Analysis Overview
SHA256
15a701b7671bcee70aa12b57edaf4f78849576699c35095febc658c28fcb2cfd
Threat Level: Shows suspicious behavior
The file 90039c975ddc2e891b50aae18bed6a65 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Registers COM server for autorun
Executes dropped EXE
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Unsigned PE
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-04 19:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-04 19:55
Reported
2024-02-04 19:57
Platform
win7-20231215-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| File created | C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| File opened for modification | C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| File created | C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| File opened for modification | C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| File created | C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| File opened for modification | C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| File created | C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID\ = "suRf anD keep.2.19" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Programmable | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\ = "surf and! keep" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.suRf | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\ = "surf and! keep" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID\ = "suRf anD keep" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\anD | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19 | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\ = "surf and! keep" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\ = "surf and! keep" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer\ = "suRf anD keep.2.19" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\suRf | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} = "1" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe
"C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe"
C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
"C:\Users\Admin\AppData\Local\Temp/00294823/kBYeWZe3g.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"
Network
Files
\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.dat
C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.dll
C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.tlb
C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.x64.dll
C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
C:\ProgramData\surf and! keep\kBYeWZe3g.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-04 19:55
Reported
2024-02-04 19:57
Platform
win10v2004-20231215-en
Max time kernel
92s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| File created | C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| File opened for modification | C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| File created | C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| File opened for modification | C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| File created | C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| File opened for modification | C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| File created | C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\ = "surf and! keep" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID\ = "suRf anD keep" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\CLSID | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19 | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\ = "surf and! keep" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\anD | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Programmable | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID\ = "suRf anD keep.2.19" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep.suRf | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.tlb" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\suRf | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer\ = "suRf anD keep.2.19" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\ = "surf and! keep" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer\ = "suRf anD keep.2.19" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.dll" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} = "1" | C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe
"C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65.exe"
C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
"C:\Users\Admin\AppData\Local\Temp/00294823/kBYeWZe3g.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.dat
C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.dll
C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll
C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll
C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.tlb
C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll
C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll
C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll
C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.x64.dll
C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe