864d70dd755dab8431c2465531067cf8130166585e55dd4c4bb7de3df54a1967

Analysis

max time kernel
68s
max time network
69s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MacroRecorderSetup.exe
Size

2.6MB
MD5

50307092df1de5735811933cefad0b85
SHA1

fcf6d604a542d6aebee2e6828966387367b04cbf
SHA256

864d70dd755dab8431c2465531067cf8130166585e55dd4c4bb7de3df54a1967
SHA512

0cf5ece8b4ab2e302136f9bf65c89f6d4d79f5cad7989250b04ffb6c110009db081fc817b653c0bfdd54c6da8e7c1b6cafc0ed157ba72cef9ddd863f3f12dd90
SSDEEP

49152:Aqe3f6QX7FIsEl4404EcVZvUWN6NuFXL+fLLMtj7yWRBywyYkHeBnI:VSijsEl904EcVuWN6yMLAtj2sEwlpVI

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2060	MacroRecorderSetup.tmp
672	MacroRecorder.exe

Loads dropped DLL 5 IoCs

pid	Process
2148	MacroRecorderSetup.exe
2060	MacroRecorderSetup.tmp
2060	MacroRecorderSetup.tmp
2060	MacroRecorderSetup.tmp
2060	MacroRecorderSetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MacroRecorder\is-12JFE.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-I8O1U.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-14AR0.tmp	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\unins000.dat	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\Microsoft.Win32.TaskScheduler.dll	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-QPO90.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-AQ30O.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\unins000.msg	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\Mono.Cecil.dll	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-RM38B.tmp	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\MacroLauncher.exe	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\unins000.dat	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-O0617.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-92LT3.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-K35PK.tmp	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\Mono.Cecil.Pdb.dll	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\Mono.Cecil.Rocks.dll	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-UL4OA.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-OLTR5.tmp	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-QC9MN.tmp	MacroRecorderSetup.tmp
File opened for modification	C:\Program Files (x86)\MacroRecorder\Mono.Cecil.Mdb.dll	MacroRecorderSetup.tmp
File created	C:\Program Files (x86)\MacroRecorder\is-RDVSL.tmp	MacroRecorderSetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MacroRecorderSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MacroRecorderSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MacroRecorder.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewVersion = "0"	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.mcr	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\JitbitMacroRecorder\shell	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\JitbitMacroRecorder	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\JitbitMacroRecorder\shell\open	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	MacroRecorder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	MacroRecorder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	MacroRecorder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\JitbitMacroRecorder\shell\open\command\ = "C:\\Program Files (x86)\\MacroRecorder\\MacroRecorder.exe \"%1\""	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	MacroRecorder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\JitbitMacroRecorder\DefaultIcon\ = "C:\\Program Files (x86)\\MacroRecorder\\MacroRecorder.exe,0"	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\JitbitMacroRecorder\shell\open\command	MacroRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	MacroRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	MacroRecorder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.mcr\ = "JitbitMacroRecorder"	MacroRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\JitbitMacroRecorder\DefaultIcon	MacroRecorder.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2060	MacroRecorderSetup.tmp
2060	MacroRecorderSetup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
672	MacroRecorder.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	672	MacroRecorder.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2060	MacroRecorderSetup.tmp
672	MacroRecorder.exe
672	MacroRecorder.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
672	MacroRecorder.exe
672	MacroRecorder.exe
672	MacroRecorder.exe
672	MacroRecorder.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2060	2148	MacroRecorderSetup.exe	30
PID 2148 wrote to memory of 2060	2148	MacroRecorderSetup.exe	30
PID 2148 wrote to memory of 2060	2148	MacroRecorderSetup.exe	30
PID 2148 wrote to memory of 2060	2148	MacroRecorderSetup.exe	30
PID 2148 wrote to memory of 2060	2148	MacroRecorderSetup.exe	30
PID 2148 wrote to memory of 2060	2148	MacroRecorderSetup.exe	30
PID 2148 wrote to memory of 2060	2148	MacroRecorderSetup.exe	30
PID 2060 wrote to memory of 672	2060	MacroRecorderSetup.tmp	33
PID 2060 wrote to memory of 672	2060	MacroRecorderSetup.tmp	33
PID 2060 wrote to memory of 672	2060	MacroRecorderSetup.tmp	33
PID 2060 wrote to memory of 672	2060	MacroRecorderSetup.tmp	33

C:\Users\Admin\AppData\Local\Temp\MacroRecorderSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MacroRecorderSetup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\is-CSTAO.tmp\MacroRecorderSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CSTAO.tmp\MacroRecorderSetup.tmp" /SL5="$E0152,1902330,780800,C:\Users\Admin\AppData\Local\Temp\MacroRecorderSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe
    "C:\Program Files (x86)\MacroRecorder\MacroRecorder.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\MacroRecorder\MacroLauncher.exe

Filesize
470KB

MD5
9d024bbd0b1dba4baed68783d74ec47b

SHA1
6034648bdff3ee98bd1b8273124caad67067500b

SHA256
8a0f56a70cb58e004d9a8c158aba2a665e66dc83f0664a6f27445c9687af2442

SHA512
03ab2470fdb9dde9cac4a80016dc6e1387be6d2ff774cb06911b4ba6c4e54b492fb7dd48dbe0e190dd84c4cb1eaae3bf4ab3003a0d0b71a195122f31d8517ea1

Download Submit
\Program Files (x86)\MacroRecorder\MacroRecorder.exe

Filesize
1.1MB

MD5
cd2ff16f2aa3a0525c7e9ed355ba7457

SHA1
0511be4d649c8da29ac8af12f019a8ca01f00ade

SHA256
9e2b3c898821eabc315576f6f274dbdd4e055c60ef3d2325a96caf702fd86ece

SHA512
45dc33d6790c66ad5bad9e6f3d0b0f47ef4b112ed6e55601900f25aa46c171d6ad47a69f4a18e24afff218aab221de21e50d39c8823371e2bd5fae6019ca3299

Download Submit
\Users\Admin\AppData\Local\Temp\is-CSTAO.tmp\MacroRecorderSetup.tmp

Filesize
2.9MB

MD5
5f60fcd65065f14167a21d790ec39d05

SHA1
7930a70c8f96b743fd5a2a3923a6ea99280e53e0

SHA256
0b3a2cfecc43852e4999f817af79722ac0a18b3aaa749d40fa173bcc803fe2a8

SHA512
74b8edd32f3bb40a21cd1ab7c106f330d80318fc61153e4fed01200e2733e79310028b2fe3ebd83b7fc3392bcaba8ccd4aa990ab3ad571fbf779c5be5ff2e463

Download Submit
memory/672-69-0x00000000053F0000-0x00000000053F2000-memory.dmp

Filesize
8KB

Download
memory/672-63-0x0000000000030000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/2060-9-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2060-12-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2060-11-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2060-67-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2148-10-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2148-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2148-68-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2148-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download