d2edcffe99ef081635b3ea3d5e57090fbb78d55c6ceabc0b32645f742925ae26

General

Target

IDA Pro 8.3/IDA Pro 8.3 (x86, x86_64)/ida64.exe
Size

4.0MB
MD5

23fe02467fb05b85cc78bcaaf1b015da
SHA1

79399bce20c07e0845197f4b5ef3d2a2d780ef6a
SHA256

c695b8de0b3cb3b152890625ec3e0495bad2cd1b257c89de3169b35e3d67b44c
SHA512

cb38da2a0366c73ddcac2a7024d302b80ecb36e5d4dea4a161e468e989e94b8db31cef8326a6a4837a7e3ff59808bd90829311431007aa93b5a521490a1b1c63
SSDEEP

49152:3JSx9rKN/uUVPb4QpuLuv9C1nq7IqqvAkuvnb6wPxLIfFvnP9bCxK/kLC/XIB9C:3Qx9asSFClEZlT5a8LaIBAazGXMZ8G

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 46 IoCs

Processes:

ida64.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 620031000000000079576e9b100049444150524f7e312e330000480009000400efbe79576e9b79576e9b2e0000008eab01000000070000000000000000000000000000004c4f8a004900440041002000500072006f00200038002e00330000001a000000	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ida64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	ida64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 80003100000000007957729b100049444150524f7e312e3328580000640009000400efbe79576e9b7957729b2e0000008fab0100000006000000000000000000000000000000790725014900440041002000500072006f00200038002e003300200028007800380036002c0020007800380036005f0036003400290000001c000000	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ida64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	ida64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	ida64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	ida64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	ida64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	ida64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000054574b74120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe54574b7454574b742e000000a852010000000100000000000000000000000000000032844c004100700070004400610074006100000042000000	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000005457a48010004c6f63616c003c0009000400efbe54574b745457a4802e000000bb520100000001000000000000000000000000000000ccad0a014c006f00630061006c00000014000000	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	ida64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	ida64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	ida64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	ida64.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	ida64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000054578b80100054656d7000003a0009000400efbe54574b7454578b802e000000bc520100000001000000000000000000000000000000929b2301540065006d007000000014000000	ida64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ida64.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

ida64.exe

pid process

2892 ida64.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ida64.exe

pid process

2892 ida64.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ida64.exe

description pid process

Token: SeDebugPrivilege 2892 ida64.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

ida64.exe

pid process

2892 ida64.exe
2892 ida64.exe
2892 ida64.exe
2892 ida64.exe

pid	process
2892	ida64.exe

pid	process
2892	ida64.exe

description	pid	process
Token: SeDebugPrivilege	2892	ida64.exe

pid	process
2892	ida64.exe
2892	ida64.exe
2892	ida64.exe
2892	ida64.exe

C:\Users\Admin\AppData\Local\Temp\IDA Pro 8.3\IDA Pro 8.3 (x86, x86_64)\ida64.exe
"C:\Users\Admin\AppData\Local\Temp\IDA Pro 8.3\IDA Pro 8.3 (x86, x86_64)\ida64.exe"
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2892-0-0x00007FF70B8F0000-0x00007FF70BCF2000-memory.dmp

Filesize
4.0MB

Download
memory/2892-1-0x00007FFFF01D0000-0x00007FFFF0728000-memory.dmp

Filesize
5.3MB

Download
memory/2892-2-0x00000159AC230000-0x00000159AC240000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing