11ebc6a2e6e193bf070d3fbaba70fa498920db08a7b18451d9ac43eb0001cce1

Analysis

max time kernel
172s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23fc115d20ed6b9263afc53c73030d71.exe
Size

777KB
MD5

23fc115d20ed6b9263afc53c73030d71
SHA1

3d5eb02a2f99e0cc2838525944b61aca8824e542
SHA256

11ebc6a2e6e193bf070d3fbaba70fa498920db08a7b18451d9ac43eb0001cce1
SHA512

835e2b192e0a425077234fbdde4c9b13ff00378184754da9767d3accb178fc2663d4c79285daaa7856befd5c80ab983434dbc319a56dc61defa4a06653dc48f3
SSDEEP

12288:igdnyuNx+GdTUx31iQ6QupiNq5D+rGKOo67Wsr047JSMQEBGNh1m3qe6:FHTq31j6DpiE5iKKOr700JS9jb1uqL

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\23fc115d20ed6b9263afc53c73030d71.exe"	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\TypeLib\ = "{C71D6101-97A3-493F-9E97-09B05D199A12}"	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\ = "IBoot"	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\outgrin.zingier.1	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\TypeLib	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\TypeLib	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\TypeLib\Version = "1.0"	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\Version	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}\1.0\HELPDIR	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}\1.0\HELPDIR	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\23fc115d20ed6b9263afc53c73030d71.exe\""	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\ProgID\ = "outgrin.zingier.1"	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\23fc115d20ed6b9263afc53c73030d71.exe"	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\TypeLib\ = "{C71D6101-97A3-493F-9E97-09B05D199A12}"	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}\1.0\0\win32	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\outgrin.zingier\CurVer\ = "outgrin.zingier.1"	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}\1.0\FLAGS	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\outgrin.zingier	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\ProgID	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}\1.0\ = "InstallerLib"	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\ProxyStubClsid32	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\TypeLib	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\outgrin.zingier\ = "Inst Class"	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\LocalServer32	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\Programmable	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\LocalServer32	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\ = "Inst Class"	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\ProxyStubClsid32	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\Version	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\outgrin.zingier\CurVer	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}\1.0\0	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\outgrin.zingier.1\CLSID	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\TypeLib	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\TypeLib	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\ = "IBoot"	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\ProxyStubClsid32	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}\1.0	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\outgrin.zingier.1\ = "Inst Class"	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\Version\ = "1.0"	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}\1.0\FLAGS	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}\1.0\0\win32	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\VersionIndependentProgID\ = "outgrin.zingier"	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\outgrin.zingier	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}\1.0	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\TypeLib\ = "{c71d6101-97a3-493f-9e97-09b05d199a12}"	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\23fc115d20ed6b9263afc53c73030d71.exe:typelib"	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\outgrin.zingier\CurVer	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\ProxyStubClsid32	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\VersionIndependentProgID	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C71D6101-97A3-493F-9E97-09B05D199A12}\1.0\0	23fc115d20ed6b9263afc53c73030d71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA14EB0E-A66B-49BB-A580-F0EDC3EFD67C}\TypeLib\Version = "1.0"	23fc115d20ed6b9263afc53c73030d71.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\outgrin.zingier.1	23fc115d20ed6b9263afc53c73030d71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8297b7fe-5de1-4415-aa05-05cd8f57bc9f}\Programmable	23fc115d20ed6b9263afc53c73030d71.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\23fc115d20ed6b9263afc53c73030d71.exe:typelib	23fc115d20ed6b9263afc53c73030d71.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2296	23fc115d20ed6b9263afc53c73030d71.exe
2296	23fc115d20ed6b9263afc53c73030d71.exe

C:\Users\Admin\AppData\Local\Temp\23fc115d20ed6b9263afc53c73030d71.exe
"C:\Users\Admin\AppData\Local\Temp\23fc115d20ed6b9263afc53c73030d71.exe"
1⤵
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23fc115d20ed6b9263afc53c73030d71.exe:typelib

Filesize
8KB

MD5
b67c1b008ea3ac9ec924fa9c53b99046

SHA1
c4c1b0253c17b85b8db073e99663e779edd8ee9b

SHA256
0be83cadc34db187cfda1212f77e9c88592a6fc2da644cb92938e792b08cfda3

SHA512
ca511501ab31892c33b0516b74b629f4d567721a417d5ae6a71922dc0331f1acbd381f2d5daef7f02767e6c62a818ffe16c4b985e53ea392c86e25185ed779ff

Download Submit
memory/2296-0-0x0000000000330000-0x00000000004E3000-memory.dmp

Filesize
1.7MB

Download
memory/2296-7-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/2296-14-0x0000000000330000-0x00000000004E3000-memory.dmp

Filesize
1.7MB

Download