137e1ec5f48f65adb6f3f0fdb73793bc0ac45362cc81582802c6c7ee098d30c1

Analysis

max time kernel
121s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 08:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

13cbb53cef5baa5944f90dfe3ffe1973.exe
Size

152KB
MD5

13cbb53cef5baa5944f90dfe3ffe1973
SHA1

f363ce2fdb3264b4c38b32ce287a5943e9820086
SHA256

137e1ec5f48f65adb6f3f0fdb73793bc0ac45362cc81582802c6c7ee098d30c1
SHA512

1f35c35fd8ec96adb7107c23fda70beaa055d949800fe2241feac26ec4d31a0791c78bd7f7b42f114d5b877087c4f6eaa5c740f2b2ff95252bf30eb2f44deaaf
SSDEEP

3072:IBYZIyDBpKbdRmTzrt9bqa1BQYT3IjGYVuxqa0e6w+S9KVK:jl7cXmTz3bqKBjbIaYIUNSoK

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1288-0-0x0000000000CA0000-0x0000000000D02000-memory.dmp	upx
behavioral1/memory/1288-2-0x0000000000CA0000-0x0000000000D02000-memory.dmp	upx

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\0	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\HELPDIR	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot.1\ = "Boot Class"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot.1\CLSID	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\0\win32	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}\ = "IBoot"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}\TypeLib	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\Programmable	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot.1\CLSID\ = "{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\VersionIndependentProgID	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\Version	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\0\win32	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\ = "Boot Class"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}\TypeLib	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}\TypeLib	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\ProgID	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\VersionIndependentProgID\ = "AmiBs.Boot"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\13cbb53cef5baa5944f90dfe3ffe1973.exe\""	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot.1\CLSID	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot\CurVer	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\13cbb53cef5baa5944f90dfe3ffe1973.exe"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\TypeLib	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\LocalServer32	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}\TypeLib\Version = "1.0"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\LocalServer32	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}\ProxyStubClsid32	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\FLAGS	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\FLAGS\ = "0"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot.1	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot\ = "Boot Class"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot\CurVer\ = "AmiBs.Boot.1"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\TypeLib\ = "{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\Version	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}\TypeLib	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}\ProxyStubClsid32	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\HELPDIR	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\Version\ = "1.0"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}\ = "IBoot"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot\CurVer	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\ProgID	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\ProgID\ = "AmiBs.Boot.1"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}\TypeLib\Version = "1.0"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\Programmable	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\ = "BootStrapperLib"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3CE44CA0-188E-4B18-9B74-C9AF88493573}\TypeLib\ = "{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}"	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\VersionIndependentProgID	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\FLAGS	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2C86D54-DFE6-4E92-BC48-5A5019BE4E9F}\TypeLib	13cbb53cef5baa5944f90dfe3ffe1973.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\0	13cbb53cef5baa5944f90dfe3ffe1973.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1288	13cbb53cef5baa5944f90dfe3ffe1973.exe
1288	13cbb53cef5baa5944f90dfe3ffe1973.exe

C:\Users\Admin\AppData\Local\Temp\13cbb53cef5baa5944f90dfe3ffe1973.exe
"C:\Users\Admin\AppData\Local\Temp\13cbb53cef5baa5944f90dfe3ffe1973.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1288-0-0x0000000000CA0000-0x0000000000D02000-memory.dmp

Filesize
392KB

Download
memory/1288-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1288-2-0x0000000000CA0000-0x0000000000D02000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads