125b72c1278eb5447c6e1bd0ff146fb1e24ad1e783954bb45850102ff0511710

Resubmissions

22/01/2024, 23:53

240122-3xe39sefh2 7

Analysis

max time kernel
2s
max time network
19s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/01/2024, 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lecture1.exe
Size

188KB
MD5

122e3ae9475052e416f3e0736f16a30d
SHA1

b19d1ca3d8ddcffc84ae6be8306cf50fba5d7775
SHA256

12d2f3baa485c5ec40bef2ae1c5a9afc885f895e8e915d32433b6882439a99d9
SHA512

ed9e1ea23c8646e2ee715a3dc9f23cf8cbb54864371dbf734466fa751bd06fadcd7bb674bb82e2a76c8385c46a98a8bf3b91be8a81d619399cb71059bffad094
SSDEEP

1536:RDtNKbhY9FNAxQKg+R0Rh77YFBVoyBEv5pVTwVcl:MbytAFgx2FBuyeVTqY

Score

7^/10

bootkit persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 22 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler	reg.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0066-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0035-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0045-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0006F059-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80757306-5146-11D5-A672-00B0D022E945}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0006F055-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97A2762C-403C-4953-A121-7A75ABCE4373}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6E13360-30AC-11D0-A18C-00A0C9118956}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6E65CBC0-926D-11D0-8E27-00C04FC99DCF}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0049-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0069-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0034-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0036-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0006F057-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3B06E967-E47C-11CD-8701-00AA003F0F07}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435fdba0-964c-43a7-8aff-cc94e21b2249}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4375351E-7052-40DF-B4D3-6095E7F8811B}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A683C92-BA84-11CF-8110-00A0C9030074}\InprocServer32\11.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E169-0000-0000-C000-000000000046}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0043-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3B06E989-E47C-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC9E435A-F037-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3B06E961-E47C-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC9E4356-F037-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0057-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0006F023-0000-0000-C000-000000000046}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27CE30A0-91FF-101B-AF4E-00AA003F0F07}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BED0-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0062-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E187-0000-0000-C000-000000000046}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ecf51f8-cfb1-458d-9485-f5a231afd22f}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0048-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22c6c651-f6ea-46be-bc83-54e83314c67f}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80757320-5146-11D5-A672-00B0D022E945}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0047-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0055-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5C71A93-FA82-4672-8B6A-E2C0FF64FF9D}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BFFECCA7-4069-49F9-B5AB-7CCBB078ED91}\InprocServer32\4.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBC}\InprocServer32	reg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Lecture1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.dotm\Word.TemplateMacroEnabled.12	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.Macro.1\shell\Open\ddeexec\application	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AtWorkRendering	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D9160E22-BDF3-4D8A-818C-D99D10EC7BEF}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\DAO.Index.120	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.BlankProjectTemplate.14\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\Implemented Categories	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\faxcover.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8075735F-5146-11D5-A672-00B0D022E945}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.BlankProjectTemplate.14	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SysFxUi.DLL	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEF3-D33A-4a4b-BF23-BBEF4663D017}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Plugin	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.dsp\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.pnf	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mad	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.ogm	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\BCSSync.Remoter.1	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0b6faa6c-afa9-4c9f-92a9-d1b9e13e49e7}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0034-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0027-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.gxf	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.potx\ShellEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mspaint.exe\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xps\OpenWithProgIds	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6E13344-30AC-11D0-A18C-00A0C9118956}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.View.1\shell\Design\ddeexec\application	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020D75-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7c61d0a6-af7e-483a-b705-d2c5c2264656}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpg\OpenWithList	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.ACCFTFile\CurVer	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E9963B7-B2BF-4685-9378-8FEBEA364EF8}\InprocServer32\4.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.oc_\PersistentHandler	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0047-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.aiff\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.secstore	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F2FD001-0148-474e-843E-D6D37A848D62}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hxa\OpenWithProgids	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	Lecture1.exe
Token: SeDebugPrivilege	3028	Lecture1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2748	3028	Lecture1.exe	29
PID 3028 wrote to memory of 2748	3028	Lecture1.exe	29
PID 3028 wrote to memory of 2748	3028	Lecture1.exe	29
PID 2748 wrote to memory of 2788	2748	cmd.exe	30
PID 2748 wrote to memory of 2788	2748	cmd.exe	30
PID 2748 wrote to memory of 2788	2748	cmd.exe	30

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Lecture1.exe
"C:\Users\Admin\AppData\Local\Temp\Lecture1.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k reg delete HKCR /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\reg.exe
    reg delete HKCR /f
    3⤵
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Modifies registry class
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3028-0-0x0000000001300000-0x0000000001336000-memory.dmp

Filesize
216KB

Download
memory/3028-1-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-2-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download
memory/3028-3-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-4-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads