af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb

Analysis

max time kernel
139s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

advbattoexeconverter.exe
Size

804KB
MD5

83bb1b476c7143552853a2cf983c1142
SHA1

8ff8ed5c533d70a7d933ec45264dd700145acd8c
SHA256

af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb
SHA512

6916c6c5addf43f56b9de217e1b640ab6f4d7e5a73cd33a7189f66c9b7f0b954c5aa635f92fcef5692ca0ca0c8767e97a678e90d545079b5e6d421555f5b761a
SSDEEP

24576:0xFkFHdJ8aT/iziXH6FGnYhqQuimKC6Qpor:0IdJ1KiBYhsl+r

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
232	setupinf.exe
436	aB2Econv.exe

Loads dropped DLL 5 IoCs

pid	Process
228	advbattoexeconverter.exe
228	advbattoexeconverter.exe
228	advbattoexeconverter.exe
228	advbattoexeconverter.exe
436	aB2Econv.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Open with Advanced BAT to EXE\Icon = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.61\\ab2econv461\\battoexe16.ico"	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Open with Advanced BAT to EXE\Command	setupinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Open with Advanced BAT to EXE\Command\ = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.61\\ab2econv461\\aB2Econv.exe \"%1\""	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Compile with Advanced BAT to EXE	setupinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Compile with Advanced BAT to EXE\Icon = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.61\\ab2econv461\\battoexe16.ico"	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Compile with Advanced BAT to EXE\Command	setupinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Compile with Advanced BAT to EXE\Command\ = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.61\\ab2econv461\\aB2Econv.exe \"%1\" \"%1\""	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Open with Advanced BAT to EXE	setupinf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RICHTX32.OCX	advbattoexeconverter.exe
File opened for modification	C:\Windows\SysWOW64\RICHTX32.OCX	advbattoexeconverter.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\gew10.fst	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\icons\icon10.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\icons\icon6.ico	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex10.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex1.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex4.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex5.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\bfchlp1a.dat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\gex1.gew	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\gx3.gw	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\_ci_gentee	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\icons\icon4.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\gx1.gw	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex15.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\bfchlp1.dat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\setupinf.exe	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex13.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\bfchlp7.dat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\doc.htm	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\gewizold.exe	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\icons\icon11.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\icons\icon3.ico	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\icons\icon7.ico	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\bfchlp3.dat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\gx3.gw	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\gew11.fst	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex15.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex16.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\bat2exe.dll	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\bfchlp4a.dat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\gex1.gew	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\icons\icon1.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex14.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\bfchlp2.dat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\icons\icon11.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\icons\icon13.ico	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex8.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex4.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex6.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\bfchlp5.dat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\gew11.fst	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\gx5.gw	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex12.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex3.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\gx2.gw	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex12.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\bfchlp5.dat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\blfp.dat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\feedback.exe	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\icons\icon3.ico	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\uninstall.exe	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex8.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex16.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\license.txt	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex10.bat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\bfchlp3.dat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\feedback.exe	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\icons\icon6.ico	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\bfchlp2.dat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\setupinf.exe	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\bfchlp4.dat	advbattoexeconverter.exe
File created	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex17.bat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\bfchlp.dat	advbattoexeconverter.exe
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\advex14.bat	advbattoexeconverter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\TypeLib\Version = "1.2"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\ProgID\ = "RICHTEXT.RichtextCtrl.1"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2\0\win32\ = "C:\\Windows\\SysWow64\\richtx32.ocx"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\Compile with Advanced BAT to EXE\Command\ = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.61\\ab2econv461\\aB2Econv.exe \"%1\" \"%1\""	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\Open with Advanced BAT to EXE\Command	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ = "IOLEObject"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}\InprocServer32\ThreadingModel = "Apartment"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl\CLSID\ = "{3B7C8860-D78F-101B-B9B5-04021C009402}"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Control	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ = "IVBDataObject"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\TypeLib	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\ = "IRichText"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	advbattoexeconverter.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}\ = "RichText General Property Page Object"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\TypeLib\Version = "1.2"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2\HELPDIR\	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.2"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\Open with Advanced BAT to EXE\Command\ = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.61\\ab2econv461\\aB2Econv.exe \"%1\""	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\InprocServer32	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\InprocServer32\ = "C:\\Windows\\SysWow64\\richtx32.ocx"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\ = "DRichTextEvents"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Version	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\Open with Advanced BAT to EXE	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\VersionIndependentProgID	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}\ = "RichText Apppearance Property Page Object"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}\InprocServer32	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Compile with Advanced BAT to EXE	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\MiscStatus\1	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Open with Advanced BAT to EXE\Icon = "C:\\Program Files (x86)\\Advanced BAT to EXE Converter v4.61\\ab2econv461\\battoexe16.ico"	setupinf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\Open with Advanced BAT to EXE	setupinf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ProxyStubClsid32	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\ = "DRichTextEvents"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}\InprocServer32\ = "C:\\Windows\\SysWow64\\richtx32.ocx"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2\ = "Microsoft Rich Textbox Control 6.0 (SP6)"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.2"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl\ = "Microsoft Rich Textbox Control 6.0 (SP6)"	advbattoexeconverter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}\InprocServer32\ = "C:\\Windows\\SysWow64\\richtx32.ocx"	advbattoexeconverter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib	advbattoexeconverter.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
232	setupinf.exe
436	aB2Econv.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 232	228	advbattoexeconverter.exe	96
PID 228 wrote to memory of 232	228	advbattoexeconverter.exe	96
PID 228 wrote to memory of 232	228	advbattoexeconverter.exe	96

C:\Users\Admin\AppData\Local\Temp\advbattoexeconverter.exe
"C:\Users\Admin\AppData\Local\Temp\advbattoexeconverter.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:228
- C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\setupinf.exe
  "C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\setupinf.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:232

C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\aB2Econv.exe
"C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\aB2Econv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\aB2Econv.exe

Filesize
592KB

MD5
4f5f276df265153c6c3bda4b10c838e5

SHA1
373f6f9eecffb1c3327d87e7356034fe91cd6732

SHA256
22b70fbdfe95b036540759ea2da2c80d43e8b332e0e600bb867bebce8bfbae04

SHA512
35837f2245c038fd0a54d0a9e3349ed0dab5e74aff8dfe81b8a514236f7584bdc2802e8e0dfca97a00fec8c1f548788a87abe6603a8f1c889e110ec95c3b89de

Download Submit
C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\ab2econv461\setupinf.exe

Filesize
24KB

MD5
e5a61dd0ef9ea21188d2977ddf523c4b

SHA1
7cf00022f60eb995fdc42b371e0c447d3b6f842a

SHA256
1cf5593456a7c5fbddddc86dcd3e22db87f083b6c2158b30f8ef217be3b28bb5

SHA512
42fb3e56f921b79303d38a943815acab2f3f73f820f677d00360f192c33288159198dad8b56a68d2de2647381c53f268f0a5e032722830aafbbb0b654b8517cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee00\1Default.bmp

Filesize
1KB

MD5
0895d223fa59a94bed73d25d1cb5af70

SHA1
298a895d164f2c17d2e287ad32d27d8d01d0c275

SHA256
53228a7c924889d300c7ffe9baa1879ee94bd9b4286e84b7b29f870e9567b82d

SHA512
6fbe9ed82d10b5f42cefff5e65bdd8f4d2ae6f685cc1161de398c026cf5bf00d703da725fbe67cd52c1802b781b3eba6b1fb07ad421793a050895d7c63756dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee00\gentee.dll

Filesize
100KB

MD5
30439e079a3d603c461d2c2f4f8cb064

SHA1
aaf470f6bd8deadedbc31adf17035041176c6134

SHA256
d6d0535175fb2302e5b5a498119823c37f6bddff4ab24f551aa7e038c343077a

SHA512
607a81be02bde679aff45770e2fd5c2471d64439fdb23c3e494aed98970131e5d677e1eba3b7b36fca5b8d5b99580856bb8cf1806139c9f73693afb512126b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee00\guig.dll

Filesize
20KB

MD5
f78ee6369ada1fb02b776498146cc903

SHA1
d5ba66acdab6a48327c76796d28be1e02643a129

SHA256
f1073319d4868d38e0ae983ad42a00cdc53be93b31275b4b55af676976c1aa3f

SHA512
88cff3e58cf66c3f2b5b3a65b8b9f9e8ac011e1bd6025cadadb0f765f062cb3d608c23c2d3832f89ada0b7681170dce1ee4a0b8b873e84135756d14ba8c69fa9

Download Submit
C:\Windows\SysWOW64\RICHTX32.OCX

Filesize
207KB

MD5
045a16822822426c305ea7280270a3d6

SHA1
43075b6696bb2d2f298f263971d4d3e48aa4f561

SHA256
318cc48cbcfaba9592956e4298886823cc5f37626c770d6dadbcd224849680c5

SHA512
5a042ff0a05421fb01e0a95a8b62f3ce81f90330daed78f09c7d5d2abcb822a2fe99d00494c3ddd96226287fae51367e264b48b2831a8c080916ce18c0a675fa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads