dcd79abfd2551b374a248d118000aee784d8f30670bd4938dc9ffd005927ac4c

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 22:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16300e73db1cb8a18a95bbf26396c08f.exe
Size

244KB
MD5

16300e73db1cb8a18a95bbf26396c08f
SHA1

c7b84b71fdf5eaea3c472f957bc4f22708a559e3
SHA256

dcd79abfd2551b374a248d118000aee784d8f30670bd4938dc9ffd005927ac4c
SHA512

1c199681a9976a82f1fd877875832768460f9fa4249a87ac8411e7e63a86ff1c96300e6d075b54a8c51e6d1702c8f1c0db37c551cc073a2a3429113e3b724ba4
SSDEEP

3072:8zT3Y3CjBwiHCoyox7Vsg3D452jny/+LsMvNphg8UHfU7oZz/tgxjuro7lpip8:wo3iBtioyor85Gnn9en/UATJ0lM

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3804	regsvr32.exe
3860	regsvr32.exe
1532	16300e73db1cb8a18a95bbf26396c08f.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1532-0-0x0000000000400000-0x00000000004A1000-memory.dmp	upx
behavioral2/memory/1532-10-0x0000000000400000-0x00000000004A1000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\COMDLG32.OCX	16300e73db1cb8a18a95bbf26396c08f.exe
File opened for modification	C:\Windows\SysWOW64\MSSTDFMT.DLL	16300e73db1cb8a18a95bbf26396c08f.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1152	taskkill.exe
2324	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DE7A180-91B1-11D0-9484-00A0C91110ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormats	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\ = "Common Dialog Print Property Page Object"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1\CLSID\ = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\ = "StdDataFormats Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DE7A180-91B1-11D0-9484-00A0C91110ED}\ = "IStdDataValueDisp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1741EF6-FFC6-11D0-BD02-00C04FC2FB86}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99FF4676-FFC3-11D0-BD02-00C04FC2FB86}\TypeLib\ = "{6B263850-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CurVer\ = "MSComDlg.CommonDialog.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormats\CurVer\ = "MSSTDFMT.StdDataFormats.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\TypeLib\ = "{6B263850-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\ = "Common Dialog Color Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\ = "IStdDataFormatDisp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E675F3F0-91B5-11D0-9484-00A0C91110ED}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\ = "Microsoft Common Dialog Control, version 6.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\Version = "1.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat.1\ = "StdDataFormat Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DE7A180-91B1-11D0-9484-00A0C91110ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99FF4676-FFC3-11D0-BD02-00C04FC2FB86}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\ = "Common Dialog Open Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E675F3F0-91B5-11D0-9484-00A0C91110ED}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSSTDFMT.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\VersionIndependentProgID\ = "MSSTDFMT.StdDataFormats"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\ = "IStdDataFormatDisp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1741EF6-FFC6-11D0-BD02-00C04FC2FB86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Windows\\SysWow64\\COMDLG32.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat\ = "StdDataFormat Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\TypeLib\ = "{6B263850-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99FF4676-FFC3-11D0-BD02-00C04FC2FB86}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat.1\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataValue.1\ = "StdDataValue Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1741EF6-FFC6-11D0-BD02-00C04FC2FB86}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\ = "StdDataFormat Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID\ = "MSComDlg.CommonDialog.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataValue.1\CLSID\ = "{2B11E9B0-9F09-11D0-9484-00A0C91110ED}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormats.1\CLSID\ = "{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Windows\\SysWow64\\COMDLG32.OCX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\Version\ = "1.0"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1532	16300e73db1cb8a18a95bbf26396c08f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 3804	1532	16300e73db1cb8a18a95bbf26396c08f.exe	88
PID 1532 wrote to memory of 3804	1532	16300e73db1cb8a18a95bbf26396c08f.exe	88
PID 1532 wrote to memory of 3804	1532	16300e73db1cb8a18a95bbf26396c08f.exe	88
PID 1532 wrote to memory of 1152	1532	16300e73db1cb8a18a95bbf26396c08f.exe	91
PID 1532 wrote to memory of 1152	1532	16300e73db1cb8a18a95bbf26396c08f.exe	91
PID 1532 wrote to memory of 1152	1532	16300e73db1cb8a18a95bbf26396c08f.exe	91
PID 1532 wrote to memory of 3860	1532	16300e73db1cb8a18a95bbf26396c08f.exe	90
PID 1532 wrote to memory of 3860	1532	16300e73db1cb8a18a95bbf26396c08f.exe	90
PID 1532 wrote to memory of 3860	1532	16300e73db1cb8a18a95bbf26396c08f.exe	90
PID 1532 wrote to memory of 2324	1532	16300e73db1cb8a18a95bbf26396c08f.exe	95
PID 1532 wrote to memory of 2324	1532	16300e73db1cb8a18a95bbf26396c08f.exe	95
PID 1532 wrote to memory of 2324	1532	16300e73db1cb8a18a95bbf26396c08f.exe	95

C:\Users\Admin\AppData\Local\Temp\16300e73db1cb8a18a95bbf26396c08f.exe
"C:\Users\Admin\AppData\Local\Temp\16300e73db1cb8a18a95bbf26396c08f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Windows\System32\COMDLG32.OCX
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:3804
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Windows\System32\MSSTDFMT.DLL
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:3860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM regsvr32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM regsvr32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\COMDLG32.OCX

Filesize
136KB

MD5
3ec0a48ed8d8a019175cfa3952ccb3b7

SHA1
075ffa431a55a272c2cdfe465ac130ab654ba9e8

SHA256
f9ecca1f6718f7ab711e3f675dce438930079ca8649f101fb41a93d85977149d

SHA512
0c51c31c0fa9d5b4909a5085bd72881c4e4867f90c0e576d5344b311f4e1d22ed7141ff359e43dcf53e8c84782bc34062c16dab04f63e73487e91b1db4cc33ca

Download Submit
C:\Windows\SysWOW64\MSSTDFMT.DLL

Filesize
116KB

MD5
92b712df390367bfa4252a48d9d71d51

SHA1
417873c8c3f8aec413ca59de44d4f560d471520e

SHA256
b0980fb78f801a50cc7c5cfb5b653d30c650789f5443a536f05a518dcf4f59a7

SHA512
38e119ea005b44cebfec6da4a81afbca7a72d54052b8e3b920af416cf2d87ca9317e3817fde2175442069173d3ac2bd69bf0bae700391bc7b813f3c3c78764bf

Download Submit
memory/1532-0-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/1532-10-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download