23a4a186a69ab3a019bd7327cbe4337f8413af5023749bb41f1da3d89edbe2b0

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 05:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8b7fc9ab67da3b85f48429326b2c87a3.exe
Size

775KB
MD5

8b7fc9ab67da3b85f48429326b2c87a3
SHA1

a5482839f813b3c4c7b3b94236f0f77c0b8b62d4
SHA256

23a4a186a69ab3a019bd7327cbe4337f8413af5023749bb41f1da3d89edbe2b0
SHA512

dcb4a118938466e2009e529e81ccf4be33bc5ea102998eb15396abca5507c1b6787bbd233ba98f8b6cd5eaad968e929a96815167aacfd2ab88390920fc8c4882
SSDEEP

12288:hffJITCQGnlsr85rwy4fQcwOBDulTQwIf0NyFYbQEBGNh1m36fc:hST5Ap58wGzfLYkjb1u6k

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}\TypeLib\Version = "1.0"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\basic.mummify\CurVer	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\VersionIndependentProgID	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\LocalServer32	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\TypeLib	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\Version	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\TypeLib\ = "{f36dc8bc-6bd6-4e9b-ad28-91442b379dfb}"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}\1.0	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8b7fc9ab67da3b85f48429326b2c87a3.exe\""	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\Version\ = "1.0"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}\TypeLib\ = "{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\Programmable	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\ProgID	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8b7fc9ab67da3b85f48429326b2c87a3.exe"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}\1.0\ = "InstallerLib"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}\TypeLib	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\basic.mummify.1\CLSID	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}\1.0	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\basic.mummify.1\ = "Inst Class"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\basic.mummify\CurVer	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}\1.0\FLAGS\ = "0"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}\ = "IBoot"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}\TypeLib\ = "{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}\TypeLib	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}\1.0\FLAGS	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\basic.mummify.1\CLSID\ = "{722f000d-b742-43e6-9f92-10fc9ff9d405}"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\ProgID	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\ = "Inst Class"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\LocalServer32	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}\1.0\0	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}\1.0\HELPDIR	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\basic.mummify\ = "Inst Class"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}\1.0\0\win32	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\basic.mummify	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}\TypeLib	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}\TypeLib	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\VersionIndependentProgID\ = "basic.mummify"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\basic.mummify	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}\ProxyStubClsid32	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\basic.mummify.1\CLSID	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8b7fc9ab67da3b85f48429326b2c87a3.exe:typelib"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}\1.0\0	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}\ = "IBoot"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}\1.0\FLAGS	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}\ProxyStubClsid32	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\ProgID\ = "basic.mummify.1"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}\ProxyStubClsid32	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\basic.mummify.1	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\Programmable	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}\1.0\0\win32	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}\1.0\HELPDIR	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F36DC8BC-6BD6-4E9B-AD28-91442B379DFB}	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\VersionIndependentProgID	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}\ProxyStubClsid32	8b7fc9ab67da3b85f48429326b2c87a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92FBE6AB-1078-48DA-AC74-3261481BF491}	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}	8b7fc9ab67da3b85f48429326b2c87a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722f000d-b742-43e6-9f92-10fc9ff9d405}\Version	8b7fc9ab67da3b85f48429326b2c87a3.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\8b7fc9ab67da3b85f48429326b2c87a3.exe:typelib	8b7fc9ab67da3b85f48429326b2c87a3.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2856	8b7fc9ab67da3b85f48429326b2c87a3.exe
2856	8b7fc9ab67da3b85f48429326b2c87a3.exe

C:\Users\Admin\AppData\Local\Temp\8b7fc9ab67da3b85f48429326b2c87a3.exe
"C:\Users\Admin\AppData\Local\Temp\8b7fc9ab67da3b85f48429326b2c87a3.exe"
1⤵
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8b7fc9ab67da3b85f48429326b2c87a3.exe:typelib

Filesize
8KB

MD5
4c2558d0af7b379fbfc0ddcc8257b35e

SHA1
2ecb212f7efa9f6542bc66f3a9186e737379c606

SHA256
959d352ac519db478f9fbdbfb1720a01bddee827bc68fee8d675fd443b036d6c

SHA512
fc189cd4b9664dd6e7d52dbd365f3c57dd34cd5246f141936349b1bb35ea0c0844b4f770d63b5d94179126f8df6703d0dc38d1d5cee476fe5ad20ef725d4a841

Download Submit
memory/2856-0-0x0000000000330000-0x00000000004E3000-memory.dmp

Filesize
1.7MB

Download
memory/2856-11-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2856-13-0x0000000000330000-0x00000000004E3000-memory.dmp

Filesize
1.7MB

Download