49ac18e53f2a2078cf8ea7e0914445b957484b60732eaba4ece40bbbedd05578

Analysis

max time kernel
5s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25b4be18ca97cb45183e53e0238a5bc7.exe
Size

320KB
MD5

25b4be18ca97cb45183e53e0238a5bc7
SHA1

f7f85e9861c547bd61574f960dbfe68f95555b50
SHA256

49ac18e53f2a2078cf8ea7e0914445b957484b60732eaba4ece40bbbedd05578
SHA512

22d44ac280b5d11f5983dbcaeb4ec8e2068e56e7a90045ccdcde948e253d8c8a9249958f83f27248b738c54a7a0ffe5b3b02e14633d34cd62b37d2b479304121
SSDEEP

6144:QAeabNPccvg2N9rljS6/Vt6MwJD0i/pv8ZaROiixeq6N3sUjgHTvzfHuPwXKjKkL:AapVvg2N9R5+voeq6N3sv6OkB9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dnEmzzKG.OsenXPForm\Clsid	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C29CD210-9031-411A-86D4-102E2E228853}\ = "OsenXPForm"	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2146C4BD-2E11-4952-8AE8-1295FE31C553}\1.0\FLAGS\ = "0"	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C29CD210-9031-411A-86D4-102E2E228853}\ = "__OsenXPForm"	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\LocalServer32	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C29CD210-9031-411A-86D4-102E2E228853}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755233FD-DE55-4724-85A0-78CD170AA9C9}\TypeLib\ = "{2146C4BD-2E11-4952-8AE8-1295FE31C553}"	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C29CD210-9031-411A-86D4-102E2E228853}\TypeLib\Version = "1.0"	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\ProgID\ = "dnEmzzKG.OsenXPForm"	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\25b4be18ca97cb45183e53e0238a5bc7.exe, 30000"	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\TypeLib\ = "{2146C4BD-2E11-4952-8AE8-1295FE31C553}"	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dnEmzzKG.OsenXPForm\ = "dnEmzzKG.OsenXPForm"	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C29CD210-9031-411A-86D4-102E2E228853}\TypeLib	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\Control	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{755233FD-DE55-4724-85A0-78CD170AA9C9}\ = "_OsenXPForm"	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C29CD210-9031-411A-86D4-102E2E228853}\ProxyStubClsid32	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C29CD210-9031-411A-86D4-102E2E228853}	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C29CD210-9031-411A-86D4-102E2E228853}\ = "__OsenXPForm"	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\ToolboxBitmap32	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{755233FD-DE55-4724-85A0-78CD170AA9C9}\ProxyStubClsid	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\Implemented Categories	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2146C4BD-2E11-4952-8AE8-1295FE31C553}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\25b4be18ca97cb45183e53e0238a5bc7.exe"	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{755233FD-DE55-4724-85A0-78CD170AA9C9}\TypeLib	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C29CD210-9031-411A-86D4-102E2E228853}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C29CD210-9031-411A-86D4-102E2E228853}	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\ProgID	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2146C4BD-2E11-4952-8AE8-1295FE31C553}	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2146C4BD-2E11-4952-8AE8-1295FE31C553}\1.0\0\win32	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{755233FD-DE55-4724-85A0-78CD170AA9C9}\ProxyStubClsid32	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{755233FD-DE55-4724-85A0-78CD170AA9C9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{755233FD-DE55-4724-85A0-78CD170AA9C9}\TypeLib\Version = "1.0"	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755233FD-DE55-4724-85A0-78CD170AA9C9}	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\ = "dnEmzzKG.OsenXPForm"	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\MiscStatus\ = "0"	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2146C4BD-2E11-4952-8AE8-1295FE31C553}\1.0\FLAGS	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2146C4BD-2E11-4952-8AE8-1295FE31C553}\1.0\HELPDIR	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C29CD210-9031-411A-86D4-102E2E228853}\TypeLib\ = "{2146C4BD-2E11-4952-8AE8-1295FE31C553}"	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\MiscStatus\1	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\VERSION\ = "1.0"	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2146C4BD-2E11-4952-8AE8-1295FE31C553}\1.0\0	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2146C4BD-2E11-4952-8AE8-1295FE31C553}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dnEmzzKG.OsenXPForm	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2146C4BD-2E11-4952-8AE8-1295FE31C553}\1.0	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{755233FD-DE55-4724-85A0-78CD170AA9C9}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C29CD210-9031-411A-86D4-102E2E228853}\TypeLib\ = "{2146C4BD-2E11-4952-8AE8-1295FE31C553}"	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C29CD210-9031-411A-86D4-102E2E228853}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\Control\	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\MiscStatus\1\ = "131473"	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\VERSION	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C29CD210-9031-411A-86D4-102E2E228853}\ProxyStubClsid	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755233FD-DE55-4724-85A0-78CD170AA9C9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755233FD-DE55-4724-85A0-78CD170AA9C9}\TypeLib	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C29CD210-9031-411A-86D4-102E2E228853}\ProxyStubClsid32	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5773FB6A-3127-4094-8DD8-76C2C4CE6F40}\TypeLib	25b4be18ca97cb45183e53e0238a5bc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C29CD210-9031-411A-86D4-102E2E228853}\TypeLib	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{755233FD-DE55-4724-85A0-78CD170AA9C9}\ = "OsenXPForm"	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2146C4BD-2E11-4952-8AE8-1295FE31C553}\1.0\ = "dnEmzzKG"	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{755233FD-DE55-4724-85A0-78CD170AA9C9}\TypeLib\ = "{2146C4BD-2E11-4952-8AE8-1295FE31C553}"	25b4be18ca97cb45183e53e0238a5bc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755233FD-DE55-4724-85A0-78CD170AA9C9}\TypeLib\Version = "1.0"	25b4be18ca97cb45183e53e0238a5bc7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1560	25b4be18ca97cb45183e53e0238a5bc7.exe

C:\Users\Admin\AppData\Local\Temp\25b4be18ca97cb45183e53e0238a5bc7.exe
"C:\Users\Admin\AppData\Local\Temp\25b4be18ca97cb45183e53e0238a5bc7.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1560
- C:\Users\Admin\meijuq.exe
  "C:\Users\Admin\meijuq.exe"
  2⤵
  PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\meijuq.exe

Filesize
4KB

MD5
d10775fd4ebdb5d543acd9e3901576d0

SHA1
c35a58f0b9f0ff6dd9d4c81f01288d8632125265

SHA256
b74ca9b7fa7f0f220135a857ab71a0b952f4a432967ba18c22740998831dc006

SHA512
7976cf7203321e194bdf31b3933652609112b753422972590c53e601f366adfc1cf3e0ca289d1e09db34db9a11a94a7211333c0b4409fde2e44014c12da5c1bf

Download Submit
C:\Users\Admin\meijuq.exe

Filesize
4KB

MD5
c5d6f1d96688b51a770ce8edffafc854

SHA1
3bdb31454c34cdae834cbc78fd6439498a577f77

SHA256
c73a3f443f75a11a8a19429e5fff75de96d7f7273df4d29c64a4f99e98d7669e

SHA512
680194a5c6df553282e345a26dd0192fd5ca5c9a97a534f1b3e900244bba53a129dd671f534281f7295a74a7d2bfa4cef6f42e57fada4dbafffccde75f532238

Download Submit
C:\Users\Admin\meijuq.exe

Filesize
9KB

MD5
4d882d878783e223ef1ad484469937fc

SHA1
83c9eeaa8c54e0a7ee429990153548e2fcec6b17

SHA256
a81021cd50882d8c4febedd395fc601af2d0fb6b7411dc74c609c82e831d8849

SHA512
899897171745ce97e95826e56a9f366d8a33ca9b8595aae65be16a200547b7c424f16a91e6ac7310f7ffd11f07b127c222c6f838edfd4d8be191e6989257ebfd

Download Submit