0c760dc5e36c4a50915575b71a903f804a58528af063adeab0122b1dacebe762

Analysis

max time kernel
25s
max time network
27s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.exe
Size

21.8MB
MD5

281de22d5f870e7ce255cb31cd8d8867
SHA1

43c6221bc905f272e9bae18fdc60f7cf05a87b55
SHA256

0c760dc5e36c4a50915575b71a903f804a58528af063adeab0122b1dacebe762
SHA512

f04daa0d2edcbed911fa4b666e7ad6103d3504f5f0b32823d3952f7696abbd4225fdc2d549a65f0c5c8b1a6f15abdd712e26e9b88512f49920c821d0c4002046
SSDEEP

393216:7MRrytp2ZOPBv1PDQLfVkwj/5rkbr8u+y+EeQaS5xegXqEVnSU0uOY+lcx:k2eAJtDQDaYzFMaCO1lQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1624	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp

Loads dropped DLL 4 IoCs

pid	Process
2176	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.exe
1624	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
1624	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
1180	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\is-CMFUI.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\is-62U1L.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\is-R20UP.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\Magick++\is-1N3HT.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\is-AIIOK.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\images\patterns\is-QPMSO.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\images\patterns\is-HAV47.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\is-3F70D.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File opened for modification	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\IM_MOD_RL_mask_.dll	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File opened for modification	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\CORE_RL_harfbuzz_.dll	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File opened for modification	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\CORE_RL_zlib_.dll	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\is-LOTCI.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\images\is-JKFN3.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\Magick++\is-P6V40.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File opened for modification	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\IM_MOD_RL_info_.dll	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File opened for modification	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\IM_MOD_RL_miff_.dll	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\images\patterns\is-ODCVO.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\is-S8UCM.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\is-MA6N8.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\is-BDSOD.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File opened for modification	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\IM_MOD_RL_yuv_.dll	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\images\is-S611J.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\Magick++\is-TDC1M.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\api\is-23GSN.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\is-60F62.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\is-0BF8M.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\Magick++\is-CD7DS.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\is-EOATA.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\is-APJ9L.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\is-DMQ54.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\is-CEKBQ.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\images\is-B5J9B.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\images\patterns\is-1Q2SJ.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\is-KF7AO.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\is-63UDC.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\is-FD0QL.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\Magick++\is-KG3B3.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\is-N0VPU.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File opened for modification	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\IM_MOD_RL_dpx_.dll	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File opened for modification	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\IM_MOD_RL_pcx_.dll	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\images\patterns\is-JRVG8.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\is-E8TFS.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\is-0R04U.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\is-S2I43.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File opened for modification	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\CORE_RL_freetype_.dll	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File opened for modification	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\IM_MOD_RL_icon_.dll	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File opened for modification	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\IM_MOD_RL_clipboard_.dll	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File opened for modification	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\IM_MOD_RL_cube_.dll	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\Magick++\is-4MBKS.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\api\is-U6GU4.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\api\is-9B9TA.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\is-NKK59.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File opened for modification	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\IM_MOD_RL_vid_.dll	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File opened for modification	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\magick.exe	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\modules\coders\is-J631I.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\api\is-PTSVQ.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\is-NPA7C.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\api\is-614MH.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\api\is-D6VHJ.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\images\patterns\is-CA6NE.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\is-7HUQU.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\is-N0A7Q.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\images\patterns\is-LILEH.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
File created	C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\api\is-UO2JP.tmp	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DBA66AB1-E0F5-11EE-82E1-DE62917EBCA6} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MVGFile\DefaultIcon\ = "C:\\Program Files\\ImageMagick-7.1.1-Q16-HDRI\\ImageMagick.ico,1"	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpc\ = "Magick.MPCFile"	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MPCFile\DefaultIcon\ = "C:\\Program Files\\ImageMagick-7.1.1-Q16-HDRI\\ImageMagick.ico,1"	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.miff	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mvg\OpenWithProgids	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MVGFile\ = "Magick Vector Graphics File"	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MVGFile\DefaultIcon	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MPCFile	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MPCFile\shell	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MIFFFile\shell\edit	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.miff\ = "Magick.MIFFFile"	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.msl\OpenWithProgids\Magick.MSLFile	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.msl	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MVGFile\shell\open	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MIFFFile	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mvg	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mvg\OpenWithProgids\Magick.MVGFile	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpc	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mvg\ = "Magick.MVGFile"	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpc\OpenWithProgids	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MIFFFile\DefaultIcon	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MIFFFile\shell\edit\command\ = "\"C:\\Program Files\\ImageMagick-7.1.1-Q16-HDRI\\imdisplay.exe\" \"%1\""	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MVGFile\shell\open\command\ = "\"C:\\Program Files\\ImageMagick-7.1.1-Q16-HDRI\\imdisplay.exe\" \"%1\""	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MPCFile\shell\open\command	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MIFFFile\shell	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MSLFile\shell\open\command\ = "\"C:\\Program Files\\ImageMagick-7.1.1-Q16-HDRI\\imdisplay.exe\" \"%1\""	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MPCFile\ = "Magick Persistent Cache Image"	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MPCFile\shell\open	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.miff\OpenWithProgids\Magick.MIFFFile	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.msl\ = "Magick.MSLFile"	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MSLFile	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MIFFFile\shell\edit\command	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MSLFile\DefaultIcon\ = "C:\\Program Files\\ImageMagick-7.1.1-Q16-HDRI\\ImageMagick.ico,1"	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MSLFile\shell\open\command	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpc\OpenWithProgids\Magick.MPCFile	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MIFFFile\shell\open\command\ = "\"C:\\Program Files\\ImageMagick-7.1.1-Q16-HDRI\\imdisplay.exe\" \"%1\""	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MSLFile\shell	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MVGFile\shell\open\command	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.miff\OpenWithProgids	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MSLFile\ = "Magick Scripting Language Script"	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MIFFFile\ = "Magick Image File Image"	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MIFFFile\shell\open\command	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MVGFile\shell	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MPCFile\DefaultIcon	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MPCFile\shell\open\command\ = "\"C:\\Program Files\\ImageMagick-7.1.1-Q16-HDRI\\imdisplay.exe\" \"%1\""	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MIFFFile\DefaultIcon\ = "C:\\Program Files\\ImageMagick-7.1.1-Q16-HDRI\\ImageMagick.ico,1"	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MIFFFile\shell\open	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MSLFile\DefaultIcon	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.msl\OpenWithProgids	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MSLFile\shell\open	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magick.MVGFile	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1624	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
1624	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1624	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
904	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
904	iexplore.exe
904	iexplore.exe
1900	IEXPLORE.EXE
1900	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1624	2176	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.exe	28
PID 2176 wrote to memory of 1624	2176	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.exe	28
PID 2176 wrote to memory of 1624	2176	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.exe	28
PID 2176 wrote to memory of 1624	2176	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.exe	28
PID 2176 wrote to memory of 1624	2176	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.exe	28
PID 2176 wrote to memory of 1624	2176	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.exe	28
PID 2176 wrote to memory of 1624	2176	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.exe	28
PID 1624 wrote to memory of 904	1624	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp	30
PID 1624 wrote to memory of 904	1624	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp	30
PID 1624 wrote to memory of 904	1624	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp	30
PID 1624 wrote to memory of 904	1624	ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp	30
PID 904 wrote to memory of 1900	904	iexplore.exe	32
PID 904 wrote to memory of 1900	904	iexplore.exe	32
PID 904 wrote to memory of 1900	904	iexplore.exe	32
PID 904 wrote to memory of 1900	904	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.exe
"C:\Users\Admin\AppData\Local\Temp\ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\is-C0F2I.tmp\ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-C0F2I.tmp\ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp" /SL5="$30144,21951580,831488,C:\Users\Admin\AppData\Local\Temp\ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\index.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:904 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\images\ImageMagick.ico

Filesize
21KB

MD5
89c21bfb0c4b517257adbd993f0108e2

SHA1
86b387e8fb11042e7145d080365d8b3dddae5b78

SHA256
d28bd1f9c03f4a52f4c8968132cd319d7351bc95e6399965852d998378dd4419

SHA512
a708d1a944c86dece1f509e81f3d4a7e5577fbc285f86d2f697b9b28bf08e4d65e951dae6551aa7fb35552664d9f66b097ef61b46b46620952ede462b8a4ef8a

Download Submit
C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\images\wizard.jpg

Filesize
61KB

MD5
5a71383b206bd0264198ad1d607344c0

SHA1
9372a3b532f396079c07dfe30050452115d36d04

SHA256
beb8266543113d7f123686237cc7ceb5818d9e1d8c9081882e7f289dfe096bbe

SHA512
69a0b9eaeb4469f22e8f82799283f7722cf590f7b7c2cbf381e4827dde2beeebc308723586a5c4f5e81703a7a470d9d32a1ec85de566f2c7b33e6782fd507f1a

Download Submit
C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\index.html

Filesize
18KB

MD5
f84ce1fbb04015cac2d1aaa6566c76c1

SHA1
a8e40358a09c688229df86d81a0278d20f5d9ec7

SHA256
429735cf85a3c7fc7c8fb5e65f7cda4048c290a48539e5a00de6361bf4a33194

SHA512
ea60042c9e767a1422fdd58e8662b3ac341ef44402a6aa429944c327ce9f43927d83d7e4867f8d2404930f29128dc237aeeb1c39c76705056d52563d7d374ca1

Download Submit
C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\Magick++\is-KARE9.tmp

Filesize
315B

MD5
2e2d81f7c8edf668436bc79de0a2ad48

SHA1
745b6f3fab23c7ffd794cdd5ffbc0ca1a91191b1

SHA256
e286c9c8db7c7ebf82a5448bfe1abc029efc3ed48d42ab35529eb247790b22ff

SHA512
b3828a988f52b9a57d8c017366d70eb721a6db914bda582c8d0a83fd1dcad6e595ff0432913bcb37acd4f725ebe47cb57e5314f3489acf71ae59d8883c5c67d0

Download Submit
C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\assets\magick.css

Filesize
228KB

MD5
68960d180fcba43ae0305cfbd79e8c22

SHA1
fa90af78c06d2af187f4b70ca77884c73c96fc5e

SHA256
79ab6749341b7e97c9e9781a86bf158035d93d8cf20af7986121c4083d46058e

SHA512
093db1f8faa1e5f97f5942507d30d517ec6765600cd16a3ae07b34e162377a562f27966732531da9d93a697df11745b05b81b4f396707eb0e9990c59bc8d9d27

Download Submit
C:\Program Files\ImageMagick-7.1.1-Q16-HDRI\www\assets\magick.js

Filesize
78KB

MD5
2b5f300c724ea5eecaef0743949cb919

SHA1
10b9010f0c56ce982d0a74e47d3eb92a1693dbcd

SHA256
243278db80c76a9853019087e9429d86e64dafd302ea3e474e781e2db8bbbcfb

SHA512
822657605dafe4ae1d4ee02a4476863e1a5dab4c2bd30807bf819bfa82a95dcaee0fa4c544bd159408893b9951d84f5336b5e6506a48152c15aa06636556d1f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6F0A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar70C6.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C0F2I.tmp\ImageMagick-7.1.1-29-Q16-HDRI-x64-dll.tmp

Filesize
3.0MB

MD5
82755aeee605ff4e182d0bd6c44d22d5

SHA1
71be02e217e2b0413a295c92f3a300458d75cd97

SHA256
9b9f2ebeac646bf524e167d5f67606a7b18d23061560779c40b7b18ac6dd0f4a

SHA512
2d2e739931a72305bbe7f75f7354ce17e2337cc6ba17f56cd83d16aff26dc41698deb635b291f44dc5300dfaf6f4e3d4d5491245331945b53753610dc62d3b1d

Download Submit
\Program Files\ImageMagick-7.1.1-Q16-HDRI\imdisplay.exe

Filesize
171KB

MD5
07ec717c21e2af30a9c04b02db4aa659

SHA1
88612d3ada219c58b7ec902df89e776ded44b3ca

SHA256
961413ae7a10049822899a81a8ccd9a6b60fe408dd9579422f0ca0d2db105bef

SHA512
03d0ac59947e0c7519b8f8f08383f0ca4d6324d1303008d4f0175f3ac50e3380ee1ebb833b288de2f42571cee73905e32287766966f7cfcec5a9661bbc314b0a

Download Submit
memory/1624-11-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/1624-1082-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/1624-8-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2176-1083-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2176-1-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2176-10-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download