Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted
28-03-2023 04:17
Behavioral task
behavioral1
Sample
4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Resource
win10v2004-20230221-en
General
-
Target
4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
-
Size
5.0MB
-
MD5
f74bd5f56433110b95565e56f07afd8e
-
SHA1
5d44f174c65a052f7479aa3726def72a44145288
-
SHA256
4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758
-
SHA512
715507e2ae43f1e6dc3f6410184b62915504b4f0465fcca22911db928f7fd4ae7629cc59b0e1e72abb6b3cbb69a19a5095e43190f4c2ddb6a51db1fa840e0662
-
SSDEEP
98304:0g1glG4ajy2toG3AMzo3kDS0TDPQqKiuW3Am1HF3F/DudvwUuI+Qz8aY4v:084H0CBigCD2vwHIX8aY4v
Malware Config
Signatures
-
Loads dropped DLL — 4 IoCs (all in pid 1740; the DLLs written to disk during this run are C:\Users\Admin\AppData\Local\Temp\cfgdll.dll and C:\Users\Admin\AppData\Roaming\mymacro\qdisp.dll, listed under Downloads — the report does not name which one each load event refers to)
Processes:
4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exepid process 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe -
VMProtect packed file — 3 IoCs (YARA rule `vmprotect` matched the main image region 0x00400000–0x0086A000 in three memory dumps of pid 1740; static analysis of the 5.0MB sample will need an unpacked/dumped image)
Processes:
resource yara_rule behavioral2/memory/1740-133-0x0000000000400000-0x000000000086A000-memory.dmp vmprotect behavioral2/memory/1740-134-0x0000000000400000-0x000000000086A000-memory.dmp vmprotect behavioral2/memory/1740-248-0x0000000000400000-0x000000000086A000-memory.dmp vmprotect -
Modifies registry class — 36 IoCs. The sample registers three COM in-process servers under HKLM\SOFTWARE\Classes\WOW6432Node\CLSID — {C07DB6A3-34FC-4084-BE2E-76BB9203B049} (ProgID QMDispatch.QMRoutine), {241D7F03-9232-4024-8373-149860BE27C0} (ProgID QMDispatch.QMVBSRoutine) and {EBEB87A6-E151-4054-AB45-A6E094C5334B} (ProgID QMDispatch.QMLibrary) — with ThreadingModel "Apartment" and every InProcServer32 default value pointing at the dropped DLL C:\Users\Admin\AppData\Roaming\mymacro\qdisp.dll. Machine-wide COM registrations that resolve to a per-user, user-writable path are worth hunting on: any process that instantiates one of these CLSIDs/ProgIDs will load that DLL. Writing under HKLM\SOFTWARE\Classes implies the process ran with sufficient privilege (the sandbox user is "Admin"); on a least-privilege host the same writes would fail or land under HKCU.
Processes:
4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049} 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B} 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}" 
4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0} 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary" 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exepid process 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exepid process 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe -
Suspicious use of SetWindowsHookEx — 16 IoCs (all in pid 1740; the hook type and whether the hooks were global or thread-local are not recorded in this report, so keyboard/mouse capture cannot be confirmed from this page alone)
Processes:
4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exepid process 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe 1740 4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe — command line: "C:\Users\Admin\AppData\Local\Temp\4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe" (pid 1740; no child processes recorded)
- Loads dropped DLL
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\k[1].js
Filesize 94B
MD5 514eb157c352678fe6e6ffb103579bfa
SHA1 5892249a4b53845b0761623aefa1c0d251ccf7da
SHA256 5e0f936c52cb1e65ccda6fe580472f66166fa4687aeb931c2f0b25bf8c858daf
SHA512 91832b7b508d3386e65bea57a42c5b8af73f5cee55efa0b05ffb8dc9a60473cec718f2d28a9d8c7420ae92ec6ba43a1df598541571ffed4726a61fa4b8703edc
(A script cached in the IE INetCache directory suggests web content was fetched through the WinINet/IE stack during the run; the originating URL is not shown on this page, so confirm against the network capture.)
-
C:\Users\Admin\AppData\Local\Temp\4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.ini
Filesize 141B
MD5 e30fe94a4f1c522f9f22140ab8f18d35
SHA1 9ed39e9a555e65f6cbc5ecc922231eefeec87713
SHA256 497bb656f01b208016dfb0e989f97e8de17ffa73c986cd4f5bd76f01932d3137
SHA512 933012be7d9169b6e3258127553c347ec68b7d0e99cef32958b8395de34b669ae5b600412c1cd78187b72d0cd715f3a4ddb9fb075d5eaddd56fd935e984c04c1
-
C:\Users\Admin\AppData\Local\Temp\4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.ini (same path as the previous entry, written again with different content — an .ini named after the executable, rewritten at runtime, is a plausible configuration/state file)
Filesize 177B
MD5 8892f0595db0617f1df5f3d622346c14
SHA1 424bdb8665bca00b7a227e8522157649cd335063
SHA256 b3d5b1e0f8014d3b9e03834c923c4a8c7b2283afc2f3beaf24161f56dbda927c
SHA512 577444527e706326028eca634f188881e2dcc1f2fd20b82ba041e2b5d71e49983197a7c679d349da17e4c4ca8ad08fb99ba7ab3337ddb4787bb96179414dcc32
-
C:\Users\Admin\AppData\Local\Temp\7C68.tmp
Filesize 897B
MD5 c007d3dbd75e68e081f3989abb3ac500
SHA1 fe2bf83519cfa40e0dc9316d0f036c2ce127865a
SHA256 c33dea9c78fd745bd74e38aaae210349f9f3dc52b21bad68896cd1c1bbe095cc
SHA512 afce746bae2a7d9a148fcebebbf42ba3a6a6b7b615022cb1319332cb76fe2d34cf2d9394d259cdf8ab8d71e40b5d21828063c3b302c0e0a7588d176fe381d3d8
-
C:\Users\Admin\AppData\Local\Temp\ad-mymacro9.xml.tmp
Filesize 3KB
MD5 6a004b4196400a627b5b6248a2a2dcba
SHA1 fa9a555e83a4c3a73e07a728ec92827f55fbcf02
SHA256 9cd3e3f97866082f8edfed25d56b40786c2809f264c4f8b10c022403e7f0f101
SHA512 1b5cea41dce0742e4ba7a7f3c4bef3eefc92c63d267a306e4098c68b768723abc0f0eace4a486ff3f4b1bb8a74279dd04e9c2a48df9a20125c21209e3d205624
-
C:\Users\Admin\AppData\Local\Temp\cfgdll.dll (dropped to the user's Temp directory; listed twice below with identical hashes)
Filesize 59KB
MD5 929f56b46242fa68a616374a5403689b
SHA1 45b4ade1f0cc2bf13e74d9801eee5c7abee3c3b2
SHA256 767b2e735693a9455a23b19e7a94643fd6095fa1158cbe22f612d657ebbb670d
SHA512 81c69649efff9d320533bcb3256d42c671877e1d48f9df99134c514aa2d888d11ded13b9d3447949881513e376cf4644b41b997cad2a9ffb51f4f45ca3cdc641
-
C:\Users\Admin\AppData\Local\Temp\cfgdll.dll
Filesize 59KB
MD5 929f56b46242fa68a616374a5403689b
SHA1 45b4ade1f0cc2bf13e74d9801eee5c7abee3c3b2
SHA256 767b2e735693a9455a23b19e7a94643fd6095fa1158cbe22f612d657ebbb670d
SHA512 81c69649efff9d320533bcb3256d42c671877e1d48f9df99134c514aa2d888d11ded13b9d3447949881513e376cf4644b41b997cad2a9ffb51f4f45ca3cdc641
-
C:\Users\Admin\AppData\Roaming\mymacro\qdisp.dll (the DLL that the three QMDispatch CLSIDs registered under HKLM\SOFTWARE\Classes\WOW6432Node\CLSID point their InProcServer32 at; it sits in a user-writable Roaming path. The same path and hashes appear three times below, i.e. the file was written/observed three times during the run.)
Filesize 43KB
MD5 7171bc500507f070355c8903e0ea6d3d
SHA1 073d479fdbd1f2af5d494e90b950098be63dee75
SHA256 3e02f67604dcc1f9e2f107e3dc04f9dcdc59431b2a9323838b61c427c63b997c
SHA512 a8162de29e73f7a198ab7b592c393c8b39e42d5f6649efeca300a90dd7c70178fca1cfcd1f721588dcff296d5245f9ebfa289c6525c7e8621c8eef3e77787622
-
C:\Users\Admin\AppData\Roaming\mymacro\qdisp.dll
Filesize 43KB
MD5 7171bc500507f070355c8903e0ea6d3d
SHA1 073d479fdbd1f2af5d494e90b950098be63dee75
SHA256 3e02f67604dcc1f9e2f107e3dc04f9dcdc59431b2a9323838b61c427c63b997c
SHA512 a8162de29e73f7a198ab7b592c393c8b39e42d5f6649efeca300a90dd7c70178fca1cfcd1f721588dcff296d5245f9ebfa289c6525c7e8621c8eef3e77787622
-
C:\Users\Admin\AppData\Roaming\mymacro\qdisp.dll
Filesize 43KB
MD5 7171bc500507f070355c8903e0ea6d3d
SHA1 073d479fdbd1f2af5d494e90b950098be63dee75
SHA256 3e02f67604dcc1f9e2f107e3dc04f9dcdc59431b2a9323838b61c427c63b997c
SHA512 a8162de29e73f7a198ab7b592c393c8b39e42d5f6649efeca300a90dd7c70178fca1cfcd1f721588dcff296d5245f9ebfa289c6525c7e8621c8eef3e77787622
-
memory/1740-133-0x0000000000400000-0x000000000086A000-memory.dmp (main image of pid 1740; VMProtect YARA match)
Filesize 4.4MB
-
memory/1740-172-0x0000000004670000-0x000000000467F000-memory.dmp (small separate region in pid 1740; its contents are not described on this page)
Filesize 60KB
-
memory/1740-248-0x0000000000400000-0x000000000086A000-memory.dmp (later dump of the same main image region; VMProtect YARA match)
Filesize 4.4MB
-
memory/1740-134-0x0000000000400000-0x000000000086A000-memory.dmp (main image of pid 1740; VMProtect YARA match)
Filesize 4.4MB