e36b94a491c88617a191d567c22d5f1738c9a072f5582dde5a84974db76fac57

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 05:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c285477a656d8d4a23ac78b7c077cb8c.exe
Size

1.1MB
MD5

c285477a656d8d4a23ac78b7c077cb8c
SHA1

04f9551f357894f0dd4611bbce35aff4582074b8
SHA256

e36b94a491c88617a191d567c22d5f1738c9a072f5582dde5a84974db76fac57
SHA512

70f382f0ec86eeef7eac68b1ad82c7341d41fa0f7987f3f6a3ebec6a9dd142a6eef1d50a8e196628715964a9201ff509229ab566110b8b97a61079c81f680148
SSDEEP

24576:RBXLgAleBQqq7U5jOdJpqhNEN2pL5tgT+Ue12vknYJ4xEFCmuGA:zXuX56XpqcN05t6+F1hw1A

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1296	c285477a656d8d4a23ac78b7c077cb8c.exe
1296	c285477a656d8d4a23ac78b7c077cb8c.exe
1296	c285477a656d8d4a23ac78b7c077cb8c.exe
1296	c285477a656d8d4a23ac78b7c077cb8c.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\comdlg32.ocx	c285477a656d8d4a23ac78b7c077cb8c.exe
File created	C:\Windows\SysWOW64\comctl32.ocx	c285477a656d8d4a23ac78b7c077cb8c.exe
File created	C:\Windows\SysWOW64\richtx32.ocx	c285477a656d8d4a23ac78b7c077cb8c.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3B7C8860-D78F-101B-B9B5-04021C009402}	c285477a656d8d4a23ac78b7c077cb8c.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}\ = "RichText Apppearance Property Page Object"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32\ThreadingModel = "Apartment"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl.1\ = "Microsoft Rich Textbox Control, version 6.0"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1\CLSID	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ = "ICommonDialogEvents"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Windows\\SysWow64\\COMDLG32.OCX"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ProxyStubClsid32	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ProxyStubClsid32	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ = "ICommonDialog"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl.1\CLSID\ = "{3B7C8860-D78F-101B-B9B5-04021C009402}"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\ProgID	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR\	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\ = "Microsoft Rich Textbox Control, version 6.0"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Implemented Categories	c285477a656d8d4a23ac78b7c077cb8c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}	c285477a656d8d4a23ac78b7c077cb8c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\TypeLib	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ = "IVBDataObject"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\TypeLib\Version = "1.2"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\ = "Microsoft Common Dialog Control 6.0 (SP3)"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\COMDLG32.OCX, 1"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ = "IOLEObject"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CurVer\ = "MSComDlg.CommonDialog.1"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID\ = "MSComDlg.CommonDialog.1"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ = "ICommonDialog"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\Version = "1.2"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl.1\CLSID	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.2"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\ = "IOLEObjects"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CLSID\ = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID\ = "MSComDlg.CommonDialog"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Version	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\TypeLib	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\TypeLib\Version = "1.2"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\TypeLib	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2\HELPDIR\	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ = "IVBDataObject"	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib	c285477a656d8d4a23ac78b7c077cb8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\ProxyStubClsid32	c285477a656d8d4a23ac78b7c077cb8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Windows\\SysWow64\\COMDLG32.OCX"	c285477a656d8d4a23ac78b7c077cb8c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1296	c285477a656d8d4a23ac78b7c077cb8c.exe

C:\Users\Admin\AppData\Local\Temp\c285477a656d8d4a23ac78b7c077cb8c.exe
"C:\Users\Admin\AppData\Local\Temp\c285477a656d8d4a23ac78b7c077cb8c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\comdlg32.ocx

Filesize
137KB

MD5
d76f0eab36f83a31d411aeaf70da7396

SHA1
9bc145b54500fb6fbea9be61fbdd90f65fd1bc14

SHA256
46f4fdb12c30742ff4607876d2f36cf432cdc7ec3d2c99097011448fc57e997c

SHA512
9c22bc6b2e7dbcd344809085894b768cfa76e8512062c5bbf3caeaa2771c6b7ce128bd5a0b6e385a5da777d0d822a5b2191773cc0ddb05abe1fa935fa853d79d

Download Submit
C:\Windows\SysWOW64\richtx32.ocx

Filesize
198KB

MD5
722435ba4d18f1704b43e823a12e489a

SHA1
48f3c6e2e14e397055b667e2c8baa85177eb6d44

SHA256
7d59a8cc7a5c16b3b0e0e67c65cf98c45158909f95ca3a5c96b946fdee42c095

SHA512
38fe59c3b38fb7593a695554ead9e56febc068057b8e1c4bb27b6af21f5f2e15ddcfabda2707a72edcedeaa8b0f172a05408b88ae8efff3d259277af03f7de04

Download Submit
memory/1296-0-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/1296-29-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download