232c7166552282895881433a8948cbfc1d7798629db39ce014a8d36c2353e427

Analysis

max time kernel
151s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

106610232a6c094912b27dd1383e31f2.exe
Size

294KB
MD5

106610232a6c094912b27dd1383e31f2
SHA1

0e2c699cc2326f7dab1c534b8ce496cdbe46dd06
SHA256

232c7166552282895881433a8948cbfc1d7798629db39ce014a8d36c2353e427
SHA512

b9fcdebb1a11baa09eab99399f19b87924148661636ab58e4314d37747cbc05bc413171acf603289bd1347f5e482357b5fd6c3866a10123662cd7b5530a856ea
SSDEEP

6144:kzG8n6K2nWfZQKIG6bYDXVI7sYpWnZA+/FpxdhJ:g1IIZybYLy7zAlNdX

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	lsass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\lsass = "C:\\Windows\\lsass.exe"	lsass.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lsass.exe	106610232a6c094912b27dd1383e31f2.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{996BF5E0-8044-4650-ADEB-0B013914E99C}"	106610232a6c094912b27dd1383e31f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{F91CAF91-225B-43A7-BB9E-472F991FC402}"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	106610232a6c094912b27dd1383e31f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{7DC6F291-BF55-4E50-B619-EF672D9DCC58}"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	106610232a6c094912b27dd1383e31f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{24B224E0-9545-4A2F-ABD5-86AA8A849385}"	106610232a6c094912b27dd1383e31f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	106610232a6c094912b27dd1383e31f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{627C8B79-918A-4C5C-9E19-20F66BF30B86}"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.Slider.2"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\MiscStatus\ = "0"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "2.0"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\MiscStatus\ = "0"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\MiscStatus\ = "0"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\VersionIndependentProgID	106610232a6c094912b27dd1383e31f2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628}\InprocServer32	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628}\InprocServer32	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\InprocServer32\ThreadingModel = "Apartment"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ = "IVBDataObject"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\VersionIndependentProgID	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Toolbar\CurVer\ = "MSComctlLib.Toolbar.2"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}\Version\ = "2.0"	106610232a6c094912b27dd1383e31f2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE34-8596-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\MiscStatus\ = "0"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Version	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\mscomctl.ocx, 10"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\ = "Microsoft ImageList Control 6.0 (SP6)"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\InprocServer32\ = "C:\\Windows\\SysWow64\\mscomctl.ocx"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider\CLSID\ = "{F08DF954-8592-11D1-B16A-00C0F0283628}"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\ToolboxBitmap32	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Version	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\ = "IProgressBarEvents"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF953-8592-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE40-8596-11D1-B16A-00C0F0283628}\InprocServer32	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE9-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}\ToolboxBitmap32	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\VersionIndependentProgID\ = "MSComctlLib.ImageListCtrl"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\TypeLib	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}\InprocServer32	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE41-8596-11D1-B16A-00C0F0283628}\InprocServer32	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\TypeLib	106610232a6c094912b27dd1383e31f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl\CLSID	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Toolbar\CLSID\ = "{7DC6F291-BF55-4E50-B619-EF672D9DCC58}"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl.2\CLSID\ = "{BDD1F04B-858B-11D1-B16A-00C0F0283628}"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\MiscStatus\ = "0"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\MiscStatus\1\ = "131473"	106610232a6c094912b27dd1383e31f2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3A-8596-11D1-B16A-00C0F0283628}	106610232a6c094912b27dd1383e31f2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3F-8596-11D1-B16A-00C0F0283628}\InprocServer32	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	106610232a6c094912b27dd1383e31f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	106610232a6c094912b27dd1383e31f2.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2672	lsass.exe
2672	lsass.exe
2672	lsass.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2672	1916	106610232a6c094912b27dd1383e31f2.exe	28
PID 1916 wrote to memory of 2672	1916	106610232a6c094912b27dd1383e31f2.exe	28
PID 1916 wrote to memory of 2672	1916	106610232a6c094912b27dd1383e31f2.exe	28
PID 1916 wrote to memory of 2672	1916	106610232a6c094912b27dd1383e31f2.exe	28

C:\Users\Admin\AppData\Local\Temp\106610232a6c094912b27dd1383e31f2.exe
"C:\Users\Admin\AppData\Local\Temp\106610232a6c094912b27dd1383e31f2.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\lsass.exe
  C:\Windows\lsass.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\lsass.exe

Filesize
20KB

MD5
0ec6700b788a4df3cf55751b2a86dc2b

SHA1
9b25d49467e260982aa4dc0a90e4f10c5972ee7b

SHA256
d7a323d2443477a6a387552e01f75de2bb4dff522ea1588b0827f1adc2223b35

SHA512
3e80b1a1050dd8987c9eb46675e60df5e638612d05550db4f2898116840807c0c335c6f28e69e8686859f35ade86d43806431f99b2d4403e95dbba1bea1e2e62

Download Submit
memory/1916-28-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2672-32-0x0000000003A00000-0x0000000003E12000-memory.dmp

Filesize
4.1MB

Download
memory/2672-37-0x0000000004150000-0x0000000004497000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads