601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2023, 02:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
Size

1.9MB
MD5

dbe027e10c6452bda90427d389be8dd5
SHA1

faa3821af4a7bb0089452fc4018055cc2916261c
SHA256

601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417
SHA512

c639f3513999bce3f3d361890d167f07856632726dc57f10b6493dea56762b646b16d0b01366f6086b7198023a695a307fde22fc8cf8f49fb77c8df5612670df
SSDEEP

49152:OCITT2qH7ZNFg79w9DcRKY5pHD+VwPs/f+Xxx4KarOCGBXq44eo:OfTTtZXg7ocR9pO2Xxx4SF4eo

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
64	regsvr32.exe
2300	regsvr32.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5052-13076-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13078-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13079-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13080-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13082-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13081-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13084-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13086-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13088-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13090-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13092-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13094-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13096-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13098-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13100-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13103-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13105-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13108-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13110-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13112-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13114-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13116-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13118-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13120-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13122-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13124-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5052-13125-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91420B16-AC0C-49D5-949F-14CD9EAB19F4}\150.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{174C9476-9DC6-4A02-8EB3-BEF91B7F1A2C}\TypeLib\Version = "30.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{37ECAB06-ED48-4199-A22F-2BD8E7202061}\ = "_ICON"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19CCD549-9EF7-498B-943A-386C165C0626}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{42B85D47-1528-4518-B0D9-8E0B57173E86}\ = "_System"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D6E110D-F6B8-4E06-B40F-9564B663EA28}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E207F05-E677-4211-9007-FD3587B06684}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F8FEB8C-F389-4894-9E71-7EDCA01171F4}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FED94B37-7B4D-433A-8A34-27A8DDA52713}\ = "Voice"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3788C8B9-C8A9-4362-A6DA-6B5503AA8258}\ = "Regedit"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C930ACF-9058-4BA5-8B0F-9E14FB78DAA8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3A988D7-8A39-4505-83B9-9E31CCB7CB16}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01F8B0BE-B48A-41DF-98CE-A3EA35895C43}\ProgID\ = "lxj_Plug.Water"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19CCD549-9EF7-498B-943A-386C165C0626}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50AAA9B8-C237-4692-885F-37BFFC63E1A1}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lxj_Plug.Net\Clsid\ = "{6E207F05-E677-4211-9007-FD3587B06684}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01F8B0BE-B48A-41DF-98CE-A3EA35895C43}\TypeLib\ = "{0FDA8769-AFE0-437D-B237-4575E135EDE9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lxj_Plug.Process\Clsid\ = "{50AAA9B8-C237-4692-885F-37BFFC63E1A1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E207F05-E677-4211-9007-FD3587B06684}\VERSION\ = "48.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABB8CE32-77EE-4E4F-BB0E-DBC9568B8F00}\ = "Lazy.LxjWord"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F8FEB8C-F389-4894-9E71-7EDCA01171F4}\ = "_Net"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3788C8B9-C8A9-4362-A6DA-6B5503AA8258}\TypeLib\ = "{0FDA8769-AFE0-437D-B237-4575E135EDE9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9D18CD73-EC2E-41EA-83C1-661A3F01DE6D}\TypeLib\Version = "30.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48CBCF4E-5087-48D1-BB44-91FDA3A7ECA2}\VERSION\ = "48.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50AAA9B8-C237-4692-885F-37BFFC63E1A1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3A988D7-8A39-4505-83B9-9E31CCB7CB16}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B48C0EEB-9BBE-4476-B83B-B362545AFF8C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{174C9476-9DC6-4A02-8EB3-BEF91B7F1A2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F8FEB8C-F389-4894-9E71-7EDCA01171F4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D809B530-4E9F-4FBF-9D0A-38C854D28F9D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB5EBCAE-6D36-43EC-938B-D0784538BC60}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9D18CD73-EC2E-41EA-83C1-661A3F01DE6D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FED94B37-7B4D-433A-8A34-27A8DDA52713}\TypeLib\Version = "30.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB5EBCAE-6D36-43EC-938B-D0784538BC60}\TypeLib\ = "{0FDA8769-AFE0-437D-B237-4575E135EDE9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48CBCF4E-5087-48D1-BB44-91FDA3A7ECA2}\InprocServer32\ = "C:\\Ê«ÓêæÌÈ»ÀÁÈË²å¼þ\\lxj_Plug.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABB8CE32-77EE-4E4F-BB0E-DBC9568B8F00}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FED94B37-7B4D-433A-8A34-27A8DDA52713}\ = "_Voice"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D6E110D-F6B8-4E06-B40F-9564B663EA28}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8316739A-192A-475F-B734-32AD9460CC27}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB5EBCAE-6D36-43EC-938B-D0784538BC60}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lxj_Plug.Process	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4050DED9-403F-4F43-9553-930081EE9916}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37DC1D39-EDCD-476D-98C8-A358592ED01D}\ = "lxj_Plug.Methods"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE1DB081-E114-43FB-AA94-FE951549D18E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19CCD549-9EF7-498B-943A-386C165C0626}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{37ECAB06-ED48-4199-A22F-2BD8E7202061}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lxj_Plug.Regedit\ = "lxj_Plug.Regedit"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19CCD549-9EF7-498B-943A-386C165C0626}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED5FC864-4C0A-465A-BB9D-81DBF4FE6505}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE1DB081-E114-43FB-AA94-FE951549D18E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{174C9476-9DC6-4A02-8EB3-BEF91B7F1A2C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8316739A-192A-475F-B734-32AD9460CC27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABB8CE32-77EE-4E4F-BB0E-DBC9568B8F00}\TypeLib\ = "{91420B16-AC0C-49D5-949F-14CD9EAB19F4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3A988D7-8A39-4505-83B9-9E31CCB7CB16}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3788C8B9-C8A9-4362-A6DA-6B5503AA8258}\ = "_Regedit"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB5EBCAE-6D36-43EC-938B-D0784538BC60}\ProgID\ = "lxj_Plug.Voice"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B48C0EEB-9BBE-4476-B83B-B362545AFF8C}\TypeLib\ = "{0FDA8769-AFE0-437D-B237-4575E135EDE9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D6E110D-F6B8-4E06-B40F-9564B663EA28}\ProgID\ = "lxj_Plug.ICON"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01F8B0BE-B48A-41DF-98CE-A3EA35895C43}\ = "lxj_Plug.Water"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37DC1D39-EDCD-476D-98C8-A358592ED01D}\TypeLib\ = "{0FDA8769-AFE0-437D-B237-4575E135EDE9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F8FEB8C-F389-4894-9E71-7EDCA01171F4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{174C9476-9DC6-4A02-8EB3-BEF91B7F1A2C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{06DD276F-1945-4BD7-A49D-0F533E8AE25F}\ = "_LxjAccess"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8316739A-192A-475F-B734-32AD9460CC27}\TypeLib\ = "{91420B16-AC0C-49D5-949F-14CD9EAB19F4}"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1424	5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe	97
PID 5052 wrote to memory of 1424	5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe	97
PID 5052 wrote to memory of 1424	5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe	97
PID 5052 wrote to memory of 64	5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe	98
PID 5052 wrote to memory of 64	5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe	98
PID 5052 wrote to memory of 64	5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe	98
PID 5052 wrote to memory of 2612	5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe	99
PID 5052 wrote to memory of 2612	5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe	99
PID 5052 wrote to memory of 2612	5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe	99
PID 5052 wrote to memory of 2300	5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe	100
PID 5052 wrote to memory of 2300	5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe	100
PID 5052 wrote to memory of 2300	5052	601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe	100

C:\Users\Admin\AppData\Local\Temp\601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe
"C:\Users\Admin\AppData\Local\Temp\601ea57991f45ee2c83b144c4550d49d17957abd2e0ae0b50fb35a92a942e417.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 atl.dll /s
  2⤵
  PID:1424
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Ê«ÓêæÌÈ»ÀÁÈË²å¼þ\lxj_Plug.dll /s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:64
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 atl.dll /s
  2⤵
  PID:2612
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Ê«ÓêæÌÈ»ÀÁÈË°ì¹«²å¼þ\LazyOffice.dll /s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Ê«ÓêæÌÈ»ÀÁÈË°ì¹«²å¼þ\LazyOffice.dll

Filesize
392KB

MD5
413f05277966fb16b443bac1d9f33008

SHA1
d1aaa4e0b46773cf11cafe3b946a04bdefbb75c0

SHA256
7701a2cfb7d7b390e48db10e40dd286e2870de79a14e31d86d9da81bf8d10568

SHA512
5e14687b7d3cdd541e630d5393f24841c610809f68c3056055308b0bccdf124e8661e20dc9edd79cde93c4e4d0c2d4e587eccbe533efa75b0ef03daae0bfd2f6

Download Submit
C:\Ê«ÓêæÌÈ»ÀÁÈË°ì¹«²å¼þ\LazyOffice.dll

Filesize
392KB

MD5
413f05277966fb16b443bac1d9f33008

SHA1
d1aaa4e0b46773cf11cafe3b946a04bdefbb75c0

SHA256
7701a2cfb7d7b390e48db10e40dd286e2870de79a14e31d86d9da81bf8d10568

SHA512
5e14687b7d3cdd541e630d5393f24841c610809f68c3056055308b0bccdf124e8661e20dc9edd79cde93c4e4d0c2d4e587eccbe533efa75b0ef03daae0bfd2f6

Download Submit
C:\Ê«ÓêæÌÈ»ÀÁÈË²å¼þ\lxj_Plug.dll

Filesize
484KB

MD5
73d262c0e36879640ed84b65b2390a78

SHA1
bc09307af46d6c90ce624cedf226027c47226e27

SHA256
22e02188a618d5c752ee642bf14eb6a099cc48f2ec3e419664756e7ab02bf5e4

SHA512
2b8ed926a43e85622ad36f6d7f4be1cc71b4dc70d9efca1a14698ce1e19bcdab6fa680b1a00c32b1747950db28d4f397edf2e22d1d0d828e393499ddd1ace24b

Download Submit
C:\Ê«ÓêæÌÈ»ÀÁÈË²å¼þ\lxj_Plug.dll

Filesize
484KB

MD5
73d262c0e36879640ed84b65b2390a78

SHA1
bc09307af46d6c90ce624cedf226027c47226e27

SHA256
22e02188a618d5c752ee642bf14eb6a099cc48f2ec3e419664756e7ab02bf5e4

SHA512
2b8ed926a43e85622ad36f6d7f4be1cc71b4dc70d9efca1a14698ce1e19bcdab6fa680b1a00c32b1747950db28d4f397edf2e22d1d0d828e393499ddd1ace24b

Download Submit
memory/5052-13100-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13090-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13071-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/5052-13072-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/5052-13074-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/5052-13075-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/5052-13076-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13078-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13079-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13080-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13082-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13081-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13084-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13108-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13088-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13105-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13092-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13094-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13096-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13098-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-0-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/5052-13101-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/5052-13070-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/5052-13103-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13086-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13110-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13112-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13114-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13116-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13118-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13120-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13122-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13124-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13125-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5052-13126-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/5052-13069-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/5052-5884-0x0000000075DD0000-0x0000000075E4A000-memory.dmp

Filesize
488KB

Download
memory/5052-3875-0x0000000075760000-0x0000000075900000-memory.dmp

Filesize
1.6MB

Download
memory/5052-1-0x0000000075540000-0x0000000075755000-memory.dmp

Filesize
2.1MB

Download
memory/5052-13135-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/5052-13136-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/5052-13137-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/5052-13138-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/5052-13139-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download
memory/5052-13140-0x0000000000400000-0x0000000000741000-memory.dmp

Filesize
3.3MB

Download