a57ec96822fe67acb7bb01bd1a1ea90467e7da767d002598f7586b16be5c8c5d

Analysis

max time kernel
120s
max time network
131s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ae1b3980e71fcc5e37094c2f561c434.exe
Size

206KB
MD5

2ae1b3980e71fcc5e37094c2f561c434
SHA1

ceaf2cbddf40409a676e4a9fc0591b0a30aa039b
SHA256

a57ec96822fe67acb7bb01bd1a1ea90467e7da767d002598f7586b16be5c8c5d
SHA512

b63697b73b1b74c8c2fafc0b0aa13356e760d5cbd17a2aeaff36758289726ffd7abe4a1e71bd20c2bd82921638fb085b9e434174ad9bb69e8c94cea810e76e90
SSDEEP

6144:orPiUVPw2PtLd3BqnEG8YV9aKxKfmge1QMNAr:orPiU9rJSnaYV9aKR8

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2076	regsvr32.exe
2928	2ae1b3980e71fcc5e37094c2f561c434.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSInet.ocx	2ae1b3980e71fcc5e37094c2f561c434.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lsass.exe	2ae1b3980e71fcc5e37094c2f561c434.exe
File opened for modification	C:\Windows\lsamsn.exe	2ae1b3980e71fcc5e37094c2f561c434.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ = "Microsoft Internet Transfer Control 6.0 (SP4)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\ = "Microsoft Internet Transfer Control 6.0 (SP4)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\MSInet.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSInet.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSInet.ocx, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSInet.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CurVer\ = "InetCtls.Inet.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID\ = "InetCtls.Inet"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1\ = "132497"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID\ = "InetCtls.Inet.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\ = "Internet Control General Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\ = "Internet Control URL Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\ = "Microsoft Internet Transfer Control 6.0 (SP4)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0	regsvr32.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2ae1b3980e71fcc5e37094c2f561c434.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2ae1b3980e71fcc5e37094c2f561c434.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2ae1b3980e71fcc5e37094c2f561c434.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2928	2ae1b3980e71fcc5e37094c2f561c434.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2076	2928	2ae1b3980e71fcc5e37094c2f561c434.exe	28
PID 2928 wrote to memory of 2076	2928	2ae1b3980e71fcc5e37094c2f561c434.exe	28
PID 2928 wrote to memory of 2076	2928	2ae1b3980e71fcc5e37094c2f561c434.exe	28
PID 2928 wrote to memory of 2076	2928	2ae1b3980e71fcc5e37094c2f561c434.exe	28
PID 2928 wrote to memory of 2076	2928	2ae1b3980e71fcc5e37094c2f561c434.exe	28
PID 2928 wrote to memory of 2076	2928	2ae1b3980e71fcc5e37094c2f561c434.exe	28
PID 2928 wrote to memory of 2076	2928	2ae1b3980e71fcc5e37094c2f561c434.exe	28

C:\Users\Admin\AppData\Local\Temp\2ae1b3980e71fcc5e37094c2f561c434.exe
"C:\Users\Admin\AppData\Local\Temp\2ae1b3980e71fcc5e37094c2f561c434.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 -s C:\Windows\system32\MSInet.ocx
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Windows\lsass.exe

Filesize
6KB

MD5
a5bb7793f51767f46ce1c12254149492

SHA1
aadb43df2addc25eddf4cb252641d39790ae72da

SHA256
6cf63146254cdb1b0e2531fa722d474c9e333e552fbb59f4ff383c0ec462e7f6

SHA512
d5d79dc8449f598fc72942de14bac07cec14806d78efae6a2383390095d5c10b85ad815019cdfd78f72da3c823f9f6404036478ef3e5d9d19e64714bfaa9b5b1

Download Submit
\Windows\SysWOW64\MSInet.ocx

Filesize
113KB

MD5
40d81470a19269d88bf44e766be7f84a

SHA1
4030e8e94297bc0aa5139fe241e8cf8f8142d8d4

SHA256
dd1215f01b484e7842763302d42749d516963d9ac74e2fe8825a5eaba34f6229

SHA512
e4a39613cc32885b67f6219281fbf99f50018b5fd2886b5389cfa04dc9dc4ebfc46fca2b9e89586116094fa3a7600c20b2ca0fa3535dd2615739621856506864

Download Submit
memory/2928-20-0x0000000075E90000-0x0000000075E9A000-memory.dmp

Filesize
40KB

Download
memory/2928-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2928-6-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2928-5-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2928-8-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2928-7-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2928-12-0x00000000751A0000-0x00000000751AC000-memory.dmp

Filesize
48KB

Download
memory/2928-16-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2928-3-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2928-22-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2928-21-0x0000000074DB0000-0x0000000074E0F000-memory.dmp

Filesize
380KB

Download
memory/2928-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2928-13-0x0000000076C60000-0x0000000076D50000-memory.dmp

Filesize
960KB

Download
memory/2928-4-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2928-9-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2928-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2928-2-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2928-57-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2928-58-0x00000000751A0000-0x00000000751AC000-memory.dmp

Filesize
48KB

Download
memory/2928-62-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2928-1-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2928-70-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2928-69-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2928-68-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2928-67-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2928-71-0x0000000076C60000-0x0000000076D50000-memory.dmp

Filesize
960KB

Download