Analysis Overview
SHA256
b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725
Threat Level: Likely malicious
The file b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Modifies system executable filetype association
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 14:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 14:00
Reported
2024-11-12 14:02
Platform
win7-20241023-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB02097E-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB02097E-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "mswae32.exe" | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB02097E-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Windows\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB02097E-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "mswae32.exe" | C:\Windows\spoolsv.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\spoolsv.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Windows\spoolsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Windows\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Windows\spoolsv.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\mswae32.exe | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mswae32.exe | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| File created | C:\Windows\SysWOW64\concp32.exe | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\concp32.exe | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| File created | C:\Windows\SysWOW64\vcl32.exe | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vcl32.exe | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| File opened for modification | C:\Windows\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spoolsv.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB02097E-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226 | C:\Windows\spoolsv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB02097E-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4 | C:\Windows\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB02097E-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB02097E-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB02097E-8B9A-11D5-EBA1-F78EEEEEE983}\ax = ed83c948d524ebdf78c8f3620c00986d | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB02097E-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Windows\spoolsv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB02097E-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | C:\Windows\spoolsv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB02097E-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f | C:\Windows\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Windows\spoolsv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB02097E-8B9A-11D5-EBA1-F78EEEEEE983}\sm = 01b8ec350471bd332433eee476ebe1f3 | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB02097E-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165" | C:\Windows\spoolsv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2092 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | C:\Windows\spoolsv.exe |
| PID 2092 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | C:\Windows\spoolsv.exe |
| PID 2092 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | C:\Windows\spoolsv.exe |
| PID 2092 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | C:\Windows\spoolsv.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe
"C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe"
C:\Windows\spoolsv.exe
C:\Windows\spoolsv.exe
Network
Files
memory/2092-0-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\concp32.exe
| MD5 | 0971ee2eafb3fd3ac6640fb92e874087 |
| SHA1 | e4e94c662a32246315a016686d805a8fd12f4b28 |
| SHA256 | ff9005af2266d3b2cbd009ee7ded001cbb395624d7d160ffdb01209f80f1f0b1 |
| SHA512 | 752f8844205a6974d73178dec3496b66c38abf2867541e75ace38f4325755e638cb8085f89e4a97dcf10e43acc826fd11276c44173e6495bf6beb55df042f98e |
memory/2092-13-0x0000000001B70000-0x0000000001BA5000-memory.dmp
memory/2092-15-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\spoolsv.exe
| MD5 | 5800b62cdb2c9f6d24b4fd9418034057 |
| SHA1 | 3141e6883b0f01e9f4d9c229cf9306f3575d5fd1 |
| SHA256 | 47b1c1846049609634d388ba5ba895232148737564c8bd4a530ba67cea5ed13b |
| SHA512 | f622518d7fa24bd6f9e767df97ec216ef2c5461e2e4a698e8588dcf5f3843d375948120df6d4c68d5b6ff91ad7acfcf07081f576c32bbbc1b1937ccb1ad0afb6 |
memory/2732-16-0x0000000000400000-0x0000000000435000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 14:00
Reported
2024-11-12 14:02
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
97s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50FC559-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50FC559-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msgyg32.exe" | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\msgyg32.exe | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msgyg32.exe | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| File created | C:\Windows\SysWOW64\concp32.exe | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\concp32.exe | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| File created | C:\Windows\SysWOW64\vcl32.exe | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vcl32.exe | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50FC559-8B9A-11D5-EBA1-F78EEEEEE983}\sm = 01b8ec350471bd332433eee476ebe1f3 | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50FC559-8B9A-11D5-EBA1-F78EEEEEE983}\ax = c895db9977af5353f6861299e8dcf05b | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50FC559-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50FC559-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe
"C:\Users\Admin\AppData\Local\Temp\b891aef085939935dab9c2073d7fd8855a72e283df16b282c88e4eec034a5725.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2372 -ip 2372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 700
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/2372-0-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\concp32.exe
| MD5 | a2d32f09221bb4dd5d47594f7ba2fbc9 |
| SHA1 | 3d0625d7c3fb1092bb50234d54381cd758f43521 |
| SHA256 | a332730c97b319fc2b55152a271b7fbebed8fc2deac4c870b651f4026b6da228 |
| SHA512 | dc6704af6117ee4851d533815d450d3da97c61d0cae4b29fa8826168be4be98adf9a5489e2808196dde68b9fb3cb51b580ee58db2097a9a4cf859791f9396309 |
memory/2372-7-0x0000000000400000-0x0000000000435000-memory.dmp