4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
Size

4.5MB
MD5

dae2f0d08e24f48d50f9150bb926cf39
SHA1

4412f3ff5dc81034f2dc1246e1343c25420da59c
SHA256

4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394
SHA512

7377fb786254af08d79b5a369ba2ad956828630394259bc791644ef73b988b91c36d98a17e81b80ba5e36e8fe095e9544932c2a13cbfd8027e77b381219515f2
SSDEEP

98304:HXPPJ5EIqKe6q3oKbtRMv3tho3hahqOr9JajQbu2+NUzQ6lMU:/PjaKHAtmv3tho3hahqOrTajku2FzQ6W

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2536	regsvr32.exe
3056	regsvr32.exe
2128	regsvr32.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\W95INF16.dll	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
File created	C:\Windows\SysWOW64\COMDLG32.ocx	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
File created	C:\Windows\SysWOW64\MSCOMCTL.ocx	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
File created	C:\Windows\SysWOW64\OLEAUT32.dll	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
File created	C:\Windows\SysWOW64\ASYCFILT.dll	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
File created	C:\Windows\SysWOW64\MSVBVM60.dll	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
File created	C:\Windows\SysWOW64\OLEPRO32.dll	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
File created	C:\Windows\SysWOW64\STDOLE2.tlb	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
File created	C:\Windows\SysWOW64\W95INF32.dll	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
File opened for modification	C:\Windows\SysWOW64\COMDLG32.ocx	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
File created	C:\Windows\SysWOW64\COMCTL32.ocx	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
File created	C:\Windows\SysWOW64\MSSTDFMT.ocx	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
File created	C:\Windows\SysWOW64\COMCAT.dll	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
File created	C:\Windows\SysWOW64\TABCTL32.OCX	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
File created	C:\Windows\SysWOW64\ADVPACK.dll	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{24B224E0-9545-4A2F-ABD5-86AA8A849385}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{7DC6F291-BF55-4E50-B619-EF672D9DCC58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{F91CAF91-225B-43A7-BB9E-472F991FC402}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{627C8B79-918A-4C5C-9E19-20F66BF30B86}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{996BF5E0-8044-4650-ADEB-0B013914E99C}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ = "ICommonDialogEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Version\ = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8AE-850A-101B-AFC0-4210102A8DA7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3F-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\ = "IImageCombo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D94-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}\ = "Toolbar General Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\ = "ITabs"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E80-DF38-11CF-8E74-00A0C90F26F8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D90-9D6A-101B-AFC0-4210102A8DA7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\CONTROL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.ListViewCtrl	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab\ = "Microsoft Tabbed Dialog Control 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D83603-895E-11D0-B0A6-000000000000}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSCOMCTL.ocx"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE41-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE42-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E953-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E791-850A-101B-AFC0-4210102A8DA7}\ = "ITabs10"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}\1.1\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E451-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA60-E020-11CF-8E74-00A0C90F26F8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D83602-895E-11D0-B0A6-000000000000}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DA8D95-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.ListViewCtrl\CurVer\ = "COMCTL.ListViewCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.TabStrip.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "2.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B7E6393-850A-101B-AFC0-4210102A8DA7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83604-895E-11D0-B0A6-000000000000}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\ToolboxBitmap32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C787A52-E01C-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E8AF-850A-101B-AFC0-4210102A8DA7}\ = "IListItem10"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\MiscStatus	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3C-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF953-8592-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA40-E020-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\MiscStatus\1\ = "131473"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E86-DF38-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E8A3-850A-101B-AFC0-4210102A8DA7}\ = "ITreeView10"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83601-895E-11D0-B0A6-000000000000}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D83603-895E-11D0-B0A6-000000000000}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E451-850A-101B-AFC0-4210102A8DA7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\TypeLib	regsvr32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2696	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
2696	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
2696	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2632	2696	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe	28
PID 2696 wrote to memory of 2632	2696	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe	28
PID 2696 wrote to memory of 2632	2696	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe	28
PID 2696 wrote to memory of 2632	2696	4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe	28
PID 2632 wrote to memory of 2492	2632	cmd.exe	30
PID 2632 wrote to memory of 2492	2632	cmd.exe	30
PID 2632 wrote to memory of 2492	2632	cmd.exe	30
PID 2632 wrote to memory of 2492	2632	cmd.exe	30
PID 2632 wrote to memory of 2492	2632	cmd.exe	30
PID 2632 wrote to memory of 2492	2632	cmd.exe	30
PID 2632 wrote to memory of 2492	2632	cmd.exe	30
PID 2632 wrote to memory of 2508	2632	cmd.exe	31
PID 2632 wrote to memory of 2508	2632	cmd.exe	31
PID 2632 wrote to memory of 2508	2632	cmd.exe	31
PID 2632 wrote to memory of 2508	2632	cmd.exe	31
PID 2632 wrote to memory of 2508	2632	cmd.exe	31
PID 2632 wrote to memory of 2508	2632	cmd.exe	31
PID 2632 wrote to memory of 2508	2632	cmd.exe	31
PID 2632 wrote to memory of 2536	2632	cmd.exe	32
PID 2632 wrote to memory of 2536	2632	cmd.exe	32
PID 2632 wrote to memory of 2536	2632	cmd.exe	32
PID 2632 wrote to memory of 2536	2632	cmd.exe	32
PID 2632 wrote to memory of 2536	2632	cmd.exe	32
PID 2632 wrote to memory of 2536	2632	cmd.exe	32
PID 2632 wrote to memory of 2536	2632	cmd.exe	32
PID 2632 wrote to memory of 2568	2632	cmd.exe	33
PID 2632 wrote to memory of 2568	2632	cmd.exe	33
PID 2632 wrote to memory of 2568	2632	cmd.exe	33
PID 2632 wrote to memory of 2568	2632	cmd.exe	33
PID 2632 wrote to memory of 2568	2632	cmd.exe	33
PID 2632 wrote to memory of 2568	2632	cmd.exe	33
PID 2632 wrote to memory of 2568	2632	cmd.exe	33
PID 2632 wrote to memory of 3056	2632	cmd.exe	34
PID 2632 wrote to memory of 3056	2632	cmd.exe	34
PID 2632 wrote to memory of 3056	2632	cmd.exe	34
PID 2632 wrote to memory of 3056	2632	cmd.exe	34
PID 2632 wrote to memory of 3056	2632	cmd.exe	34
PID 2632 wrote to memory of 3056	2632	cmd.exe	34
PID 2632 wrote to memory of 3056	2632	cmd.exe	34
PID 2632 wrote to memory of 2128	2632	cmd.exe	35
PID 2632 wrote to memory of 2128	2632	cmd.exe	35
PID 2632 wrote to memory of 2128	2632	cmd.exe	35
PID 2632 wrote to memory of 2128	2632	cmd.exe	35
PID 2632 wrote to memory of 2128	2632	cmd.exe	35
PID 2632 wrote to memory of 2128	2632	cmd.exe	35
PID 2632 wrote to memory of 2128	2632	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe
"C:\Users\Admin\AppData\Local\Temp\4778e22a6c0699c3d9a63ac350e2c1b29b4cfaca65e282600193739ce0258394.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\reg.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 scrrun.dll -s
    3⤵
    - Modifies registry class
    PID:2492
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 msstdfmt.dll -s
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 COMDLG32.ocx -s
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2536
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 MSCOMCTL.ocx -s
    3⤵
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2568
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 TABCTL32.OCX -s
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3056
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 COMCTL32.ocx -s
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\reg.bat

Filesize
183B

MD5
026cb7b5ebe20c232fcee11df1c2aa4a

SHA1
415b8ec42a7f668b00ba941fdef518fd0f346fef

SHA256
1f5b270df0376f3fb7a3124b809f166d18d6e82c09c930865b271e7fa3ef109c

SHA512
ae76dd3b68271ced21cc31517ad825457138630b8893b28b30fc3b83c513a9a429071c37e175523062a15b093c3981b12c3323874caf080e1d872f0202b7a320

Download Submit
C:\Users\Admin\AppData\Local\Temp\reg.bat

Filesize
183B

MD5
026cb7b5ebe20c232fcee11df1c2aa4a

SHA1
415b8ec42a7f668b00ba941fdef518fd0f346fef

SHA256
1f5b270df0376f3fb7a3124b809f166d18d6e82c09c930865b271e7fa3ef109c

SHA512
ae76dd3b68271ced21cc31517ad825457138630b8893b28b30fc3b83c513a9a429071c37e175523062a15b093c3981b12c3323874caf080e1d872f0202b7a320

Download Submit
C:\Windows\SysWOW64\COMCTL32.ocx

Filesize
595KB

MD5
17f1d8f9666c7c5eabe9f9a18d312841

SHA1
b5f9ff1c013cbad374c988a410ff98bb53a7f972

SHA256
45a2c828ea26033b75e71e9e9f1cb2028f4ae923f307b83da12f1837ba328644

SHA512
771c1635d691dfa0d4c514560bbecc46017efdd772eb21cd7ec982f837719826dffe99343aaeed0c4e1755a0e81f3ad6db2704063159e3777e0b6fb0357941ec

Download Submit
C:\Windows\SysWOW64\COMDLG32.ocx

Filesize
136KB

MD5
fdd53313fb364f0e8e4b217909cd5d61

SHA1
800fbec8a78bbda6ec03984958fd1bac9c5b768e

SHA256
118c3f4fae7c1867fc2af7f333aedfc28dbdb57e89cb586a3abda46e364242f8

SHA512
1a365f3f25334905282cbf28d99ad50d1f2eb9da9d3ad0d8ed8b28c45a357a7b381507f6a36ecb67c05c7fcbc02895ee23bfcca5b7b37faac0e09bdc5d7cdedf

Download Submit
C:\Windows\SysWOW64\TABCTL32.OCX

Filesize
218KB

MD5
dc925b6d77ba9ecb532e2f6750be943b

SHA1
f71215e701401f0dd6fe143e3a630b2e168a4fac

SHA256
d10a197fd53e65dc910ca4aed86cb674c613ff14ce6436d1a445bb27a7a499e0

SHA512
ee9c40e695a29de7e7b8a9fe1ca01ebba9a8bdc199d46d98c71a4e3ecfec566f2fc31300a5e9867e8c791b15ac3ebec076f0710e0f6eec6c3fdea3bde37ab171

Download Submit
\Windows\SysWOW64\COMCTL32.ocx

Filesize
595KB

MD5
17f1d8f9666c7c5eabe9f9a18d312841

SHA1
b5f9ff1c013cbad374c988a410ff98bb53a7f972

SHA256
45a2c828ea26033b75e71e9e9f1cb2028f4ae923f307b83da12f1837ba328644

SHA512
771c1635d691dfa0d4c514560bbecc46017efdd772eb21cd7ec982f837719826dffe99343aaeed0c4e1755a0e81f3ad6db2704063159e3777e0b6fb0357941ec

Download Submit
\Windows\SysWOW64\COMDLG32.ocx

Filesize
136KB

MD5
fdd53313fb364f0e8e4b217909cd5d61

SHA1
800fbec8a78bbda6ec03984958fd1bac9c5b768e

SHA256
118c3f4fae7c1867fc2af7f333aedfc28dbdb57e89cb586a3abda46e364242f8

SHA512
1a365f3f25334905282cbf28d99ad50d1f2eb9da9d3ad0d8ed8b28c45a357a7b381507f6a36ecb67c05c7fcbc02895ee23bfcca5b7b37faac0e09bdc5d7cdedf

Download Submit
\Windows\SysWOW64\TABCTL32.OCX

Filesize
218KB

MD5
dc925b6d77ba9ecb532e2f6750be943b

SHA1
f71215e701401f0dd6fe143e3a630b2e168a4fac

SHA256
d10a197fd53e65dc910ca4aed86cb674c613ff14ce6436d1a445bb27a7a499e0

SHA512
ee9c40e695a29de7e7b8a9fe1ca01ebba9a8bdc199d46d98c71a4e3ecfec566f2fc31300a5e9867e8c791b15ac3ebec076f0710e0f6eec6c3fdea3bde37ab171

Download Submit