901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43

Analysis

max time kernel
143s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2022, 00:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43.exe
Size

91KB
MD5

87ccd83a0a21f2a410561e12c5c47736
SHA1

a304ea24ad80109258c12658b7d2183cd9de528a
SHA256

901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43
SHA512

ece93e5e2b38a0754030c25b8de9ccbd3677368a28a76a86b03db24051a1a060214999cae8437f14fede42322fd03a0b643d8fbe3f35ca584163840064ac9c38
SSDEEP

1536:ts1PA0gTHF55DH/4J1/MFMge+zB9FD7ZkCgHH9kx9efIN0uJq2rAwEGO:m1Phw7DH/4DeMge+1HHZNgn9kxsfK0y8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1116	CA70.exe
1736	7C08.exe

Loads dropped DLL 2 IoCs

pid	Process
1116	CA70.exe
1116	CA70.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\CA70.exe	901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43.exe
File opened for modification	C:\Windows\SysWOW64\7C08.exe	901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43.exe
File opened for modification	C:\Windows\SysWOW64\CA70.exe	7C08.exe
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	CA70.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	CA70.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	CA70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	CA70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	CA70.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4536	901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43.exe
1116	CA70.exe
1736	7C08.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 4072	4536	901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43.exe	83
PID 4536 wrote to memory of 4072	4536	901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43.exe	83
PID 4536 wrote to memory of 4072	4536	901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43.exe	83
PID 4072 wrote to memory of 1116	4072	cmd.exe	85
PID 4072 wrote to memory of 1116	4072	cmd.exe	85
PID 4072 wrote to memory of 1116	4072	cmd.exe	85
PID 4536 wrote to memory of 1736	4536	901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43.exe	86
PID 4536 wrote to memory of 1736	4536	901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43.exe	86
PID 4536 wrote to memory of 1736	4536	901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43.exe	86

C:\Users\Admin\AppData\Local\Temp\901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43.exe
"C:\Users\Admin\AppData\Local\Temp\901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\CA70.exe eee
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\SysWOW64\CA70.exe
    C:\Windows\system32\CA70.exe eee
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1116
- C:\Windows\SysWOW64\7C08.exe
  C:\Windows\system32\7C08.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\7C08.exe

Filesize
91KB

MD5
87ccd83a0a21f2a410561e12c5c47736

SHA1
a304ea24ad80109258c12658b7d2183cd9de528a

SHA256
901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43

SHA512
ece93e5e2b38a0754030c25b8de9ccbd3677368a28a76a86b03db24051a1a060214999cae8437f14fede42322fd03a0b643d8fbe3f35ca584163840064ac9c38

Download Submit
C:\Windows\SysWOW64\7C08.exe

Filesize
91KB

MD5
87ccd83a0a21f2a410561e12c5c47736

SHA1
a304ea24ad80109258c12658b7d2183cd9de528a

SHA256
901cf1ee7b73de5195d8fd9866ce3a9224a0d40e572de5a937064bb4b5ac3f43

SHA512
ece93e5e2b38a0754030c25b8de9ccbd3677368a28a76a86b03db24051a1a060214999cae8437f14fede42322fd03a0b643d8fbe3f35ca584163840064ac9c38

Download Submit
C:\Windows\SysWOW64\CA70.exe

Filesize
100KB

MD5
85c954b86e2244665db7f8860211f2ca

SHA1
110c3d765c1729398bcd3d73f684cb6fab57bd9f

SHA256
8fc050e1c3af13ef0e26d1243196a7fd00311bbd4fb0d9a6069fa937a4859ea8

SHA512
84a3a492e1beacbe398d1fd4ff83d20ee3b997c4d6978bd1d38195608d547e6e46be640397a0e45c0ae056febc0acd77c1db83ddf25728028ff122b417076c1c

Download Submit
C:\Windows\SysWOW64\CA70.exe

Filesize
100KB

MD5
85c954b86e2244665db7f8860211f2ca

SHA1
110c3d765c1729398bcd3d73f684cb6fab57bd9f

SHA256
8fc050e1c3af13ef0e26d1243196a7fd00311bbd4fb0d9a6069fa937a4859ea8

SHA512
84a3a492e1beacbe398d1fd4ff83d20ee3b997c4d6978bd1d38195608d547e6e46be640397a0e45c0ae056febc0acd77c1db83ddf25728028ff122b417076c1c

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
memory/1736-149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1736-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-150-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download