e57929289a3b02ed8b9a0a99448557607143d8a79b6a30c611a539a0b0e6cc67

Analysis

max time kernel
119s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f6a1932bcc5565d3f252d2c607ae9f0.exe
Size

525KB
MD5

1f6a1932bcc5565d3f252d2c607ae9f0
SHA1

8a524bab68c84971ab6cf1af0167cbfa69fa5ef4
SHA256

e57929289a3b02ed8b9a0a99448557607143d8a79b6a30c611a539a0b0e6cc67
SHA512

6dc998c99e93353cfbce3789fd8e433ed6a4f79c9bc27a43767c6af2cbb68d320640dfc0beae60580401e6e0635e120b562f54e1f5e4647f884a54b7ff028b32
SSDEEP

12288:Rttb3HMwxd0ApF1KfYe1hyszRSKm+9p8nNIue2JAQ8qvnlVdK:RtuEeEF1KVhyszRzmY8S2J1nvdK

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
1812	1f6a1932bcc5565d3f252d2c607ae9f0.exe
1812	1f6a1932bcc5565d3f252d2c607ae9f0.exe
1812	1f6a1932bcc5565d3f252d2c607ae9f0.exe
1812	1f6a1932bcc5565d3f252d2c607ae9f0.exe
1812	1f6a1932bcc5565d3f252d2c607ae9f0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Excite Private Messenger Pipe = "C:\\Program Files\\Excite\\PrvtMsgr\\bin\\x8IMPipe.exe"	1f6a1932bcc5565d3f252d2c607ae9f0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\SNARL.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\CONFUSED.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\PHONE.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\LOVE.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\SMILE.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\WINK.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\SMILE.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\DOORCLOS.WAV_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\DRUMDOWN.WAV	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\X8HTML.DLL	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\X8MSG.DLL	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\IDEA.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\WOW.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\DOORCLOS.WAV	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\DOOROPEN.WAV	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\MSGRCFG$.HTM	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\CRY.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\LOVE.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\X8HELPER.EXE_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\X8IDLE.DLL	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\X8PLAY.EXE_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\CRY.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\WINK.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\BOMB.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\LOL.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\WOW.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\DOOROPEN.WAV_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\DRUMUP.WAV_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\MSGRCFG$.HTM_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\X8HELPER.EXE	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\X8HTML.DLL_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\CONFUSED.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\SNARL.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\DRUMDOWN.WAV_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\IDEA.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\KISSLIPS.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\KISSLIPS.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\PHONE.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File opened for modification	C:\Program Files\Excite\PrvtMsgr\iMSetup.exe	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\DRUMUP.WAV	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\X8IDLE.DLL_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\ARRRGH.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\BRB.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\WAVE.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\UNINSTAL.INF	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\X8IMPIPE.EXE_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\BOMB.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\UNINSTAL.INF_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\X8IMPIPE.EXE	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\X8PLAY.EXE	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\GONG.WAV	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\ARRRGH.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\SURPRYZ.VPA	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\WAVE.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\X8MSG.DLL_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\BRB.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\LOL.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\Gestures\SURPRYZ.VPA_	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\iMSetup.exe	1f6a1932bcc5565d3f252d2c607ae9f0.exe
File created	C:\Program Files\Excite\PrvtMsgr\bin\GONG.WAV_	1f6a1932bcc5565d3f252d2c607ae9f0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1EF8172-1596-40f2-AC85-AD58765FD981}\InprocServer32\ThreadingModel = "Apartment"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFC90624-6464-4344-A83B-337846F2BD32}\ProxyStubClsid32	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExcitePrivateMessenger.HTMLPanel\CurVer	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFC90624-6464-4344-A83B-337846F2BD32}\TypeLib	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-excite-launch\Extension = ".x8"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExcitePrivateMessenger.HTMLPanel.1	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExcitePrivateMessenger.HTMLPanel\CLSID	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExcitePrivateMessenger.MessagePanel\CLSID	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.x8\Content Type = "text/x-excite-launch"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFC90625-6464-4344-A83B-337846F2BD32}	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFC90622-6464-4344-A83B-337846F2BD32}\VersionIndependentProgID	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFC90624-6464-4344-A83B-337846F2BD32}\TypeLib\ = "{AFC90620-6464-4344-A83B-337846F2BD32}"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1EF8170-1596-40F2-AC85-AD58765FD981}\1.0\0	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFC90624-6464-4344-A83B-337846F2BD32}\TypeLib\Version = "1.0"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\x8file\EditFlags = 00000100	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1EF8172-1596-40f2-AC85-AD58765FD981}\Version	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFC90624-6464-4344-A83B-337846F2BD32}\TypeLib\Version = "1.0"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFC90626-6464-4344-A83B-337846F2BD32}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFC90621-6464-4344-A83B-337846F2BD32}\ = "IExciteChatHistory"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFC90621-6464-4344-A83B-337846F2BD32}\TypeLib	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1EF8172-1596-40f2-AC85-AD58765FD981}\ = "Excite HTML"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1EF8172-1596-40f2-AC85-AD58765FD981}\VersionIndependentProgID	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1EF8172-1596-40f2-AC85-AD58765FD981}\TypeLib	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-excite-launch	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1EF8170-1596-40F2-AC85-AD58765FD981}	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFC90623-6464-4344-A83B-337846F2BD32}\ProxyStubClsid32	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1EF8171-1596-40F2-AC85-AD58765FD981}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1EF8173-1596-40F2-AC85-AD58765FD981}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\x8file\shell\open	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.x8	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A1EF8171-1596-40F2-AC85-AD58765FD981}\TypeLib\ = "{A1EF8170-1596-40F2-AC85-AD58765FD981}"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1EF8171-1596-40F2-AC85-AD58765FD981}\TypeLib\ = "{A1EF8170-1596-40F2-AC85-AD58765FD981}"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFC90621-6464-4344-A83B-337846F2BD32}	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1EF8172-1596-40f2-AC85-AD58765FD981}\Programmable	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ExcitePrivateMessenger.ExciteChatRoomPlugin.1\ = "Excite Chat Room Plugin"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFC90624-6464-4344-A83B-337846F2BD32}\ = "IExciteChatRoom"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A1EF8173-1596-40F2-AC85-AD58765FD981}\ = "_IExciteHTMLPanelEvents"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFC90625-6464-4344-A83B-337846F2BD32}\Programmable	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFC90620-6464-4344-A83B-337846F2BD32}\1.0\ = "Messenger 1.0 Type Library"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ExcitePrivateMessenger.HTMLPanel\ = "Excite HTML Panel"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFC90621-6464-4344-A83B-337846F2BD32}\TypeLib	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFC90623-6464-4344-A83B-337846F2BD32}\TypeLib	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFC90627-6464-4344-A83B-337846F2BD32}	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFC90620-6464-4344-A83B-337846F2BD32}\1.0\0\win32\ = "C:\\Program Files\\Excite\\PrvtMsgr\\bin\\X8MSG.DLL"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFC90626-6464-4344-A83B-337846F2BD32}\TypeLib	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1EF8171-1596-40F2-AC85-AD58765FD981}\TypeLib	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1EF8173-1596-40F2-AC85-AD58765FD981}\ = "_IExciteHTMLPanelEvents"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExcitePrivateMessenger.ExciteChatRoomPlugin\CurVer	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ExcitePrivateMessenger.ExciteChatRoomPlugin\CLSID\ = "{AFC90625-6464-4344-A83B-337846F2BD32}"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFC90625-6464-4344-A83B-337846F2BD32}\MiscStatus\ = "0"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExcitePrivateMessenger.ExciteChatHistoryPlugin.1\CLSID	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1EF8173-1596-40F2-AC85-AD58765FD981}	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFC90627-6464-4344-A83B-337846F2BD32}\ProgID	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ExcitePrivateMessenger.ExciteChatRoomPlugin\ = "Excite Chat Room Plugin"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFC90623-6464-4344-A83B-337846F2BD32}\TypeLib\ = "{AFC90620-6464-4344-A83B-337846F2BD32}"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ExcitePrivateMessenger.HTMLPanel\CurVer\ = "ExcitePrivateMessenger.HTMLPanel.1"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1EF8170-1596-40F2-AC85-AD58765FD981}\1.0\ = "HTML 1.0 Type Library"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFC90622-6464-4344-A83B-337846F2BD32}\TypeLib	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFC90625-6464-4344-A83B-337846F2BD32}\TypeLib	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFC90622-6464-4344-A83B-337846F2BD32}\MiscStatus	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFC90621-6464-4344-A83B-337846F2BD32}\ProxyStubClsid32	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A1EF8171-1596-40F2-AC85-AD58765FD981}\TypeLib\Version = "1.0"	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1EF8173-1596-40F2-AC85-AD58765FD981}\ProxyStubClsid32	1f6a1932bcc5565d3f252d2c607ae9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ExcitePrivateMessenger.ExciteChatRoomPlugin	1f6a1932bcc5565d3f252d2c607ae9f0.exe

C:\Users\Admin\AppData\Local\Temp\1f6a1932bcc5565d3f252d2c607ae9f0.exe
"C:\Users\Admin\AppData\Local\Temp\1f6a1932bcc5565d3f252d2c607ae9f0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Excite\PrvtMsgr\bin\X8HTML.DLL

Filesize
76KB

MD5
84215d7f6c2b22932e990c15b431e429

SHA1
9761dd867829d5f38be36dbde85074ef004037c4

SHA256
69381af70a51b34c75e7f467d8c0472c7c9b30d920ca6ec48475465775a49e0c

SHA512
614044f19e7050ec22157efea37d92135f0e658af30fa2644cbcc218d99df03c4b155851c0aa56510b4ebc8fdbdd44393ed1aea2a71bb3f05706e8db54da18d0

Download Submit
\Program Files\Excite\PrvtMsgr\bin\X8IDLE.DLL

Filesize
28KB

MD5
8bfb73f284450a735b756668fa4758b9

SHA1
33420fdbf2cec8072d0c76d8c448efe40757dee7

SHA256
98a8468edf830da73b48940b41b86257b3e58548f95f0a01f4c4027225f1d674

SHA512
522a3273bcfc7b51eca8f369de51d1da3781585599d940b5229b95fc6b97a17b9182e332b720c307c4542087e48bd9a890087e8fbb37f6e42effbaa5c7c523bb

Download Submit
\Program Files\Excite\PrvtMsgr\bin\X8MSG.DLL

Filesize
356KB

MD5
dcd070d53188542449a91aa9796d2e72

SHA1
9a9b455d0e99fb642308f145b50f99984dc31370

SHA256
d6237dfb7ade0557c77e20d0d9ff7f47aead1a278c7eaa4a0f6ec23a57e41a9f

SHA512
40daad172582e3c3d91f902948534df0c06de513b305e653c9d3876729328b41f7f0fdc3c8ae818724a19cee252334d1e55d90b75f8ca9b073484f7382ef3e4e

Download Submit
\Program Files\Excite\PrvtMsgr\bin\X8PLAY.EXE

Filesize
116KB

MD5
ef83e084b775537917c6a7b138acba8c

SHA1
e41f46783a2761bc663ae1b062db3a2831e9734a

SHA256
7459f49bf8d88bf48f4ee0576a02577f426bcc6bf3d15b7ea893951035543b30

SHA512
81119b6dfa6f1077ce1fd79f9bc73963f8d2b42b7514924c1869b1891fa8188d6e382267c6c82565de790f2fbc05176f5c74621d2cdd52abf176ffd4963a58dc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads