b44f3c188ef92605a99fab6f8f57ed846ce1fa1a1fdf50f017befa117f58960e

Analysis

max time kernel
141s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DoIt.exe
Size

887KB
MD5

cee34941122951a4414a497f94880b86
SHA1

ead6ff480ca6d0ae4935bafd6954685a46b01b86
SHA256

2c0ff1bb4d365b31dc7718edda04acf3bad1e098119f588ace3887f053e2f0b9
SHA512

ba353d67201bc5857d1c5326ba222493a224000e05574aa9d1033a34a0f129faf020494891a9d3b0017a2b476cb20482a08c85823a7a2e6eb43079ff1c2e5b5b
SSDEEP

12288:f8X4+ysUIJJ96b3pvYeWsw6lVjvFzXhABel2LjQ77xjlx+AYZ8jF4C16yFu/7pMt:f8l8sJ9wxDw66dLjQ7tJPYKF4c6yF8u

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
1988	regsvr32.exe
2680	regsvr32.exe
2000	regsvr32.exe
1488	DoIt.exe
1488	DoIt.exe
1488	DoIt.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DoIt.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	DoIt.exe
File opened for modification	C:\Windows\SysWOW64\tabctl32.ocx	DoIt.exe
File opened for modification	C:\Windows\SysWOW64\msinet.ocx	DoIt.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DoIt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{7DC6F291-BF55-4E50-B619-EF672D9DCC58}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{996BF5E0-8044-4650-ADEB-0B013914E99C}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{627C8B79-918A-4C5C-9E19-20F66BF30B86}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{F91CAF91-225B-43A7-BB9E-472F991FC402}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	DoIt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{24B224E0-9545-4A2F-ABD5-86AA8A849385}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE36-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl.2\CLSID\ = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\ = "IListSubItems"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}\ = "IImageList"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}\1.1\0\win32\ = "C:\\Windows\\SysWow64\\TABCTL32.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl.2\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSCOMCTL.OCX, 2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider.2\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\MiscStatus\1\ = "197009"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{BDC217C8-ED16-11CD-956C-0000C04E4C0A}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl.2\CLSID\ = "{DD9DA666-8594-11D1-B16A-00C0F0283628}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSCOMCTL.OCX, 2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl.2\ = "Microsoft ProgressBar Control 6.0 (SP6)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\ = "Microsoft ImageComboBox Control 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3F-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B7-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}\ = "SSTabCtl General Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}\ = "ImageListEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab\ = "Microsoft Tabbed Dialog Control, version 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\Version\ = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628}	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	DoIt.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1488	DoIt.exe
1488	DoIt.exe
1488	DoIt.exe
1488	DoIt.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1988	1488	DoIt.exe	31
PID 1488 wrote to memory of 1988	1488	DoIt.exe	31
PID 1488 wrote to memory of 1988	1488	DoIt.exe	31
PID 1488 wrote to memory of 1988	1488	DoIt.exe	31
PID 1488 wrote to memory of 1988	1488	DoIt.exe	31
PID 1488 wrote to memory of 1988	1488	DoIt.exe	31
PID 1488 wrote to memory of 1988	1488	DoIt.exe	31
PID 1488 wrote to memory of 2684	1488	DoIt.exe	32
PID 1488 wrote to memory of 2684	1488	DoIt.exe	32
PID 1488 wrote to memory of 2684	1488	DoIt.exe	32
PID 1488 wrote to memory of 2684	1488	DoIt.exe	32
PID 1488 wrote to memory of 2684	1488	DoIt.exe	32
PID 1488 wrote to memory of 2684	1488	DoIt.exe	32
PID 1488 wrote to memory of 2684	1488	DoIt.exe	32
PID 1488 wrote to memory of 2680	1488	DoIt.exe	33
PID 1488 wrote to memory of 2680	1488	DoIt.exe	33
PID 1488 wrote to memory of 2680	1488	DoIt.exe	33
PID 1488 wrote to memory of 2680	1488	DoIt.exe	33
PID 1488 wrote to memory of 2680	1488	DoIt.exe	33
PID 1488 wrote to memory of 2680	1488	DoIt.exe	33
PID 1488 wrote to memory of 2680	1488	DoIt.exe	33
PID 1488 wrote to memory of 2000	1488	DoIt.exe	34
PID 1488 wrote to memory of 2000	1488	DoIt.exe	34
PID 1488 wrote to memory of 2000	1488	DoIt.exe	34
PID 1488 wrote to memory of 2000	1488	DoIt.exe	34
PID 1488 wrote to memory of 2000	1488	DoIt.exe	34
PID 1488 wrote to memory of 2000	1488	DoIt.exe	34
PID 1488 wrote to memory of 2000	1488	DoIt.exe	34

C:\Users\Admin\AppData\Local\Temp\DoIt.exe
"C:\Users\Admin\AppData\Local\Temp\DoIt.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\system32\MSWINSCK.OCX
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1988
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\system32\MSCOMCTL.OCX
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2684
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\system32\TABCTL32.OCX
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2680
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\system32\MSINET.OCX
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSINET.OCX

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\SysWOW64\TABCTL32.OCX

Filesize
204KB

MD5
2bae02cd88d9ef0c03bdab250904f802

SHA1
ff421bffb17f2dafdf028a198ed6e540e0c8dce9

SHA256
76f99cb0983a76385e55dca92577bb53de488aafdf0d6ffcbe03ec5fa85d15c5

SHA512
faed7f90b18bdacc68e44a145e81be967cac163d44cbfef6ec32d36b53c7ae57d3b8e7a5526c0d6f97226c19432c70c390068d505ed69c6f4ceaa9e63dda745e

Download Submit
memory/1488-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1488-0-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/1488-18-0x0000000005B40000-0x0000000006BA2000-memory.dmp

Filesize
16.4MB

Download
memory/1488-20-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1488-19-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download