f1705db02e07fd63cdaf95821705d323a2a5007fe83ba36d3b33f7844d920dce

Analysis

max time kernel
142s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16816ef22fb60ed07969338aa0c67971.exe
Size

704KB
MD5

16816ef22fb60ed07969338aa0c67971
SHA1

bb896a28e71447fc80e00d76303bea6f54daeab5
SHA256

f1705db02e07fd63cdaf95821705d323a2a5007fe83ba36d3b33f7844d920dce
SHA512

557e6a97ad88eff887d2a0681dad2f5da131e58777cdf8158fd4f9680f6120b41bb0241c795e2c092fcb2ac8d6e914a4110249e48dd75474c895ae9e482d3d65
SSDEEP

12288:A7Aywe8ein543ZgVyGYJ45jx220y22dfNDnju06/pn95crwsjpzJ/6A:A73ue2ht5jxZ0T2dfNDnCFN95cEsjpVF

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a000000012022-10.dat	acprotect
behavioral1/files/0x000b000000015c1b-19.dat	acprotect
behavioral1/files/0x0031000000015c7a-28.dat	acprotect
behavioral1/files/0x0030000000015c83-36.dat	acprotect
behavioral1/files/0x0007000000015dbb-42.dat	acprotect
behavioral1/files/0x0007000000015e82-62.dat	acprotect

