307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2023 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Size

2.8MB
MD5

cd9fba471821f09ba15e691a4a2e99c9
SHA1

d62bb9be5d8b17f88167491351e16a7c846e2b19
SHA256

307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef
SHA512

5c0753810c010439f0a836e9d4227319cb9af99b996d6ab5100d533911d3849c4d575a5884c2c93575f114450a2ec6d0b9e6e86e204e91ffe266ccde19cb5590
SSDEEP

49152:6pxKB2UqRbbEqBKhmxFPLD3Di/IMiugQDee8OsKC4H+Q8MN+nQKRPrv3MI/:jB2UqRAmxFPLD31OsZ4H+Q8MN8NZr3Mg

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
732	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
732	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zipack.dll	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\sShortDate = "yyyy-MM-dd"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\iLZero = "1"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39977C62-C383-463D-AF61-C71220634656}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39977C62-C383-463D-AF61-C71220634656}\Compatibility Flags = "1024"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39977C62-C383-463D-AF61-C71220634656}\AlternateCLSID = "{6E5311A1-325D-4FFD-9AF4-B373F02AE458}"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Compatibility Flags = "1024"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\AlternateCLSID = "{6E5311A1-325D-4FFD-9AF4-B373F02AE458}"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}\MiscStatus\1\ = "132497"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39977C62-C383-463D-AF61-C71220634656}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}\ = "Microsoft WinSock Control, version 6.0 (SP6)"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{6E5311A1-325D-4FFD-9AF4-B373F02AE458}"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}\MiscStatus	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39977C62-C383-463D-AF61-C71220634656}\VersionIndependentProgID	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39977C62-C383-463D-AF61-C71220634656}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx, 1"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{6E5311A1-325D-4FFD-9AF4-B373F02AE458}"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39977C62-C383-463D-AF61-C71220634656}\MiscStatus\1\ = "132497"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39977C62-C383-463D-AF61-C71220634656}\MiscStatus	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39977C62-C383-463D-AF61-C71220634656}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0 (SP6)"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}\ProgID	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}\ToolboxBitmap32	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{39977C62-C383-463D-AF61-C71220634656}\CONTROL	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39977C62-C383-463D-AF61-C71220634656}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39977C62-C383-463D-AF61-C71220634656}\Implemented Categories	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39977C62-C383-463D-AF61-C71220634656}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39977C62-C383-463D-AF61-C71220634656}\Control	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}\VersionIndependentProgID	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39977C62-C383-463D-AF61-C71220634656}\InprocServer32\ThreadingModel = "Apartment"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39977C62-C383-463D-AF61-C71220634656}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}\CONTROL	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}\InprocServer32\ThreadingModel = "Apartment"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}\ProgID\ = "MSWinsock.Winsock.1"	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
732	307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe

C:\Users\Admin\AppData\Local\Temp\307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe
"C:\Users\Admin\AppData\Local\Temp\307679e733c5b2f1a2b68c6e6ca385080d15395a3884cc416af9b493d22be6ef.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mswinsck.ocx

Filesize
124KB

MD5
57325d394119db3d3b3cf8a3bbfda5ca

SHA1
91fc9a75807f8cd98c52d8804dada489bd187430

SHA256
b66e17e0d7bbfe4f6be537c544083e844b5dd0ebc660910bff17ad6cd5480971

SHA512
a6efdc59a999df797d3030042e62eb452e5ad87a19429fdaf4117fff1c85ff2e58015159c24b3c2e4c7fe97b601fcfe795fa3457da66b69b08eaf7e34ba5ad48

Download Submit
C:\Windows\SysWOW64\zipack.dll

Filesize
52KB

MD5
7d886442668d1c79ce95e172ae69cccf

SHA1
697e31d6bb0dba9d3a60efbd22f432230873c430

SHA256
afc7cf5b0772b27d05d224136739cd56d1ad07647d996cad97a7e2fe29ab86f1

SHA512
0aa2f753a0a47a139ad232a3bb9725554692fd176f21f25addba56aabcb150960c83d355e5505f37764b0e6da705f35cdd31e285ec13701150b1e3a1c0795955

Download Submit
memory/732-5-0x0000000002500000-0x0000000002527000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads