679a262683269630fd0a597ca8a8495766d6a2950c406e12c821c9b19c290d23

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

4.3MB
MD5

76f62b8e582b16c9a0e944e6e0ec4416
SHA1

e1da6c8e9eca8013267a34b2a7522326b33dd442
SHA256

679a262683269630fd0a597ca8a8495766d6a2950c406e12c821c9b19c290d23
SHA512

6e60df2b5ecd59dfa5485f64c42e7a1fba59760f132fa5e2685a72ab380c3661c65ff8b9ba5ec0eb81b5d9fb6737322f7954b9fc91f44f78dfb1848ae76111d5
SSDEEP

49152:ve7OO75f2R6Hjz40wOUNvzsaSSq7tceaMget9WD5W5VN+JCuyz9p7kuc7ioYRpuj:IfAEHbwOGz5ytu/scOoYOQat4O

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2064	tmp.exe
2064	tmp.exe
2064	tmp.exe

Registers COM server for autorun 1 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ECDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\CLSID\{2ECDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1ACDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1ACDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32\ThreadingModel = "Apartment"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ECDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\CabPack.dll"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ECDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32\ThreadingModel = "Apartment"	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\CLSID\{1FCDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1ACDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\CabPack.dll"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\CabPack.dll"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32\ThreadingModel = "Apartment"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32	tmp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ClocX\Lang\Ukrainian.lng	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\AquaB.ini	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\roman\romanminute.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Sounds\alert.mp3	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Aqua.bmp	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\VioletteKugler.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Wall Clock medium.bmp	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\negro2.ini	tmp.exe
File created	C:\Program Files (x86)\ClocX\Sounds\clockbell.mp3	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueAppleClock.ini	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\bahnhofsuhr.ini	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\cowboy2.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\roman\romanhour.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Sounds\ring.wav	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Cappuccino.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\NewDefault.bmp	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\aquamade.ini	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\hallow.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\roman2\roman2hour.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockAqua.bmp	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlackAppleClock.bmp	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Naranja.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\White_Apple_Clock.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\hallow2.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\klokje.ini	tmp.exe
File created	C:\Program Files (x86)\ClocX\Lang\Arabic.lng	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Amarillo.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Holzuhr.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\woodone\woodhour.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Lang\Polish.lng	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\CloQ.ini	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Neon.ini	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\domeclock\domemin.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Lang\Greek.lng	tmp.exe
File created	C:\Program Files (x86)\ClocX\Lang\Thai.lng	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Metalluhr.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall\secondhand-7.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\greenmarble\marblemin.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Lang\Deutsch.lng	tmp.exe
File created	C:\Program Files (x86)\ClocX\Lang\Hungarian.lng	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\LongClock.bmp	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\romanblack\romanblackhour.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockAmber.bmp	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Negro.ini	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\apple.ini	tmp.exe
File created	C:\Program Files (x86)\ClocX\Lang\Afrikaans.lng	tmp.exe
File created	C:\Program Files (x86)\ClocX\Lang\English.lng	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Jagua3rClock.bmp	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\GuldKugler.ini	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\earth.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Lang\Hebrew.lng	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\IvyLace.ini	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\MickeyClock.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Octopye2.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Nvidia2.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Jaguar2Clock.bmp	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\earth2.ini	tmp.exe
File created	C:\Program Files (x86)\ClocX\Lang\Brazilian Portuguese.lng	tmp.exe
File created	C:\Program Files (x86)\ClocX\Lang\Portuguese.lng	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Alte Standuhr.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Apple.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Bahnhofsuhr.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Casio.png	tmp.exe
File created	C:\Program Files (x86)\ClocX\Presets\Unreal.png	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32\ThreadingModel = "Apartment"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\CLSID\{1FCDA66F-9E91-6F6C-A4D0-C20C85B559DE}	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ECDA66F-9E91-6F6C-A4D0-C20C85B559DE}	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ECDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\{e357fccd-a995-4576-b01f-234630154e96}\ = "{1ACDA66F-9E91-6F6C-A4D0-C20C85B559DE}"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ECDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\CabPack.dll"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCDA66F-9E91-6F6C-A4D0-C20C85B559DE}	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\CLSID	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\CLSID\{2ECDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\CabPack.dll"	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\CLSID\{1FCDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1ACDA66F-9E91-6F6C-A4D0-C20C85B559DE}	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1ACDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\CabPack.dll"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1ACDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32\ThreadingModel = "Apartment"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ECDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32\ThreadingModel = "Apartment"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx\ = "{2ECDA66F-9E91-6F6C-A4D0-C20C85B559DE}"	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\CLSID\{2ECDA66F-9E91-6F6C-A4D0-C20C85B559DE}	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1ACDA66F-9E91-6F6C-A4D0-C20C85B559DE}\InProcServer32	tmp.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2064	tmp.exe
2064	tmp.exe
2064	tmp.exe
2064	tmp.exe
2064	tmp.exe
2064	tmp.exe
2064	tmp.exe
2064	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy143D.tmp\Checker.dll

Filesize
41KB

MD5
f523a939094cc8681a3636db2c8ff809

SHA1
608d175fa2c86b724f8137fead60aca3fc364265

SHA256
82ab2915f0c86cbdc4acc8ce4efd85af374b19d0d9f5c06006b20ba7bff56383

SHA512
520551b6840cfcd397d879b7b5947c3c730f6e0accc5a138eabbfe1faa11724f8c041b9af194c42b2bd36cc872b6ec271e1d5f504cbb58214508c5592ef75e1f

Download Submit
\Program Files (x86)\ClocX\ClocX.exe

Filesize
413KB

MD5
fb54c095dad246c7b831525353618c45

SHA1
0afce2d9c974598d1bc058fb35c39d584e366b3f

SHA256
e9956994641f8c04fb2f4913d4d6d688c9780af38f1c02dc3ef368cbe7c86459

SHA512
dda484cbba87e4bad5ddca852bfe769050ebd34f7c48b8cccbd40495664d42d8dd707e433edb696de5ca5aafebcf845e297aeb4521345e6d347fa28280e228c6

Download Submit
\Users\Admin\AppData\Local\Temp\nsy143D.tmp\Zip.dll

Filesize
22KB

MD5
54fcbe77a5cacfb745f46efcf8061089

SHA1
a7e84b43ee6b203c4c41908fd35dc738670b920c

SHA256
b50991371af9073e3852f8c719ce65dc228d5feb747c89db5e04bed1dec2cdb6

SHA512
502e9b918c19f0f3469c2c36e4f246821b95d2c414b4bf702a8fc12c2ec71d1510a65b87bdf0258d75746384f18f6f26396b47dc5b38e19fdefc4c51e3421258

Download Submit
memory/2064-13-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2064-17-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2064-18-0x0000000004310000-0x0000000004F38000-memory.dmp

Filesize
12.2MB

Download
memory/2064-22-0x0000000000540000-0x000000000057A000-memory.dmp

Filesize
232KB

Download