28ecec9ba057bd899d6bb8557f82af4db6c120534467c0a868bcd12d8b1fd718

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d781e9b7d87b9148b0896ee045290f5.exe
Size

522KB
MD5

1d781e9b7d87b9148b0896ee045290f5
SHA1

ffe074fb07206701a47a61c39b10d495b8c330f2
SHA256

28ecec9ba057bd899d6bb8557f82af4db6c120534467c0a868bcd12d8b1fd718
SHA512

71114e003f5572dff94328291a9e0b3ba008aa8a06d807366fa448757f9333c632073793c439bdbf9ad812f81f4a97e6c05caa17170cf18edd8bdc08381e7849
SSDEEP

12288:nV+mzUobg/rsLjRE+ISnMOjSS8gEb8ZhgiAcocrlDI:n83R/rsLjRE+IkMOjSOThbAPcq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	1d781e9b7d87b9148b0896ee045290f5.exe

Executes dropped EXE 1 IoCs

pid	Process
3332	1.exe

Loads dropped DLL 4 IoCs

pid	Process
3332	1.exe
3332	1.exe
3332	1.exe
3332	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.UpDown\CLSID\ = "{603C7E80-87C2-11D1-8BE3-0000F8754DA1}"	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\ProgID\ = "MSComCtl2.FlatScrollBar.2"	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{232E4569-87C3-11D1-8BE3-0000F8754DA1}\TypeLib\ = "{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.FlatScrollBar\ = "Microsoft Flat Scrollbar Control 6.0 (SP4)"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.UpDown\CurVer	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{603C7E7E-87C2-11D1-8BE3-0000F8754DA1}	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE387539-44A3-11D1-B5B7-0000C09000C4}\ProxyStubClsid32	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\comdlg32.ocx"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{586A6357-87C8-11D1-8BE3-0000F8754DA1}\ = "Date and Time Picker General Property Page Object"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09DE713-87C1-11D1-8BE3-0000F8754DA1}\ProxyStubClsid32	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{586A6356-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.Animation\CLSID	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\Control	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{586A6354-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\Implemented Categories	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ = "ICommonDialog"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\Version	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\MiscStatus\1	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ = "IVBDataObject"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{603C7E7F-87C2-11D1-8BE3-0000F8754DA1}\TypeLib	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\comdlg32.ocx"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\ProgID	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{232E4569-87C3-11D1-8BE3-0000F8754DA1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20DD1B9B-87C4-11D1-8BE3-0000F8754DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE387539-44A3-11D1-B5B7-0000C09000C4}	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\MiscStatus	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.Animation	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09DE713-87C1-11D1-8BE3-0000F8754DA1}\TypeLib\ = "{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20DD1B9D-87C4-11D1-8BE3-0000F8754DA1}\ProxyStubClsid32	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{232E4569-87C3-11D1-8BE3-0000F8754DA1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\TypeLib\ = "{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{603C7E7E-87C2-11D1-8BE3-0000F8754DA1}\TypeLib	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\ToolboxBitmap32	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR\	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\InprocServer32\ThreadingModel = "Apartment"	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1\CLSID\ = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.UpDown	1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{586A6355-87C8-11D1-8BE3-0000F8754DA1}	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{586A6357-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{232E4565-87C3-11D1-8BE3-0000F8754DA1}\TypeLib\ = "{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\VersionIndependentProgID	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\TypeLib\ = "{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}"	1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\MSCOMCT2.OCX, 1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{232E4569-87C3-11D1-8BE3-0000F8754DA1}\TypeLib\ = "{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}"	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\Version = "1.2"	1.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3332	1.exe
3332	1.exe
3332	1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 3332	4064	1d781e9b7d87b9148b0896ee045290f5.exe	87
PID 4064 wrote to memory of 3332	4064	1d781e9b7d87b9148b0896ee045290f5.exe	87
PID 4064 wrote to memory of 3332	4064	1d781e9b7d87b9148b0896ee045290f5.exe	87

C:\Users\Admin\AppData\Local\Temp\1d781e9b7d87b9148b0896ee045290f5.exe
"C:\Users\Admin\AppData\Local\Temp\1d781e9b7d87b9148b0896ee045290f5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe

Filesize
160KB

MD5
7832e8fd678bff4bb9adaef7acb8524f

SHA1
3b7acfcbb2805810ca3a741c0bf44ad7489525e8

SHA256
14d6211432e2892f46eaf0b08aef565d486fa43699c4c81ece20642663eada59

SHA512
a867d8b390ff8cf6451dd3920fba76d043f6c3e29995c1a28284a7df42328ef78c74f90abad12b3e06c7ec8484ed7eec7ef40b3730e6d59d4368546cd0096889

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\COMDLG32.OCX

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSCOMCT2.OCX

Filesize
632KB

MD5
c1b4af41a0370e4081d59ac99bcc929d

SHA1
c0c55de97f41a24bf50b2d08eb428371bb4a3cce

SHA256
2b7a1f905486736eda8b51add1bc2590c2a6d9d5a9ab7565335d989f39c0eb8e

SHA512
0bb987af80ab3b598f2d3008a6005484d2d4d082958e757aed3fd1cd5cca543f02d7b475e2c030e28e320d327dce4b4009894f51b7ab8f03acf54314d86d38b4

Download Submit
memory/4064-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download