Analysis

max time kernel: 144s
max time network: 149s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 10/01/2024, 07:06
Behavioral tasks

behavioral1: sample 4fe6a78b3acc6e4f636891bc5e4bd982.exe, resource win7-20231215-en
behavioral2: sample 4fe6a78b3acc6e4f636891bc5e4bd982.exe, resource win10v2004-20231215-en
General

Target: 4fe6a78b3acc6e4f636891bc5e4bd982.exe
Size: 4.6MB
MD5: 4fe6a78b3acc6e4f636891bc5e4bd982
SHA1: d7f76fe8d5529a535885b1a34045790b3c74b37d
SHA256: c2c66ec47fc9c969de74cbb8ae050243e5c51e8033811cb04bd3b975d0037d1b
SHA512: ea313e8e2de3c3467b1b0aa2752cd7c6e53e7e7df7a64935035e012fe4904e64f8f391d30ebc8dfb268cd886f7855b0d2fa88915a1b502a946fd16588d4bca21
SSDEEP: 98304:Xg1glG4ajy2toG3AMzo3kDS0TD8QqKiuW3Am1HF3F/DudFUy6pmTK:X84H0jBigCD2FAm+
Malware Config
Signatures

Loads dropped DLL (3 IoCs)
pid 3044, process 4fe6a78b3acc6e4f636891bc5e4bd982.exe (3 hits)

YARA rule matches (17 IoCs)
resource: behavioral1/memory/3044-N-0x0000000000400000-0x00000000008A9000-memory.dmp, for N in 0, 14, 30, 31, 34, 37, 40, 43, 46, 49, 52, 55, 58, 61, 64, 67, 70 (all dumps of the same image region of PID 3044)
yara_rule: vmprotect (matched on every dump listed)
Modifies registry class (36 IoCs)
Process for all 36 entries: 4fe6a78b3acc6e4f636891bc5e4bd982.exe

Taken together, the 36 events register three COM classes under HKLM\SOFTWARE\Classes (32-bit view): ProgIDs QMDispatch.QMLibrary ({EBEB87A6-E151-4054-AB45-A6E094C5334B}), QMDispatch.QMRoutine ({C07DB6A3-34FC-4084-BE2E-76BB9203B049}) and QMDispatch.QMVBSRoutine ({241D7F03-9232-4024-8373-149860BE27C0}). Each class's InProcServer32 default value points at C:\Users\Admin\AppData\Roaming\mymacro\qdisp.dll with ThreadingModel = "Apartment", i.e. the in-process server for every class is a DLL in the user's roaming profile, not a protected system directory. The entries are listed below grouped by class; the sandbox reports both the InProcServer32 and InprocServer32 spellings of the key-creation event.

CLSID {EBEB87A6-E151-4054-AB45-A6E094C5334B} (QMDispatch.QMLibrary):
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"

CLSID {C07DB6A3-34FC-4084-BE2E-76BB9203B049} (QMDispatch.QMRoutine):
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"

CLSID {241D7F03-9232-4024-8373-149860BE27C0} (QMDispatch.QMVBSRoutine):
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"
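The flattened registry events are hard to read as a list; what an analyst actually wants from them is one row per CLSID (ProgID, in-process server, threading model) and a flag on any server that lives in a user-writable path. The parser below is an added example written for this page, not part of the sandbox report or its tooling. It re-implements the line shapes seen above ("Key created <key> <process>" and "Set value (<type>) <key\value> = "<data>" <process>") and runs over a constructed sample made of a subset of this report's own events plus one invented benign control registration (placeholder CLSID {00000000-0000-0000-0000-000000000000}, server C:\Windows\System32\example.dll, process example.exe), so that the flag has something to leave alone. The "user-writable" test (drive:\Users\... or any \AppData\ component) is a deliberately narrow assumption; extend it to the paths your environment treats as untrusted.

```python
import re

# Constructed sample input: a subset of the "Modifies registry class" events
# above, plus one invented benign registration (placeholder CLSID, System32
# path, process name example.exe) as a control. One event per line, in the
# sandbox's flattened form:
#   <action> <key\value>[ = "<data>"] <process>
SAMPLE_EVENTS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32 4fe6a78b3acc6e4f636891bc5e4bd982.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine" 4fe6a78b3acc6e4f636891bc5e4bd982.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine" 4fe6a78b3acc6e4f636891bc5e4bd982.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment" 4fe6a78b3acc6e4f636891bc5e4bd982.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" 4fe6a78b3acc6e4f636891bc5e4bd982.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}" 4fe6a78b3acc6e4f636891bc5e4bd982.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" 4fe6a78b3acc6e4f636891bc5e4bd982.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" 4fe6a78b3acc6e4f636891bc5e4bd982.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InProcServer32\ = "C:\\Windows\\System32\\example.dll" example.exe
'''

SET_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (\S+) (\S+)$')
# ...\CLSID\{guid}[\subkey...]  (works for both Classes\CLSID and Classes\Wow6432Node\CLSID)
CLSID_KEY_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.*))?$')
# ...\Classes\<ProgID>\CLSID  (the ProgID-to-CLSID side of a registration)
PROGID_KEY_RE = re.compile(r'\\Classes\\([^\\]+)\\CLSID$')
# Assumption: these prefixes are what we call "user-writable"; tune per environment.
USER_WRITABLE_RE = re.compile(r'^[a-z]:\\users\\|\\appdata\\', re.I)


def parse_event(line):
    """Split one flattened event into (action, key, value_name, data, process).
    Returns None for lines in neither of the two shapes the report uses."""
    m = SET_RE.match(line)
    if m:
        _vtype, path, data, proc = m.groups()
        # A trailing backslash means the key's default value (empty name).
        key, _, value_name = path.rpartition('\\')
        return ('set', key, value_name, data, proc)
    m = KEY_RE.match(line)
    if m:
        key, proc = m.groups()
        return ('create', key, None, None, proc)
    return None


def unescape(data):
    """The sandbox doubles backslashes inside quoted string data."""
    return data.replace('\\\\', '\\')


def summarize_com_registrations(events_text):
    """Group Set-value events by CLSID and flag in-process servers whose path
    is user-writable. Returns {'classes': {clsid: fields}, 'progids': {progid: clsid}}."""
    classes, progids = {}, {}
    for raw in events_text.strip().splitlines():
        ev = parse_event(raw.strip())
        if ev is None or ev[0] != 'set':
            continue  # 'Key created' carries no data we need here
        _, key, name, data, proc = ev
        m = CLSID_KEY_RE.search(key)
        if m:
            clsid, sub = m.group(1).upper(), (m.group(2) or '')
            entry = classes.setdefault(clsid, {
                'name': None, 'progid': None, 'server': None,
                'threading': None, 'process': proc, 'flagged': False})
            if sub == '' and name == '':
                entry['name'] = data                      # default value of the CLSID key
            elif sub.lower() == 'progid' and name == '':
                entry['progid'] = data
            elif sub.lower() == 'inprocserver32' and name == '':
                entry['server'] = unescape(data)          # DLL loaded into every client
            elif sub.lower() == 'inprocserver32' and name.lower() == 'threadingmodel':
                entry['threading'] = data
            continue
        m = PROGID_KEY_RE.search(key)
        if m and name == '':
            progids[m.group(1)] = data.upper()
    for entry in classes.values():
        entry['flagged'] = bool(entry['server'] and USER_WRITABLE_RE.search(entry['server']))
    return {'classes': classes, 'progids': progids}


def flagged_servers(events_text):
    """(clsid, progid, server) for every registration whose server is user-writable."""
    summary = summarize_com_registrations(events_text)
    return sorted((clsid, e['progid'], e['server'])
                  for clsid, e in summary['classes'].items() if e['flagged'])


if __name__ == '__main__':
    for clsid, progid, server in flagged_servers(SAMPLE_EVENTS):
        print(f'{clsid} {progid or "(no ProgID seen)"} -> {server}')
```

Run stand-alone it prints the three QMDispatch classes with their qdisp.dll server and stays silent on the constructed System32 control. On a live host the same per-CLSID view can be built by enumerating HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\*\InProcServer32 directly; the point of parsing the sandbox output is to get that view without re-running the sample.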
Suspicious use of FindShellTrayWindow (1 IoC)
pid 3044, process 4fe6a78b3acc6e4f636891bc5e4bd982.exe

Suspicious use of SendNotifyMessage (1 IoC)
pid 3044, process 4fe6a78b3acc6e4f636891bc5e4bd982.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
pid 3044, process 4fe6a78b3acc6e4f636891bc5e4bd982.exe (12 hits)
Processes

- C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe"
  PID: 3044
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 59KB
  MD5: 929f56b46242fa68a616374a5403689b
  SHA1: 45b4ade1f0cc2bf13e74d9801eee5c7abee3c3b2
  SHA256: 767b2e735693a9455a23b19e7a94643fd6095fa1158cbe22f612d657ebbb670d
  SHA512: 81c69649efff9d320533bcb3256d42c671877e1d48f9df99134c514aa2d888d11ded13b9d3447949881513e376cf4644b41b997cad2a9ffb51f4f45ca3cdc641

- Filesize: 43KB
  MD5: 7171bc500507f070355c8903e0ea6d3d
  SHA1: 073d479fdbd1f2af5d494e90b950098be63dee75
  SHA256: 3e02f67604dcc1f9e2f107e3dc04f9dcdc59431b2a9323838b61c427c63b997c
  SHA512: a8162de29e73f7a198ab7b592c393c8b39e42d5f6649efeca300a90dd7c70178fca1cfcd1f721588dcff296d5245f9ebfa289c6525c7e8621c8eef3e77787622