Analysis
max time kernel: 140s
max time network: 94s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 14-09-2024 17:49
Behavioral task: behavioral1
Sample: 99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77.exe
Resource: win10v2004-20240802-en
General
Target: 99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77.exe
Size: 2.3MB
MD5: cee0d7092ec83373078d0045a0c74c40
SHA1: 74359367f95990e189e485cac12532a5bf1053bb
SHA256: 99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77
SHA512: 73f48e633735acc4098a5b85be4792db8c979ab5ba39eb6d67e971064f8d6b903c71e86cef027a0d96d50f5dd2eddc89f257a77a3007bdee82af683df6461ad0
SSDEEP: 49152:xJxNHabdDlGc/za1rlFQFigZL+l63UBU3EWttCwYXn6CQqilfG1M3FB:xOLa1ZFU6l0YU3l3QCjgMVB
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource | yara_rule
C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx | acprotect
Loads dropped DLL 1 IoCs
Processes:
pid | process
4844 | 99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource | yara_rule
behavioral2/memory/4844-0-0x0000000000400000-0x00000000006F2000-memory.dmp | upx
C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx | upx
behavioral2/memory/4844-8-0x0000000074EA0000-0x00000000753A0000-memory.dmp | upx
behavioral2/memory/4844-20-0x0000000000400000-0x00000000006F2000-memory.dmp | upx
behavioral2/memory/4844-22-0x0000000074EA0000-0x00000000753A0000-memory.dmp | upx
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx | 99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77.exe
File created | C:\Program Files (x86)\MountTaiSoftware\Lodop\NPCAOSOFT_WEB_PRINT_lodop.dll | 99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77.exe
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings | 99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0" | 99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77.exe
Key created | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | 99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" | 99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77.exe
Modifies registry class 64 IoCs
Processes:
process (all rows): 99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77.exe
description | ioc
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\Version = "6.0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Control\
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ = "LodopX Control"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ThreadingModel = "Apartment"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version\ = "6.0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\Clsid
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0\ = "Properties,0,2"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\ = "Lodop"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ = "C:\\PROGRA~2\\MOUNTT~1\\Lodop\\CAOSOF~1.OCX"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\Version = "6.0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\1
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS\ = "2"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\Clsid\ = "{2105C259-1E0C-4534-8141-A753534CB4CA}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID\ = "Lodop.LodopX"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Control
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\1\ = "205201"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx,0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\ = "0"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\ = "LodopX Control"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
4844 | 99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77.exe (reported 6 times)
Processes
Path: C:\Users\Admin\AppData\Local\Temp\99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4844
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.5MB
MD5: 230c8f87850fd67b6b3024da50f360bb
SHA1: f3a629ece2b85aee9a88b3caebc54ac66053330a
SHA256: 3b30b5a1a4561ce2ef9b7fd0f2aa97e533f35c2bdbdb534995cc44066ae0f90a
SHA512: 5dfdedebe4a0e3843d68a3d93a44e54979f8a637902f499c278b5bb91c3a61561f3ed5de510c54405dd4f093128b9b69e175f6b63f9be2b000bbe381f6a2c3eb