a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb

Analysis

max time kernel
118s
max time network
138s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
Size

537KB
MD5

9da02f4018e74ec275a75ca38c7cb19e
SHA1

aa9a92f062a7834c90e5978e814b961c42597ab3
SHA256

a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb
SHA512

bd596b36b65263ec26132d041beaf83ec4b60303f33fc974911ec42016586158bd7486c323e626ced9fa2d30887f75e965fa53f8880674c72c527b577ab8c7f6
SSDEEP

6144:MhOfjZXluQA/qNgSr5oK4c276VPAa9aVO4ikeCUVw:4YjTVxNgSFD+w9aVOIvUO

Score

1^/10

Malware Config

Signatures

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\InprocHandler32\ = "ole32.dll"	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dialer	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneDialer.Document	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\ = "电话拨号程序文档"	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneDialer.Document\CLSID\ = "{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}"	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A9BFAA~1.EXE"	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dialer\ = "dialer.chm"	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneDialer.Document\ = "电话拨号程序文档"	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\ProgID\ = "PhoneDialer.Document"	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\LocalServer32	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneDialer.Document\CLSID	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\ProgID	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\InprocHandler32	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2688	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2688	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
2688	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2688	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
2688	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2688	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
2688	a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe

C:\Users\Admin\AppData\Local\Temp\a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe
"C:\Users\Admin\AppData\Local\Temp\a9bfaa61c6c4a0e4b0894d3101c871a649d69d1678dffbd4746fd5455f7cd2fb.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2688-0-0x0000000001000000-0x0000000001082000-memory.dmp

Filesize
520KB

Download
memory/2688-1-0x0000000001000000-0x0000000001082000-memory.dmp

Filesize
520KB

Download
memory/2688-2-0x0000000000D60000-0x0000000000DE2000-memory.dmp

Filesize
520KB

Download