b5476446d4f5ac386bdd94987323ed71f70de54016ba19ce31e6e46b43e267ce

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pluginsetupadmin.exe
Size

461KB
MD5

87daf3658c6aa863444532f1f324cca1
SHA1

c0caa342fcbde6a0c6b1566e71bc051117a7c40b
SHA256

c007fefe59aa783e7ea677a6275f87b9675f750a8e31a67c8325440308eed90a
SHA512

050b10619e355fe16fc23bf83b7b38a5237adb80e406d79653c029182bf33a40c3717a12f80ce1e024e2afee305421b3f3947d38a833169576e1c3d0a9ebc551
SSDEEP

12288:7ugClTRuCj6KxXpDKlvuONobWHp9d/MJyKRs:78TRuo6KxZeluooKh/SyKRs

Score

4^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2032	pluginsetupadmin.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\InprocServer32	pluginsetupadmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\JuleGame\\JLGPLA~1\\NPJLGP~1.DLL"	pluginsetupadmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\InprocServer32\ThreadingModel = "Apartment"	pluginsetupadmin.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JLGPLAYER3.jlgplayer3Ctrl.1\CLSID\ = "{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}"	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\ProgID	pluginsetupadmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\TypeLib\{77312AEE-9563-4B2C-B87E-4E8FF1528577}\3.0\ = "jlgplayer3 ActiveX Control module"	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F959CDDB-6516-4ABD-9D40-CDCFE3D48331}\TypeLib\Version = "2.0"	pluginsetupadmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\InprocServer32\ThreadingModel = "Apartment"	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFF5BE97-7736-4383-82DA-1543D0520645}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFF5BE97-7736-4383-82DA-1543D0520645}\TypeLib	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\Control	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\TypeLib	pluginsetupadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\TypeLib	pluginsetupadmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\MiscStatus\1\ = "655761"	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77312AEE-9563-4B2C-B87E-4E8FF1528577}\2.0\FLAGS\ = "2"	pluginsetupadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77312AEE-9563-4B2C-B87E-4E8FF1528577}	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFF5BE97-7736-4383-82DA-1543D0520645}\TypeLib	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JLGPLAYER3.jlgplayer3Ctrl.1\CLSID	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\ToolboxBitmap32	pluginsetupadmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{AFF5BE97-7736-4383-82DA-1543D0520645}\TypeLib\ = "{77312AEE-9563-4B2C-B87E-4E8FF1528577}"	pluginsetupadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\TypeLib\{77312AEE-9563-4B2C-B87E-4E8FF1528577}\3.0\HELPDIR	pluginsetupadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\Control	pluginsetupadmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\ProgID\ = "JLGPLAYER3.jlgplayer3Ctrl.1"	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77312AEE-9563-4B2C-B87E-4E8FF1528577}\2.0\0	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77312AEE-9563-4B2C-B87E-4E8FF1528577}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\JuleGame\\JLGPLA~1\\NPJLGP~1.DLL"	pluginsetupadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{AFF5BE97-7736-4383-82DA-1543D0520645}\ProxyStubClsid	pluginsetupadmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\JLGPLAYER3.jlgplayer3Ctrl.1\ = "jlgplayer3 Control"	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFF5BE97-7736-4383-82DA-1543D0520645}	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F959CDDB-6516-4ABD-9D40-CDCFE3D48331}\ProxyStubClsid32	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F959CDDB-6516-4ABD-9D40-CDCFE3D48331}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	pluginsetupadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{F959CDDB-6516-4ABD-9D40-CDCFE3D48331}\ProxyStubClsid32	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\InprocServer32\ThreadingModel = "Apartment"	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F959CDDB-6516-4ABD-9D40-CDCFE3D48331}\ = "_Djlgplayer3Events"	pluginsetupadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{AFF5BE97-7736-4383-82DA-1543D0520645}\TypeLib	pluginsetupadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\TypeLib\{77312AEE-9563-4B2C-B87E-4E8FF1528577}\3.0\0\win32	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77312AEE-9563-4B2C-B87E-4E8FF1528577}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\JuleGame\\jlgplayer\\npjlgplayer3.dll"	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F959CDDB-6516-4ABD-9D40-CDCFE3D48331}	pluginsetupadmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\ = "jlgplayer3 Control"	pluginsetupadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\MiscStatus	pluginsetupadmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\JuleGame\\JLGPLA~1\\NPJLGP~1.DLL, 1"	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\Control\	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77312AEE-9563-4B2C-B87E-4E8FF1528577}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	pluginsetupadmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{F959CDDB-6516-4ABD-9D40-CDCFE3D48331}\ = "_Djlgplayer3Events"	pluginsetupadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\InprocServer32	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77312AEE-9563-4B2C-B87E-4E8FF1528577}\Implemented Categories	pluginsetupadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID	pluginsetupadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\ToolboxBitmap32	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFF5BE97-7736-4383-82DA-1543D0520645}\ = "_Djlgplayer3"	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFF5BE97-7736-4383-82DA-1543D0520645}	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFF5BE97-7736-4383-82DA-1543D0520645}\TypeLib\Version = "2.0"	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\TypeLib\ = "{77312AEE-9563-4B2C-B87E-4E8FF1528577}"	pluginsetupadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{F959CDDB-6516-4ABD-9D40-CDCFE3D48331}\ProxyStubClsid	pluginsetupadmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\JLGPLAYER3.jlgplayer3Ctrl.1\CLSID\ = "{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}"	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F959CDDB-6516-4ABD-9D40-CDCFE3D48331}\TypeLib	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77312AEE-9563-4B2C-B87E-4E8FF1528577}\ = "jlgplayer3 Property Page"	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\Version\ = "3.0"	pluginsetupadmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{AFF5BE97-7736-4383-82DA-1543D0520645}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	pluginsetupadmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{AFF5BE97-7736-4383-82DA-1543D0520645}\TypeLib\Version = "3.0"	pluginsetupadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\TypeLib\{77312AEE-9563-4B2C-B87E-4E8FF1528577}	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F959CDDB-6516-4ABD-9D40-CDCFE3D48331}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A1B1EE5-E5AD-48E1-A74A-6DE132B3F8ED}\InprocServer32	pluginsetupadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{77312AEE-9563-4B2C-B87E-4E8FF1528577}\Implemented Categories	pluginsetupadmin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JLGPLAYER3.jlgplayer3Ctrl.1\ = "jlgplayer3 Control"	pluginsetupadmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	pluginsetupadmin.exe

C:\Users\Admin\AppData\Local\Temp\pluginsetupadmin.exe
"C:\Users\Admin\AppData\Local\Temp\pluginsetupadmin.exe"
1⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JuleGame\jlgplayer\npjlgplayer3.dll

Filesize
793KB

MD5
eb9729ce37dff44821fc35f71dea8fa0

SHA1
2cf8d4d6b9bad91e9ec26c746fa011b9e97387b1

SHA256
e2dd0098bfe73f5ae6f407a03a11df39baed75e29fcdc67413bbbc6819a1c4a5

SHA512
79e1fd84b4e61a1e20188f4c8d40b1363e0ea5dcbb840e4dbbe8463f0f8c1321c2b6c66f32498e3dbdc8c4ffe95a10659cba16eed445c8113183e9bfb1fb9839

Download Submit
\Users\Admin\AppData\Local\JuleGame\jlgplayer\npjlgplayer3.dll

Filesize
448KB

MD5
f57f2e5e228ebf5267412172bed99dd7

SHA1
2c26c695bd6e746917571d8acbbf146bf59d96e5

SHA256
e23c2bbbd1b377d44a13678a25de985d300bd7d6e751aa14735b3186ff5b9eb8

SHA512
1f6a6709a01a92bde4ab846ebb2524f4feeff83e33019c3cc037e6af99335f3eafbbd3beb8c25c52397f3334bbda8e011b38445425cce01f2e4aa3edffcbbda5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads