4ae39e5b8702915eeadfa571067cade17016990fc229c38d1b29e25252cef4c1

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1526b2bee89f9fc940ae4a0f8e110f6f.exe
Size

955KB
MD5

1526b2bee89f9fc940ae4a0f8e110f6f
SHA1

9bea8fa264ea4d0a66674577053329947ede29ca
SHA256

4ae39e5b8702915eeadfa571067cade17016990fc229c38d1b29e25252cef4c1
SHA512

488c469aa0698f94215fd04afcbf297a1180ec938871e49709dffbbd3d460851a952b945946329908135fcfcec8f4e119cb80719e6aad3f63ce3038707a682b7
SSDEEP

24576:4epzFWcoV7h4g2HCO5BHUEfJkLBiQBnxjb1uK9:3Wc+18NUEf21Ku

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\overbusy.capelan.1\CLSID	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}\TypeLib\Version = "1.0"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\VersionIndependentProgID	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\Programmable	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}\TypeLib	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\ProgID	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}\TypeLib\ = "{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\overbusy.capelan	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\VersionIndependentProgID	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\Version\ = "1.0"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}\1.0	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1526b2bee89f9fc940ae4a0f8e110f6f.exe"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\LocalServer32	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}\1.0	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\overbusy.capelan.1	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\overbusy.capelan.1\CLSID\ = "{ac567257-9d13-4d25-a3ac-b5f43ca98f32}"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}\TypeLib\ = "{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1526b2bee89f9fc940ae4a0f8e110f6f.exe:typelib"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}\1.0\HELPDIR	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\ProgID\ = "overbusy.capelan.1"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\Version	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\overbusy.capelan.1\CLSID	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}\ = "IBoot"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}\TypeLib\Version = "1.0"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\overbusy.capelan\CurVer	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}\1.0\FLAGS	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}\ProxyStubClsid32	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\Programmable	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}\1.0\ = "InstallerLib"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\overbusy.capelan	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\TypeLib	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\overbusy.capelan\CurVer	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\overbusy.capelan\CurVer\ = "overbusy.capelan.1"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\ = "Inst Class"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1526b2bee89f9fc940ae4a0f8e110f6f.exe"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}\ProxyStubClsid32	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\overbusy.capelan\ = "Inst Class"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}\TypeLib	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}\TypeLib	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\VersionIndependentProgID\ = "overbusy.capelan"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\TypeLib	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}\1.0\FLAGS	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}\1.0\0	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}\1.0\FLAGS\ = "0"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}\1.0\0	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}\ProxyStubClsid32	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\overbusy.capelan.1\ = "Inst Class"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{854CC538-3C95-4DB4-8D2B-90D326C94178}\ = "IBoot"	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1526b2bee89f9fc940ae4a0f8e110f6f.exe\""	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}\1.0\0\win32	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\ProgID	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac567257-9d13-4d25-a3ac-b5f43ca98f32}\LocalServer32	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}\1.0\HELPDIR	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\overbusy.capelan.1	1526b2bee89f9fc940ae4a0f8e110f6f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{04A1FC56-4A00-4934-91BA-3BA2AC74DABC}\1.0\0\win32	1526b2bee89f9fc940ae4a0f8e110f6f.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\1526b2bee89f9fc940ae4a0f8e110f6f.exe:typelib	1526b2bee89f9fc940ae4a0f8e110f6f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2040	1526b2bee89f9fc940ae4a0f8e110f6f.exe
2040	1526b2bee89f9fc940ae4a0f8e110f6f.exe

C:\Users\Admin\AppData\Local\Temp\1526b2bee89f9fc940ae4a0f8e110f6f.exe
"C:\Users\Admin\AppData\Local\Temp\1526b2bee89f9fc940ae4a0f8e110f6f.exe"
1⤵
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1526b2bee89f9fc940ae4a0f8e110f6f.exe:typelib

Filesize
8KB

MD5
20af680f2f10bf058c9bad9340b97122

SHA1
5fdead6b85919939ed320ea24c6b043e21da77ce

SHA256
b39683accb7dfffba1fb4280b6d9ecbff543ef7ac1ff993c81625fc0aadc5c37

SHA512
1e2d9a17186cbb5c7182925e193656a7dbcb7da06b42c4216007373010b9ebc16d2b5eb21684b91d9194ff53b641bf1655b77b55e80e5681796a6a2019d23073

Download Submit
memory/2040-0-0x0000000000300000-0x00000000004E3000-memory.dmp

Filesize
1.9MB

Download
memory/2040-6-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2040-13-0x0000000000300000-0x00000000004E3000-memory.dmp

Filesize
1.9MB

Download