d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7

Analysis

max time kernel
101s
max time network
134s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Size

183KB
MD5

da7f28a346445f10e95c6cf46c12e875
SHA1

e5f981e70068151efe769173b9ca96909916eefb
SHA256

d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7
SHA512

e50d276689235c2621980cd6845fdca87c2981814fcca61420d60c29aea7d4a44fdc54c2de0a19443070c6e8651a15f4b5f2499ecb285d753a3bbf75ad6de058
SSDEEP

3072:ggXdZt9P6D3XJE45iOPsNzQ6cu5xvByDNqioZItk6C0UYo6wGBKYSA1sNzQ9:ge34+NOPsN0u5nyEi4tx0UYo6wG/sNa

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1292	Shop_Matching.exe

Loads dropped DLL 7 IoCs

pid	Process
956	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
956	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
956	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
956	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
1292	Shop_Matching.exe
1292	Shop_Matching.exe
1292	Shop_Matching.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Shop_Matching = "C:\\Program Files (x86)\\Shop_Matching\\Shop_Matching.exe"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Shop_Matching\Shop_Matching.dll	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
File created	C:\Program Files (x86)\Shop_Matching\UninstShop_Matching.exe	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
File created	C:\Program Files (x86)\Shop_Matching\Shop_Matching.exe	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{821E6121-78EE-11ED-8965-5263E908E3CD} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0cf5f66fb0cd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000941e7bbaea3ba61bcd6156c1b4e02322934f35afdd009c2ddcc1e71cfc6736d6000000000e8000000002000020000000b0959d84b8e59062c050695029d6e64b4ed41d27aadcb4be73c4bda61fe97c4120000000f353138fd186aa3988ce1d70ae72c485344183e3a92d8bab516982588e6e238340000000a52519310af793ea210f1059868820bd04a76bdc4baf7eacb17624db5f084f571f25c8998e4d41305de1b0f2f6961748acf1f9789ec7759965330e5e43f825e1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{51990B59-E2B7-45ca-817A-26026CD36437}	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{51990B59-E2B7-45ca-817A-26026CD36437}\BarSize = da00000001000000	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Explorer Bars	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000de55c6e48989b3b0d3197957001738ec790a85ea7c2dbb23f497e4f7f7c5dded000000000e8000000002000020000000542a2bee7478c16f2d32ed4958884710d69fb407c40aae805d208aec45cd72e090000000f9d90ed043be5cb717168fa76531ae9e4b24354f0d964a59dd8bdfc3923fe13f186675e55e1625847767e85c9ff3a018fea23b84e32f2f94b736c8a7b2bb1c39e528245c75bd45a637bfe95daa04538f774f99c703bf5cdb545745cece6374de09b3455f4094760d2e3a5c518727c58130fa822489498e2306d0ae8b033b768e72fb607fe2356accfaef2d2d950309de40000000ceb449e0b88c1617d9d825fd9f9f7db284516f46b415aa355809d59c3441a17d45bfa335c483c3d03f21ed4a1d92cc69715f903ce592cd5fb9cf9c7cae8c3786	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77DDDE9F-ABE4-41d7-8EFD-97AAA7B12DEF}\InprocServer32\ = "C:\\Program Files (x86)\\Shop_Matching\\Shop_Matching.dll"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B49F1852-8579-4A40-BBF6-B2A37290F301}\ = "ISideLinkBand"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{41914E06-CC40-4969-9D22-79408AE14509}	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41914E06-CC40-4969-9D22-79408AE14509}	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dll_Shop_Matching.SideLinkBand.1\CLSID\ = "{51990B59-E2B7-45ca-817A-26026CD36437}"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77DDDE9F-ABE4-41d7-8EFD-97AAA7B12DEF}\TypeLib\ = "{0C0FBB52-0270-4244-A59E-9882B604D752}"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C0FBB52-0270-4244-A59E-9882B604D752}\1.0\FLAGS\ = "0"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B49F1852-8579-4A40-BBF6-B2A37290F301}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41914E06-CC40-4969-9D22-79408AE14509}\ = "IUISideLinkBand"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D065CBD-1D82-4B63-81E4-25CCBB6D4E6E}\TypeLib	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dll_Shop_Matching.SideLinkBand.1\ = "Shop_Matching"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dll_Shop_Matching.SideLinkBand	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51990B59-E2B7-45ca-817A-26026CD36437}	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51990B59-E2B7-45ca-817A-26026CD36437}\ = "Shop_Matching"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C0FBB52-0270-4244-A59E-9882B604D752}\1.0\ = "Dll_utildown_shop 1.0 Type Library"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D065CBD-1D82-4B63-81E4-25CCBB6D4E6E}\ = "IURLEncode"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dll_Shop_Matching.SideLinkBand.1	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77DDDE9F-ABE4-41d7-8EFD-97AAA7B12DEF}\ProgID\ = "Dll_Shop_Matching.UISideLinkBand.1"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C0FBB52-0270-4244-A59E-9882B604D752}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Shop_Matching\\"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B49F1852-8579-4A40-BBF6-B2A37290F301}\TypeLib\Version = "1.0"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D065CBD-1D82-4B63-81E4-25CCBB6D4E6E}\TypeLib\ = "{0C0FBB52-0270-4244-A59E-9882B604D752}"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D065CBD-1D82-4B63-81E4-25CCBB6D4E6E}	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D065CBD-1D82-4B63-81E4-25CCBB6D4E6E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D065CBD-1D82-4B63-81E4-25CCBB6D4E6E}\TypeLib	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dll_Shop_Matching.SideLinkBand\ = "Shop_Matching"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dll_Shop_Matching.UISideLinkBand\CurVer\ = "Dll_Shop_Matching.UISideLinkBand.1"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B49F1852-8579-4A40-BBF6-B2A37290F301}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B49F1852-8579-4A40-BBF6-B2A37290F301}\ProxyStubClsid32	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B49F1852-8579-4A40-BBF6-B2A37290F301}\TypeLib\ = "{0C0FBB52-0270-4244-A59E-9882B604D752}"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41914E06-CC40-4969-9D22-79408AE14509}\ProxyStubClsid32	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D065CBD-1D82-4B63-81E4-25CCBB6D4E6E}\TypeLib\Version = "1.0"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C0FBB52-0270-4244-A59E-9882B604D752}\1.0\0	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{41914E06-CC40-4969-9D22-79408AE14509}\TypeLib\Version = "1.0"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51990B59-E2B7-45ca-817A-26026CD36437}\Instance	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51990B59-E2B7-45ca-817A-26026CD36437}\Instance\CLSID = "{4D5C8C2A-D075-11d0-B416-00C04FB90376}"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77DDDE9F-ABE4-41d7-8EFD-97AAA7B12DEF}\TypeLib	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D065CBD-1D82-4B63-81E4-25CCBB6D4E6E}\TypeLib\ = "{0C0FBB52-0270-4244-A59E-9882B604D752}"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77DDDE9F-ABE4-41d7-8EFD-97AAA7B12DEF}	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77DDDE9F-ABE4-41d7-8EFD-97AAA7B12DEF}\VersionIndependentProgID\ = "Dll_Shop_Matching.UISideLinkBand"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B49F1852-8579-4A40-BBF6-B2A37290F301}\ProxyStubClsid32	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B49F1852-8579-4A40-BBF6-B2A37290F301}\TypeLib\ = "{0C0FBB52-0270-4244-A59E-9882B604D752}"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B49F1852-8579-4A40-BBF6-B2A37290F301}	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B49F1852-8579-4A40-BBF6-B2A37290F301}\TypeLib	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41914E06-CC40-4969-9D22-79408AE14509}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D065CBD-1D82-4B63-81E4-25CCBB6D4E6E}\ProxyStubClsid32	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51990B59-E2B7-45ca-817A-26026CD36437}\Instance\InitPropertyBag	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dll_Shop_Matching.UISideLinkBand.1\ = "UISideLinkBand Class"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dll_Shop_Matching.UISideLinkBand.1\CLSID\ = "{77DDDE9F-ABE4-41d7-8EFD-97AAA7B12DEF}"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77DDDE9F-ABE4-41d7-8EFD-97AAA7B12DEF}\ProgID	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77DDDE9F-ABE4-41d7-8EFD-97AAA7B12DEF}\InprocServer32	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{41914E06-CC40-4969-9D22-79408AE14509}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D065CBD-1D82-4B63-81E4-25CCBB6D4E6E}\TypeLib\Version = "1.0"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D065CBD-1D82-4B63-81E4-25CCBB6D4E6E}\ProxyStubClsid32	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51990B59-E2B7-45CA-817A-26026CD36437}	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51990B59-E2B7-45CA-817A-26026CD36437}\Implemented Categories	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C0FBB52-0270-4244-A59E-9882B604D752}\1.0	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C0FBB52-0270-4244-A59E-9882B604D752}\1.0\FLAGS	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dll_Shop_Matching.SideLinkBand\CurVer	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51990B59-E2B7-45ca-817A-26026CD36437}\Implemented Categories\{00021493-0000-0000-C000-000000000046}	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dll_Shop_Matching.UISideLinkBand	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dll_Shop_Matching.UISideLinkBand\CLSID	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77DDDE9F-ABE4-41d7-8EFD-97AAA7B12DEF}\InprocServer32\ThreadingModel = "Apartment"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C0FBB52-0270-4244-A59E-9882B604D752}	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{41914E06-CC40-4969-9D22-79408AE14509}\TypeLib\ = "{0C0FBB52-0270-4244-A59E-9882B604D752}"	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
956	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
272	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1292	Shop_Matching.exe
272	iexplore.exe
272	iexplore.exe
1016	IEXPLORE.EXE
1016	IEXPLORE.EXE
1292	Shop_Matching.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 1292	956	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe	28
PID 956 wrote to memory of 1292	956	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe	28
PID 956 wrote to memory of 1292	956	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe	28
PID 956 wrote to memory of 1292	956	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe	28
PID 956 wrote to memory of 1292	956	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe	28
PID 956 wrote to memory of 1292	956	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe	28
PID 956 wrote to memory of 1292	956	d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe	28
PID 272 wrote to memory of 1016	272	iexplore.exe	31
PID 272 wrote to memory of 1016	272	iexplore.exe	31
PID 272 wrote to memory of 1016	272	iexplore.exe	31
PID 272 wrote to memory of 1016	272	iexplore.exe	31
PID 272 wrote to memory of 1016	272	iexplore.exe	31
PID 272 wrote to memory of 1016	272	iexplore.exe	31
PID 272 wrote to memory of 1016	272	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
"C:\Users\Admin\AppData\Local\Temp\d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956
- C:\Program Files (x86)\Shop_Matching\Shop_Matching.exe
  "C:\Program Files (x86)\Shop_Matching\Shop_Matching.exe" A100354348
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1292

