Analysis
max time kernel: 14s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 04/11/2024, 03:52
Static task: static1
Behavioral task: behavioral1
Sample: bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe
Resource: win7-20241010-en
General
Target: bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe
Size: 1.9MB
MD5: 1c2240ab88c65121ed052a218fa75c50
SHA1: f6d49211c3944b83f60a8fb2ea1ec1bef48d17ba
SHA256: bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457e
SHA512: b4e6bf889dc80f233a36857b9443ded5e44b67ccc867f338f1c268e8c1f28bb778e30b9493778545e5377be1ae3c6569054737159be352b221759773d87d4506
SSDEEP: 49152:+mlFvQqwTRxeW9oqnczOz8Z2pQ0+1uW102xTzVs2Os5la0tsM1:1dwTRcWGOOCan5rOs7td1
Malware Config
Signatures

Floxif family

Detects Floxif payload 1 IoCs
resource                                    yara_rule
behavioral1/files/0x000a000000012262-2.dat  floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource                                    yara_rule
behavioral1/files/0x000a000000012262-2.dat  acprotect

Loads dropped DLL 47 IoCs
pid   Process
2272  bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe
(47 entries, all with the same pid and process)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description             ioc     Process
File opened (read-only) \??\e:  bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe

resource                                                                        yara_rule
behavioral1/memory/2272-4-0x0000000010000000-0x0000000010030000-memory.dmp      upx
behavioral1/files/0x000a000000012262-2.dat                                      upx
behavioral1/memory/2272-211-0x0000000010000000-0x0000000010030000-memory.dmp    upx
Drops file in Program Files directory 23 IoCs
Process (all entries): bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe
description                   ioc
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\GPKIProcSession.dll
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll.tmp
File opened for modification  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\MagicLineMBX UnInstall.exe
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\ENG.ini
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\KOR.ini
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\CertManagerMB.dll
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\PKICertCls.dll
File created                  C:\Program Files\Common Files\System\symsrv.dll
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\DSCToolkitV30.conf
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\images\Logo.bmp
File opened for modification  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll.dat
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\MagicLineMBX Uninstall.exe
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\NpkiCard.dll
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\nsldap32v50.dll
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\IssuerOid_Eng.conf
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\httptx.dll
File opened for modification  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\NFilterOpenWeb.dll
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\MagicLineMBX.dll
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\GccCard.dll
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\IssuerOid.conf
File created                  C:\Program Files (x86)\DreamSecurity\MagicLineMBX\DSCToolkitV30.dll
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe

NSIS installer 2 IoCs
resource                                      yara_rule
behavioral1/files/0x0007000000016cab-209.dat  nsis_installer_1
behavioral1/files/0x0007000000016cab-209.dat  nsis_installer_2
Modifies registry class 64 IoCs
Process (all entries): bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe
description      ioc
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\Elevation\Enabled = "1"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\ProxyStubClsid32
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ = "IMagicLineMBX"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO.1\ = "FileIO Class"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\VersionIndependentProgID
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\ = "MagicLineMBX 1.0 Type Library"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO\CLSID
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\MiscStatus\1\ = "131473"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\MagicLineMBX.MagicLineMBX
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\InprocServer32\ = "C:\\PROGRA~2\\DREAMS~1\\MAGICL~1\\MAGICL~1.DLL"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ToolboxBitmap32\ = "C:\\PROGRA~2\\DREAMS~1\\MAGICL~1\\MAGICL~1.DLL, 102"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\InprocServer32\ = "C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\admctrl.dll"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib\Version = "1.0"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\ = "FileIO Class"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\MiscStatus\1
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\0
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\0\win32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib\ = "{30105D53-4619-4D1A-9F18-D971351F9287}"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO\CurVer\ = "admctrl.FileIO.1"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\MagicLineMBX.MagicLineMBX.1\CLSID
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ = "IMagicLineMBX"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO\CLSID\ = "{EE720759-8584-46E5-9F3A-9E2969B13B68}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\0\win32\ = "C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\admctrl.dll"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\TypeLib\ = "{E42EC818-A73F-4156-AEFC-54501C210A35}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\TypeLib\Version = "1.0"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\MiscStatus\ = "0"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\TypeLib\ = "{E42EC818-A73F-4156-AEFC-54501C210A35}"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ProxyStubClsid32
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\ProgID
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\MagicLineMBX.MagicLineMBX.1\ = "MagicLineMBX Class"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\TypeLib\ = "{E42EC818-A73F-4156-AEFC-54501C210A35}"
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Control
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\HELPDIR
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\Programmable
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\VersionIndependentProgID
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\"
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Programmable
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\TypeLib
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Version
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\TypeLib\ = "{30105D53-4619-4D1A-9F18-D971351F9287}"
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\ProgID
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\MagicLineMBX.MagicLineMBX\CurVer
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\800
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\LocalizedString = "@C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\admctrl.dll,-101"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\ = "IFileIO"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\TypeLib\Version = "1.0"
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ToolboxBitmap32
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ProgID
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO\ = "FileIO Class"
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\Elevation
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
2272  bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2272  bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe
   "C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe"
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   PID:2272
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.8MB
MD5: 5c446cd4955399c94fe38437d67670a0
SHA1: 157324884d1c20f796b250bb79ab45c5a754d0ba
SHA256: e76369c872d3cc0cb5a71bbb3a05cdfe908b54497cafe75a5ce628bf086773d3
SHA512: 2a1c51d7bf5db1211cc7e4292d13f272fd31a7851d295c1b7f7f2e2ab1d2111fb5cafbe99c3fe921dd8ea2e4ffdc1ff9ed80f62045d9a7b7678d77befbeca48d

Filesize: 1.0MB
MD5: f44c463727629428543da74af7c4aa56
SHA1: c3925c5326c83366fedb5d899616c23b1eb35686
SHA256: 8e68aefd40b8bb12a5479cb1c45cae6a228a0c52f200a668a3088eeb0e0637dc
SHA512: 861cca7892ba39ecef3bfd8fcfe6bb3d2a84de13282c60e191dbe95cbb66a0246692ed9f59c5ff7e36aa8f0e4fd93d74d108045099cc26c30600359b3ae5e7ca

Filesize: 1.9MB
MD5: e5874a2edf0ed6578b89f606263ef61a
SHA1: 932470e5189664eae901bb3130e10ca605c948c4
SHA256: 092e9a4f7b350698a6c60ff7b9deb973644161221b14a73875ef9e952ddb96d2
SHA512: dae2260472fb33700d032038d808f05a4c4b666afe3cfb0a2fda5e0a09ca93305fc4331c570b001a770a6d9b95a379c3b53ad57dadb7c1688ca656a0c2a4ac8e

Filesize: 86KB
MD5: 7629e9d7490c8fbb60fbff721fd39bed
SHA1: 9d0cddb60bd1fda9a31c04d0eecc797ecc4b3f46
SHA256: 64d3a1ac747e04e1ea14868c50407a8775fabfc002b87b67ef0a57f2d1b70da2
SHA512: c2fc9b85d32fba6173d8a1f5d413a061ef2df189fd980434f008c6cfe759a41a8ae57f6642f5e0c4cbd15e6d5275092438db419e1b7f08c40be37d4512f783f3

Filesize: 246KB
MD5: 2631dc6e62f2d1a82af9cc59a55cb562
SHA1: ebd7b0ae4c61a9dcb0bf1629188901ef7fd811e1
SHA256: 1604537aea8265f97c55d896c9f35d02ba59d96e83e3a7337382c1491d752f80
SHA512: 6b2fa8e4ade8ba27feb8f64e9c92f91fe190ddd54cb7cb67aa589184ab4a64d7be99f717de602bc3dfe9a76d83583f9176a315193e302710d0d6ab0029112874

Filesize: 332KB
MD5: 6faa15d2e2bac763d9d8a5374913140a
SHA1: 1eca4d6d8a040ec53dab57767db52e5919dc8ffb
SHA256: 05faa0e47f950cca98e01e1ddf56c3bc6be85bec8fa344cef7febbb30cf5bfb9
SHA512: cdb52b69131d43cf491605ed4790c318364cee2a654b5d7adf878eebbc1c690c96418034d07cf98375a23100c30b68e8cbf6d7c9da9795ef41b88c2ab1b330e4

Filesize: 459KB
MD5: 751432e6a01e4d33654c866c6022d532
SHA1: 213f06b7c34c798db19f82be84f9fc5700f53cd7
SHA256: 0d59e145424288b8ac04fe788604c1bd5f5340ffb325cf3937c249a11b34e48c
SHA512: cc7693dae35578bd4e1703e30007b7df4c0bcc71ff73b46cee6b1e4e7185c28d9fcdb46f73b397bc1b011570ee92943954ed5098bc514b6241e67d502a7fd528

Filesize: 222KB
MD5: 548d42f4f74ccca097de9ecbaa067f3f
SHA1: 7b1a12b3339a052797f42043be335c5a32efe4a4
SHA256: a6e6b0b3c6e27e16370fa5dde7544c07c9315fa2a2269514de44000df33e3822
SHA512: b1b8bc55422ec31aeb0a44456821e4b1a9c2a08bcbd397f4c4eaa4a282f6f4b9a050c671c228ea6cf122eac883031c1e5d35c779bc2f291186ebe42ca50281a2

Filesize: 299KB
MD5: bd3e1fc747aaff04f84a1caa756d71f1
SHA1: 028e123c771a318d39a29d31034191953503c2f3
SHA256: fb2fac601ef045db90a2931abd103ee4018a8c7d4303a4125ad85c28fe4a075c
SHA512: d719a68320d65d157ae14c2ded4b318edfc1ee371b68d76854973a8f744b8f0903008f1f1d246c137c4fb07078e63b2c2cad2513269a45d577a129c25ce8eb96

Filesize: 70KB
MD5: 925e8fed4e272cfb552d3a6eafc23b34
SHA1: e83def94a9cdf40c59cdbd8232cb69db82f15aa1
SHA256: 4827fb95efa780faf0b5c8a63e6aae6fe0eacd6ddc6d1b2dc3161e246b207aeb
SHA512: e2d33e4ea78e36a11466a5fc953a6bb81bb9bc43b7b02da7f483dc2269d4b6b1f9d60088a928baa727ad40d82cf2140ca33d0c570d70dcda51b5a11df19f8593

Filesize: 136KB
MD5: ec0f6b05f7321ee8c6b4d2c8da487c67
SHA1: 48b2eb1aa2572f4b7ed5f3de3e119fcb72f40d2e
SHA256: 0a668e0e6b85202d298ed10c7f17bf07ec778ec323bc63e7dd89fb757346f71f
SHA512: d563e4c0ccd459db004c0e5518c706c115cd966d5c4ddb0e1bd64582e69c53146b67dc7b71920521c3837398073db4cb2d0eed577aedcd556adf3db07ae35dab

Filesize: 67KB
MD5: 7574cf2c64f35161ab1292e2f532aabf
SHA1: 14ba3fa927a06224dfe587014299e834def4644f
SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab