975930d15ab1639e8bf92f0e4de63566a0e0cadac76a5d328ebdf2337536f34f

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batchpurge/PURGE.exe
Size

53KB
MD5

2df3efb77e2c9b3dc60335d89bbd1c11
SHA1

1ba7ec1994eae466938eeaf4da526399503091f9
SHA256

b2c040c0dfa67653c567f68faa1a631f492933b95e7710954f63a4538773101b
SHA512

8a79010f0c5de6353f3dfab3fdefe942881114da28d7313ea196270f92fa1155ac8e000ba0cdc52bf93aba407d17bb656f0daf4d8386c6eca1c5321413cf6dd9
SSDEEP

768:d64Y7WpIoZhvXIpaFaKlLfRhTPQ8ULXGqksRZta2HYuSxwgx4ha52v2EL+guTPeX:84Y7Wdz/IstLfLbcLXGORfa26Y5+q

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC4E055C-5AB4-4DB8-9FAF-1140E088C0B2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XPCmd.xpcmdbutton\Clsid\ = "{9076B41A-F995-44DA-9B9F-8601255C7D48}"	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR\	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{193A209F-16A6-410B-B9AD-5DEC573F7C58}\ProxyStubClsid32	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC4E055C-5AB4-4DB8-9FAF-1140E088C0B2}\ = "__xpcmdbutton"	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9076B41A-F995-44DA-9B9F-8601255C7D48}\MiscStatus\ = "0"	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9076B41A-F995-44DA-9B9F-8601255C7D48}\TypeLib\ = "{8ED8CCC1-8472-46D0-93E7-F66929B98442}"	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC4E055C-5AB4-4DB8-9FAF-1140E088C0B2}	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CLSID	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Version\ = "1.2"	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{193A209F-16A6-410B-B9AD-5DEC573F7C58}\ = "_xpcmdbutton"	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9076B41A-F995-44DA-9B9F-8601255C7D48}\ProgID\ = "XPCmd.xpcmdbutton"	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID\ = "MSComDlg.CommonDialog.1"	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ED8CCC1-8472-46D0-93E7-F66929B98442}\2.0\HELPDIR	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{193A209F-16A6-410B-B9AD-5DEC573F7C58}	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{193A209F-16A6-410B-B9AD-5DEC573F7C58}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{193A209F-16A6-410B-B9AD-5DEC573F7C58}\TypeLib	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC4E055C-5AB4-4DB8-9FAF-1140E088C0B2}\ProxyStubClsid32	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC4E055C-5AB4-4DB8-9FAF-1140E088C0B2}\TypeLib\ = "{8ED8CCC1-8472-46D0-93E7-F66929B98442}"	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9076B41A-F995-44DA-9B9F-8601255C7D48}\TypeLib	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9076B41A-F995-44DA-9B9F-8601255C7D48}\VERSION	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ED8CCC1-8472-46D0-93E7-F66929B98442}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\batchpurge"	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID\ = "MSComDlg.CommonDialog"	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9076B41A-F995-44DA-9B9F-8601255C7D48}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\batchpurge\\comdlg32.ocx"	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9076B41A-F995-44DA-9B9F-8601255C7D48}\Control\	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\batchpurge\\comdlg32.ocx"	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\TypeLib	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ED8CCC1-8472-46D0-93E7-F66929B98442}\2.0\0	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC4E055C-5AB4-4DB8-9FAF-1140E088C0B2}\ = "__xpcmdbutton"	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{193A209F-16A6-410B-B9AD-5DEC573F7C58}\ProxyStubClsid	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9076B41A-F995-44DA-9B9F-8601255C7D48}\Implemented Categories	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ = "Microsoft Common Dialog Control, version 6.0"	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ED8CCC1-8472-46D0-93E7-F66929B98442}\2.0	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC4E055C-5AB4-4DB8-9FAF-1140E088C0B2}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32\ThreadingModel = "Apartment"	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9076B41A-F995-44DA-9B9F-8601255C7D48}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\batchpurge\\XPCMD.OCX"	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{193A209F-16A6-410B-B9AD-5DEC573F7C58}\TypeLib	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{193A209F-16A6-410B-B9AD-5DEC573F7C58}	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9076B41A-F995-44DA-9B9F-8601255C7D48}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\batchpurge\\XPCMD.OCX, 30000"	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC4E055C-5AB4-4DB8-9FAF-1140E088C0B2}\ = "xpcmdbutton"	PURGE.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\FLAGS	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ED8CCC1-8472-46D0-93E7-F66929B98442}\2.0\0\win32	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}	PURGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\FLAGS\ = "2"	PURGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32	PURGE.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4172	PURGE.exe
4172	PURGE.exe

C:\Users\Admin\AppData\Local\Temp\batchpurge\PURGE.exe
"C:\Users\Admin\AppData\Local\Temp\batchpurge\PURGE.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4172-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4172-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads