d17a44221e07d5c535950449b

SHA1
6c9d2ecdd7c2d1b9660d342e2b95a82229486d27

SHA256
eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09

SHA512
501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

Download Submit
\Windows\system\msnmsg.exe

Filesize
488KB

MD5
dfb02ebf1b1245e534d3c4479596a004

SHA1
393bbbd0c4fb9218fa6bd6dd4d9d87a53ee0ad89

SHA256
7aeb277da73819e66aa3340d02d4283c2f112ed2def92f89d61b764e404c3ed9

SHA512
1b7b82eb774d64d6746ea0ebad779741b1b3aff828d645987b20ba6ec3c34c9960cd783055ad31c141ffdbfab50d6b65a2f0752e7bd0ec5a075f7118f01e4ebe

Download Submit
\Windows\system\msnmsg.exe

Filesize
488KB

MD5
dfb02ebf1b1245e534d3c4479596a004

SHA1
393bbbd0c4fb9218fa6bd6dd4d9d87a53ee0ad89

SHA256
7aeb277da73819e66aa3340d02d4283c2f112ed2def92f89d61b764e404c3ed9

SHA512
1b7b82eb774d64d6746ea0ebad779741b1b3aff828d645987b20ba6ec3c34c9960cd783055ad31c141ffdbfab50d6b65a2f0752e7bd0ec5a075f7118f01e4ebe

Download Submit