e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2023, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Size

602KB
MD5

7611b80eb8ecadb38818e252529d8121
SHA1

1e81f26c19fb8b4568e0236548da31b15f70cdd3
SHA256

e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45
SHA512

a6da0f7fe4e6e39c84812caed4a32612efd943df2f02f03618c720ecbf7859d80272ec0b06308cd57a34308f3324a803fb0618e204c4d99accd8da6cfb28b591
SSDEEP

12288:FO88e/dAqxxk9LrGGss5DkaUkuQFXlGKU5Hoc9:FOBetxxkBzbkzxQpdAHoc

Score

1^/10

Malware Config

Signatures

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{273C6C07-3EFC-4137-9BDA-4469E963E0EF}\1.0\ = "Íø¹ØÊý¾Ý²É¼¯ÏµÍ³"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BFCB129-10D5-45A9-9959-4B9A1F1103A1}\ = "IOPCDataAccess20"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BFCB129-10D5-45A9-9959-4B9A1F1103A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Modbus TCP OPC Server\Clsid\ = "{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}\TypeLib\ = "{273C6C07-3EFC-4137-9BDA-4469E963E0EF}"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}\ProgID	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}\ProgID\ = "Modbus TCP OPC Server"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{273C6C07-3EFC-4137-9BDA-4469E963E0EF}\1.0\FLAGS\ = "0"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{273C6C07-3EFC-4137-9BDA-4469E963E0EF}\1.0\0	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BFCB129-10D5-45A9-9959-4B9A1F1103A1}	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}\ = "ºÓ±±Öé·åÒÇÆ÷ÒÇ±íÉè±¸ÓÐÏÞ¹«Ë¾"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Modbus TCP OPC Server\ = "ºÓ±±Öé·åÒÇÆ÷ÒÇ±íÉè±¸ÓÐÏÞ¹«Ë¾"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Modbus TCP OPC Server\Clsid	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BFCB129-10D5-45A9-9959-4B9A1F1103A1}\TypeLib	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BFCB129-10D5-45A9-9959-4B9A1F1103A1}\ProxyStubClsid32	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BFCB129-10D5-45A9-9959-4B9A1F1103A1}\TypeLib\ = "{273C6C07-3EFC-4137-9BDA-4469E963E0EF}"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}\TypeLib	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}\AppID = "{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}\ = "ºÓ±±Öé·åÒÇÆ÷ÒÇ±íÉè±¸ÓÐÏÞ¹«Ë¾"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{63D5F432-CFE4-11D1-B2C8-0060083BA1FB}	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{273C6C07-3EFC-4137-9BDA-4469E963E0EF}\1.0	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{273C6C07-3EFC-4137-9BDA-4469E963E0EF}\1.0\0\win32	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{273C6C07-3EFC-4137-9BDA-4469E963E0EF}\1.0\HELPDIR	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BFCB129-10D5-45A9-9959-4B9A1F1103A1}\TypeLib	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Modbus TCP OPC Server	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{63D5F432-CFE4-11D1-B2C8-0060083BA1FB}\409 = "OPC Daten Server V2.0"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BFCB129-10D5-45A9-9959-4B9A1F1103A1}\ = "IOPCDataAccess20"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BFCB129-10D5-45A9-9959-4B9A1F1103A1}\ProxyStubClsid32	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BFCB129-10D5-45A9-9959-4B9A1F1103A1}\TypeLib\ = "{273C6C07-3EFC-4137-9BDA-4469E963E0EF}"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BFCB129-10D5-45A9-9959-4B9A1F1103A1}	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}\Implemented Categories	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{273C6C07-3EFC-4137-9BDA-4469E963E0EF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BFCB129-10D5-45A9-9959-4B9A1F1103A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BFCB129-10D5-45A9-9959-4B9A1F1103A1}\TypeLib\Version = "1.0"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}\LocalServer32	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}\Version	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}\RunAs = "Interactive User"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{273C6C07-3EFC-4137-9BDA-4469E963E0EF}	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{273C6C07-3EFC-4137-9BDA-4469E963E0EF}\1.0\FLAGS	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{273C6C07-3EFC-4137-9BDA-4469E963E0EF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BFCB129-10D5-45A9-9959-4B9A1F1103A1}\TypeLib\Version = "1.0"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}\Implemented Categories\{63D5F432-CFE4-11D1-B2C8-0060083BA1FB}	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}\Version\ = "1.0"	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8CCD8E32-DF07-4C2A-B783-C9C9FEA1A17A}	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1908	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
1908	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1908	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
1908	e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe

C:\Users\Admin\AppData\Local\Temp\e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe
"C:\Users\Admin\AppData\Local\Temp\e8d6880de77339fc2f50b6e287b930c1959c8fc8567bd96385a88b2411c34e45.exe"
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-133-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1908-134-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1908-135-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads