Analysis
max time kernel: 20s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/01/2024, 10:22
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 45fbda8dcf7d68ac3ced36afe512052e.exe
  Resource: win7-20231215-en
  10 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: 45fbda8dcf7d68ac3ced36afe512052e.exe
  Resource: win10v2004-20231215-en
  9 signatures, 150 seconds
General
Target: 45fbda8dcf7d68ac3ced36afe512052e.exe
Size: 140KB
MD5: 45fbda8dcf7d68ac3ced36afe512052e
SHA1: 8f91626d71ffce512d0fe76927914205e3f801ad
SHA256: d2e573203edafedb47f6bbdecdf538a2a2c3e763cb25178604c49691b5233c2e
SHA512: 452a5fbf61296f4069a02ed84bdbb99c606bbcc70cd878cfa83d248788fd72b6fb8f54af1fda54df47e76c877ddd72e3d52065b3e884d82a938c74b2e2d8983e
SSDEEP: 3072:0EamHrX3oZYw+yL6M8XT8viIQi88phTD27ZLbFTKSPi5Uj+BnYTRavcrhcXyOke:XX4234ZQ70pJ5eYYTAct+
Score: 7/10
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 5012  Process 51b105.exe
Loads dropped DLL (1 IoC)
  pid 5012  Process 51b105.exe
Drops file in System32 directory (3 IoCs)
  File opened for modification  C:\Windows\SysWOW64\MSWINSCK.OCX  45fbda8dcf7d68ac3ced36afe512052e.exe
  File opened for modification  C:\Windows\SysWOW64\MSINET.OCX  45fbda8dcf7d68ac3ced36afe512052e.exe
  File opened for modification  C:\Windows\SysWOW64\51b105.exe  45fbda8dcf7d68ac3ced36afe512052e.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class (47 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3264  Process 45fbda8dcf7d68ac3ced36afe512052e.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeSystemtimePrivilege  pid 3264  Process 45fbda8dcf7d68ac3ced36afe512052e.exe
  Token: SeSystemtimePrivilege  pid 3264  Process 45fbda8dcf7d68ac3ced36afe512052e.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 3264  Process 45fbda8dcf7d68ac3ced36afe512052e.exe
  pid 3264  Process 45fbda8dcf7d68ac3ced36afe512052e.exe
  pid 3264  Process 45fbda8dcf7d68ac3ced36afe512052e.exe
  pid 5012  Process 51b105.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3264 wrote to memory of 5012  Process 45fbda8dcf7d68ac3ced36afe512052e.exe  procid_target 103
  PID 3264 wrote to memory of 5012  Process 45fbda8dcf7d68ac3ced36afe512052e.exe  procid_target 103
  PID 3264 wrote to memory of 5012  Process 45fbda8dcf7d68ac3ced36afe512052e.exe  procid_target 103
Processes
C:\Users\Admin\AppData\Local\Temp\45fbda8dcf7d68ac3ced36afe512052e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\45fbda8dcf7d68ac3ced36afe512052e.exe"
  PID: 3264
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\51b105.exe (depth 2)
    Command line: C:\Windows\system32\51b105.exe
    PID: 5012
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\gggg25.exe (depth 2)
    Command line: C:\Windows\system32\gggg25.exe
    PID: 3500
  C:\Windows\SysWOW64\ddddy4.exe (depth 2)
    Command line: C:\Windows\system32\ddddy4.exe
    PID: 5060