dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe
Size

15.4MB
MD5

546d52168d730f9e73c5ec2ad736d72e
SHA1

0d05b40db5e023a6d77aaf28c3507bcec2a52fd7
SHA256

dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e
SHA512

5def168dbd627773cff9d079d0a24a49c1a3a81c16de1537af0cd0f9befb83d44eb27280f0a5cf0106f1d564388cfa564e081feeca8930697e0fb339e5294247
SSDEEP

393216:Y0dyfU0fkZpm+9hNN4fSCkKISCAyTkXfLH+LtKmgipYFJ:Y0dwf8pmK/GISSTkjH+LtKXipYz

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2068	rename_expert-setup.exe
2588	rename_expert-setup.tmp
1288	Replace.exe

Loads dropped DLL 12 IoCs

pid	Process
2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe
2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe
2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe
2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe
2068	rename_expert-setup.exe
2588	rename_expert-setup.tmp
2588	rename_expert-setup.tmp
2588	rename_expert-setup.tmp
1316	regsvr32.exe
2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe
2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe
2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DebenuPDFLibraryLite1011.dll	rename_expert-setup.tmp
File created	C:\Windows\SysWOW64\is-D4F1D.tmp	rename_expert-setup.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-E3UCB.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-SFJM4.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-R7DSE.tmp	rename_expert-setup.tmp
File opened for modification	C:\Program Files (x86)\Rename Expert\Rename_Expert.exe	Replace.exe
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-KR571.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-JAHKL.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\is-2U18G.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\is-GPL3O.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-SB115.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-DHJ5M.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-0O587.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-K69FV.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\is-H7MV0.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-J71QA.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-8QFHC.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\is-9SV4V.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-5QJ6F.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-63D92.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-OHSI0.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-DAKSK.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-VLPQ8.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-OEDMS.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-JEEPB.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-91EVR.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-ASCCK.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\unins000.dat	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\is-EJ343.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-DUR70.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-4QBPV.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-I949G.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-79H5N.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-EESGV.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-10IAO.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-8QDPS.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-ML0R2.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-MSHPH.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-LQ2CJ.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-MO4KI.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\is-6N2PJ.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-CFPUA.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-2RKAU.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-LUUAL.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-VGFME.tmp	rename_expert-setup.tmp
File opened for modification	C:\Program Files (x86)\Rename Expert\ielib32.dll	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-OHIFJ.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-JVV71.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\__tmp_rar_sfx_access_check_259399258	Replace.exe
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\is-78F9R.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-M9TM7.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-K0GV3.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-J1I55.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-DO23Q.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-GQ7C8.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\is-FVPEC.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-6MU0S.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-AMSIE.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-MCTV2.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\is-66PMG.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-D2L41.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-66M9Q.tmp	rename_expert-setup.tmp
File opened for modification	C:\Program Files (x86)\Rename Expert\unins000.dat	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\is-V1NBN.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-5A774.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-QNJM6.tmp	rename_expert-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\shell\open\command\ = "\"C:\\Program Files (x86)\\Rename Expert\\Rename_Expert.exe\" \"%1\""	rename_expert-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\shell\open\command	rename_expert-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite1011.PDFLibrary\ = "DebenuPDFLibraryLite1011.PDFLibrary Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\ProgID\ = "DebenuPDFLibraryLite1011.PDFLibrary"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\ = "Rename Expert profile file"	rename_expert-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\ = "IPDFLibrary"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\TypeLib\Version = "a.b"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\InprocServer32\ = "C:\\Windows\\SysWow64\\DebenuPDFLibraryLite1011.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite1011.PDFLibrary\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File	rename_expert-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\shell\open\ = "Open with Rename Expert..."	rename_expert-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\0\win32\ = "C:\\Windows\\SysWow64\\DebenuPDFLibraryLite1011.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite1011.PDFLibrary	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite.PDFLibrary	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RxProfile\ = "RxProfile.File"	rename_expert-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\shell\open	rename_expert-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\ = "Debenu Quick PDF Library (Lite Edition) 10.11"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\ = "IPDFLibrary"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\TypeLib\Version = "a.b"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite.PDFLibrary\ = "DebenuPDFLibraryLite.PDFLibrary Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\DefaultIcon	rename_expert-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\shell	rename_expert-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\TypeLib\ = "{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite.PDFLibrary\Clsid\ = "{91512F04-84F5-4AA4-829D-DB283C9D1625}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\TypeLib\ = "{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite.PDFLibrary\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\DefaultIcon\ = "C:\\Program Files (x86)\\Rename Expert\\Rename_Expert.exe,0"	rename_expert-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite1011.PDFLibrary\Clsid\ = "{91512F04-84F5-4AA4-829D-DB283C9D1625}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Version\ = "10.11"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\TypeLib\ = "{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\ = "DebenuPDFLibraryLite1011.PDFLibrary Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RxProfile	rename_expert-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\HELPDIR	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2588	rename_expert-setup.tmp
2588	rename_expert-setup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1288	Replace.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2588	rename_expert-setup.tmp

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2068	2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	28
PID 2464 wrote to memory of 2068	2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	28
PID 2464 wrote to memory of 2068	2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	28
PID 2464 wrote to memory of 2068	2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	28
PID 2464 wrote to memory of 2068	2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	28
PID 2464 wrote to memory of 2068	2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	28
PID 2464 wrote to memory of 2068	2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	28
PID 2068 wrote to memory of 2588	2068	rename_expert-setup.exe	29
PID 2068 wrote to memory of 2588	2068	rename_expert-setup.exe	29
PID 2068 wrote to memory of 2588	2068	rename_expert-setup.exe	29
PID 2068 wrote to memory of 2588	2068	rename_expert-setup.exe	29
PID 2068 wrote to memory of 2588	2068	rename_expert-setup.exe	29
PID 2068 wrote to memory of 2588	2068	rename_expert-setup.exe	29
PID 2068 wrote to memory of 2588	2068	rename_expert-setup.exe	29
PID 2588 wrote to memory of 1316	2588	rename_expert-setup.tmp	30
PID 2588 wrote to memory of 1316	2588	rename_expert-setup.tmp	30
PID 2588 wrote to memory of 1316	2588	rename_expert-setup.tmp	30
PID 2588 wrote to memory of 1316	2588	rename_expert-setup.tmp	30
PID 2588 wrote to memory of 1316	2588	rename_expert-setup.tmp	30
PID 2588 wrote to memory of 1316	2588	rename_expert-setup.tmp	30
PID 2588 wrote to memory of 1316	2588	rename_expert-setup.tmp	30
PID 2464 wrote to memory of 1288	2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	31
PID 2464 wrote to memory of 1288	2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	31
PID 2464 wrote to memory of 1288	2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	31
PID 2464 wrote to memory of 1288	2464	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	31

C:\Users\Admin\AppData\Local\Temp\dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe
"C:\Users\Admin\AppData\Local\Temp\dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rename_expert-setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rename_expert-setup.exe" /silent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\is-7M89L.tmp\rename_expert-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-7M89L.tmp\rename_expert-setup.tmp" /SL5="$3017C,11018677,780800,C:\Users\Admin\AppData\Local\Temp\RarSFX0\rename_expert-setup.exe" /silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\DebenuPDFLibraryLite1011.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1316
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe

Filesize
4.2MB

MD5
4a0a1e73b0b6eec9c409aba80603f775

SHA1
5be1d161a7034a0fb27c1f27d59339ff351b8ba5

SHA256
8be1234036700ba798eb15e3793f54773cda4efd214ff0e112e9fcf3b48167c3

SHA512
c8f0156c3d8ceddc0ac9c276085f24859cba8fb2726385757e15eda55396830b34774bd1baf399fad11097a28ea4cfd7d5a3030ef1c669ff659303ec8b7da4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7M89L.tmp\rename_expert-setup.tmp

Filesize
2.9MB

MD5
58c9cfcedf42934c891b05ae74dfbbc7

SHA1
64e99cdf1bd062f059a2fd53802997755b4fa7a0

SHA256
f53216920e583280340716e59e7ed0182854fb6866a051832c06dbfeb042d873

SHA512
b247decbbc22b0288711d58766e5c1b6071e4fbdbdb2636b9a73591494a12c1e1caba8055bdc9c7c67b22eb3e324b81c133ccb182921394ee4336b46da9841b1

Download Submit
C:\Windows\SysWOW64\DebenuPDFLibraryLite1011.dll

Filesize
6.1MB

MD5
5b1cb610caf266684e70d6b8c16c176b

SHA1
f3ec7ef670a7f3b0e65a864c95351b65276c15f6

SHA256
ab82ab9772cb5169a55e368adca03897003a7759ce8a5b0d00da74ee96fd1b2c

SHA512
f3f0ff6cfb72846c23469f7216261713fc67b0401dcb848b6db14ae460b404d12a4e8c0b628feb4856300575f9ee63d06b0aa2d4b17bffd8fa7cb39d8bc9915b

Download Submit
\Program Files (x86)\Rename Expert\Rename_Expert.exe

Filesize
12.9MB

MD5
15a0b5e58b1e5fcaef637875c594e5e4

SHA1
816fa6e4e979b27ee6beda2105fea48694155b25

SHA256
783dc4afef960850e8c3d2b3cdfac2ff450983b435a683df225c0ecfa5fbc199

SHA512
8e95d436bb2fec4fbd9183ce97a16d9b5b444f8c967bb2c5786f1e59425f804599d69b7e31e6963861284fb527797e3916b4e005234d9bfc1fb47778ec51f43b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rename_expert-setup.exe

Filesize
11.4MB

MD5
1696bd45406ec9a1136870f1256168d6

SHA1
b9f6ca0805ee227acf4a84fc5a8d57b61e54378b

SHA256
e97ace90e141de6b58b0a96e33fa6e42d645d5d723bd1fef285e0dfd57d903b2

SHA512
abc2d968a695ae7e67be076763546f2114f771d90483f2cb8132348efbe7069842fc84f5606d2dc87b73cf54a8daff71fc7ba12192159d7a4bec9e2643ceaf82

Download Submit
memory/1316-187-0x0000000002320000-0x000000000294F000-memory.dmp

Filesize
6.2MB

Download
memory/2068-21-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2068-24-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2068-192-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2588-30-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2588-191-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download