ec7e2d1b4f44c8609f7d3f1739147a2f4a332538357bdaeb782828abf18dc88f

Analysis

max time kernel
160s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44b86bf0423e84aaa3930b25bf01a2a9.exe
Size

124KB
MD5

44b86bf0423e84aaa3930b25bf01a2a9
SHA1

2bdf37db2e02f09061334c9081cc2ee92ff809c7
SHA256

ec7e2d1b4f44c8609f7d3f1739147a2f4a332538357bdaeb782828abf18dc88f
SHA512

082d798ea4310ff355a0611e3d0611e59bcfc4fda0b9139456dcf75b3e423260d03c3062c1fb911696899cccda4b21e32d4978dbd962b2706ca608ec1384f3a7
SSDEEP

3072:v9hYL2lNz9Msq5IyGQJjWw7eKDR6CfzY0Vk9:lKL2Fq5IQdCKDR60k0Vk

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\44b86bf0423e84aaa3930b25bf01a2a9.exe = "c:\\users\\admin\\appdata\\local\\temp\\44b86bf0423e84aaa3930b25bf01a2a9.exe:*:Enabled:SMPN"	44b86bf0423e84aaa3930b25bf01a2a9.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdfmgr = "c:\\windows\\wdfmgr.exe"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	44b86bf0423e84aaa3930b25bf01a2a9.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wdfmgr\ImagePath = "c:\\windows\\wdfmgr.exe"	44b86bf0423e84aaa3930b25bf01a2a9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdfmgr = "c:\\windows\\wdfmgr.exe"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\wdfmgr = "c:\\windows\\wdfmgr.exe"	44b86bf0423e84aaa3930b25bf01a2a9.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\z:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\u:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\t:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\r:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\q:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\e:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\p:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\m:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\i:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\g:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\w:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\v:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\s:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\n:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\l:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\k:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\y:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\x:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\o:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\j:	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened (read-only)	\??\h:	44b86bf0423e84aaa3930b25bf01a2a9.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\regedit.exe	44b86bf0423e84aaa3930b25bf01a2a9.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	\??\c:\windows\Start Menu\Programs\Startup\AdobeLoader.scr	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened for modification	\??\c:\windows\wdfmgr.exe	44b86bf0423e84aaa3930b25bf01a2a9.exe
File created	\??\c:\windows\lsassv.exe	44b86bf0423e84aaa3930b25bf01a2a9.exe
File created	\??\c:\windows\msrpc.exe	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened for modification	\??\c:\windows\msrpc.exe	44b86bf0423e84aaa3930b25bf01a2a9.exe
File created	\??\c:\windows\regedit2.exe	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened for modification	\??\c:\windows\regedit2.exe	44b86bf0423e84aaa3930b25bf01a2a9.exe
File created	\??\c:\windows\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\AdobeLoader.scr	44b86bf0423e84aaa3930b25bf01a2a9.exe
File created	\??\c:\windows\wdfmgr.exe	44b86bf0423e84aaa3930b25bf01a2a9.exe
File created	\??\c:\windows\calc.exe	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened for modification	\??\c:\windows\mui\rctfd.sys	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened for modification	\??\c:\windows\lsassv.exe	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened for modification	\??\c:\windows\calc.exe	44b86bf0423e84aaa3930b25bf01a2a9.exe
File opened for modification	\??\c:\windows\mui\olefx.dll	44b86bf0423e84aaa3930b25bf01a2a9.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "7480"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "12890"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "17691"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "24348"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-OfflineFiles-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\plugins\\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "6326"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "18613"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "18639"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "30199"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "9028"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "9789"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Common Files\\microsoft shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\inf\\aspnet_state\\000E\\aspnet_state_perf.ini"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "29063"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "31306"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\z2ud2i1e.default-release\\safebrowsing\\social-tracking-protection-twitter-digest256.vlpset"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "17511"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~et-EE~7.1.7601.16492.cat"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "4925"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\weather.js"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "9728"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\System.DirectoryServices.Protocols.dll"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\de-DE\\chkntfs.exe.mui"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "5173"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Welcome Center.lnk"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "14144"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "14447"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\servicing\\Packages\\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~bg-BG~7.1.7601.16492.mum"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "3840"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "15602"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\diagnostics\\system\\Power\\ja-JP\\RS_Adjustwirelessadaptersettings.psd1"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "26150"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "8801"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "15723"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "29216"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\features\\org.eclipse.emf.ecore_2.10.1.v20140901-1043\\license.html"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ASP.NETWebAdminFiles\\AppConfig\\App_LocalResources\\AppSetting.ascx.fr.resx"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "25782"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Microsoft Office\\Office14\\FORMS\\1033\\APPT.CFG"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Microsoft Office\\Office14\\NL7Data0011.DLL"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\assembly\\GAC_MSIL\\System.Core.resources\\3.5.0.0_fr_b77a5c561934e089\\System.Core.Resources.dll"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "18636"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "19259"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~de-DE~7.1.7601.16492.cat"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR45F.GIF"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\PUBSPAPR\\PDIR5B.GIF"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "16074"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "19074"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "6444"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ASP.NETWebAdminFiles\\App_LocalResources\\home1.aspx.ja.resx"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "25767"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\SysWow64\\compstui.dll"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files\\Internet Explorer\\en-US\\F12Resources.dll.mui"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Microsoft Office\\CLIPART\\PUB60COR\\J0099197.GIF"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "16532"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "21335"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "31163"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Common Files\\System\\msadc\\it-IT\\msadcer.dll.mui"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\ja-JP\\js\\slideShow.js"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FNum = "21740"	44b86bf0423e84aaa3930b25bf01a2a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\FLast = "c:\\Windows\\servicing\\Packages\\Microsoft-Windows-PeerDist-Client-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat"	44b86bf0423e84aaa3930b25bf01a2a9.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2796	44b86bf0423e84aaa3930b25bf01a2a9.exe

C:\Users\Admin\AppData\Local\Temp\44b86bf0423e84aaa3930b25bf01a2a9.exe
"C:\Users\Admin\AppData\Local\Temp\44b86bf0423e84aaa3930b25bf01a2a9.exe"
1⤵
- Modifies firewall policy service
- Adds policy Run key to start application
- Sets service image path in registry
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\msrpc.exe

Filesize
124KB

MD5
0168e00e34a0bfad998180f60664b5b7

SHA1
fa7ba0af48e437ac36ee131134acfce6f9877c33

SHA256
d9068dc0ddfedf3059122f447b92970e9739016b09153de642894e255d6cc74f

SHA512
6ad46081ab755732e44376c2a3fb808908ed11e7e1d619e540c6c076845f2290ad3f7453dba2562ac5d6266f471e91b5da44b9c0628509013ad67f3a093d7d95

Download Submit
memory/2796-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2796-5-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2796-18-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2796-19-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2796-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2796-25-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2796-26-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2796-27-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2796-29-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2796-30-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads