6f44d701c78387822d9dc0043b94bd6c25f0107925f2c1f16a25cec9d3b17394

Analysis

max time kernel
167s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b1c2bf52e7ed1e7c1d608486fb381be.exe
Size

109KB
MD5

0b1c2bf52e7ed1e7c1d608486fb381be
SHA1

94a0362a478725be552d4d98e186ca427ce949a2
SHA256

6f44d701c78387822d9dc0043b94bd6c25f0107925f2c1f16a25cec9d3b17394
SHA512

68d2b5da779308919452d4ff6d99aeaf5400e393e06142afb5644611a15c269a50886866d2f8611f4ebfd25a580fe66a35aaedd13ae1c1e9ba8f29854ea17ebe
SSDEEP

3072:CZVTpKa1Nx6YN8z/38HPsigr8edbuasEReoDl:CZFV1Nx94/3+0igQQ5sIeoD

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4556	0b1c2bf52e7ed1e7c1d608486fb381be.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\HookMenu.ocx	0b1c2bf52e7ed1e7c1d608486fb381be.exe
File created	C:\Windows\SysWOW64\HookMenu.ocx	0b1c2bf52e7ed1e7c1d608486fb381be.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4556 set thread context of 5064	4556	0b1c2bf52e7ed1e7c1d608486fb381be.exe	90

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5E116E1-0563-11D8-AA80-000B6A0D10CB}\1.0\HELPDIR	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5E116F4-0563-11D8-AA80-000B6A0D10CB}	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5E116F4-0563-11D8-AA80-000B6A0D10CB}\ = "__XpMenu"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5E116F4-0563-11D8-AA80-000B6A0D10CB}\TypeLib	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F3-0563-11D8-AA80-000B6A0D10CB}\VERSION	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5E116E1-0563-11D8-AA80-000B6A0D10CB}\1.0\0	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5E116F4-0563-11D8-AA80-000B6A0D10CB}\ProxyStubClsid32	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F3-0563-11D8-AA80-000B6A0D10CB}\InprocServer32	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F3-0563-11D8-AA80-000B6A0D10CB}\Control\	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F3-0563-11D8-AA80-000B6A0D10CB}\TypeLib	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5E116F5-0563-11D8-AA80-000B6A0D10CB}\TypeLib\ = "{F5E116E1-0563-11D8-AA80-000B6A0D10CB}"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5E116F2-0563-11D8-AA80-000B6A0D10CB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5E116F2-0563-11D8-AA80-000B6A0D10CB}\TypeLib\Version = "1.0"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F3-0563-11D8-AA80-000B6A0D10CB}\ = "HookMenu.XpMenu"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F3-0563-11D8-AA80-000B6A0D10CB}\InprocServer32\ = "C:\\Windows\\SysWow64\\HookMenu.ocx"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F2-0563-11D8-AA80-000B6A0D10CB}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5E116F4-0563-11D8-AA80-000B6A0D10CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F3-0563-11D8-AA80-000B6A0D10CB}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\HookMenu.ocx, 30000"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5E116E1-0563-11D8-AA80-000B6A0D10CB}\1.0\FLAGS	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F5-0563-11D8-AA80-000B6A0D10CB}\TypeLib	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F5-0563-11D8-AA80-000B6A0D10CB}\TypeLib\Version = "1.0"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5E116F5-0563-11D8-AA80-000B6A0D10CB}\ = "_pagBitmaps"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F2-0563-11D8-AA80-000B6A0D10CB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F2-0563-11D8-AA80-000B6A0D10CB}\TypeLib	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F4-0563-11D8-AA80-000B6A0D10CB}\ProxyStubClsid	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5E116F5-0563-11D8-AA80-000B6A0D10CB}\ProxyStubClsid32	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5E116F5-0563-11D8-AA80-000B6A0D10CB}\TypeLib\Version = "1.0"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F3-0563-11D8-AA80-000B6A0D10CB}\ProgID\ = "HookMenu.XpMenu"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F3-0563-11D8-AA80-000B6A0D10CB}\MiscStatus	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5E116E1-0563-11D8-AA80-000B6A0D10CB}\1.0	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F5-0563-11D8-AA80-000B6A0D10CB}\ = "_pagBitmaps"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HookMenu.XpMenu	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F6-0563-11D8-AA80-000B6A0D10CB}	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F4-0563-11D8-AA80-000B6A0D10CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F4-0563-11D8-AA80-000B6A0D10CB}\ = "XpMenu"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5E116E1-0563-11D8-AA80-000B6A0D10CB}	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5E116E1-0563-11D8-AA80-000B6A0D10CB}\1.0\ = "HookMenu Control 1.4"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5E116E1-0563-11D8-AA80-000B6A0D10CB}\1.0\FLAGS\ = "2"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F2-0563-11D8-AA80-000B6A0D10CB}\TypeLib\ = "{F5E116E1-0563-11D8-AA80-000B6A0D10CB}"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F2-0563-11D8-AA80-000B6A0D10CB}\TypeLib\Version = "1.0"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5E116F2-0563-11D8-AA80-000B6A0D10CB}\ProxyStubClsid32	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F2-0563-11D8-AA80-000B6A0D10CB}\ProxyStubClsid32	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5E116F2-0563-11D8-AA80-000B6A0D10CB}	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F4-0563-11D8-AA80-000B6A0D10CB}\ProxyStubClsid32	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F3-0563-11D8-AA80-000B6A0D10CB}\MiscStatus\1	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F3-0563-11D8-AA80-000B6A0D10CB}\VERSION\ = "1.0"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F4-0563-11D8-AA80-000B6A0D10CB}\TypeLib\ = "{F5E116E1-0563-11D8-AA80-000B6A0D10CB}"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5E116F4-0563-11D8-AA80-000B6A0D10CB}\TypeLib\ = "{F5E116E1-0563-11D8-AA80-000B6A0D10CB}"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F6-0563-11D8-AA80-000B6A0D10CB}\ = "HookMenu.pagBitmaps"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F2-0563-11D8-AA80-000B6A0D10CB}\ = "XpMenu"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5E116E1-0563-11D8-AA80-000B6A0D10CB}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\HookMenu.ocx"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F2-0563-11D8-AA80-000B6A0D10CB}	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5E116F2-0563-11D8-AA80-000B6A0D10CB}\TypeLib\ = "{F5E116E1-0563-11D8-AA80-000B6A0D10CB}"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F4-0563-11D8-AA80-000B6A0D10CB}\TypeLib	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F3-0563-11D8-AA80-000B6A0D10CB}\TypeLib\ = "{F5E116E1-0563-11D8-AA80-000B6A0D10CB}"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HookMenu.XpMenu\Clsid\ = "{F5E116F3-0563-11D8-AA80-000B6A0D10CB}"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F5-0563-11D8-AA80-000B6A0D10CB}	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F5-0563-11D8-AA80-000B6A0D10CB}\ProxyStubClsid32	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F4-0563-11D8-AA80-000B6A0D10CB}	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F3-0563-11D8-AA80-000B6A0D10CB}	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5E116F3-0563-11D8-AA80-000B6A0D10CB}\MiscStatus\ = "0"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5E116F5-0563-11D8-AA80-000B6A0D10CB}\TypeLib\ = "{F5E116E1-0563-11D8-AA80-000B6A0D10CB}"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HookMenu.XpMenu\ = "HookMenu.XpMenu"	0b1c2bf52e7ed1e7c1d608486fb381be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HookMenu.XpMenu\Clsid	0b1c2bf52e7ed1e7c1d608486fb381be.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4556	0b1c2bf52e7ed1e7c1d608486fb381be.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 5064	4556	0b1c2bf52e7ed1e7c1d608486fb381be.exe	90
PID 4556 wrote to memory of 5064	4556	0b1c2bf52e7ed1e7c1d608486fb381be.exe	90
PID 4556 wrote to memory of 5064	4556	0b1c2bf52e7ed1e7c1d608486fb381be.exe	90
PID 4556 wrote to memory of 5064	4556	0b1c2bf52e7ed1e7c1d608486fb381be.exe	90
PID 4556 wrote to memory of 5064	4556	0b1c2bf52e7ed1e7c1d608486fb381be.exe	90
PID 4556 wrote to memory of 5064	4556	0b1c2bf52e7ed1e7c1d608486fb381be.exe	90
PID 4556 wrote to memory of 5064	4556	0b1c2bf52e7ed1e7c1d608486fb381be.exe	90

C:\Users\Admin\AppData\Local\Temp\0b1c2bf52e7ed1e7c1d608486fb381be.exe
"C:\Users\Admin\AppData\Local\Temp\0b1c2bf52e7ed1e7c1d608486fb381be.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\Temp\0b1c2bf52e7ed1e7c1d608486fb381be.exe
  C:\Users\Admin\AppData\Local\Temp\0b1c2bf52e7ed1e7c1d608486fb381be.exe
  2⤵
  PID:5064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\HookMenu.ocx

Filesize
140KB

MD5
5801ae076b6ae99b1a15764a37d9df42

SHA1
6860fc7ca698cddc81521286fe6ed050b8f99f36

SHA256
0d3e192b387e9abc117442a604e32ed1f823362a9bfbc93c9c29f0447aa205be

SHA512
1465c0befa6b473d707b2783c53753ae79d023f143a6da074c93e0a876d29a2fafbfdfcac21da6f5fdde1d8cd937ebb918e7e712e97d62862dbd7792e1e3bf63

Download Submit
memory/4556-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4556-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5064-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5064-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5064-12-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/5064-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5064-14-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download