Loads dropped DLL 14 IoCs

pid	Process
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012022-10.dat	upx
behavioral1/memory/2100-13-0x0000000011000000-0x00000000110A4000-memory.dmp	upx
behavioral1/files/0x000b000000015c1b-19.dat	upx
behavioral1/memory/2100-22-0x00000000217A0000-0x00000000217D4000-memory.dmp	upx
behavioral1/files/0x0031000000015c7a-28.dat	upx
behavioral1/memory/2100-31-0x0000000020000000-0x0000000020046000-memory.dmp	upx
behavioral1/files/0x0030000000015c83-36.dat	upx
behavioral1/memory/2100-40-0x0000000012BB0000-0x0000000012BEE000-memory.dmp	upx
behavioral1/files/0x0007000000015dbb-42.dat	upx
behavioral1/memory/2100-49-0x0000000046A30000-0x0000000046A4F000-memory.dmp	upx
behavioral1/files/0x0007000000015e82-62.dat	upx
behavioral1/memory/2100-77-0x0000000011000000-0x00000000110A4000-memory.dmp	upx
behavioral1/memory/2100-88-0x0000000020000000-0x0000000020046000-memory.dmp	upx
behavioral1/memory/2100-99-0x0000000012BB0000-0x0000000012BEE000-memory.dmp	upx
behavioral1/memory/2100-117-0x00000000217A0000-0x00000000217D4000-memory.dmp	upx
behavioral1/memory/2100-126-0x0000000011000000-0x00000000110A4000-memory.dmp	upx
behavioral1/memory/2100-127-0x0000000046A30000-0x0000000046A4F000-memory.dmp	upx
behavioral1/memory/2100-144-0x00000000217A0000-0x00000000217D4000-memory.dmp	upx
behavioral1/memory/2100-164-0x0000000020000000-0x0000000020046000-memory.dmp	upx
behavioral1/memory/2100-166-0x000000000D7E0000-0x000000000D7EB000-memory.dmp	upx
behavioral1/memory/2100-167-0x0000000012BB0000-0x0000000012BEE000-memory.dmp	upx
behavioral1/memory/2100-185-0x0000000011000000-0x00000000110A4000-memory.dmp	upx
behavioral1/memory/2100-186-0x0000000020000000-0x0000000020046000-memory.dmp	upx
behavioral1/memory/2100-190-0x000000000D7E0000-0x000000000D7EB000-memory.dmp	upx
behavioral1/memory/2100-191-0x0000000011000000-0x000000001100B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\O:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\Q:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\S:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\H:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\K:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\W:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\A:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\B:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\I:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\T:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\V:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\Y:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\E:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\G:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\L:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\M:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\N:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\P:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\R:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\U:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\X:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\Z:	16816ef22fb60ed07969338aa0c67971.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\CmkActiveX2.ocx	16816ef22fb60ed07969338aa0c67971.exe
File opened for modification	C:\Windows\SysWOW64\COMDLG32.OCX	16816ef22fb60ed07969338aa0c67971.exe
File opened for modification	C:\Windows\SysWOW64\RICHTX32.OCX	16816ef22fb60ed07969338aa0c67971.exe
File opened for modification	C:\Windows\SysWOW64\vbalexpbar6.ocx	16816ef22fb60ed07969338aa0c67971.exe
File opened for modification	C:\Windows\SysWOW64\vbaliml6.ocx	16816ef22fb60ed07969338aa0c67971.exe
File opened for modification	C:\Windows\SysWOW64\SSubTmr6.dll	16816ef22fb60ed07969338aa0c67971.exe
File opened for modification	C:\Windows\SysWOW64\CmkRw_IcoClass.dll	16816ef22fb60ed07969338aa0c67971.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	16816ef22fb60ed07969338aa0c67971.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A8E13D0-B260-415B-8798-3B98264F2BA5}\ProxyStubClsid	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\TypeLib\Version = "1.0"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{02B0E963-1717-4189-949E-C16293CF83B9}	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45F4746D-7C89-48C6-A80D-0D41386B7C18}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF9AF309-9018-4B3A-8A76-2415D8CB1C43}	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{396F7AD4-A0DD-11D3-93EC-00C0DFE7442A}\TypeLib\Version = "1.0"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C1889DF-D187-48B9-A2A6-5C3FBE0784CB}\TypeLib\ = "{E5791DD8-DEF8-4AFD-B9A2-D3073CDB8883}"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B151C3E4-A15A-4004-B5AA-0B8E6548F475}\ = "CmkPicComCd"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ = "IOLEObject"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}\ = "_CTimer"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\TypeLib\ = "{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD37CE70-DA4A-4EF0-905E-4436D5D5DB4C}\TypeLib\ = "{77EBD0B1-871A-4AD1-951A-26AEFE783111}"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD37CE70-DA4A-4EF0-905E-4436D5D5DB4C}\TypeLib\Version = "2.2"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0621CF6B-B4C3-46B3-9EB1-CFE78D8FE0E7}\MiscStatus\1\ = "229777"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5552A74E-E20E-4755-AA2D-B1835014C096}\ = "_CmkPicComCd"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89428572-6E6E-4BC5-9468-B7A2F7C4A722}\ = "CmkActiveX2.CmkButtonOs"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\TypeLib	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4009CA2-223A-4C4B-BBF9-E3CC79051A68}\ = "__CmkPicCom"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{387493D1-FDC7-4655-ACCF-D0BED1B0F94C}\ = "__CmkButtonOs"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{045F80D4-B574-4F2B-977A-EACE9E4AB01E}\ToolboxBitmap32	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbalExplorerBarLib6.cExplorerBars\Clsid	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{396F7AC8-A0DD-11D3-93EC-00C0DFE7442A}\ProxyStubClsid32	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8599891-E910-4DFB-B269-BD44B8D3D749}\InprocServer32	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA58A801-E895-4BCA-9F82-D0440426E909}\MiscStatus\1\ = "229777"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\ProxyStubClsid32	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4A4E112-DACB-4DEF-8E8A-972D88089833}\ = "vbalExplorerBarLib6.cExplorerBarItems"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ABF5374-DE25-4F2F-BB4F-E8B54B3A0C2A}\ProgID	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E5791DD8-DEF8-4AFD-B9A2-D3073CDB8883}\6a.3\0\win32\ = "C:\\Windows\\SysWow64\\CmkActiveX2.ocx"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID\ = "MSComDlg.CommonDialog"	16816ef22fb60ed07969338aa0c67971.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{396F7AC9-A0DD-11D3-93EC-00C0DFE7442A}\ToolboxBitmap32	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\ = "GSubclass"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{88D49DD9-6DF8-489E-9673-D9A9E1A278F2}\TypeLib\ = "{E5791DD8-DEF8-4AFD-B9A2-D3073CDB8883}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{88D49DD9-6DF8-489E-9673-D9A9E1A278F2}\ProxyStubClsid	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF9AF309-9018-4B3A-8A76-2415D8CB1C43}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbalExplorerBarLib6.pcExplorerBarItem	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{396F7AC8-A0DD-11D3-93EC-00C0DFE7442A}\TypeLib	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{396F7AC8-A0DD-11D3-93EC-00C0DFE7442A}	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68382ADF-F1E9-4371-95BA-19F1C9BEF181}\TypeLib	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DED149C-1D82-4670-A12D-FF2342ACB4A0}\ProgID	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{628DFC17-BEEF-486E-BDC5-E04B484FD8A6}\TypeLib	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55E89D87-08DD-4A27-95C4-9AEB48E62972}\ = "_CmkHd"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0621CF6B-B4C3-46B3-9EB1-CFE78D8FE0E7}\TypeLib\ = "{77EBD0B1-871A-4AD1-951A-26AEFE783111}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45F4746D-7C89-48C6-A80D-0D41386B7C18}\ProxyStubClsid32	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49F5CD6C-437A-45E0-9C99-902012EA33AD}\ToolboxBitmap32	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5552A74E-E20E-4755-AA2D-B1835014C096}\ = "CmkPicComCd"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF9AF309-9018-4B3A-8A76-2415D8CB1C43}\TypeLib	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9A5DDD41-9F4F-4EE8-8DCB-3E9C9024D84D}\TypeLib\ = "{77EBD0B1-871A-4AD1-951A-26AEFE783111}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD37CE70-DA4A-4EF0-905E-4436D5D5DB4C}\ProxyStubClsid32	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBAB9FC8-CF35-40D2-A3E0-F359D12A57BD}\Forward\ = "{DF428F1A-42E9-4DAD-A336-40AF511299AD}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{396F7AD0-A0DD-11D3-93EC-00C0DFE7442A}\TypeLib	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87157ABB-0232-4B61-9A8D-804A8DA9E490}	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DED149C-1D82-4670-A12D-FF2342ACB4A0}\InprocServer32\ThreadingModel = "Apartment"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{396F7AD4-A0DD-11D3-93EC-00C0DFE7442A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{396F7ACE-A0DD-11D3-93EC-00C0DFE7442A}	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\ = "Microsoft Common Dialog Control, version 6.0 (SP6)"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{76EED002-271B-44F0-B57C-FF8540C2B74C}\TypeLib\ = "{77EBD0B1-871A-4AD1-951A-26AEFE783111}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{02B0E963-1717-4189-949E-C16293CF83B9}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\CmkActiveX2.ocx, 30005"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3921933-6407-4DF3-9719-19D88CD55E97}\InprocServer32\ThreadingModel = "Apartment"	16816ef22fb60ed07969338aa0c67971.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe
2100	16816ef22fb60ed07969338aa0c67971.exe

C:\Users\Admin\AppData\Local\Temp\16816ef22fb60ed07969338aa0c67971.exe
"C:\Users\Admin\AppData\Local\Temp\16816ef22fb60ed07969338aa0c67971.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W79VKSP8\errorPageStrings[2]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W79VKSP8\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Windows\SysWOW64\COMDLG32.OCX

Filesize
98KB

MD5
9c7044f6d79bc3c90f18cc8139d8ad7d

SHA1
c25529b195635aabe22d7fcb811abb21664668b1

SHA256
e5cd937738f85ca450d9b33b974dfe878241a18c821bcde0b7912b0a8e0ad12e

SHA512
e10d3d80f9237050929df4dbebfd754a7306cb8f1c59905085b1e91827629a60678e53d4eef1ef330e2106769ca78182166cee4eef87dd219929abcffd33f442

Download Submit
C:\Windows\SysWOW64\CmkActiveX2.ocx

Filesize
133KB

MD5
46cb4c21b83ea126c60b21ddbbdd6d00

SHA1
035df9428fbd233e47b563f5415a8d56983b3884

SHA256
ca722c59d53a83b7143d3f91499f0b7e69d7bd73201ebe394b3f8c0df15699b5

SHA512
39fff01799f5fc2ceefe2dd0c9b2b2d20d59fb0fc24cf7d5f06ba8aa8220677d30429456f5b2a27993da313fb6ded0766dbd77616a5ae1a7d6ac60fdb442cd52

Download Submit
C:\Windows\SysWOW64\CmkRw_IcoClass.dll

Filesize
13KB

MD5
84b565550bd8997ff83aaf4ba14ef0eb

SHA1
f8422c024746cd3f850d45dfb4bb3eaa19eeaa9d

SHA256
715adfd037907933fa3aa6dc6a7fef768ea0ef918e81ecfc978774ebe0b9f248

SHA512
54cbfcfc64c788418f98bd2cb40f3f73b23022079f3845705921ac37a39f8caa517c1a7fa9d21f2304c23a323a589a7957f477c1af25f01f2bdcaa5b7ea01716

Download Submit
C:\Windows\SysWOW64\RICHTX32.OCX

Filesize
138KB

MD5
fe2d05ab41157fe95369363d61303f5d

SHA1
2901359b13046fc1a0f5a58d2ab1085c89661929

SHA256
0f81394b61f82ac71024bd6a48528849907acbc36359f73a6b1b15d70b20ed42

SHA512
bb0d7954ffaf884ac13f676d91d906489bb806911b6461d5b9cb87c28060ea2ff834e8d1c034a3586efd3cdeb9e1d6ae39987363c2c298516f1f29c4d9697ba2

Download Submit
C:\Windows\SysWOW64\SSubTmr6.dll

Filesize
40KB

MD5
dc7a3bc0fc185cd68848dc6f7d7b026b

SHA1
c661cb1198f5e3927a67884e71ca95ff33026224

SHA256
6618b3ab331642449f0b07e4f39abf9fc3bb90ae90b298f1b9ffd58ca5397399

SHA512
22c9b2b7930e9e442699e37f43944f7cb4cd2562ed8319b4341c59475fa8071b501f4908227378b7883930f14c3059f66531bf876b386dea0027151b08006577

Download Submit
C:\Windows\SysWOW64\vbalexpbar6.ocx

Filesize
78KB

MD5
657837561161fc3d120a864c9b9c5222

SHA1
79efed6dc222a2f02dfd8c755cb7ec3891bc83d7

SHA256
456cf26d92738f58ab97d963b724c7dd3da9106ed3f916fae124c84a0a4ae0ab

SHA512
d6e23dea6f087901d008720b1feacaae06d049227e47726d42e7610c401421d9e402baa45d0ec672e0120340a3cfaa9e972cb430f4e4adea5a3ceebcb9cca208

Download Submit
C:\Windows\SysWOW64\vbaliml6.ocx

Filesize
38KB

MD5
58382ca168ae7338147ec1221122ad40

SHA1
6f7c5636d607909fa989d7c857acbd4b555a3238

SHA256
94cb2040a4607129e5caaf028a06d99a3f595bb1d475ee7a71245b234ee0d643

SHA512
7ee1352c8ae31f5b9c8d5faa29a66c25354d56a3f807e7eea9ed227af880ae215396570cdd66c2eace303f281e324b60ee2c226bd460775714db8bacfe6fdcf5

Download Submit
memory/2100-88-0x0000000020000000-0x0000000020046000-memory.dmp

Filesize
280KB

Download
memory/2100-126-0x0000000011000000-0x00000000110A4000-memory.dmp

Filesize
656KB

Download
memory/2100-40-0x0000000012BB0000-0x0000000012BEE000-memory.dmp

Filesize
248KB

Download
memory/2100-22-0x00000000217A0000-0x00000000217D4000-memory.dmp

Filesize
208KB

Download
memory/2100-49-0x0000000046A30000-0x0000000046A4F000-memory.dmp

Filesize
124KB

Download
memory/2100-13-0x0000000011000000-0x00000000110A4000-memory.dmp

Filesize
656KB

Download
memory/2100-3-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2100-67-0x0000000011000000-0x000000001100B000-memory.dmp

Filesize
44KB

Download
memory/2100-77-0x0000000011000000-0x00000000110A4000-memory.dmp

Filesize
656KB

Download
memory/2100-78-0x0000000004880000-0x0000000004918000-memory.dmp

Filesize
608KB

Download
memory/2100-87-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2100-0-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2100-89-0x0000000004EA0000-0x0000000004F16000-memory.dmp

Filesize
472KB

Download
memory/2100-90-0x0000000004F30000-0x00000000050CE000-memory.dmp

Filesize
1.6MB

Download
memory/2100-99-0x0000000012BB0000-0x0000000012BEE000-memory.dmp

Filesize
248KB

Download
memory/2100-116-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2100-117-0x00000000217A0000-0x00000000217D4000-memory.dmp

Filesize
208KB

Download
memory/2100-31-0x0000000020000000-0x0000000020046000-memory.dmp

Filesize
280KB

Download
memory/2100-127-0x0000000046A30000-0x0000000046A4F000-memory.dmp

Filesize
124KB

Download
memory/2100-144-0x00000000217A0000-0x00000000217D4000-memory.dmp

Filesize
208KB

Download
memory/2100-165-0x0000000005590000-0x0000000005690000-memory.dmp

Filesize
1024KB

Download
memory/2100-164-0x0000000020000000-0x0000000020046000-memory.dmp

Filesize
280KB

Download
memory/2100-166-0x000000000D7E0000-0x000000000D7EB000-memory.dmp

Filesize
44KB

Download
memory/2100-167-0x0000000012BB0000-0x0000000012BEE000-memory.dmp

Filesize
248KB

Download
memory/2100-168-0x0000000005590000-0x0000000005690000-memory.dmp

Filesize
1024KB

Download
memory/2100-2-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2100-1-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2100-184-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2100-185-0x0000000011000000-0x00000000110A4000-memory.dmp

Filesize
656KB

Download
memory/2100-186-0x0000000020000000-0x0000000020046000-memory.dmp

Filesize
280KB

Download
memory/2100-190-0x000000000D7E0000-0x000000000D7EB000-memory.dmp

Filesize
44KB

Download
memory/2100-191-0x0000000011000000-0x000000001100B000-memory.dmp

Filesize
44KB

Download
memory/2100-192-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2100-206-0x0000000005590000-0x0000000005690000-memory.dmp

Filesize
1024KB

Download