Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:11
Static task: static1
Behavioral task: behavioral1
  Sample: 1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe
  Resource: win10v2004-20241007-en
General
Target: 1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe
Size: 78KB
MD5: daa0498fa402a7c8564847ac48be78df
SHA1: d7fd3531dc44705aa406ed8b437a8c4759e4bef9
SHA256: 1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca
SHA512: 83711de1fbd8f5976138651950be591e14a1529d6e2839f748a992ec823e533daa2550fe2a7b36de2c994483d801311ebd4c2b392f60b891ed532337dc4a980c
SSDEEP: 1536:Z3xz2PuWyliXoauLbtNh6rsIIlezK+QNcUqqqq7m:NWroauLbtNh6rsIKgQemm
Malware Config
Signatures
Drops file in Program Files directory 64 IoCs
All 64 entries are by the sample process, 1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe (PID 4488). Most are opens of existing directories; the rows that matter for triage are the "File created" entries for new executables (pj11icon.exe, klist.exe, jabswitch.exe, MSOICONS.EXE, uninstall.exe, appletviewer.exe, misc.exe) and the opens for modification of existing executables (SQLDumper.exe, jdeps.exe, jps.exe, elevation_service.exe, 7zFM.exe, minidump-analyzer.exe, msoasb.exe). Paths ending in "$" are reproduced as the report shows them. On an affected host, compare each of these files against a known-good copy before trusting it.
description                   ioc
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\
File opened for modification  C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE$
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\
File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\
File opened for modification  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\
File opened for modification  C:\Program Files\7-Zip\
File opened for modification  C:\Program Files\Common Files\System\Ole DB\es-ES\
File opened for modification  C:\Program Files\Microsoft Office\root\Templates\
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\
File created                  C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe
File opened for modification  C:\Program Files\Mozilla Firefox\defaults\
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\x86\
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\
File created                  C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\
File created                  C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\server\
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe$
File created                  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE
File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\
File opened for modification  C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\
File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\sr\
File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jps.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\
File created                  C:\Program Files\VideoLAN\VLC\uninstall.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\
File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\services_discovery\
File opened for modification  C:\Program Files\Windows Security\
File opened for modification  C:\Program Files\Common Files\microsoft shared\TextConv\
File opened for modification  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\
File opened for modification  C:\Program Files\7-Zip\7zFM.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
File created                  C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe$
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\
File opened for modification  C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
File opened for modification  C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nl-NL\
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\msoasb.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE$
File created                  C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe
File opened for modification  C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe$
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Both the sample (PID 4488) and the regsvr32.exe child it launched (PID 3508) open this key. Reads of NLS\Language are also made by ordinary Windows code paths when a process initialises its locale, so this signature is weak evidence on its own and should be weighed together with the file and memory activity below.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe
Modifies registry class 64 IoCs
All 64 entries are written by the regsvr32.exe child (PID 3508), which the sample launched as "regsvr32.exe /s scrrun.dll" from C:\Windows\SysWOW64. The keys are the COM registration of the Scripting Runtime that scrrun.dll performs when registered (Scripting.FileSystemObject, Scripting.Dictionary, Scripting.Encoder and the *.HostEncode ProgIDs and script-file ScriptHostEncode handlers); the CLSID entries land under WOW6432Node because the 32-bit regsvr32.exe was used. The sample process itself writes no registry class keys in this report, so the suspicious part is that it re-registers a system DLL at all, not the individual keys.
description      ioc
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\CLSID
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\TypeLib
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\InprocServer32
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.js
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode\CLSID
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\ProgID
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\ProgID
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode\ = "{0CF774D0-F077-11D1-B1BC-00C04F86C324}"
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\ = "Script Encoder Object"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode
Key deleted      \REGISTRY\MACHINE\SOFTWARE\CLASSES\HTMLFILE\SCRIPTHOSTENCODE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\InprocServer32
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.asp
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode\CLSID
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode
Key deleted      \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSFILE\SCRIPTHOSTENCODE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\ProgID
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\ProgID
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode\CLSID
Key created      \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.html
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\InprocServer32
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode\CLSID
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode\ = "{85131630-480C-11D2-B1F9-00C04F86C324}"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\TypeLib
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.asa
Key deleted      \REGISTRY\MACHINE\SOFTWARE\CLASSES\VBSFILE\SCRIPTHOSTENCODE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile
Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Version
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\ProgID
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}\ProgID
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\TypeLib
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\Version
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\CLSID
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Version
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\InprocServer32
Key deleted      \REGISTRY\MACHINE\SOFTWARE\CLASSES\ASPFILE\SCRIPTHOSTENCODE
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
4488  1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe
Suspicious use of WriteProcessMemory 3 IoCs
All three rows record the sample (PID 4488) writing into the address space of the regsvr32.exe child it created (PID 3508). A parent writing into a child it has just spawned is the pattern seen in process injection, but the report does not show what was written or where, so injection cannot be confirmed from this page alone; a memory dump of PID 3508 taken after the writes would settle it.
description                       pid   Process                                                                 procid_target
PID 4488 wrote to memory of 3508  4488  1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe  85
PID 4488 wrote to memory of 3508  4488  1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe  85
PID 4488 wrote to memory of 3508  4488  1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe  85
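A triage helper for the IoC tables above, written for this page; it is not part of the sandbox report or its tooling. Its input rows are constructed from entries visible in the report, with the sample's 64-character file name shortened to "sample.exe" (an assumption made only for readability). It normalises the three row shapes the report uses (file activity, registry activity, WriteProcessMemory) and applies the checks a reviewer would make first: which Program Files targets are executables rather than directory opens, which of those are newly created files, what the regsvr32.exe child registered and in which registry view, and whether the repeated memory-write rows collapse to a single parent-to-child relationship.

```python
"""Triage helper for the IoC tables in this report. Added example, not part of
the sandbox report or its tooling. Rows are constructed from entries visible
in the report; the sample's long file name is shortened to "sample.exe"."""
import re
from collections import Counter

SAMPLE = "sample.exe"  # stands in for 1bc5c2de...b569bca.exe (assumption)

# (description, ioc, process) rows constructed from the file-activity table
FILE_ROWS = [
    ("File opened for modification", "C:\\Program Files\\7-Zip\\", SAMPLE),
    ("File opened for modification", "C:\\Program Files\\7-Zip\\7zFM.exe", SAMPLE),
    ("File created", "C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\klist.exe", SAMPLE),
    ("File created", "C:\\Program Files\\VideoLAN\\VLC\\uninstall.exe", SAMPLE),
    ("File opened for modification",
     "C:\\Program Files\\Microsoft Office\\root\\Office16\\PDFREFLOW.EXE$", SAMPLE),
    ("File opened for modification",
     "C:\\Program Files\\Google\\Chrome\\Application\\123.0.6312.123\\elevation_service.exe",
     SAMPLE),
    ("File opened for modification", "C:\\Program Files\\Windows Security\\", SAMPLE),
]

# (description, ioc, process) rows constructed from the registry-class table
CLS = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"
REG_ROWS = [
    ("Key created", CLS + "WOW6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocServer32", "regsvr32.exe"),
    ("Key created", CLS + "Scripting.FileSystemObject\\CLSID", "regsvr32.exe"),
    ("Key deleted", CLS + "Scripting.Encoder", "regsvr32.exe"),
    ("Set value (str)", CLS + "htmlfile\\ScriptHostEncode\\ = \"{0CF774D0-F077-11D1-B1BC-00C04F86C324}\"", "regsvr32.exe"),
    ("Set value (str)", CLS + "JSFile\\ScriptHostEncode\\ = \"{85131630-480C-11D2-B1F9-00C04F86C324}\"", "regsvr32.exe"),
    ("Key created", CLS + "WOW6432Node\\CLSID\\{EE09B103-97E0-11CF-978F-00A02463E06F}\\ProgID", "regsvr32.exe"),
]

# the three identical WriteProcessMemory rows, as the report prints them
MEMORY_ROWS = ["PID 4488 wrote to memory of 3508 4488 " + SAMPLE + " 85"] * 3

EXE_RE = re.compile(r"\.exe\$?$", re.IGNORECASE)  # ".exe" or the report's ".exe$" form
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)
MEM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def executable_targets(rows, root="C:\\Program Files\\"):
    """(action, path) for rows whose target under root is an executable.
    Directory opens (trailing backslash) are dropped: an installer or a plain
    directory walk produces those too, and on their own they say little."""
    return [(action, path) for action, path, _ in rows
            if path.startswith(root) and EXE_RE.search(path)]


def created_executables(rows):
    """The subset that is a new file rather than a write to an existing one."""
    return [path for action, path in executable_targets(rows) if action == "File created"]


def registry_summary(rows):
    """Counts per action, CLSIDs touched, registry view (WOW6432Node is the
    32-bit view, which matches the SysWOW64 regsvr32.exe in the process tree)
    and the ProgID -> CLSID values that were set."""
    summary = {"actions": Counter(), "clsids": set(),
               "views": Counter(), "progid_to_clsid": {}}
    for action, ioc, _ in rows:
        summary["actions"][action] += 1
        view = "32-bit" if "\\WOW6432Node\\" in ioc else "64-bit/neutral"
        summary["views"][view] += 1
        if (m := CLSID_RE.search(ioc)):
            summary["clsids"].add(m.group(0).upper())
        if action.startswith("Set value") and " = " in ioc:
            key, _, value = ioc.partition(" = ")
            progid = key.rstrip("\\").split("\\Classes\\", 1)[1]
            summary["progid_to_clsid"][progid] = value.strip('"')
    return summary


def memory_write_pairs(rows):
    """Collapse repeated WriteProcessMemory rows into {(writer, target): count}."""
    pairs = Counter()
    for line in rows:
        if (m := MEM_RE.search(line)):
            pairs[(int(m.group(1)), int(m.group(2)))] += 1
    return pairs


if __name__ == "__main__":
    for action, path in executable_targets(FILE_ROWS):
        print(f"{action:30} {path}")
    print("new executables:", created_executables(FILE_ROWS))
    s = registry_summary(REG_ROWS)
    print(dict(s["actions"]), dict(s["views"]), sorted(s["clsids"]), s["progid_to_clsid"])
    print("memory writes:", dict(memory_write_pairs(MEMORY_ROWS)))
```

On the constructed rows the file check keeps five executable targets and drops the two directory opens, two of the five are new files, the registry view split shows the CLSID keys going to the 32-bit view while the ProgID keys are view-neutral, and the three memory rows reduce to one writer/target pair with a count of three. To use it on the full report, paste the complete tables into the row lists in the same three-field shape.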
Processes
1. C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe"
   PID: 4488
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe (child of PID 4488)
      Command line: regsvr32.exe /s scrrun.dll
      PID: 3508
      - System Location Discovery: System Language Discovery
      - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.Axv (identical to the submitted sample by all four hashes)
  Filesize: 78KB
  MD5: daa0498fa402a7c8564847ac48be78df
  SHA1: d7fd3531dc44705aa406ed8b437a8c4759e4bef9
  SHA256: 1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca
  SHA512: 83711de1fbd8f5976138651950be591e14a1529d6e2839f748a992ec823e533daa2550fe2a7b36de2c994483d801311ebd4c2b392f60b891ed532337dc4a980c