0f74f24a5c1b60aca05d1292e91b351243b3cd95dda66cd6dfdd13e8fd0c26a0

Resubmissions

03/03/2023, 01:44

230303-b6arcsfc9s 10

03/03/2023, 01:42

230303-b4nv7sfc7z 7

03/03/2023, 01:39

230303-b2ymmafg72 8

Analysis

max time kernel
44s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03/03/2023, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

regdelete-readme-edits.zip
Size

102KB
MD5

c311b0155c1b4b6fa69907535561ab6e
SHA1

6f67ac188a59afe75c9823aa67c71f5965da3ed5
SHA256

0f74f24a5c1b60aca05d1292e91b351243b3cd95dda66cd6dfdd13e8fd0c26a0
SHA512

85fed902be923a86c69320568c2bf7e122a415f83cb82f414b4928da744d037e2096f2121289e988f6462da52a84bd8b0c70814e30e1f5182d64454a1c9d8484
SSDEEP

3072:YmKFecO/Q3TWn8N2ArDlz4N7/82WXYAikEC:0xO/Ln8RGNL8xriJC

Score

7^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 41 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0072-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D40D9DE-2821-44A8-BAF3-8011E362CF59}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC9E435C-F037-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0054-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECD1EADA-D373-11D3-8D21-0050048383FB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E9963B7-B2BF-4685-9378-8FEBEA364EF8}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6E65CBC3-926D-11D0-8E27-00C04FC99DCF}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83081C08-382C-4ED4-ACCF-DCBECA021010}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0041-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020820-0000-0000-C000-000000000046}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0006F050-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F0C09C5-601E-4396-BCD0-CDB343D7F657}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3B06E947-E47C-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08F6C81A-3CFD-11D1-98BC-006008197D41}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{942f72e2-b5ce-4e6c-8d76-0519b3f1bff7}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573CE-5146-11D5-A672-00B0D022E945}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000560-0000-0010-8000-00AA006D2EA4}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{000209F2-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6E65CBC5-926D-11D0-8E27-00C04FC99DCF}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0054-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91493448-5A91-11CF-8700-00AA0060263B}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC9E4359-F037-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0036-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08F6C81C-3CFD-11D1-98BC-006008197D41}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0056-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E886F1D9-7842-485D-8EDF-9E1C7062A483}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFC20920-DA4E-11CE-B943-00AA006887B4}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0042-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0044-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD000002-8B95-11D1-82DB-00C04FB1625D}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0068-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}\InprocServer32	reg.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	hell9o.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	hell9o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	hell9o.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	hell9o.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78D1DB4F-C557-4DC5-A2DD-5369D21B1C8C}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.fky\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30510740-98B5-11CF-BB82-00AA00BDCE0B}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\IE.AssocFile.HTM\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3050F5A2-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30510731-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\BCSRuntime.EntityInstanceReference.1\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020900-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Macrosheet\shell\ViewProtected\ddeexec\topic	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCC6-4E68-101B-A2BC-00AA00404770}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xaml	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0044-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{866738B9-6CF2-4DE8-8767-F794EBE74F4E}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.ACCDTFile.14\shell\Open\ddeexec\topic	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Forms.HTML:Select.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8155E4CA-1607-4E69-81F4-24201A1C70B1}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0FFBC28-5482-4366-BE27-3E81E78E06C2}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6e682784-1eca-4cf2-988d-96b6e89e9a4d}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0062-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\HxDS.HxSession.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\ois.exe\SupportedTypes	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6E65CBC1-926D-11D0-8E27-00C04FC99DCF}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Forms.Frame.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71DC7F9D-50F3-44AD-A58D-DD192A6C243A}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\eHomeSchedulerService.EhepgdatWrapper\CurVer	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0066-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D91EEA1-9932-11D2-BE86-00A0C9A83DA1}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A50EA6F8-4764-4299-B309-022B2A8B4D8D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5AB9C96-C11D-43E7-B44C-79B13EE7AC6F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.maf\Access.Shortcut.Form.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9C24A977-0951-451A-8006-0E49BD28CD5F}\Instance\VBI Codec	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.art	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51973C29-CB0C-11D0-B5C9-00A0244A0E7A}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80757359-5146-11D5-A672-00B0D022E945}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d3c86d56-03a1-42d5-af4c-1b612be90448}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C594F9F-9F30-47A1-979A-C9E83D3D0A06}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{489E9453-869B-4BCC-A1C7-48B5285FD9D8}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MAPI/IPM.Post.Rss	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.z96\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.Function.1\shell\Open\ddeexec\application	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{421F717F-692A-4F50-AE1F-AFF4140C45BF}\Programmable	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile_FullWindowEmbed	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3B06E95D-E47C-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3050F3EE-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.diz	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.OLE2Link	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellNew\Config	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.Form.1\shell\Design\ddeexec	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5261B0B1-BE1B-4DD6-AC83-D5051C2D6DFB}\NumMethods	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2DCC4B3-35B9-4BEE-BDD2-C319B10F5ED2}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.crd	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.psd\PersistentHandler	reg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1760	AUDIODG.EXE
Token: 33	1760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1760	AUDIODG.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2036	1216	hell9o.exe	32
PID 1216 wrote to memory of 2036	1216	hell9o.exe	32
PID 1216 wrote to memory of 2036	1216	hell9o.exe	32
PID 2036 wrote to memory of 1736	2036	cmd.exe	34
PID 2036 wrote to memory of 1736	2036	cmd.exe	34
PID 2036 wrote to memory of 1736	2036	cmd.exe	34
PID 2004 wrote to memory of 992	2004	hell9o.exe	36
PID 2004 wrote to memory of 992	2004	hell9o.exe	36
PID 2004 wrote to memory of 992	2004	hell9o.exe	36
PID 992 wrote to memory of 1020	992	cmd.exe	38
PID 992 wrote to memory of 1020	992	cmd.exe	38
PID 992 wrote to memory of 1020	992	cmd.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\regdelete-readme-edits.zip
1⤵
PID:936

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1212

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x558
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Users\Admin\Desktop\regdelete-readme-edits\hell9o.exe
"C:\Users\Admin\Desktop\regdelete-readme-edits\hell9o.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regdel.CMD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\reg.exe
    reg DELETE HKEY_CLASSES_ROOT /f
    3⤵
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Modifies registry class
    PID:1736
- - C:\Windows\system32\reg.exe
    reg DELETE HKEY_CURRENT_USER /f
    3⤵
    PID:1616
- - C:\Windows\system32\reg.exe
    reg DELETE HKEY_LOCAL_MACHINE /f
    3⤵
    PID:1764
- - C:\Windows\system32\reg.exe
    reg DELETE HKEY_USERS /f
    3⤵
    PID:628
- - C:\Windows\system32\reg.exe
    reg DELETE HKEY_CURRENT_CONFIG /f
    3⤵
    PID:1448
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regdel.CMD
  2⤵
  PID:1584

C:\Users\Admin\Desktop\regdelete-readme-edits\hell9o.exe
"C:\Users\Admin\Desktop\regdelete-readme-edits\hell9o.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\regdel.CMD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\system32\reg.exe
    reg DELETE HKEY_CLASSES_ROOT /f
    3⤵
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Modifies registry class
    PID:1020
- - C:\Windows\system32\reg.exe
    reg DELETE HKEY_CURRENT_USER /f
    3⤵
    PID:1968
- - C:\Windows\system32\reg.exe
    reg DELETE HKEY_LOCAL_MACHINE /f
    3⤵
    PID:1204
- - C:\Windows\system32\reg.exe
    reg DELETE HKEY_USERS /f
    3⤵
    PID:1732
- - C:\Windows\system32\reg.exe
    reg DELETE HKEY_CURRENT_CONFIG /f
    3⤵
    PID:1716
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\regdel.CMD
  2⤵
  PID:1536

C:\Program Files\Windows Sidebar\sidebar.exe
"C:\Program Files\Windows Sidebar\sidebar.exe" /showGadgets
1⤵
PID:1724

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1116

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regdel.CMD

Filesize
159B

MD5
e26bcceba32f987399a0decf331f0697

SHA1
64540b56c5ff6dbb963faa50a85159c62edf7365

SHA256
0fd1b221f5a865fd9d796857f51724ad6460d409e2cffe8cfaef091daa689d05

SHA512
d96236da499970dfd6702150a5140e947547e50e3ec6b5ee3d7923ddcc637a01a9e747ecac0b81d4268cbe1a7788c63d5b4ec1373fc46318d8a5d676f510d508

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regdel.CMD

Filesize
159B

MD5
e26bcceba32f987399a0decf331f0697

SHA1
64540b56c5ff6dbb963faa50a85159c62edf7365

SHA256
0fd1b221f5a865fd9d796857f51724ad6460d409e2cffe8cfaef091daa689d05

SHA512
d96236da499970dfd6702150a5140e947547e50e3ec6b5ee3d7923ddcc637a01a9e747ecac0b81d4268cbe1a7788c63d5b4ec1373fc46318d8a5d676f510d508

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\regdel.CMD

Filesize
159B

MD5
e26bcceba32f987399a0decf331f0697

SHA1
64540b56c5ff6dbb963faa50a85159c62edf7365

SHA256
0fd1b221f5a865fd9d796857f51724ad6460d409e2cffe8cfaef091daa689d05

SHA512
d96236da499970dfd6702150a5140e947547e50e3ec6b5ee3d7923ddcc637a01a9e747ecac0b81d4268cbe1a7788c63d5b4ec1373fc46318d8a5d676f510d508

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads