2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02

Analysis

max time kernel
141s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Size

1.4MB
MD5

986a79ca264247282a1c3234f85c3d4e
SHA1

6b5ebc7cc1fb026b4a18f8c4d11458f784c8ec71
SHA256

2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02
SHA512

bdef3c88f158d5ddf1ae819aa73056ad0c319284801f50c10f551eb6820cda7bd83afe9ca2da6b1de3af9fdf4356a3444d92d109de29bcdf8f2445b94689431d
SSDEEP

24576:Ub4ZCijkG44B71LyI84bphU0SRtdjOl/OWw9lBGtw+bUV/3e:LZCirjU440ojOsWwi9s/3e

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\MiscStatus	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\DocObject\ = "0"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2F159A~1.EXE"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\protocol\StdFileEditing\verb\0\ = "&Edit"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\protocol	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\protocol\StdFileEditing	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\Verb\0	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\MiscStatus\ = "32"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\InprocHandler32	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\DefaultExtension\ = ".net, ?????? (*.net)"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell\open	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2F159A~1.EXE /dde"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell\print\command	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\DocObject	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell\printto	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell\print\ddeexec	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\Insertable\	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\protocol\StdFileEditing\verb\0	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\Verb\0\ = "&Edit,0,2"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\AuxUserType\3	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\LocalServer32	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\Printable\	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\ProgID	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\InprocHandler32\ = "ole32.dll"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\AuxUserType	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell\printto\command	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2F159A~1.EXE /dde"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.net\ = "NetPlan.Document"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\DefaultExtension	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell\open\command	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\ = "??????"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.net	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\Insertable\	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\AuxUserType\3\ = "????"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\CLSID\ = "{C77B0185-6F6E-11D4-801F-0080C87CE353}"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\DefaultIcon	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\Insertable	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\DocObject	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\protocol\StdFileEditing\server	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\Verb\1	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2F159A~1.EXE,1"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell\print\ddeexec\ = "[print(\"%1\")]"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\Insertable	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\protocol\StdFileEditing\verb	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\AuxUserType\2	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2F159A~1.EXE /dde"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.net\ShellNew	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\ = "??????"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\Verb\1\ = "&Open,0,2"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\CLSID	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell\open\ddeexec\ = "[open(\"%1\")]"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\protocol\StdFileEditing\server\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2F159A~1.EXE"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\ProgID\ = "NetPlan.Document"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell\open\ddeexec	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell\printto\ddeexec	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\DocObject\ = "0"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\DefaultIcon	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77B0185-6F6E-11D4-801F-0080C87CE353}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2F159A~1.EXE,1"	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetPlan.Document\shell\print	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4580	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
4580	2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe

C:\Users\Admin\AppData\Local\Temp\2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe
"C:\Users\Admin\AppData\Local\Temp\2f159ae88fc6985eb73e14b4a5d110ea760674a1d36b039d8a3670dc09e2ee02.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4580-0-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/4580-1-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads