19f91ee8a2acf408d69be07e1c4a99992213e565b9c8bb6d5c52f59f79707da3

Analysis

max time kernel
43s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-10-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

autoit-v3-setup.exe
Size

12.9MB
MD5

a65b5df1a846fb0bb7ad4b2da19bbbcd
SHA1

b93c659c6f9eca5cdaea8e552c0466cac3ea61d6
SHA256

19f91ee8a2acf408d69be07e1c4a99992213e565b9c8bb6d5c52f59f79707da3
SHA512

34980e23fe4c17c358cd23678c53ff548117479eab9c5cbd9f937a76bb2772e49a60c46e190da88f973ce05338a891609f012936f27de4c71b84f2789955da29
SSDEEP

393216:TDaWWhLNL186VkPwBOf74ycQf2TftfJBYT6IL/owfe:TDaWWdNxpg2icfRC7L/xm

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_ShellGetImageList.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Include\ArrayDisplayInternals.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Extras\Editors\TextPad\autoit_v3.syn	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_Excel_ColumnToNumber.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlListView_GetColumn.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_ChooseColor.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_FTP_ProgressDownload[2].au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_VerQueryValueEx.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_LineDDA.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Include\IPAddressConstants.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Extras\Editors\Crimson\Manual Install and Notes.htm	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_ColorConvertHSLtoRGB.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_FileIconInit.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUIToolTip_TrackPosition.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_RegEnumValue.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\Script.ico	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GDIPlus_GraphicsDrawCurve[2].au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlStatusBar_SetParts[3].au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlTab_HitTest.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlTreeView_InsertItem.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_NowDate.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_VerQueryValueEx.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\COM\wscriptshelltest.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\StringSplit[2].au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlListView_SortItems.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlMenu_AddMenuItem.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlToolbar_GetColorScheme.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_RegisterRawInputDevices[2].au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\ObjName[2].au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\StdinWrite.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_Excel_RangeInsert[3].au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_FTP_ProgressUpload[2].au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Random.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlListBox_GetCaretIndex.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlToolbar_IsButtonChecked.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_BrowseForFolderDlg.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_GetClientRect.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\TrayItemGetText.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlButton_Show.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlTab_GetCurSel.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_IEHeadInsertEventScript[3].au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_GetIdleTime.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlRebar_GetBandForeColor.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlTab_DeselectAll.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_BeginPaint.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_DwmIsCompositionEnabled.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_ClipBoard_SetViewer.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlListView_DeleteItemsSelected[2].au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlTreeView_GetBkColor.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_ShellExecuteEx.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlComboBoxEx_GetItemEx.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlTab_DeleteItem.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_IEImgClick[4].au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_WaitForMultipleObjects.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Include\GuiTreeView.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Include\WinAPIIcons.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\AutoIt_Main_v10_48x48_256.ico	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\FileGetAttrib[3].au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlMonthCal_GetFirstDOWStr.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlSlider_Destroy.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlTab_GetItemParam.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_Net_Share_ShareEnum.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Include\AVIConstants.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\ObjName.au3	autoit-v3-setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\Template.au3	autoit-v3-setup.exe

Loads dropped DLL 9 IoCs

pid	Process
3108	autoit-v3-setup.exe
3108	autoit-v3-setup.exe
3108	autoit-v3-setup.exe
3108	autoit-v3-setup.exe
3108	autoit-v3-setup.exe
3108	autoit-v3-setup.exe
3108	autoit-v3-setup.exe
3108	autoit-v3-setup.exe
3108	autoit-v3-setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autoit-v3-setup.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	hh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.au3\PersistentHandler	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\RunX64	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\RunX64\Command\ = "\"C:\\Program Files (x86)\\AutoIt3\\AutoIt3_x64.exe\" \"%1\" %*"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ = "IAutoItX3"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32\ = "{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\RunX86\Command\ = "\"C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe\" \"%1\" %*"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\CompileX64\Command	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3XScript\ = "AutoIt v3 Encoded Script"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control.1\ = "AutoItX3 Class"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\ = "AutoItX3 Class"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib\Version = "1.0"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\AutoIt3\\SciTE\\SciTE.exe\" \"%1\""	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\AutoIt3\\AutoItX"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\InProcServer32\ = "C:\\Program Files (x86)\\AutoIt3\\AutoItX\\AutoItX3.dll"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.au3\PerceivedType = "text"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\DefaultIcon	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Run\ = "Run Script"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\CompileX64	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.au3	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3XScript\DefaultIcon\ = "C:\\Program Files (x86)\\AutoIt3\\Icons\\au3script_v11.ico"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ = "IAutoItX3"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\Programmable	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ = "PSFactoryBuffer"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3XScript	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\CompileX86	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\ProgID	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\CompileX64\Command\ = "\"C:\\Program Files (x86)\\AutoIt3\\Aut2Exe\\Aut2Exe_x64.exe\" /in \"%l\""	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Edit	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Open\ = "Open"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\InprocServer32	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Compile\Command	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\CompileX86\ = "Compile Script (x86)"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3XScript\DefaultIcon	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\CLSID\ = "{1A671297-FA74-4422-80FA-6C5D8CE4DE04}"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3XScript\Shell\Run	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control.1	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\InProcServer32\ThreadingModel = "Both"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Edit\ = "Edit Script"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\CLSID	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\InProcServer32	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.au3\ShellNew	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AutoItX3.DLL\AppID = "{6E8109C4-F369-415D-AF9A-2AEEFF313234}"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\ = "AutoItX3 Class"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Run\Command\ = "\"C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe\" \"%1\" %*"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\RunX86\Command	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\CurVer	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\NumMethods	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3XScript\Shell\Run\Command\ = "\"C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe\" \"%1\" %*"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\CurVer\ = "AutoItX3.Control.1"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\FLAGS	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.a3x	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\RunX86\ = "Run Script (x86)"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\VersionIndependentProgID	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\0\win32\ = "C:\\Program Files (x86)\\AutoIt3\\AutoItX\\AutoItX3.dll"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib	autoit-v3-setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1508	hh.exe
1508	hh.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 1508	3108	autoit-v3-setup.exe	80
PID 3108 wrote to memory of 1508	3108	autoit-v3-setup.exe	80

C:\Users\Admin\AppData\Local\Temp\autoit-v3-setup.exe
"C:\Users\Admin\AppData\Local\Temp\autoit-v3-setup.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\hh.exe
  "C:\Windows\hh.exe" -mapid 1000 "C:\Program Files (x86)\AutoIt3\AutoIt.chm"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AutoIt3\AutoIt.chm

Filesize
6.9MB

MD5
ead459341e28c7baed87220409defd03

SHA1
c584a20d05d1276951244a88868acd8db8ce3f6e

SHA256
5e364bf4e210106ac194c27fbb9e180192f965e66c36b1d08e5e4d7ae6f0360d

SHA512
313a61eda7b14eb1f2472792313dec6d3a25d24495e6c741ec5dfb7ff7008bf893e76fa66fd2d03a154cd4ed0e564322973507514886963a766876872ebdb137

Download Submit
C:\Program Files (x86)\AutoIt3\AutoIt3.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll

Filesize
709KB

MD5
5bacfb9950a2e5cc6406f3ed03b3aa1d

SHA1
16eb30debf314c9f342a183b37442cc349f3e648

SHA256
a26fddee7674f74730d28d553220566bac64c4f877c5f33b5be6899202307845

SHA512
b927545809635e9d0b6929b77a268269aa54c7b34b1f0fed0631d380f3eb155dd6d010d569183b39efac58b0f13404f02de9d953b470a4e6ed833f600248c0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl88D9.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl88D9.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl88D9.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl88D9.tmp\ioDefaultOpen.ini

Filesize
666B

MD5
f206c218d309e5860cfa2ec8c4241b13

SHA1
b516eb68e49ce81e53f00accf8a6615a2236085d

SHA256
7019178b31439834c268006e52bd5efa4d7f585c0ccad6ea5ebed2c19d74b6bc

SHA512
1e467f5cedcdcc3baf40a105cf9c6002c6219c1d686c507584d6ab7e7c0161ade34f2ae04e0ca8781b190440abecfb48c83919e31ec91103db58f4096d7a246f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl88D9.tmp\ioDefaultOpen.ini

Filesize
744B

MD5
b04693254f1fd0b01e0d773b8e82d2de

SHA1
b59362e0ffce3257164ec364e095386842c5f95d

SHA256
9757286a1482cb8a060696d466d4553d59eaf9b0d914791b956aec8864c55ba2

SHA512
4c53bc64b0818fed850601eb835f14b768329c95a147b7169bcb633d6768a7f28c3931aae997346b105a5d86b80d449c15741c0a951e74d077c528552b924436

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl88D9.tmp\ioDefaultOpen.ini

Filesize
780B

MD5
6adfe37a158d14e79403bf5efb586769

SHA1
b1830d3b1057a13e0e74d193fc1b0aa16020035b

SHA256
76d69b65cac84effa6e6eada21ce3c67f8465f4adbf80bcc2207e2bf6f13d933

SHA512
1debb86ef7311a58d9f53b9144116de6809305e6dad37071db1b2977769bce5e4a91c9fc5d47aba4c9a44ab642e1b09555e6c25c5a9121edccdbc260cde8459e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl88D9.tmp\ioSpecial.ini

Filesize
1KB

MD5
c81614a5a1c0fa7bac2499e5de63eb1c

SHA1
f2a8d69ecdbe6af505eaa332e50b6c21a2f45755

SHA256
9d27d72f1ebc987a654af814760f06f7d21a8014ed0024e68b3fb88158682559

SHA512
90001af81053419ecf5eed1efa913a6543d5f0b1eb1cc8c12317113d6e48ef35a7a6b328801007ec66f01a536641bf77440b7b39f4aee65b96ea4c8535657fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl88D9.tmp\ioSpecial.ini

Filesize
1KB

MD5
2e2fae307fea45c089be463687aea26a

SHA1
0dd767595c805ff5f55bd347d9eadfde46c0d76f

SHA256
77761839fa32d18dfe343e9cb8c9f335866547b68db242814974daf87821e8a8

SHA512
c9d63c64e0254a76c07160c07c134c70efd0c05672c0ff41ce77c0dc13101d82ff03733bd9e02636db338b84e7549d32d34ab7f8bec70c9e3d2b8a9fdc8bd3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl88D9.tmp\ioX64Options.ini

Filesize
1KB

MD5
5d7f62f8a866750ef251e10ad24cf7ef

SHA1
bd8ddf635fe3fa79c4b1470908390779bebebf5f

SHA256
a730cb3105755eb3451275972fb13a3e4e000ec27419d6a7379d675abff103b1

SHA512
ab9a8c942beca69861578a673187b7b344b95ecd66c1ec32055669b49a36ec5b8ba928e5fc7e76adbbaea9ae3d1b516aa39a2cd7f5e56694e057ed459e6e4ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl88D9.tmp\ioX64Options.ini

Filesize
1KB

MD5
aab350739436db5f482776c19dec83af

SHA1
4014ff43663c04779484329f4e0437bb8cad0c76

SHA256
4a16a075b741f8684f6b80e04faf27ebecadfd4aefff80fd9d10616d954bbc93

SHA512
455900fc0b33ede0ca64ace1bffc1e3262d8e991183470bbbb79529014a5f597fe68cd33d4cb2ba508507fbdda81aede9c74e14c14736adca1218531fde2ab27

Download Submit