702fa5fe5e0e4ee1dbaefb9534e6d221730c02f498cb02d19053d6f9fe8ab523

Analysis

max time kernel
53s
max time network
36s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MKZ_Injektor.exe
Size

220KB
MD5

c9286240206dc9c20fa4c0a2cc22ffe0
SHA1

a0721b382b62e56c0364b3653b3d38140138c1c1
SHA256

9fe33c923d36bf3e06bde190e7f327217782955d7106e14910048947b08b86a5
SHA512

348d0feb59ec1957487c2850accacadf2b7daf20c78dc060ae37c2bf1cdf995d0e4978d164c90bf0f116fd791763dab7f9268ef6e91b3cb476092b9ce9abd54b
SSDEEP

3072:EtBqMBirTYgMJ0sRWznBOHSYzOZvMTLYNKtUh9Dw3zedEt00edkvgOO:kqMc3MJzIzw9zMMLCQUTMYEt09d3O

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	MKZ_Injektor.exe
File opened (read-only)	\??\K:	MKZ_Injektor.exe
File opened (read-only)	\??\S:	MKZ_Injektor.exe
File opened (read-only)	\??\X:	MKZ_Injektor.exe
File opened (read-only)	\??\J:	MKZ_Injektor.exe
File opened (read-only)	\??\O:	MKZ_Injektor.exe
File opened (read-only)	\??\T:	MKZ_Injektor.exe
File opened (read-only)	\??\W:	MKZ_Injektor.exe
File opened (read-only)	\??\M:	MKZ_Injektor.exe
File opened (read-only)	\??\P:	MKZ_Injektor.exe
File opened (read-only)	\??\R:	MKZ_Injektor.exe
File opened (read-only)	\??\A:	MKZ_Injektor.exe
File opened (read-only)	\??\E:	MKZ_Injektor.exe
File opened (read-only)	\??\H:	MKZ_Injektor.exe
File opened (read-only)	\??\I:	MKZ_Injektor.exe
File opened (read-only)	\??\L:	MKZ_Injektor.exe
File opened (read-only)	\??\V:	MKZ_Injektor.exe
File opened (read-only)	\??\Z:	MKZ_Injektor.exe
File opened (read-only)	\??\B:	MKZ_Injektor.exe
File opened (read-only)	\??\N:	MKZ_Injektor.exe
File opened (read-only)	\??\Q:	MKZ_Injektor.exe
File opened (read-only)	\??\U:	MKZ_Injektor.exe
File opened (read-only)	\??\Y:	MKZ_Injektor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MKZ_Injektor.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\glxpbuttonz.ocx, 30000"	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\MiscStatus\1	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\glxpbuttonz.UserButtonz\Clsid	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib\ = "{E3583FCE-0595-4681-9ACD-48F7805DEFE1}"	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ = "_UserButtonz"	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Implemented Categories	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\glxpbuttonz.ocx"	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib\Version = "1.0"	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\TypeLib	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid32	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\ProgID	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Control	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ = "UserButtonz"	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid32	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\ToolboxBitmap32	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\MiscStatus\ = "0"	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\HELPDIR	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib\ = "{E3583FCE-0595-4681-9ACD-48F7805DEFE1}"	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib\Version = "1.0"	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Control\	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\glxpbuttonz.UserButtonz\ = "glxpbuttonz.UserButtonz"	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\FLAGS\ = "2"	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\VERSION	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\glxpbuttonz.UserButtonz\Clsid\ = "{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}"	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ = "UserButtonz"	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\VERSION\ = "1.0"	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\0	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib\Version = "1.0"	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\TypeLib\ = "{E3583FCE-0595-4681-9ACD-48F7805DEFE1}"	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid32	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib\ = "{E3583FCE-0595-4681-9ACD-48F7805DEFE1}"	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\0\win32	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid32	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ = "__UserButtonz"	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\InprocServer32	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\MiscStatus	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ = "_UserButtonz"	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib\Version = "1.0"	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib\ = "{E3583FCE-0595-4681-9ACD-48F7805DEFE1}"	MKZ_Injektor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\ProgID\ = "glxpbuttonz.UserButtonz"	MKZ_Injektor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\ = "glxpbuttonz"	MKZ_Injektor.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2376	MKZ_Injektor.exe
2376	MKZ_Injektor.exe

C:\Users\Admin\AppData\Local\Temp\MKZ_Injektor.exe
"C:\Users\Admin\AppData\Local\Temp\MKZ_Injektor.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2376-3-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2376-4-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2376-7-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2376-6-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2376-5-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2376-8-0x0000000004630000-0x0000000004942000-memory.dmp

Filesize
3.1MB

Download
memory/2376-10-0x0000000004630000-0x0000000004942000-memory.dmp

Filesize
3.1MB

Download
memory/2376-11-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download