f1705db02e07fd63cdaf95821705d323a2a5007fe83ba36d3b33f7844d920dce

Analysis

max time kernel
170s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16816ef22fb60ed07969338aa0c67971.exe
Size

704KB
MD5

16816ef22fb60ed07969338aa0c67971
SHA1

bb896a28e71447fc80e00d76303bea6f54daeab5
SHA256

f1705db02e07fd63cdaf95821705d323a2a5007fe83ba36d3b33f7844d920dce
SHA512

557e6a97ad88eff887d2a0681dad2f5da131e58777cdf8158fd4f9680f6120b41bb0241c795e2c092fcb2ac8d6e914a4110249e48dd75474c895ae9e482d3d65
SSDEEP

12288:A7Aywe8ein543ZgVyGYJ45jx220y22dfNDnju06/pn95crwsjpzJ/6A:A73ue2ht5jxZ0T2dfNDnCFN95cEsjpVF

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000400000001e7c9-9.dat	acprotect
behavioral2/files/0x000200000001e7dd-17.dat	acprotect
behavioral2/files/0x000200000001e7de-25.dat	acprotect
behavioral2/files/0x000200000001e7df-33.dat	acprotect
behavioral2/files/0x000200000001e7e0-44.dat	acprotect
behavioral2/files/0x000200000001e7e2-57.dat	acprotect

Loads dropped DLL 13 IoCs

pid	Process
4772	16816ef22fb60ed07969338aa0c67971.exe
4772	16816ef22fb60ed07969338aa0c67971.exe
4772	16816ef22fb60ed07969338aa0c67971.exe
4772	16816ef22fb60ed07969338aa0c67971.exe
4772	16816ef22fb60ed07969338aa0c67971.exe
4772	16816ef22fb60ed07969338aa0c67971.exe
4772	16816ef22fb60ed07969338aa0c67971.exe
4772	16816ef22fb60ed07969338aa0c67971.exe
4772	16816ef22fb60ed07969338aa0c67971.exe
4772	16816ef22fb60ed07969338aa0c67971.exe
4772	16816ef22fb60ed07969338aa0c67971.exe
4772	16816ef22fb60ed07969338aa0c67971.exe
4772	16816ef22fb60ed07969338aa0c67971.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000400000001e7c9-9.dat	upx
behavioral2/memory/4772-12-0x0000000011000000-0x00000000110A4000-memory.dmp	upx
behavioral2/files/0x000200000001e7dd-17.dat	upx
behavioral2/memory/4772-18-0x00000000217A0000-0x00000000217D4000-memory.dmp	upx
behavioral2/files/0x000200000001e7de-25.dat	upx
behavioral2/memory/4772-27-0x0000000020000000-0x0000000020046000-memory.dmp	upx
behavioral2/files/0x000200000001e7df-33.dat	upx
behavioral2/memory/4772-37-0x0000000012BB0000-0x0000000012BEE000-memory.dmp	upx
behavioral2/files/0x000200000001e7e0-44.dat	upx
behavioral2/files/0x000200000001e7e2-57.dat	upx
behavioral2/memory/4772-60-0x0000000011000000-0x000000001100B000-memory.dmp	upx
behavioral2/memory/4772-71-0x0000000011000000-0x00000000110A4000-memory.dmp	upx
behavioral2/memory/4772-74-0x0000000011000000-0x00000000110A4000-memory.dmp	upx
behavioral2/memory/4772-77-0x0000000046A30000-0x0000000046A4F000-memory.dmp	upx
behavioral2/memory/4772-78-0x0000000011000000-0x000000001100B000-memory.dmp	upx
behavioral2/memory/4772-101-0x0000000020000000-0x0000000020046000-memory.dmp	upx
behavioral2/memory/4772-104-0x0000000020000000-0x0000000020046000-memory.dmp	upx
behavioral2/memory/4772-117-0x0000000012BB0000-0x0000000012BEE000-memory.dmp	upx
behavioral2/memory/4772-119-0x0000000011000000-0x00000000110A4000-memory.dmp	upx
behavioral2/memory/4772-121-0x0000000012BB0000-0x0000000012BEE000-memory.dmp	upx
behavioral2/memory/4772-120-0x0000000020000000-0x0000000020046000-memory.dmp	upx
behavioral2/memory/4772-140-0x00000000217A0000-0x00000000217D4000-memory.dmp	upx
behavioral2/memory/4772-147-0x0000000046A30000-0x0000000046A4F000-memory.dmp	upx
behavioral2/memory/4772-150-0x0000000020000000-0x0000000020046000-memory.dmp	upx
behavioral2/memory/4772-151-0x0000000012BB0000-0x0000000012BEE000-memory.dmp	upx
behavioral2/memory/4772-152-0x00000000217A0000-0x00000000217D4000-memory.dmp	upx
behavioral2/memory/4772-153-0x0000000046A30000-0x0000000046A4F000-memory.dmp	upx
behavioral2/memory/4772-168-0x0000000011000000-0x00000000110A4000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\O:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\T:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\U:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\G:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\I:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\Q:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\S:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\X:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\Z:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\B:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\P:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\Y:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\H:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\W:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\J:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\K:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\M:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\N:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\R:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\V:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\A:	16816ef22fb60ed07969338aa0c67971.exe
File opened (read-only)	\??\E:	16816ef22fb60ed07969338aa0c67971.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\RICHTX32.OCX	16816ef22fb60ed07969338aa0c67971.exe
File opened for modification	C:\Windows\SysWOW64\vbalexpbar6.ocx	16816ef22fb60ed07969338aa0c67971.exe
File opened for modification	C:\Windows\SysWOW64\vbaliml6.ocx	16816ef22fb60ed07969338aa0c67971.exe
File opened for modification	C:\Windows\SysWOW64\SSubTmr6.dll	16816ef22fb60ed07969338aa0c67971.exe
File opened for modification	C:\Windows\SysWOW64\CmkRw_IcoClass.dll	16816ef22fb60ed07969338aa0c67971.exe
File opened for modification	C:\Windows\SysWOW64\CmkActiveX2.ocx	16816ef22fb60ed07969338aa0c67971.exe
File opened for modification	C:\Windows\SysWOW64\COMDLG32.OCX	16816ef22fb60ed07969338aa0c67971.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4009CA2-223A-4C4B-BBF9-E3CC79051A68}\TypeLib\ = "{E5791DD8-DEF8-4AFD-B9A2-D3073CDB8883}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF9AF309-9018-4B3A-8A76-2415D8CB1C43}\TypeLib\Version = "2.2"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF428F1A-42E9-4DAD-A336-40AF511299AD}\TypeLib	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{396F7AD4-A0DD-11D3-93EC-00C0DFE7442A}\TypeLib\Version = "1.0"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99B5C91B-C1B3-4914-BF50-C2B3A7A77322}\ = "_CmkRw_Ico"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5552A74E-E20E-4755-AA2D-B1835014C096}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5552A74E-E20E-4755-AA2D-B1835014C096}\TypeLib\Version = "6a.3"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE9B80B4-265A-4884-AC60-AADF6DE07B70}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A5DDD41-9F4F-4EE8-8DCB-3E9C9024D84D}\TypeLib\ = "{77EBD0B1-871A-4AD1-951A-26AEFE783111}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{396F7AC0-A0DD-11D3-93EC-00C0DFE7442A}	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D670F823-F6C7-4E00-8DA8-2F2ABF567AEB}\ = "_CmkButtonOs"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE9B80B4-265A-4884-AC60-AADF6DE07B70}\TypeLib\ = "{E5791DD8-DEF8-4AFD-B9A2-D3073CDB8883}"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68382ADF-F1E9-4371-95BA-19F1C9BEF181}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{387493D1-FDC7-4655-ACCF-D0BED1B0F94C}\ProxyStubClsid	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8599891-E910-4DFB-B269-BD44B8D3D749}\InprocServer32	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CmkActiveX2.CmkPicOp\Clsid	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{388EAA1B-02FA-49E3-B6CE-9C1AEA022DAB}\ProxyStubClsid	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA58A801-E895-4BCA-9F82-D0440426E909}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\CmkActiveX2.ocx, 30008"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A5DDD41-9F4F-4EE8-8DCB-3E9C9024D84D}	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{628DFC17-BEEF-486E-BDC5-E04B484FD8A6}\TypeLib	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68382ADF-F1E9-4371-95BA-19F1C9BEF181}\TypeLib	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA58A801-E895-4BCA-9F82-D0440426E909}\ProgID	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\ = "Common Dialog Open Property Page Object"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Version	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF428F1A-42E9-4DAD-A336-40AF511299AD}\TypeLib	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87157ABB-0232-4B61-9A8D-804A8DA9E490}\TypeLib\ = "{E5791DD8-DEF8-4AFD-B9A2-D3073CDB8883}"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68382ADF-F1E9-4371-95BA-19F1C9BEF181}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89428572-6E6E-4BC5-9468-B7A2F7C4A722}\ProgID\ = "CmkActiveX2.CmkButtonOs"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF428F1A-42E9-4DAD-A336-40AF511299AD}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A8E13D0-B260-415B-8798-3B98264F2BA5}	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{396F7ACE-A0DD-11D3-93EC-00C0DFE7442A}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{49F5CD6C-437A-45E0-9C99-902012EA33AD}\MiscStatus\1	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5458EB2-B9D6-4613-824D-FC29F468E563}\ = "CmkMouseCommand"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CmkActiveX2.CmkHelpTip	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DED149C-1D82-4670-A12D-FF2342ACB4A0}\MiscStatus\1	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\TypeLib\Version = "1.2"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD37CE70-DA4A-4EF0-905E-4436D5D5DB4C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}\ = "CTimer"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5552A74E-E20E-4755-AA2D-B1835014C096}\TypeLib\Version = "6a.3"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CmkActiveX2.CmkHelpTip\Clsid\ = "{7F333180-59B1-4801-BF55-64F6A2803FF8}"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D670F823-F6C7-4E00-8DA8-2F2ABF567AEB}\ = "CmkButtonOs"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45F4746D-7C89-48C6-A80D-0D41386B7C18}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{045F80D4-B574-4F2B-977A-EACE9E4AB01E}\Control	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Windows\\SysWow64\\COMDLG32.OCX"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76EED002-271B-44F0-B57C-FF8540C2B74C}\TypeLib	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0621CF6B-B4C3-46B3-9EB1-CFE78D8FE0E7}\MiscStatus\ = "0"	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF9AF309-9018-4B3A-8A76-2415D8CB1C43}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87157ABB-0232-4B61-9A8D-804A8DA9E490}	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1C6E3B0-22CA-4D39-86F1-1CB1219C3052}\TypeLib	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68382ADF-F1E9-4371-95BA-19F1C9BEF181}\TypeLib\ = "{E5791DD8-DEF8-4AFD-B9A2-D3073CDB8883}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F333180-59B1-4801-BF55-64F6A2803FF8}\MiscStatus	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DED149C-1D82-4670-A12D-FF2342ACB4A0}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\CmkActiveX2.ocx, 30003"	16816ef22fb60ed07969338aa0c67971.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl\CLSID\ = "{3B7C8860-D78F-101B-B9B5-04021C009402}"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{628DFC17-BEEF-486E-BDC5-E04B484FD8A6}\ProxyStubClsid32	16816ef22fb60ed07969338aa0c67971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B5BE835-1487-42EA-A72A-8EF629C20A4D}\ = "_pcExplorerBarItem"	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{396F7AC8-A0DD-11D3-93EC-00C0DFE7442A}\TypeLib	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE9B80B4-265A-4884-AC60-AADF6DE07B70}	16816ef22fb60ed07969338aa0c67971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4009CA2-223A-4C4B-BBF9-E3CC79051A68}\ProxyStubClsid32	16816ef22fb60ed07969338aa0c67971.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4772	16816ef22fb60ed07969338aa0c67971.exe
Token: SeCreatePagefilePrivilege	4772	16816ef22fb60ed07969338aa0c67971.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4772	16816ef22fb60ed07969338aa0c67971.exe
4772	16816ef22fb60ed07969338aa0c67971.exe
4772	16816ef22fb60ed07969338aa0c67971.exe
4772	16816ef22fb60ed07969338aa0c67971.exe

C:\Users\Admin\AppData\Local\Temp\16816ef22fb60ed07969338aa0c67971.exe
"C:\Users\Admin\AppData\Local\Temp\16816ef22fb60ed07969338aa0c67971.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Windows\SysWOW64\COMDLG32.OCX

Filesize
98KB

MD5
9c7044f6d79bc3c90f18cc8139d8ad7d

SHA1
c25529b195635aabe22d7fcb811abb21664668b1

SHA256
e5cd937738f85ca450d9b33b974dfe878241a18c821bcde0b7912b0a8e0ad12e

SHA512
e10d3d80f9237050929df4dbebfd754a7306cb8f1c59905085b1e91827629a60678e53d4eef1ef330e2106769ca78182166cee4eef87dd219929abcffd33f442

Download Submit
C:\Windows\SysWOW64\CmkActiveX2.ocx

Filesize
133KB

MD5
46cb4c21b83ea126c60b21ddbbdd6d00

SHA1
035df9428fbd233e47b563f5415a8d56983b3884

SHA256
ca722c59d53a83b7143d3f91499f0b7e69d7bd73201ebe394b3f8c0df15699b5

SHA512
39fff01799f5fc2ceefe2dd0c9b2b2d20d59fb0fc24cf7d5f06ba8aa8220677d30429456f5b2a27993da313fb6ded0766dbd77616a5ae1a7d6ac60fdb442cd52

Download Submit
C:\Windows\SysWOW64\CmkRw_IcoClass.dll

Filesize
13KB

MD5
84b565550bd8997ff83aaf4ba14ef0eb

SHA1
f8422c024746cd3f850d45dfb4bb3eaa19eeaa9d

SHA256
715adfd037907933fa3aa6dc6a7fef768ea0ef918e81ecfc978774ebe0b9f248

SHA512
54cbfcfc64c788418f98bd2cb40f3f73b23022079f3845705921ac37a39f8caa517c1a7fa9d21f2304c23a323a589a7957f477c1af25f01f2bdcaa5b7ea01716

Download Submit
C:\Windows\SysWOW64\RICHTX32.OCX

Filesize
138KB

MD5
fe2d05ab41157fe95369363d61303f5d

SHA1
2901359b13046fc1a0f5a58d2ab1085c89661929

SHA256
0f81394b61f82ac71024bd6a48528849907acbc36359f73a6b1b15d70b20ed42

SHA512
bb0d7954ffaf884ac13f676d91d906489bb806911b6461d5b9cb87c28060ea2ff834e8d1c034a3586efd3cdeb9e1d6ae39987363c2c298516f1f29c4d9697ba2

Download Submit
C:\Windows\SysWOW64\SSubTmr6.dll

Filesize
40KB

MD5
dc7a3bc0fc185cd68848dc6f7d7b026b

SHA1
c661cb1198f5e3927a67884e71ca95ff33026224

SHA256
6618b3ab331642449f0b07e4f39abf9fc3bb90ae90b298f1b9ffd58ca5397399

SHA512
22c9b2b7930e9e442699e37f43944f7cb4cd2562ed8319b4341c59475fa8071b501f4908227378b7883930f14c3059f66531bf876b386dea0027151b08006577

Download Submit
C:\Windows\SysWOW64\vbalexpbar6.ocx

Filesize
78KB

MD5
657837561161fc3d120a864c9b9c5222

SHA1
79efed6dc222a2f02dfd8c755cb7ec3891bc83d7

SHA256
456cf26d92738f58ab97d963b724c7dd3da9106ed3f916fae124c84a0a4ae0ab

SHA512
d6e23dea6f087901d008720b1feacaae06d049227e47726d42e7610c401421d9e402baa45d0ec672e0120340a3cfaa9e972cb430f4e4adea5a3ceebcb9cca208

Download Submit
C:\Windows\SysWOW64\vbaliml6.ocx

Filesize
38KB

MD5
58382ca168ae7338147ec1221122ad40

SHA1
6f7c5636d607909fa989d7c857acbd4b555a3238

SHA256
94cb2040a4607129e5caaf028a06d99a3f595bb1d475ee7a71245b234ee0d643

SHA512
7ee1352c8ae31f5b9c8d5faa29a66c25354d56a3f807e7eea9ed227af880ae215396570cdd66c2eace303f281e324b60ee2c226bd460775714db8bacfe6fdcf5

Download Submit
memory/4772-75-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-99-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-18-0x00000000217A0000-0x00000000217D4000-memory.dmp

Filesize
208KB

Download
memory/4772-36-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-37-0x0000000012BB0000-0x0000000012BEE000-memory.dmp

Filesize
248KB

Download
memory/4772-12-0x0000000011000000-0x00000000110A4000-memory.dmp

Filesize
656KB

Download
memory/4772-49-0x0000000046A30000-0x0000000046A4F000-memory.dmp

Filesize
124KB

Download
memory/4772-3-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-2-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-60-0x0000000011000000-0x000000001100B000-memory.dmp

Filesize
44KB

Download
memory/4772-63-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-71-0x0000000011000000-0x00000000110A4000-memory.dmp

Filesize
656KB

Download
memory/4772-70-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-72-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-73-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-74-0x0000000011000000-0x00000000110A4000-memory.dmp

Filesize
656KB

Download
memory/4772-0-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-77-0x0000000046A30000-0x0000000046A4F000-memory.dmp

Filesize
124KB

Download
memory/4772-78-0x0000000011000000-0x000000001100B000-memory.dmp

Filesize
44KB

Download
memory/4772-1-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-91-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-27-0x0000000020000000-0x0000000020046000-memory.dmp

Filesize
280KB

Download
memory/4772-101-0x0000000020000000-0x0000000020046000-memory.dmp

Filesize
280KB

Download
memory/4772-104-0x0000000020000000-0x0000000020046000-memory.dmp

Filesize
280KB

Download
memory/4772-117-0x0000000012BB0000-0x0000000012BEE000-memory.dmp

Filesize
248KB

Download
memory/4772-118-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-119-0x0000000011000000-0x00000000110A4000-memory.dmp

Filesize
656KB

Download
memory/4772-121-0x0000000012BB0000-0x0000000012BEE000-memory.dmp

Filesize
248KB

Download
memory/4772-120-0x0000000020000000-0x0000000020046000-memory.dmp

Filesize
280KB

Download
memory/4772-122-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-126-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-130-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-140-0x00000000217A0000-0x00000000217D4000-memory.dmp

Filesize
208KB

Download
memory/4772-147-0x0000000046A30000-0x0000000046A4F000-memory.dmp

Filesize
124KB

Download
memory/4772-148-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-150-0x0000000020000000-0x0000000020046000-memory.dmp

Filesize
280KB

Download
memory/4772-151-0x0000000012BB0000-0x0000000012BEE000-memory.dmp

Filesize
248KB

Download
memory/4772-152-0x00000000217A0000-0x00000000217D4000-memory.dmp

Filesize
208KB

Download
memory/4772-153-0x0000000046A30000-0x0000000046A4F000-memory.dmp

Filesize
124KB

Download
memory/4772-154-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-160-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-167-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4772-168-0x0000000011000000-0x00000000110A4000-memory.dmp

Filesize
656KB

Download