3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Size

1.9MB
MD5

c92f0fea8d7a5010ed4493cd5600cb1c
SHA1

fa256e858b84cff6bdaabbec96a911dbdb2c04d4
SHA256

3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad
SHA512

48af6bc13792bb5eb579f50a00f69c28199459a59a3321fcbf3c2c51f7392deda2b09d55e03692c014de84cd692c24c12c565ee794cb2736c1d9b9316ab15ac6
SSDEEP

24576:51MhLpgeK7gMD5cClV3j0nNI6hn2IQFiJC:5Kdk7JlNjy73JC

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE64F21-D4B0-11D3-9CA6-444553540000}\TypeLib	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ECD7C67C-BC6E-4A2A-9530-45547BE7B3F9}\TypeLib\ = "{2CE64F20-D4B0-11D3-9CA6-444553540000}"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECD7C67C-BC6E-4A2A-9530-45547BE7B3F9}	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE64F21-D4B0-11D3-9CA6-444553540000}\TypeLib\ = "{2CE64F20-D4B0-11D3-9CA6-444553540000}"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE64F21-D4B0-11D3-9CA6-444553540000}	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE64F21-D4B0-11D3-9CA6-444553540000}\ProxyStubClsid32	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE64F21-D4B0-11D3-9CA6-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE64F21-D4B0-11D3-9CA6-444553540000}\TypeLib\ = "{2CE64F20-D4B0-11D3-9CA6-444553540000}"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE64F21-D4B0-11D3-9CA6-444553540000}	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE64F21-D4B0-11D3-9CA6-444553540000}\TypeLib	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECD7C67C-BC6E-4A2A-9530-45547BE7B3F9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2CE64F20-D4B0-11D3-9CA6-444553540000}\1.0\FLAGS\ = "0"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2CE64F20-D4B0-11D3-9CA6-444553540000}\1.0\HELPDIR	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ECD7C67C-BC6E-4A2A-9530-45547BE7B3F9}	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECD7C67C-BC6E-4A2A-9530-45547BE7B3F9}\ = "DispInterface1"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECD7C67C-BC6E-4A2A-9530-45547BE7B3F9}\TypeLib\Version = "1.0"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2CE64F20-D4B0-11D3-9CA6-444553540000}\1.0\0\win32	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2CE64F20-D4B0-11D3-9CA6-444553540000}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2CE64F20-D4B0-11D3-9CA6-444553540000}	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ECD7C67C-BC6E-4A2A-9530-45547BE7B3F9}\ = "DispInterface1"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE64F21-D4B0-11D3-9CA6-444553540000}\ = "ITBrowserToDelphi"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ECD7C67C-BC6E-4A2A-9530-45547BE7B3F9}\ProxyStubClsid32	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECD7C67C-BC6E-4A2A-9530-45547BE7B3F9}\TypeLib\ = "{2CE64F20-D4B0-11D3-9CA6-444553540000}"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2CE64F20-D4B0-11D3-9CA6-444553540000}\1.0\FLAGS	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE64F21-D4B0-11D3-9CA6-444553540000}\TypeLib\Version = "1.0"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2CE64F20-D4B0-11D3-9CA6-444553540000}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE64F21-D4B0-11D3-9CA6-444553540000}\ = "ITBrowserToDelphi"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE64F21-D4B0-11D3-9CA6-444553540000}\ProxyStubClsid32	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE64F21-D4B0-11D3-9CA6-444553540000}\TypeLib\Version = "1.0"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ECD7C67C-BC6E-4A2A-9530-45547BE7B3F9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2CE64F20-D4B0-11D3-9CA6-444553540000}\1.0	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2CE64F20-D4B0-11D3-9CA6-444553540000}\1.0\ = "example Library"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ECD7C67C-BC6E-4A2A-9530-45547BE7B3F9}\TypeLib	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ECD7C67C-BC6E-4A2A-9530-45547BE7B3F9}\TypeLib\Version = "1.0"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECD7C67C-BC6E-4A2A-9530-45547BE7B3F9}\ProxyStubClsid32	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECD7C67C-BC6E-4A2A-9530-45547BE7B3F9}\TypeLib	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2CE64F20-D4B0-11D3-9CA6-444553540000}\1.0\0	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE64F21-D4B0-11D3-9CA6-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4376	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4376	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4376	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
4376	3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe

C:\Users\Admin\AppData\Local\Temp\3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe
"C:\Users\Admin\AppData\Local\Temp\3c205a39087d06c3892e178994344f11962e12355d6636127f8a088d10d925ad.exe"
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Config.ini

Filesize
23B

MD5
26f53843188bf2b9399b4fe89e20fbe5

SHA1
0809c4cccd5d3b7d04f92418b248b465d727840f

SHA256
0755ed42d97172933d1071f2d17a9171c6efb615855c028c6581fbef64c82a8e

SHA512
4d0f3fc31db41a6245dc992a179f95471174253eb606cddcafbc11a5fd0d2dd01d2d7daa08f2a7984ae704c26d1593892ca7ac935bd199706c08ee3b1c117ef7

Download Submit
memory/4376-0-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/4376-77-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/4376-78-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download