2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0

Analysis

max time kernel
139s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 10:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
Size

2.9MB
MD5

57b793980305d89811962127f8fef6b8
SHA1

42c69df2b806d49623dbd83edce97874dbae641f
SHA256

2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0
SHA512

1b5facaec16430005dcbd621b98c3014c37f336f985aa638618e53d8f446e90eba47c45c04176747a6c1cb21cc93e25ac81863ef2f4c9e8a0d04c6bf4e09484a
SSDEEP

49152:CuWrvn5IZNcpSSRfrTbu651dnTmtGcrRlGvRmraDCkmXkCsIkHt:CuW7nENcp9RfrT665rnTYNRlGZmr2ZmA

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe

Executes dropped EXE 1 IoCs

pid	Process
2580	WebClientAppConn.exe

Loads dropped DLL 1 IoCs

pid	Process
2212	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WebClientAppConn = "C:\\Program Files\\WebClient_p2p_conn_Plugin\\WebClientAppConn.exe \"\""	reg.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files\WebClient_p2p_conn_Plugin\webConfig.xml	xcopy.exe
File created	C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\WebClientAppConn.exe	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\delFile.exe	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File created	C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\WebClientAppCfg.xml	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\WebClientAppConn.exe	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File created	C:\Program Files\WebClient_p2p_conn_Plugin\delFile.exe	xcopy.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\delFile.exe	xcopy.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\WebClientAppCfg.xml	xcopy.exe
File created	C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\delFile.exe	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File created	C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\webConfig.xml	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin	xcopy.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\delFile.exe	xcopy.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\uninstall.cmd	xcopy.exe
File created	C:\Program Files\WebClient_p2p_conn_Plugin\WebClientAppCfg.xml	xcopy.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\WebClientAppConn.exe	xcopy.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\webConfig.xml	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File created	C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\uninstall.cmd	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File created	C:\Program Files\WebClient_p2p_conn_Plugin\WebClientAppConn.exe	xcopy.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\webConfig.xml	xcopy.exe
File created	C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\setup.cmd	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\uninstall.cmd	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\npWebClient_p2p_conn_Plugin.dll	xcopy.exe
File created	C:\Program Files\WebClient_p2p_conn_Plugin\setup.cmd	xcopy.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\setup.cmd	xcopy.exe
File created	C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\npWebClient_p2p_conn_Plugin.dll	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin	xcopy.exe
File created	C:\Program Files\WebClient_p2p_conn_Plugin\npWebClient_p2p_conn_Plugin.dll	xcopy.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\npWebClient_p2p_conn_Plugin.dll	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\setup.cmd	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File opened for modification	C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\WebClientAppCfg.xml	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
File created	C:\Program Files\WebClient_p2p_conn_Plugin\uninstall.cmd	xcopy.exe
File created	C:\Program Files\WebClient_p2p_conn_Plugin\__tmp_rar_sfx_access_check_240660312	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4564	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE49F9D6-6B55-46F0-A924-B59D564B7166}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE49F9D6-6B55-46F0-A924-B59D564B7166}\TypeLib\ = "{9FCCFEE7-737B-45CC-9F71-F4F263ED2166}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9FCCFEE7-737B-45CC-9F71-F4F263ED2166}\1.0\HELPDIR\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NPWEBCLIENT_9000.npWebClient_9000Ctrl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}\ToolboxBitmap32\ = "C:\\Program Files\\WebClient_p2p_conn_Plugin\\npWebClient_p2p_conn_Plugin.dll, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{556E2FE4-3F01-4A4C-9A8F-879DF6258A53}\InprocServer32\ = "C:\\Program Files\\WebClient_p2p_conn_Plugin\\npWebClient_p2p_conn_Plugin.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebClientAppConn\shell\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebClientAppConn\shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{556E2FE4-3F01-4A4C-9A8F-879DF6258A53}\ = "npWebClient_9000 Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{324C2AE9-E416-4FCA-96B5-C41777E0E166}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}\ProgID\ = "NPWEBCLIENT_9000.npWebClient_9000Ctrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}\TypeLib\ = "{9FCCFEE7-737B-45CC-9F71-F4F263ED2166}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9FCCFEE7-737B-45CC-9F71-F4F263ED2166}\1.0\0\win32\ = "C:\\Program Files\\WebClient_p2p_conn_Plugin\\npWebClient_p2p_conn_Plugin.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{556E2FE4-3F01-4A4C-9A8F-879DF6258A53}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{324C2AE9-E416-4FCA-96B5-C41777E0E166}\TypeLib\ = "{9FCCFEE7-737B-45CC-9F71-F4F263ED2166}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}\Control\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE49F9D6-6B55-46F0-A924-B59D564B7166}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{324C2AE9-E416-4FCA-96B5-C41777E0E166}\ = "_DnpWebClient_9000Events"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebClientAppConn\ = "URL:WebClientAppConn Protocol Handler"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9FCCFEE7-737B-45CC-9F71-F4F263ED2166}\1.0\ = "npWebClient_9000Lib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE49F9D6-6B55-46F0-A924-B59D564B7166}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{324C2AE9-E416-4FCA-96B5-C41777E0E166}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NPWEBCLIENT_9000.npWebClient_9000Ctrl.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebClientAppConn\URL Protocol	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE49F9D6-6B55-46F0-A924-B59D564B7166}\ = "_DnpWebClient_9000"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{324C2AE9-E416-4FCA-96B5-C41777E0E166}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{556E2FE4-3F01-4A4C-9A8F-879DF6258A53}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}\ = "WebClient_VPPlugin_P2P CONN_Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebClientAppConn\shell\open\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9FCCFEE7-737B-45CC-9F71-F4F263ED2166}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9FCCFEE7-737B-45CC-9F71-F4F263ED2166}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE49F9D6-6B55-46F0-A924-B59D564B7166}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{324C2AE9-E416-4FCA-96B5-C41777E0E166}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9FCCFEE7-737B-45CC-9F71-F4F263ED2166}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE49F9D6-6B55-46F0-A924-B59D564B7166}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebClientAppConn	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9FCCFEE7-737B-45CC-9F71-F4F263ED2166}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{324C2AE9-E416-4FCA-96B5-C41777E0E166}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{324C2AE9-E416-4FCA-96B5-C41777E0E166}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{324C2AE9-E416-4FCA-96B5-C41777E0E166}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NPWEBCLIENT_9000.npWebClient_9000Ctrl.1\ = "WebClient_VPPlugin_P2P CONN_Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebClientAppConn\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE49F9D6-6B55-46F0-A924-B59D564B7166}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{324C2AE9-E416-4FCA-96B5-C41777E0E166}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{324C2AE9-E416-4FCA-96B5-C41777E0E166}\ = "_DnpWebClient_9000Events"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{324C2AE9-E416-4FCA-96B5-C41777E0E166}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6334C1EB-5F19-430A-A41B-D7B4BBE65166}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE49F9D6-6B55-46F0-A924-B59D564B7166}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9FCCFEE7-737B-45CC-9F71-F4F263ED2166}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9FCCFEE7-737B-45CC-9F71-F4F263ED2166}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE49F9D6-6B55-46F0-A924-B59D564B7166}\ = "_DnpWebClient_9000"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4564	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2580	WebClientAppConn.exe
2580	WebClientAppConn.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 2004	4336	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe	85
PID 4336 wrote to memory of 2004	4336	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe	85
PID 4336 wrote to memory of 2004	4336	2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe	85
PID 2004 wrote to memory of 928	2004	cmd.exe	88
PID 2004 wrote to memory of 928	2004	cmd.exe	88
PID 2004 wrote to memory of 928	2004	cmd.exe	88
PID 2004 wrote to memory of 4564	2004	cmd.exe	89
PID 2004 wrote to memory of 4564	2004	cmd.exe	89
PID 2004 wrote to memory of 4564	2004	cmd.exe	89
PID 2004 wrote to memory of 1228	2004	cmd.exe	104
PID 2004 wrote to memory of 1228	2004	cmd.exe	104
PID 2004 wrote to memory of 1228	2004	cmd.exe	104
PID 2004 wrote to memory of 2212	2004	cmd.exe	91
PID 2004 wrote to memory of 2212	2004	cmd.exe	91
PID 2004 wrote to memory of 2212	2004	cmd.exe	91
PID 2004 wrote to memory of 3520	2004	cmd.exe	103
PID 2004 wrote to memory of 3520	2004	cmd.exe	103
PID 2004 wrote to memory of 3520	2004	cmd.exe	103
PID 2004 wrote to memory of 380	2004	cmd.exe	92
PID 2004 wrote to memory of 380	2004	cmd.exe	92
PID 2004 wrote to memory of 380	2004	cmd.exe	92
PID 2004 wrote to memory of 3848	2004	cmd.exe	94
PID 2004 wrote to memory of 3848	2004	cmd.exe	94
PID 2004 wrote to memory of 3848	2004	cmd.exe	94
PID 2004 wrote to memory of 4608	2004	cmd.exe	93
PID 2004 wrote to memory of 4608	2004	cmd.exe	93
PID 2004 wrote to memory of 4608	2004	cmd.exe	93
PID 2004 wrote to memory of 3388	2004	cmd.exe	100
PID 2004 wrote to memory of 3388	2004	cmd.exe	100
PID 2004 wrote to memory of 3388	2004	cmd.exe	100
PID 2004 wrote to memory of 3264	2004	cmd.exe	99
PID 2004 wrote to memory of 3264	2004	cmd.exe	99
PID 2004 wrote to memory of 3264	2004	cmd.exe	99
PID 2004 wrote to memory of 3088	2004	cmd.exe	95
PID 2004 wrote to memory of 3088	2004	cmd.exe	95
PID 2004 wrote to memory of 3088	2004	cmd.exe	95
PID 2004 wrote to memory of 4448	2004	cmd.exe	98
PID 2004 wrote to memory of 4448	2004	cmd.exe	98
PID 2004 wrote to memory of 4448	2004	cmd.exe	98
PID 2004 wrote to memory of 4728	2004	cmd.exe	96
PID 2004 wrote to memory of 4728	2004	cmd.exe	96
PID 2004 wrote to memory of 4728	2004	cmd.exe	96
PID 2004 wrote to memory of 2580	2004	cmd.exe	97
PID 2004 wrote to memory of 2580	2004	cmd.exe	97
PID 2004 wrote to memory of 2580	2004	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe
"C:\Users\Admin\AppData\Local\Temp\2aad4ec0937305c930ade4e9585ffad09d1a733d3d9b3fcb1c7a67b144f73cb0.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\setup.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\delFile.exe" "C:\Program Files\WebClient_p2p_conn_Plugin\" /e /y
    3⤵
    - Drops file in Program Files directory
    - Enumerates system info in registry
    PID:928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "WebClientAppConn.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /S "C:\Program Files\WebClient_p2p_conn_Plugin\npWebClient_p2p_conn_Plugin.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2212
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebClient_p2p_conn_Plugin" /v "DisplayName" /t reg_sz /d "WebClient_p2p_conn_Plugin" /f
    3⤵
    PID:380
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WebClientAppConn" /ve /t reg_sz /d "URL:WebClientAppConn Protocol Handler" /f
    3⤵
    - Modifies registry class
    PID:4608
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebClient_p2p_conn_Plugin" /v "UninstallString" /t reg_sz /d "C:\Program Files\WebClient_p2p_conn_Plugin\uninstall.cmd" /f
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WebClientAppConn\shell\open" /f
    3⤵
    - Modifies registry class
    PID:3088
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "WebClientAppConn" /t reg_sz /d "C:\Program Files\WebClient_p2p_conn_Plugin\WebClientAppConn.exe \"\"" /f
    3⤵
    - Adds Run key to start application
    PID:4728
- - C:\Program Files\WebClient_p2p_conn_Plugin\WebClientAppConn.exe
    "C:\Program Files\WebClient_p2p_conn_Plugin\WebClientAppConn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2580
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WebClientAppConn\shell\open\command" /ve /t reg_sz /d "C:\Program Files\WebClient_p2p_conn_Plugin\WebClientAppConn.exe \"\"" /f
    3⤵
    - Modifies registry class
    PID:4448
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WebClientAppConn\shell" /f
    3⤵
    - Modifies registry class
    PID:3264
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WebClientAppConn" /v "URL Protocol" /t reg_sz /d "" /f
    3⤵
    - Modifies registry class
    PID:3388
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\MozillaPlugins\@ocxPlugin/WebClient_p2p_conn_Plugin" /v "Path" /t reg_sz /d "C:\Program Files\WebClient_p2p_conn_Plugin\npWebClient_p2p_conn_Plugin.dll" /f
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\*.*" "C:\Program Files\WebClient_p2p_conn_Plugin\" /e /y
    3⤵
    - Drops file in Program Files directory
    - Enumerates system info in registry
    PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WebClient_p2p_conn_Plugin\WebClientAppCfg.xml

Filesize
157B

MD5
1f4b5925901aca48b182b45d3ce91ebf

SHA1
b64f9bbd595a38441a53d22da9f68cf779f92370

SHA256
d70526377f236a261e754252ebaeefe99dea47dbb2c267b81b9fb285de656e89

SHA512
4787009ec500518ca07b0b357f3f43401de0f83b7324f0d16e4093ac50e2a9df734b3daf97e4e1e4a6a9169e243dfd6a32fbbf2409648f017ddb1bb9ded99d7e

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\WebClientAppCfg.xml

Filesize
157B

MD5
1f4b5925901aca48b182b45d3ce91ebf

SHA1
b64f9bbd595a38441a53d22da9f68cf779f92370

SHA256
d70526377f236a261e754252ebaeefe99dea47dbb2c267b81b9fb285de656e89

SHA512
4787009ec500518ca07b0b357f3f43401de0f83b7324f0d16e4093ac50e2a9df734b3daf97e4e1e4a6a9169e243dfd6a32fbbf2409648f017ddb1bb9ded99d7e

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\WebClientAppConn.exe

Filesize
1.9MB

MD5
5508c608d98e5e6d04b798eccc9f0a35

SHA1
584fd6f0d636c764d5eed4e641e8f2c38019bae9

SHA256
7955845fe7cf51b05f98156eac9561627b70bf7573b4650877a0591b5cf2cc85

SHA512
12a6eb3ac1b3adc9a99a2cf8715be9c307558d6bda7f879355254a71c66c0757f1cccdf680bd71c923e571d0ea0b801a6cdca889c6468f7ed82432a25245e7ee

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\WebClientAppConn.exe

Filesize
1.9MB

MD5
5508c608d98e5e6d04b798eccc9f0a35

SHA1
584fd6f0d636c764d5eed4e641e8f2c38019bae9

SHA256
7955845fe7cf51b05f98156eac9561627b70bf7573b4650877a0591b5cf2cc85

SHA512
12a6eb3ac1b3adc9a99a2cf8715be9c307558d6bda7f879355254a71c66c0757f1cccdf680bd71c923e571d0ea0b801a6cdca889c6468f7ed82432a25245e7ee

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\WebClientAppConn.exe

Filesize
1.9MB

MD5
5508c608d98e5e6d04b798eccc9f0a35

SHA1
584fd6f0d636c764d5eed4e641e8f2c38019bae9

SHA256
7955845fe7cf51b05f98156eac9561627b70bf7573b4650877a0591b5cf2cc85

SHA512
12a6eb3ac1b3adc9a99a2cf8715be9c307558d6bda7f879355254a71c66c0757f1cccdf680bd71c923e571d0ea0b801a6cdca889c6468f7ed82432a25245e7ee

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\WebClientAppCfg.xml

Filesize
157B

MD5
1f4b5925901aca48b182b45d3ce91ebf

SHA1
b64f9bbd595a38441a53d22da9f68cf779f92370

SHA256
d70526377f236a261e754252ebaeefe99dea47dbb2c267b81b9fb285de656e89

SHA512
4787009ec500518ca07b0b357f3f43401de0f83b7324f0d16e4093ac50e2a9df734b3daf97e4e1e4a6a9169e243dfd6a32fbbf2409648f017ddb1bb9ded99d7e

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\WebClientAppConn.exe

Filesize
1.9MB

MD5
5508c608d98e5e6d04b798eccc9f0a35

SHA1
584fd6f0d636c764d5eed4e641e8f2c38019bae9

SHA256
7955845fe7cf51b05f98156eac9561627b70bf7573b4650877a0591b5cf2cc85

SHA512
12a6eb3ac1b3adc9a99a2cf8715be9c307558d6bda7f879355254a71c66c0757f1cccdf680bd71c923e571d0ea0b801a6cdca889c6468f7ed82432a25245e7ee

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\delFile.exe

Filesize
14KB

MD5
94f640ea5ef171e391db57a65dac5708

SHA1
8cd8a5ceb8c634fdc534b6254846e61e804b86f1

SHA256
35a525b50a2bf81d4767490badccfb8d686586bac2b35ada0121110f71c0345a

SHA512
3b9dd5fc03a4989d78125cff18cced5359510290dd8e0659c8236d87f5549894c18170679a6df43141e96972fc7a41f46653a382b89a9e10b90eba324d00d8a8

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\npWebClient_p2p_conn_Plugin.dll

Filesize
6.2MB

MD5
c4fce0abe659d699e173b7e8797a7819

SHA1
9451d5d45ae58fa48e96d5061b8342fa212cdd70

SHA256
38f87a4da0c4775efdf8f3d17c58e752ca2b7f54291dbb2e695ba25009f65055

SHA512
d7ffaf2dc90c87c661ad9f6af434e97f8eae3e00f2ce412ef764854e1d5ca150b084c29ae0eff9f9fa522baa07b1f9d5695507fc1fc46b803fbc04d2a2a6c0ae

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\setup.cmd

Filesize
3KB

MD5
d9d16ee27bcf8e754b1dda3add36de19

SHA1
3ccdbf12fb0fdf898646d07e180b3d3744789ddd

SHA256
98b2a87a867e3d4d5c380ab9deff9b70ad37cff3792f988e8308931f8a5674d3

SHA512
e7ec28ed48bd52ea3679ced817e377e74e5cd55aa65c9b51f989e9b27fb7752ce92554a9864a9bfd85fca3cae605fc6f7d3746058e1181ce6bda577849c5c98c

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\uninstall.cmd

Filesize
649B

MD5
faf71ea434d29e2638ba850f63af0d37

SHA1
ca59423aebe6f66fee6299ff7c0bfcdb5abb2516

SHA256
70bad7b0d869ed2689506359709abf2bc329e0841aebca61bb0303b2a8d02a83

SHA512
aaf17b094ad4a5aed32a8c7ab09c94d2de48d48bd8ddc71b3898c4950e98e224d8ecd36015628b47bfd26d03d7e23c239a49f649afc403e7d682f0f3df0ce9db

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\WebClient_p2p_conn_Plugin\webConfig.xml

Filesize
241B

MD5
a63940e5d022cf06f1460032d1617d77

SHA1
2744565f3e3ac8381211e237bdc9557bc97a67d3

SHA256
0df32d04a551fc7132de5cef0bdf676a7d9858e9d1b6fe70d0728ed859ff1a4e

SHA512
ca9c67a43521fc55bbc4ac074f172c9aeeeb9917423f6dc139273ad2619935c4aa01576cc491b40923184687032e7902a914f485523f3bd4c9bf6f44eba2446c

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\delFile.exe

Filesize
14KB

MD5
94f640ea5ef171e391db57a65dac5708

SHA1
8cd8a5ceb8c634fdc534b6254846e61e804b86f1

SHA256
35a525b50a2bf81d4767490badccfb8d686586bac2b35ada0121110f71c0345a

SHA512
3b9dd5fc03a4989d78125cff18cced5359510290dd8e0659c8236d87f5549894c18170679a6df43141e96972fc7a41f46653a382b89a9e10b90eba324d00d8a8

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\npWebClient_p2p_conn_Plugin.dll

Filesize
6.2MB

MD5
c4fce0abe659d699e173b7e8797a7819

SHA1
9451d5d45ae58fa48e96d5061b8342fa212cdd70

SHA256
38f87a4da0c4775efdf8f3d17c58e752ca2b7f54291dbb2e695ba25009f65055

SHA512
d7ffaf2dc90c87c661ad9f6af434e97f8eae3e00f2ce412ef764854e1d5ca150b084c29ae0eff9f9fa522baa07b1f9d5695507fc1fc46b803fbc04d2a2a6c0ae

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\npWebClient_p2p_conn_Plugin.dll

Filesize
6.2MB

MD5
c4fce0abe659d699e173b7e8797a7819

SHA1
9451d5d45ae58fa48e96d5061b8342fa212cdd70

SHA256
38f87a4da0c4775efdf8f3d17c58e752ca2b7f54291dbb2e695ba25009f65055

SHA512
d7ffaf2dc90c87c661ad9f6af434e97f8eae3e00f2ce412ef764854e1d5ca150b084c29ae0eff9f9fa522baa07b1f9d5695507fc1fc46b803fbc04d2a2a6c0ae

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\npWebClient_p2p_conn_Plugin.dll

Filesize
6.2MB

MD5
c4fce0abe659d699e173b7e8797a7819

SHA1
9451d5d45ae58fa48e96d5061b8342fa212cdd70

SHA256
38f87a4da0c4775efdf8f3d17c58e752ca2b7f54291dbb2e695ba25009f65055

SHA512
d7ffaf2dc90c87c661ad9f6af434e97f8eae3e00f2ce412ef764854e1d5ca150b084c29ae0eff9f9fa522baa07b1f9d5695507fc1fc46b803fbc04d2a2a6c0ae

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\setup.cmd

Filesize
3KB

MD5
d9d16ee27bcf8e754b1dda3add36de19

SHA1
3ccdbf12fb0fdf898646d07e180b3d3744789ddd

SHA256
98b2a87a867e3d4d5c380ab9deff9b70ad37cff3792f988e8308931f8a5674d3

SHA512
e7ec28ed48bd52ea3679ced817e377e74e5cd55aa65c9b51f989e9b27fb7752ce92554a9864a9bfd85fca3cae605fc6f7d3746058e1181ce6bda577849c5c98c

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\setup.cmd

Filesize
3KB

MD5
d9d16ee27bcf8e754b1dda3add36de19

SHA1
3ccdbf12fb0fdf898646d07e180b3d3744789ddd

SHA256
98b2a87a867e3d4d5c380ab9deff9b70ad37cff3792f988e8308931f8a5674d3

SHA512
e7ec28ed48bd52ea3679ced817e377e74e5cd55aa65c9b51f989e9b27fb7752ce92554a9864a9bfd85fca3cae605fc6f7d3746058e1181ce6bda577849c5c98c

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\uninstall.cmd

Filesize
649B

MD5
faf71ea434d29e2638ba850f63af0d37

SHA1
ca59423aebe6f66fee6299ff7c0bfcdb5abb2516

SHA256
70bad7b0d869ed2689506359709abf2bc329e0841aebca61bb0303b2a8d02a83

SHA512
aaf17b094ad4a5aed32a8c7ab09c94d2de48d48bd8ddc71b3898c4950e98e224d8ecd36015628b47bfd26d03d7e23c239a49f649afc403e7d682f0f3df0ce9db

Download Submit
C:\Program Files\WebClient_p2p_conn_Plugin\webConfig.xml

Filesize
241B

MD5
a63940e5d022cf06f1460032d1617d77

SHA1
2744565f3e3ac8381211e237bdc9557bc97a67d3

SHA256
0df32d04a551fc7132de5cef0bdf676a7d9858e9d1b6fe70d0728ed859ff1a4e

SHA512
ca9c67a43521fc55bbc4ac074f172c9aeeeb9917423f6dc139273ad2619935c4aa01576cc491b40923184687032e7902a914f485523f3bd4c9bf6f44eba2446c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads