0ba0b0e5c14f29977e4c87b2734e04c525a16798aa26d5ec88961fd8702fa88f

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StrategicPlanningFramework.exe
Size

5.1MB
MD5

4dcbff05d511fdb5afac3bcafb11d181
SHA1

3444a992d73accd2530699a5f2608565ff17a6a7
SHA256

96e402b9f0e94f6b6668af3781c2deec863329a03f67e155d710bb219ec8cb92
SHA512

4dff887b7b73c251c50829611aa6762c9dbb5ba7ce1fd5112a8e793115bd79e1d715fae11f62953c1531ecce6275aa931c603701f74e3667a018ec3277b65e7f
SSDEEP

98304:/XFhi4mgGlkNpNPjrluagCRihOqTHwOXipOVGwB1nKXtbbPxzrpoe:/Xm4mBaNLPVuDCRYOGDipOVGwB1nKXtD

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StrategicPlanningFramework.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000671089a7d7939f93286b2aaa09b4a7d96b3dc66a16131874829b7e122a80f68a000000000e8000000002000020000000143ea41f83bf2829839a650bb61be08a38ccbae01bda802c6d0beb0ac71aac7990000000f7327fef318b3d40c4ea4d19497d7d394dba4378bef632ceaee67126386fb9088d91c233cafb4b7ef7199a2bea5a2991118179af2326c499f3b8f376fa4f75efc9bed1c814c95120b4d708d1df1affa8f4f44bfd9ee066ca5dcfe88f3220501e615812c1746fce9b29d23c5079b4a0b4ed4319f2a4528e8179d2f7bbbe2fca988451878b7132352ad0b5f0cf4540572440000000a3f930463126500c825ee14c7e9724080e0e7d1cc85035abfb8c8602b6d9f2ef72d4fc8a2048235f18ad2751e3b107b74bd748adb09040ddb843fa5746481888	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000d6c8e5f87a263bebdd90018334750de11884aa2a005288a8f718199d91fb1eb8000000000e80000000020000200000002273b355e3651e6103d49e7b8512838d274d9bfc072c532c32f65ea5c094f59c20000000f64a8ede609fe350bc7c3e3662d05a3daaaa8bd8551cf51edf0104a70ce58f58400000009f50bd94f60964adb2aee41c24522804ad50cd80a9fc95175efd5673311e461705f4cf26e8a952f2db02c8985ba3a407f46ce755ed9491df64e52a87594149e4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f00ced483015db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434079325"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6A20F531-8123-11EF-8320-E61828AB23DD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\InprocServer32\ThreadingModel = "Apartment"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\TypeLib\Version = "1.2"	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\ProgID\ = "TabDlg.SSTab.1"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\TypeLib\ = "{BDC217C8-ED16-11CD-956C-0000C04E4C0A}"	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}\1.1\HELPDIR	StrategicPlanningFramework.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}\TypeLib	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}\ = "DSSTabCtlEvents"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CLSID\ = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2\FLAGS\ = "2"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\COMDLG32.OCX"	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}\1.1\ = "Microsoft Tabbed Dialog Control 6.0 (SP6)"	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2\FLAGS	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}\TypeLib\Version = "1.1"	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	StrategicPlanningFramework.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Version\ = "1.2"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\ProxyStubClsid32	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\COMDLG32.OCX"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Tabctl32.ocx"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}\ = "SSTabCtl General Property Page Object"	StrategicPlanningFramework.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\ = "IRichText"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\ = "DRichTextEvents"	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab.1	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\InprocServer32	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ = "IOLEObject"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR\	StrategicPlanningFramework.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl\CLSID\ = "{3B7C8860-D78F-101B-B9B5-04021C009402}"	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\Version = "1.2"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab.1\CLSID\ = "{BDC217C5-ED16-11CD-956C-0000C04E4C0A}"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Version\ = "1.1"	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}\ProxyStubClsid32	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1\ = "132499"	StrategicPlanningFramework.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\MiscStatus\1	StrategicPlanningFramework.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.1"	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\TypeLib\Version = "1.2"	StrategicPlanningFramework.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\FLAGS\ = "2"	StrategicPlanningFramework.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}\1.1\HELPDIR\	StrategicPlanningFramework.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	StrategicPlanningFramework.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2720	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1832	StrategicPlanningFramework.exe
1832	StrategicPlanningFramework.exe
2720	iexplore.exe
2720	iexplore.exe
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2856	2720	iexplore.exe	32
PID 2720 wrote to memory of 2856	2720	iexplore.exe	32
PID 2720 wrote to memory of 2856	2720	iexplore.exe	32
PID 2720 wrote to memory of 2856	2720	iexplore.exe	32
PID 2720 wrote to memory of 2856	2720	iexplore.exe	32
PID 2720 wrote to memory of 2856	2720	iexplore.exe	32
PID 2720 wrote to memory of 2856	2720	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\StrategicPlanningFramework.exe
"C:\Users\Admin\AppData\Local\Temp\StrategicPlanningFramework.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
168af81402786471b2d7caa6f8279603

SHA1
45eecd6a40eec5a7a57788e1eaa1623206c585e8

SHA256
28a8533f3f92b17dd1202868abddb058bc133e359b956bdeb6bfbba2a607b843

SHA512
4f77ac12770187d323f763153afc7d19536afc0c9599668a0715a36791965adfe93f4e6e72b63fc9207381d7d2cd26f852165363efc48000a15a73e480cc88f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07115ce39d254eedf536bab8c5e01b90

SHA1
9bd026b055aae49c63d878ab80a1e95fc6fdc4cf

SHA256
bb73e67a6f89575c2bd735fc4576c3d391418dccb1cdd122c3584b48a65c62d2

SHA512
c8dfc201b30a5638a81832977330f5a04b20cab4dc6964148c264db93d257792aeeb38c4a37db3aaee2f0851db75f5251fbadcbe2e9aa92ec810f7cd02167849

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b317bba18e04496027d371676d1a98b2

SHA1
28618163f7b4bedb0d498f6944bc2f6854f72a37

SHA256
a987cd955383de93b555b43d0ef834555e448f8011fa617a847738cc1243b3ea

SHA512
fbf72e442b24679c7a3cbd59c4ccbc2a881e8e166602ffd87d66afb9c4a5ac3e2b5c5e2437e4a49d3486c4bb1f13994414950830c5ff5a7cd1f1f5c3b250065e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
890e97ab5095772c018249fdecff6177

SHA1
3e836fdf26a9979b32b190dcb3606a2fd4004a04

SHA256
e58de05fcc12eca306a4acce683264f2eeb23baf8240298cbc79872dc4245011

SHA512
76013c31ae1e47d708ad5539d77732846dc2d2fc3217fe1064bb721a3c7441e7ee3d3675d8afaa16ba729169f1f1ccba89e9276161843a9577e0d9086aa3c377

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09401bbbda3e3a6222f671ea120afb18

SHA1
42c7a8c734ba4c2675ba046826e6e6b3187e2ef7

SHA256
d0eef92e55e8546ff081ddb9b28d795c655d6dd090f2c7cbcffc5952dab6f970

SHA512
b9ad28a01859d2e0cfefcba86ef954ae6faf8281d4c8b6253920737e4d62da7303c28d189a328809a091547b091a69b2728847f5e1561e3a579086601931b563

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efedd3f193fd23578ac5fc38276af8dd

SHA1
f493f53bf6ca0a166a66c0a585aa5d4ebb389a17

SHA256
e3db6508b341942b3304887019e11308f43e523f83ae3e8c5285d29303361a45

SHA512
52be231bb5e327b80a092cb8b01dfc737235321a3e6838f73d25eb73a6c901c720e3287a1c15c758165f79be8a7947e690aa09f9d6ad403fc0234e38dd5ecf91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8628f20d061ea2cc1ca3fbff76cdc29e

SHA1
71995c192b08324950aa3177d7da98a6642b2ce8

SHA256
030029e89d3572dd350fcf172dfe08428d5d4d5c5458da9a7d3ad4a0eef6f21f

SHA512
5d63a79b538da062b02f180e6dbb234a145028a6344208e7712ead5e58ee3f1a63cb3d8851709f54ea9f0d24c16ce79680f0b72778126237483aa2223a2b1d8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e511fc3e64ac614f906a131aa78f321

SHA1
b40468ee6ad36c204b42c15a5eedb632bc3946ef

SHA256
1e4ca3f0707c762f9cc6024976015b39f03b4f05dab7c4761fd36360680e74bc

SHA512
49b29d9aee87e76866df942aa09752f6cc3f706d0b21ec5ba0c02e4e1894ef7aa7f5e34a49ccc5ae6d37f93bc87ac2dc46cb0e7d6fbae42a9b2d4537805a6b56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce54a762ec1e5f468bee27f31d1a4fc6

SHA1
253972e2f002606396ed0b2c8c1b7696227a995a

SHA256
fa4f0cdecc6179957ad535ee5a7bb536a8a5343b73885baf992e3c512233495e

SHA512
aa8abbb2d3763a225d10fb3fd9e3906c50f4ca8fc1504d434ee37184b386b5fd70b1d1ece50eb5effa4b0aa5d101ddb985c3ea23101acdcb0d1f2ad265b6b1c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d52ad09325a6daae2f5508936e3ee646

SHA1
5e653fab08ab6cde3ff138cf4979350810465033

SHA256
5bec2a95b3fbb5621cd2c008dd651badf9a6e81c1e46695475ceb7a7a7d4aad2

SHA512
4ba35ea7e00ef277f3288803cd7ffe25d1a5693b721ece33d64681b5271b472bf855fd71ead5e8a164aba4389a65c9cc27f688f961f292370b96d84309bac602

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52384ef15bb7852ecf52829c8b2f80a1

SHA1
19da751e912a2a58a2ec01c919b8a886e07feb0b

SHA256
54c381c805e44701450fb513b9f3d00a738be181a6982a7aec10ef1490079f47

SHA512
eed4022a4681897dbf80e7e8fab37c2e871d62aa671cbc41fea6bc16d92be4e21499b74008da9a2cda4a03c33f51a0929e279b83c306b0cbaa1ac32237dfabcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d47c30b2181dc73ea61e1dcb37790dc5

SHA1
909cf2932610565fed5adb9bfaf5a89e9c9b3256

SHA256
fe13fa4a2c64d1f25af122b6183601210aaa2b699ee5adac3c5b63871ed2028a

SHA512
f8019897bc79a429c0193502faec8ac1af5311690bace0d17c1ada839d2df2ebcdf181cf68f438428599e459195c927576a1130bbaa192d7bb0f6b05a3f68c55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7a6078beac4314280528ce289702ed0

SHA1
641cad5305caf8aa1da12c8c904f8024c53fcfe8

SHA256
9c5ce6586b1a06600bb89418012f0f2e339ae8aad22cd6a39379236546af002b

SHA512
44e1a9770543ceefac0c054217033f397ef540f38229e0aca2d702d0eea87f7a13bba12cdd880b911dfc048afd30871a31ca85c5a2e1affcfd7352b9bc2add8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
beb9c1e7a340e9eee623f745adac566d

SHA1
d26e5359a7e5904fe30e174a28dd7e5f4264340e

SHA256
f5a9916ab073979a8fb3c5123ddd7d6acd06be1b84c069282556073f284cb259

SHA512
c92a54f719bc4b09283855e7ce09ff01048f7d127862eadf7a9c2df86eb259df83de38aeb1ee2bca89c8ebfaff70a5ae590c60c030ce9108273d986defa50a54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf7210a34f832a98262d3ed5c8fd1f6f

SHA1
5f1f4f636a244dbfd9444d4c9f52fba3d64edc2b

SHA256
9ee40291b6c07b1f37c42cde2c18d345e689a772e081f943cede444a08e3a04d

SHA512
60d228e2b5ffdef55efbd0815edb1713531dab1a5cb49928c6e6764674d5ba4132aa159e9f9b051d6b059cd61d886ed5d91b6af1c4d33cb415460bab59ddacf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
268784780130056acf52c4779b521646

SHA1
cd4148c0ab3af3819b5f6d987fb64b9264b1dbcb

SHA256
5c4589acabc254257adff1f3c403f512b522180ef8d7858fbde551b9ea3090dc

SHA512
4c5940005f67dcbcbb6cc775782b76c28bd105eddc7c91ca670b9c3e8b8a974278aaf1b72d13ee1d065c3b20298ff73aabea8bdb9627021619a05683b1bcef04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21f98455954737c2ce0c0eec6754f049

SHA1
d0ebb794164e6d601d66b07f93819bdf9385cdfd

SHA256
1b12a9219946edd50ca90b118178f2bb26713961b4e7c9b9240c038711ad077a

SHA512
515dedc2a9a3cf088b50536e9eb23f1d5807f03247456fd8206370004292f67c79fa8d449a11c4abc8618b952baa865f9c7bb2b66a2e1f315825da46cabe61f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
604c2de6d1a1d8f8f3b59e1ae51a6892

SHA1
3f1a9943fcfbb7543058d92e76101f353784f600

SHA256
0e5ec7442377c77d0d12bf868033402de9aec5aa6820e3aa9432714374f1120f

SHA512
baee836f9af04d45840a7e7dc459f40eb37cb5c1290dc46066539e4f88d68a623acdd8457066673a167133fab9aa950a71d81d39e4bc5d8c2f419c35520ecb6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15034c8019d4eb539725bbd08c192832

SHA1
b6c518088c675f68b4ee7f3dfe9afc4e7fbf6bfd

SHA256
0bdb56557d6ed6ce1698d6a4ab42eb566418d0fb4f6a3c9ecd170b4994538ab8

SHA512
000c987f901c10842c4bf00a47fe63ae36325f0fec85c337ebc75392ba521e913f3068b844ad3cc5e15989adb2702b57e21ff1d5dc5dcf6130ffc6ba3e884f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2EDF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2F8F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1832-3-0x0000000003E30000-0x0000000003E32000-memory.dmp

Filesize
8KB

Download