5e2b7ee91606a8a2327f731f4d863c505daa70a9eb10ca0700529f6aa4fd61a8

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01/08/2024, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Install.exe
Size

116KB
MD5

f487bfd5c24ff804331e83be0bf4f6f7
SHA1

8d68a0ee4ec13d61a983444b2e608e41097079f2
SHA256

f7570fa917828242bc49cc74f49f24974e5877dfbc8c17652771e333ae839349
SHA512

18fd94acdcbdcfc97183e8f4c5c0e3af27da78f19edbceed9305f5b87304923d009a414d8d7aba4ad0db7e23142b5c46f11a578b8002ace8dc94e38d4e27f3ec
SSDEEP

3072:Wx4GxucJcqKhU+9cCi50C+imV5ooLQR6o0:HpO+9D6+iBIo0

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2204	Install.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\DRIVERS\x64\acpdf210.dll	Install.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\acpdf210.dll	Install.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\acpdfui210.dll	Install.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\acfpdf.txt	Install.exe
File created	C:\Windows\SysWOW64\cdintf210.dll	Install.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop\ForegroundLockTimeout = "0"	Install.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDIntfEx.CDIntfEx\Insertable	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68B34269-7559-11D3-BBE5-D53DCBD65107}\TypeLib\ = "{4856F146-7516-11D3-BBE5-D53DCBD65107}"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D307A698-F048-4AFC-9170-572440CD523F}\TypeLib\Version = "2.1"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D307A698-F048-4AFC-9170-572440CD523F}\ = "IDIDocument"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDIntfEx.CDIntfEx\CLSID\ = "{68B34268-7559-11D3-BBE5-D53DCBD65107}"	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\ToolboxBitmap32	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\Control\	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\ProgID	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\Version	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68B34269-7559-11D3-BBE5-D53DCBD65107}	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68B34269-7559-11D3-BBE5-D53DCBD65107}\TypeLib\Version = "2.1"	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{067B6CE2-DE85-435E-8E99-F52727F57E26}	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D307A698-F048-4AFC-9170-572440CD523F}\ = "IDIDocument"	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDIntfEx.CDIntfEx	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDIntfEx.Document	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4475F8B8-1316-4853-82E6-C6149A7BA4C3}\InProcServer32\ = "C:\\Windows\\SysWow64\\CDINTF~1.DLL"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{067B6CE2-DE85-435E-8E99-F52727F57E26}\TypeLib\ = "{4856F146-7516-11D3-BBE5-D53DCBD65107}"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{067B6CE2-DE85-435E-8E99-F52727F57E26}\TypeLib\Version = "2.1"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D307A698-F048-4AFC-9170-572440CD523F}\TypeLib\ = "{4856F146-7516-11D3-BBE5-D53DCBD65107}"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDIntfEx.Document\CLSID\ = "{4475F8B8-1316-4853-82E6-C6149A7BA4C3}"	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4475F8B8-1316-4853-82E6-C6149A7BA4C3}\ProgID	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\Version\ = "2.1"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDIntfEx.Document\ = "CDIntfEx.Document"	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4856F146-7516-11D3-BBE5-D53DCBD65107}\2.1\FLAGS	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68B34269-7559-11D3-BBE5-D53DCBD65107}	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D307A698-F048-4AFC-9170-572440CD523F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D307A698-F048-4AFC-9170-572440CD523F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D307A698-F048-4AFC-9170-572440CD523F}\TypeLib\ = "{4856F146-7516-11D3-BBE5-D53DCBD65107}"	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\MiscStatus	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4856F146-7516-11D3-BBE5-D53DCBD65107}\2.1\ = "Common Driver Interface Control"	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4856F146-7516-11D3-BBE5-D53DCBD65107}\2.1\HELPDIR	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\ = "Common Driver Interface Control"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDIntfEx.CDIntfEx\Insertable\	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDIntfEx.Document\CLSID	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\InprocServer32	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\CDINTF~1.DLL, 1"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\InprocServer32\ThreadingModel = "Apartment"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4475F8B8-1316-4853-82E6-C6149A7BA4C3}\ = "CDIntfEx.Document"	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4856F146-7516-11D3-BBE5-D53DCBD65107}\2.1	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{067B6CE2-DE85-435E-8E99-F52727F57E26}\TypeLib\ = "{4856F146-7516-11D3-BBE5-D53DCBD65107}"	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{067B6CE2-DE85-435E-8E99-F52727F57E26}\ProxyStubClsid32	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D307A698-F048-4AFC-9170-572440CD523F}	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\InprocServer32\ = "C:\\Windows\\SysWow64\\CDINTF~1.DLL"	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\Control	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDIntfEx.CDIntfEx\CLSID	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68B34269-7559-11D3-BBE5-D53DCBD65107}\TypeLib\Version = "2.1"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{067B6CE2-DE85-435E-8E99-F52727F57E26}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\ProgID\ = "CDIntfEx.CDIntfEx"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\TypeLib\ = "{4856F146-7516-11D3-BBE5-D53DCBD65107}"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68B34269-7559-11D3-BBE5-D53DCBD65107}\ = "ICDIntfEx"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{067B6CE2-DE85-435E-8E99-F52727F57E26}\ = "_DCDIntfEvents"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{067B6CE2-DE85-435E-8E99-F52727F57E26}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D307A698-F048-4AFC-9170-572440CD523F}\ProxyStubClsid32	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68B34269-7559-11D3-BBE5-D53DCBD65107}\ProxyStubClsid32	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\MiscStatus\1\ = "132243"	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\TypeLib	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D307A698-F048-4AFC-9170-572440CD523F}\TypeLib	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68B34268-7559-11D3-BBE5-D53DCBD65107}\Insertable\	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4856F146-7516-11D3-BBE5-D53DCBD65107}	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4856F146-7516-11D3-BBE5-D53DCBD65107}\2.1\HELPDIR\ = "C:\\Windows\\system32"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68B34269-7559-11D3-BBE5-D53DCBD65107}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68B34269-7559-11D3-BBE5-D53DCBD65107}\TypeLib	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{067B6CE2-DE85-435E-8E99-F52727F57E26}\ = "_DCDIntfEvents"	Install.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2204	Install.exe
2204	Install.exe

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\cdintf210.dll

Filesize
1.0MB

MD5
d537827b24dffe10bc17c9dffe465338

SHA1
20f98e0934aff2fb851052b9c32745b1f9b6d288

SHA256
fd0353032a8b86dd113750b0c7be5f599d5e97a38b937b205ac279c5014c65ae

SHA512
32560626c47049a5b94ee474100de707d4213a6957e1b822dca3d822f62ed715dc74264f363671a99e82380b5d6c901c7b3b935a7df350a36a0a9059993d8d83

Download Submit