d541b6bb2281a69d4ff43b65a9a17a7c3884a2b2cabfd9af5d296be02a294be6

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/03/2023, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

advbattoexeconverter.exe
Size

830KB
MD5

22826a7ab6b064e343cb2f1a4d49ac13
SHA1

74e60eab80047681492eeaea7a132e9e9990440b
SHA256

d541b6bb2281a69d4ff43b65a9a17a7c3884a2b2cabfd9af5d296be02a294be6
SHA512

3899557fcff90004a63bda2f3affb8743495d85c97c17327713fbaecedc9f62d8f488b821c82d39f654e488ebb65cde90deb87b53bd9cf65b6ba317d6e7954d6
SSDEEP

12288:JSGxFfeYqmg855iMxdE/pK/zo5pmxy16+5Eb6b/XKSnjzUqbcl6YJRlF3jzR7g9p:BxFvlgsrMaipUqV5LjFb2D/zN7au9o4k

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1096	setupinf.exe
1616	aB2Econv.exe

Loads dropped DLL 11 IoCs

pid	Process
1708	advbattoexeconverter.exe
1708	advbattoexeconverter.exe
1708	advbattoexeconverter.exe
1708	advbattoexeconverter.exe
1708	advbattoexeconverter.exe
1708	advbattoexeconverter.exe
1708	advbattoexeconverter.exe
1096	setupinf.exe
1096	setupinf.exe
1096	setupinf.exe
1616	aB2Econv.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Compile with Advanced BAT to EXE	setupinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Compile with Advanced BAT to EXE\Icon = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.52\\ab2econv452\\battoexe16.ico"	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Compile with Advanced BAT to EXE\Command	setupinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Compile with Advanced BAT to EXE\Command\ = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.52\\ab2econv452\\aB2Econv.exe \"%1\" \"%1\""	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Open with Advanced BAT to EXE	setupinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Open with Advanced BAT to EXE\Icon = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.52\\ab2econv452\\battoexe16.ico"	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Open with Advanced BAT to EXE\Command	setupinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Open with Advanced BAT to EXE\Command\ = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.52\\ab2econv452\\aB2Econv.exe \"%1\""	setupinf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RICHTX32.OCX	advbattoexeconverter.exe
File opened for modification	C:\Windows\SysWOW64\RICHTX32.OCX	advbattoexeconverter.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon9.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\bfchlp6.dat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex12.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex2.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex5.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\bfchlp5.dat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\blfp.dat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\fastcmd.exe	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon10.ico	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex10.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon10.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex8.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\gx1.gw	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\gx4.gw	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex3.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon5.ico	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon9.ico	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\uninstall.ini	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\bfchlp1.dat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon6.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\uninstall.exe	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon12.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\bfchlp3.dat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\license.txt	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex10.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\gewold.exe	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon1.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\setupinf.exe	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex8.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex5.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\bat2exe.dll	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\gewizold.exe	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\gex2.gew	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex15.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\bfchlp.dat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\bfchlp4a.dat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\doc.htm	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon13.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon5.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon6.ico	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex4.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex7.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\bat2exe.dll	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\gx3.gw	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon11.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex6.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon4.ico	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\gew10.fst	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\gx1.gw	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon12.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex4.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\bfchlp4a.dat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\gx5.gw	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex9.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex16.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\battoexe16.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\gew10.fst	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\gewizold.exe	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex12.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\gew11.fst	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon4.ico	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\icons\icon7.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\bfchlp1a.dat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\advex1.bat	advbattoexeconverter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ProxyStubClsid32	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\ProxyStubClsid32	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\MiscStatus	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl\CurVer	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2\FLAGS	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.2"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\ = "DRichTextEvents"	advbattoexeconverter.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}	advbattoexeconverter.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\Compile with Advanced BAT to EXE\Command	setupinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\Compile with Advanced BAT to EXE\Icon = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.52\\ab2econv452\\battoexe16.ico"	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Programmable	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\Open with Advanced BAT to EXE\Command	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\VersionIndependentProgID	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\ProgID\ = "RICHTEXT.RichtextCtrl.1"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2\ = "Microsoft Rich Textbox Control 6.0 (SP6)"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}\InprocServer32\ = "C:\\Windows\\SysWow64\\richtx32.ocx"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Open with Advanced BAT to EXE	setupinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Open with Advanced BAT to EXE\Icon = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.52\\ab2econv452\\battoexe16.ico"	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\Compile with Advanced BAT to EXE\Command\ = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.52\\ab2econv452\\aB2Econv.exe \"%1\" \"%1\""	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\TypeLib\Version = "1.2"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}\ = "RichText General Property Page Object"	advbattoexeconverter.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\TypeLib	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Open with Advanced BAT to EXE\Command	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\TypeLib	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\ToolboxBitmap32	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ = "IVBDataObjectFiles"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\ProxyStubClsid32	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\TypeLib	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl\CLSID\ = "{3B7C8860-D78F-101B-B9B5-04021C009402}"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2\HELPDIR	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.2"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ = "IOLEObject"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\TypeLib\Version = "1.2"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Compile with Advanced BAT to EXE	setupinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Compile with Advanced BAT to EXE\Icon = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.52\\ab2econv452\\battoexe16.ico"	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\Open with Advanced BAT to EXE\Icon = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.52\\ab2econv452\\battoexe16.ico"	setupinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Open with Advanced BAT to EXE\Command\ = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.52\\ab2econv452\\aB2Econv.exe \"%1\""	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2\0	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\Open with Advanced BAT to EXE\Command\ = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.52\\ab2econv452\\aB2Econv.exe \"%1\""	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}\InprocServer32	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\VersionIndependentProgID\ = "RICHTEXT.RichtextCtrl"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\MiscStatus\1\ = "131473"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	advbattoexeconverter.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1096	setupinf.exe
1616	aB2Econv.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1096	1708	advbattoexeconverter.exe	29
PID 1708 wrote to memory of 1096	1708	advbattoexeconverter.exe	29
PID 1708 wrote to memory of 1096	1708	advbattoexeconverter.exe	29
PID 1708 wrote to memory of 1096	1708	advbattoexeconverter.exe	29
PID 1708 wrote to memory of 1096	1708	advbattoexeconverter.exe	29
PID 1708 wrote to memory of 1096	1708	advbattoexeconverter.exe	29
PID 1708 wrote to memory of 1096	1708	advbattoexeconverter.exe	29

C:\Users\Admin\AppData\Local\Temp\advbattoexeconverter.exe
"C:\Users\Admin\AppData\Local\Temp\advbattoexeconverter.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\setupinf.exe
  "C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\setupinf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1096

C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\aB2Econv.exe
"C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\aB2Econv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\aB2Econv.exe

Filesize
588KB

MD5
742c0c675ad114320988d58618d2425a

SHA1
e36a1c1b93f7f0abc5fe946536056ab53bbc3990

SHA256
ba09d4beb049c67a6ba7e8dfe3d4e6c4ac20af43b6fb26b31c42e7ded679d419

SHA512
b8533ea3248c847240f57bd66597bcf7653f405bd2bcd6c628d1ec17da64a4dddfa382fbe926a11833b462f6df02d5243f1e569835a9858064b790d3d0767975

Download Submit
C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\aB2Econv.exe

Filesize
588KB

MD5
742c0c675ad114320988d58618d2425a

SHA1
e36a1c1b93f7f0abc5fe946536056ab53bbc3990

SHA256
ba09d4beb049c67a6ba7e8dfe3d4e6c4ac20af43b6fb26b31c42e7ded679d419

SHA512
b8533ea3248c847240f57bd66597bcf7653f405bd2bcd6c628d1ec17da64a4dddfa382fbe926a11833b462f6df02d5243f1e569835a9858064b790d3d0767975

Download Submit
C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\setupinf.exe

Filesize
24KB

MD5
e5a61dd0ef9ea21188d2977ddf523c4b

SHA1
7cf00022f60eb995fdc42b371e0c447d3b6f842a

SHA256
1cf5593456a7c5fbddddc86dcd3e22db87f083b6c2158b30f8ef217be3b28bb5

SHA512
42fb3e56f921b79303d38a943815acab2f3f73f820f677d00360f192c33288159198dad8b56a68d2de2647381c53f268f0a5e032722830aafbbb0b654b8517cf

Download Submit
C:\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\setupinf.exe

Filesize
24KB

MD5
e5a61dd0ef9ea21188d2977ddf523c4b

SHA1
7cf00022f60eb995fdc42b371e0c447d3b6f842a

SHA256
1cf5593456a7c5fbddddc86dcd3e22db87f083b6c2158b30f8ef217be3b28bb5

SHA512
42fb3e56f921b79303d38a943815acab2f3f73f820f677d00360f192c33288159198dad8b56a68d2de2647381c53f268f0a5e032722830aafbbb0b654b8517cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee00\1Default.bmp

Filesize
1KB

MD5
0895d223fa59a94bed73d25d1cb5af70

SHA1
298a895d164f2c17d2e287ad32d27d8d01d0c275

SHA256
53228a7c924889d300c7ffe9baa1879ee94bd9b4286e84b7b29f870e9567b82d

SHA512
6fbe9ed82d10b5f42cefff5e65bdd8f4d2ae6f685cc1161de398c026cf5bf00d703da725fbe67cd52c1802b781b3eba6b1fb07ad421793a050895d7c63756dc3

Download Submit
C:\Windows\SysWow64\richtx32.ocx

Filesize
207KB

MD5
045a16822822426c305ea7280270a3d6

SHA1
43075b6696bb2d2f298f263971d4d3e48aa4f561

SHA256
318cc48cbcfaba9592956e4298886823cc5f37626c770d6dadbcd224849680c5

SHA512
5a042ff0a05421fb01e0a95a8b62f3ce81f90330daed78f09c7d5d2abcb822a2fe99d00494c3ddd96226287fae51367e264b48b2831a8c080916ce18c0a675fa

Download Submit
\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\aB2Econv.exe

Filesize
588KB

MD5
742c0c675ad114320988d58618d2425a

SHA1
e36a1c1b93f7f0abc5fe946536056ab53bbc3990

SHA256
ba09d4beb049c67a6ba7e8dfe3d4e6c4ac20af43b6fb26b31c42e7ded679d419

SHA512
b8533ea3248c847240f57bd66597bcf7653f405bd2bcd6c628d1ec17da64a4dddfa382fbe926a11833b462f6df02d5243f1e569835a9858064b790d3d0767975

Download Submit
\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\aB2Econv.exe

Filesize
588KB

MD5
742c0c675ad114320988d58618d2425a

SHA1
e36a1c1b93f7f0abc5fe946536056ab53bbc3990

SHA256
ba09d4beb049c67a6ba7e8dfe3d4e6c4ac20af43b6fb26b31c42e7ded679d419

SHA512
b8533ea3248c847240f57bd66597bcf7653f405bd2bcd6c628d1ec17da64a4dddfa382fbe926a11833b462f6df02d5243f1e569835a9858064b790d3d0767975

Download Submit
\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\setupinf.exe

Filesize
24KB

MD5
e5a61dd0ef9ea21188d2977ddf523c4b

SHA1
7cf00022f60eb995fdc42b371e0c447d3b6f842a

SHA256
1cf5593456a7c5fbddddc86dcd3e22db87f083b6c2158b30f8ef217be3b28bb5

SHA512
42fb3e56f921b79303d38a943815acab2f3f73f820f677d00360f192c33288159198dad8b56a68d2de2647381c53f268f0a5e032722830aafbbb0b654b8517cf

Download Submit
\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\setupinf.exe

Filesize
24KB

MD5
e5a61dd0ef9ea21188d2977ddf523c4b

SHA1
7cf00022f60eb995fdc42b371e0c447d3b6f842a

SHA256
1cf5593456a7c5fbddddc86dcd3e22db87f083b6c2158b30f8ef217be3b28bb5

SHA512
42fb3e56f921b79303d38a943815acab2f3f73f820f677d00360f192c33288159198dad8b56a68d2de2647381c53f268f0a5e032722830aafbbb0b654b8517cf

Download Submit
\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\setupinf.exe

Filesize
24KB

MD5
e5a61dd0ef9ea21188d2977ddf523c4b

SHA1
7cf00022f60eb995fdc42b371e0c447d3b6f842a

SHA256
1cf5593456a7c5fbddddc86dcd3e22db87f083b6c2158b30f8ef217be3b28bb5

SHA512
42fb3e56f921b79303d38a943815acab2f3f73f820f677d00360f192c33288159198dad8b56a68d2de2647381c53f268f0a5e032722830aafbbb0b654b8517cf

Download Submit
\Program Files (x86)\Advanced BAT to EXE Converter v4.52\ab2econv452\setupinf.exe

Filesize
24KB

MD5
e5a61dd0ef9ea21188d2977ddf523c4b

SHA1
7cf00022f60eb995fdc42b371e0c447d3b6f842a

SHA256
1cf5593456a7c5fbddddc86dcd3e22db87f083b6c2158b30f8ef217be3b28bb5

SHA512
42fb3e56f921b79303d38a943815acab2f3f73f820f677d00360f192c33288159198dad8b56a68d2de2647381c53f268f0a5e032722830aafbbb0b654b8517cf

Download Submit
\Program Files (x86)\Advanced BAT to EXE Converter v4.52\uninstall.exe

Filesize
98KB

MD5
1d42806362830ac35273bc77c2a97e4a

SHA1
b345e9054a0834eab38a54d50a45ab5212bd005b

SHA256
aab24c3366c981e3173a484adfc161e33bd12470521787fdb34c9c73aa596aec

SHA512
0f7fe0f85636233c6cd2c75c4a9a265736af46623770d41992a2e775b4a3b1ad74d2298981a075cedaa45ba347861dc08e928ab56c1a461ddf27d6fdbaf063d7

Download Submit
\Users\Admin\AppData\Local\Temp\gentee00\gentee.dll

Filesize
100KB

MD5
30439e079a3d603c461d2c2f4f8cb064

SHA1
aaf470f6bd8deadedbc31adf17035041176c6134

SHA256
d6d0535175fb2302e5b5a498119823c37f6bddff4ab24f551aa7e038c343077a

SHA512
607a81be02bde679aff45770e2fd5c2471d64439fdb23c3e494aed98970131e5d677e1eba3b7b36fca5b8d5b99580856bb8cf1806139c9f73693afb512126b9e

Download Submit
\Users\Admin\AppData\Local\Temp\gentee00\guig.dll

Filesize
20KB

MD5
f78ee6369ada1fb02b776498146cc903

SHA1
d5ba66acdab6a48327c76796d28be1e02643a129

SHA256
f1073319d4868d38e0ae983ad42a00cdc53be93b31275b4b55af676976c1aa3f

SHA512
88cff3e58cf66c3f2b5b3a65b8b9f9e8ac011e1bd6025cadadb0f765f062cb3d608c23c2d3832f89ada0b7681170dce1ee4a0b8b873e84135756d14ba8c69fa9

Download Submit
\Windows\SysWOW64\RICHTX32.OCX

Filesize
207KB

MD5
045a16822822426c305ea7280270a3d6

SHA1
43075b6696bb2d2f298f263971d4d3e48aa4f561

SHA256
318cc48cbcfaba9592956e4298886823cc5f37626c770d6dadbcd224849680c5

SHA512
5a042ff0a05421fb01e0a95a8b62f3ce81f90330daed78f09c7d5d2abcb822a2fe99d00494c3ddd96226287fae51367e264b48b2831a8c080916ce18c0a675fa

Download Submit
\Windows\SysWOW64\RICHTX32.OCX

Filesize
207KB

MD5
045a16822822426c305ea7280270a3d6

SHA1
43075b6696bb2d2f298f263971d4d3e48aa4f561

SHA256
318cc48cbcfaba9592956e4298886823cc5f37626c770d6dadbcd224849680c5

SHA512
5a042ff0a05421fb01e0a95a8b62f3ce81f90330daed78f09c7d5d2abcb822a2fe99d00494c3ddd96226287fae51367e264b48b2831a8c080916ce18c0a675fa

Download Submit