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:272
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:272 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Shop_Matching\Shop_Matching.exe

Filesize
200KB

MD5
594566ae4e389635b42f8f3daa29392b

SHA1
adfa9933797e9fb597482166a5f68c9c4222aa15

SHA256
7e2db4380cb85a361031a2545ec1ca9ee5e79eab997badb163706eba14f270a0

SHA512
4a88a0b33ee39ad910ee7daa7fa0964730c054f76e6e43a33e3843482f445bd79c401d80b131c75d841838b71e4b1cc33e1398d85c7af2ea71974f73382d7e80

Download Submit
C:\Program Files (x86)\Shop_Matching\Shop_Matching.exe

Filesize
200KB

MD5
594566ae4e389635b42f8f3daa29392b

SHA1
adfa9933797e9fb597482166a5f68c9c4222aa15

SHA256
7e2db4380cb85a361031a2545ec1ca9ee5e79eab997badb163706eba14f270a0

SHA512
4a88a0b33ee39ad910ee7daa7fa0964730c054f76e6e43a33e3843482f445bd79c401d80b131c75d841838b71e4b1cc33e1398d85c7af2ea71974f73382d7e80

Download Submit
\Program Files (x86)\Shop_Matching\Shop_Matching.dll

Filesize
104KB

MD5
6ee6329d1cc50594cb838e5633373f78

SHA1
d106fa3d30016606ee9b228a397eba7dca4a7b82

SHA256
d9a047a79822b98d9b8c66242461875e9d0fd926dfdee9583bb421718d57f734

SHA512
084497260caaa1f14f4ae6041929a558f62f0860154f9b01b812fc242692f192d3568a6b54b4c0256f43cee37fdf362a5f1a8a42f58152eef3ce0c767d9b12d5

Download Submit
\Program Files (x86)\Shop_Matching\Shop_Matching.exe

Filesize
200KB

MD5
594566ae4e389635b42f8f3daa29392b

SHA1
adfa9933797e9fb597482166a5f68c9c4222aa15

SHA256
7e2db4380cb85a361031a2545ec1ca9ee5e79eab997badb163706eba14f270a0

SHA512
4a88a0b33ee39ad910ee7daa7fa0964730c054f76e6e43a33e3843482f445bd79c401d80b131c75d841838b71e4b1cc33e1398d85c7af2ea71974f73382d7e80

Download Submit
\Program Files (x86)\Shop_Matching\Shop_Matching.exe

Filesize
200KB

MD5
594566ae4e389635b42f8f3daa29392b

SHA1
adfa9933797e9fb597482166a5f68c9c4222aa15

SHA256
7e2db4380cb85a361031a2545ec1ca9ee5e79eab997badb163706eba14f270a0

SHA512
4a88a0b33ee39ad910ee7daa7fa0964730c054f76e6e43a33e3843482f445bd79c401d80b131c75d841838b71e4b1cc33e1398d85c7af2ea71974f73382d7e80

Download Submit
\Program Files (x86)\Shop_Matching\Shop_Matching.exe

Filesize
200KB

MD5
594566ae4e389635b42f8f3daa29392b

SHA1
adfa9933797e9fb597482166a5f68c9c4222aa15

SHA256
7e2db4380cb85a361031a2545ec1ca9ee5e79eab997badb163706eba14f270a0

SHA512
4a88a0b33ee39ad910ee7daa7fa0964730c054f76e6e43a33e3843482f445bd79c401d80b131c75d841838b71e4b1cc33e1398d85c7af2ea71974f73382d7e80

Download Submit
\Program Files (x86)\Shop_Matching\Shop_Matching.exe

Filesize
200KB

MD5
594566ae4e389635b42f8f3daa29392b

SHA1
adfa9933797e9fb597482166a5f68c9c4222aa15

SHA256
7e2db4380cb85a361031a2545ec1ca9ee5e79eab997badb163706eba14f270a0

SHA512
4a88a0b33ee39ad910ee7daa7fa0964730c054f76e6e43a33e3843482f445bd79c401d80b131c75d841838b71e4b1cc33e1398d85c7af2ea71974f73382d7e80

Download Submit
\Program Files (x86)\Shop_Matching\Shop_Matching.exe

Filesize
200KB

MD5
594566ae4e389635b42f8f3daa29392b

SHA1
adfa9933797e9fb597482166a5f68c9c4222aa15

SHA256
7e2db4380cb85a361031a2545ec1ca9ee5e79eab997badb163706eba14f270a0

SHA512
4a88a0b33ee39ad910ee7daa7fa0964730c054f76e6e43a33e3843482f445bd79c401d80b131c75d841838b71e4b1cc33e1398d85c7af2ea71974f73382d7e80

Download Submit
\Users\Admin\AppData\Local\Temp\nst22CE.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
memory/956-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1292-59-0x0000000000000000-mapping.dmp

Download