3fede8c9d41af5866fc7f2f615cd0bced16061fc577c8e262097031d34fd35c4

Analysis

max time kernel
42s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2023 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MacroRecorderSetup.exe
Size

40.0MB
MD5

1d15e6a7b5de88e713bf0c43da23c4fb
SHA1

f66b4f6899d79a9deab6eb1a0563084b14c877b2
SHA256

3fede8c9d41af5866fc7f2f615cd0bced16061fc577c8e262097031d34fd35c4
SHA512

f2f87f780cf13efffc34edf345ee6432b991f1c942c02c8a2809e60a0bc4104973018cb62f90a7af3db4efff311ce4d27c90db1dbbe61b4b9ca438d2fb1e0ef1
SSDEEP

786432:JQZcwv7vc5iWucdCIMeUaSutnaX+c82tftuc+nipj6y/lW+xY6K71OPSV/+Pq3Ah:LwDc5VVMcSuB2Ac+n1y9p3vqVmPqwXgm

Score

8^/10

discovery evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4844	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
496	MacroRecorderSetup.tmp
5024	MacroRecorder.exe

Loads dropped DLL 4 IoCs

pid	Process
496	MacroRecorderSetup.tmp
496	MacroRecorderSetup.tmp
5024	MacroRecorder.exe
5024	MacroRecorder.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\KasperskyLab	MacroRecorderSetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MacroRecorder\mrkey.dll	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\unins000.dat	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-R8VV3.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\tessdata\is-FGDD3.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\tessdata\is-5K1M7.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\tessdata\is-KDSTS.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\tessdata\is-LLLR2.tmp	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\unins000.dat	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\libeay32.dll	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-CD6OT.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-Q0HAU.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-QMQRT.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\tessdata\is-ICVVM.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\tessdata\is-1R3C6.tmp	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\mrinst.exe	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\mrocr.dll	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-CN24L.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-MCO8L.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\tessdata\is-20V59.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\tessdata\is-5V9B4.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\unins000.msg	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\ssleay32.dll	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-8UATJ.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\tessdata\is-0M3U5.tmp	MacroRecorderSetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder	MacroRecorderSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder\DefaultIcon	MacroRecorderSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder\shell\open	MacroRecorderSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder\shell\open\command\ = "C:\\Program Files (x86)\\MacroRecorder\\MacroRecorder.exe \"%1\""	MacroRecorderSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mrf	MacroRecorderSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder\ = "MacroRecorder macro file"	MacroRecorderSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder\DefaultIcon\ = "C:\\Program Files (x86)\\MacroRecorder\\MacroRecorder.exe,1"	MacroRecorderSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder\shell\open\command	MacroRecorderSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacroRecorder\shell	MacroRecorderSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mrf\ = "MacroRecorder"	MacroRecorderSetup.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
496	MacroRecorderSetup.tmp
496	MacroRecorderSetup.tmp
5024	MacroRecorder.exe
5024	MacroRecorder.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
496	MacroRecorderSetup.tmp
5024	MacroRecorder.exe
5024	MacroRecorder.exe
5024	MacroRecorder.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5024	MacroRecorder.exe
5024	MacroRecorder.exe
5024	MacroRecorder.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 496	1388	MacroRecorderSetup.exe	85
PID 1388 wrote to memory of 496	1388	MacroRecorderSetup.exe	85
PID 1388 wrote to memory of 496	1388	MacroRecorderSetup.exe	85
PID 496 wrote to memory of 4844	496	MacroRecorderSetup.tmp	94
PID 496 wrote to memory of 4844	496	MacroRecorderSetup.tmp	94
PID 496 wrote to memory of 4844	496	MacroRecorderSetup.tmp	94
PID 496 wrote to memory of 5024	496	MacroRecorderSetup.tmp	97
PID 496 wrote to memory of 5024	496	MacroRecorderSetup.tmp	97
PID 496 wrote to memory of 5024	496	MacroRecorderSetup.tmp	97

C:\Users\Admin\AppData\Local\Temp\MacroRecorderSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MacroRecorderSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\is-4GQOB.tmp\MacroRecorderSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4GQOB.tmp\MacroRecorderSetup.tmp" /SL5="$9005C,41013136,845312,C:\Users\Admin\AppData\Local\Temp\MacroRecorderSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:496
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh" advfirewall firewall add rule name="MacroRecorder" dir=in action=allow program="C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:4844
- - C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe
    "C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe

Filesize
14.3MB

MD5
418fbd5d9c4a05e5f8061300ebaaa1db

SHA1
306cafc9071c3e75ee066fd52ea54d1d69d9eaa6

SHA256
9426b81ea606756154aeb51e54100f3d4022dc6790c7a89f7b4b81e6367ed0de

SHA512
0bac61aad0896b06b0686cda573c8a249aaf420a97db478ea48f67665794fc37cc1a9250573bcca5e1fc5298aa284cc4fa008e2ddc4e7aff3e99d5abb2122b7b

Download Submit
C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe

Filesize
14.3MB

MD5
418fbd5d9c4a05e5f8061300ebaaa1db

SHA1
306cafc9071c3e75ee066fd52ea54d1d69d9eaa6

SHA256
9426b81ea606756154aeb51e54100f3d4022dc6790c7a89f7b4b81e6367ed0de

SHA512
0bac61aad0896b06b0686cda573c8a249aaf420a97db478ea48f67665794fc37cc1a9250573bcca5e1fc5298aa284cc4fa008e2ddc4e7aff3e99d5abb2122b7b

Download Submit
C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe

Filesize
14.3MB

MD5
418fbd5d9c4a05e5f8061300ebaaa1db

SHA1
306cafc9071c3e75ee066fd52ea54d1d69d9eaa6

SHA256
9426b81ea606756154aeb51e54100f3d4022dc6790c7a89f7b4b81e6367ed0de

SHA512
0bac61aad0896b06b0686cda573c8a249aaf420a97db478ea48f67665794fc37cc1a9250573bcca5e1fc5298aa284cc4fa008e2ddc4e7aff3e99d5abb2122b7b

Download Submit
C:\Program Files (x86)\MacroRecorder\mrkey.dll

Filesize
156KB

MD5
1d01aa12abca7c2405abb863ae670305

SHA1
452b72fd0d41f008be8e2f8bdbcb3d727da885dc

SHA256
e92e12209048ffdca0c9e8bbbbf0616ce3e83dc66152c727f1758cd711dc529a

SHA512
36fdf55268418da1f09a22f284bf3b4d63b88af998d80d41ca9e7558b498143e5babc8329504c0e4c44d0a3edfc9692e612fb90e27d78f88cb92994181e1b550

Download Submit
C:\Program Files (x86)\MacroRecorder\mrkey.dll

Filesize
156KB

MD5
1d01aa12abca7c2405abb863ae670305

SHA1
452b72fd0d41f008be8e2f8bdbcb3d727da885dc

SHA256
e92e12209048ffdca0c9e8bbbbf0616ce3e83dc66152c727f1758cd711dc529a

SHA512
36fdf55268418da1f09a22f284bf3b4d63b88af998d80d41ca9e7558b498143e5babc8329504c0e4c44d0a3edfc9692e612fb90e27d78f88cb92994181e1b550

Download Submit
C:\Program Files (x86)\MacroRecorder\mrkey.dll

Filesize
156KB

MD5
1d01aa12abca7c2405abb863ae670305

SHA1
452b72fd0d41f008be8e2f8bdbcb3d727da885dc

SHA256
e92e12209048ffdca0c9e8bbbbf0616ce3e83dc66152c727f1758cd711dc529a

SHA512
36fdf55268418da1f09a22f284bf3b4d63b88af998d80d41ca9e7558b498143e5babc8329504c0e4c44d0a3edfc9692e612fb90e27d78f88cb92994181e1b550

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4GQOB.tmp\MacroRecorderSetup.tmp

Filesize
3.0MB

MD5
6866b7783f72e33430a53f153cdda471

SHA1
21ff5e8db17df6103c39bf86387b86697a9ca3cb

SHA256
817843f3509a830b705a8a0a52dfa6f7669af2c6ac2de466cdd8aa2acf6fed35

SHA512
ca113f3c1d9ec09a2cd75fb70a321f81331174bab412fdbc278a1cbdc7fbc94a08b961cf5528107fb087942d8139c1d345ce9d6328e377e9aaf7f764e881e2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4GQOB.tmp\MacroRecorderSetup.tmp

Filesize
3.0MB

MD5
6866b7783f72e33430a53f153cdda471

SHA1
21ff5e8db17df6103c39bf86387b86697a9ca3cb

SHA256
817843f3509a830b705a8a0a52dfa6f7669af2c6ac2de466cdd8aa2acf6fed35

SHA512
ca113f3c1d9ec09a2cd75fb70a321f81331174bab412fdbc278a1cbdc7fbc94a08b961cf5528107fb087942d8139c1d345ce9d6328e377e9aaf7f764e881e2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7H5BD.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7H5BD.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
memory/496-191-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/496-167-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/496-144-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/496-199-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/1388-133-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1388-145-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1388-200-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/5024-195-0x0000000001420000-0x0000000001451000-memory.dmp

Filesize
196KB

Download
memory/5024-201-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download
memory/5024-202-0x0000000000400000-0x0000000001279000-memory.dmp

Filesize
14.5MB

Download
memory/5024-203-0x0000000001420000-0x0000000001451000-memory.dmp

Filesize
196KB

Download
memory/5024-204-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download