02f8ccce95dbd9194d6d019bc9e26d5635985a181171a2e0c2b3637d68bbbe7a

Analysis

max time kernel
39s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
28-05-2022 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02f8ccce95dbd9194d6d019bc9e26d5635985a181171a2e0c2b3637d68bbbe7a.exe
Size

2.3MB
MD5

8a1b42a5ea93de2ca996bb8b4d69e450
SHA1

854de0330e402cfaa30cf65e46b3eb4d7f1ec087
SHA256

02f8ccce95dbd9194d6d019bc9e26d5635985a181171a2e0c2b3637d68bbbe7a
SHA512

f63cbda4a51d9af5d3e5591ad3a037255643a22130e444728b3e2cff043ada6c7b377f3862f755e360d787468bfeb77905389cf5a12eb72080f3f41806a02e03

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

QwXLF8ZfsExCTXQ.exe

pid process

1736 QwXLF8ZfsExCTXQ.exe
Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Loads dropped DLL 4 IoCs

Processes:

02f8ccce95dbd9194d6d019bc9e26d5635985a181171a2e0c2b3637d68bbbe7a.exeQwXLF8ZfsExCTXQ.exeregsvr32.exeregsvr32.exe

pid process

624 02f8ccce95dbd9194d6d019bc9e26d5635985a181171a2e0c2b3637d68bbbe7a.exe
1736 QwXLF8ZfsExCTXQ.exe
1788 regsvr32.exe
1088 regsvr32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

pid	process
1736	QwXLF8ZfsExCTXQ.exe

pid	process
624	02f8ccce95dbd9194d6d019bc9e26d5635985a181171a2e0c2b3637d68bbbe7a.exe
1736	QwXLF8ZfsExCTXQ.exe
1788	regsvr32.exe
1088	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

QwXLF8ZfsExCTXQ.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.dll	QwXLF8ZfsExCTXQ.exe
File created	C:\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.tlb	QwXLF8ZfsExCTXQ.exe
File opened for modification	C:\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.tlb	QwXLF8ZfsExCTXQ.exe
File created	C:\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.dat	QwXLF8ZfsExCTXQ.exe
File opened for modification	C:\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.dat	QwXLF8ZfsExCTXQ.exe
File created	C:\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.x64.dll	QwXLF8ZfsExCTXQ.exe
File opened for modification	C:\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.x64.dll	QwXLF8ZfsExCTXQ.exe
File created	C:\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.dll	QwXLF8ZfsExCTXQ.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

QwXLF8ZfsExCTXQ.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{921472ee-59a6-42dc-903d-aae345f57146}	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{921472ee-59a6-42dc-903d-aae345f57146}\	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{921472ee-59a6-42dc-903d-aae345f57146}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{921472ee-59a6-42dc-903d-aae345f57146}\	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{921472ee-59a6-42dc-903d-aae345f57146}	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	QwXLF8ZfsExCTXQ.exe

Modifies registry class 64 IoCs

Processes:

QwXLF8ZfsExCTXQ.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{921472ee-59a6-42dc-903d-aae345f57146}	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\ = "IRegistry"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\TypeLib\ = "{41F978F3-431A-4464-A789-5C0692D562FB}"	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P921472ee_59a6_42dc_903d_aae345f57146_.P921472ee_59a6_42dc_903d_aae345f57146_.9\ = "VaUdix"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P921472ee_59a6_42dc_903d_aae345f57146_.P921472ee_59a6_42dc_903d_aae345f57146_.9	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P921472ee_59a6_42dc_903d_aae345f57146_.P921472ee_59a6_42dc_903d_aae345f57146_.9\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{921472ee-59a6-42dc-903d-aae345f57146}\InprocServer32\ = "C:\\Program Files (x86)\\VaUdix\\PtGbhnm2ZcPJPR.dll"	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{921472EE-59A6-42DC-903D-AAE345F57146}	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\ProxyStubClsid32	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{921472ee-59a6-42dc-903d-aae345f57146}\ = "VaUdix"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41F978F3-431A-4464-A789-5C0692D562FB}\1.0	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\ = "IRuntime"	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\ProxyStubClsid32	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P921472ee_59a6_42dc_903d_aae345f57146_.P921472ee_59a6_42dc_903d_aae345f57146_.9	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{921472ee-59a6-42dc-903d-aae345f57146}\ = "VaUdix"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\TypeLib\Version = "1.0"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\TypeLib\Version = "1.0"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\ = "IPlaghinMein"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\TypeLib\Version = "1.0"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\ = "ILocalStorage"	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P921472ee_59a6_42dc_903d_aae345f57146_.P921472ee_59a6_42dc_903d_aae345f57146_\CLSID	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P921472ee_59a6_42dc_903d_aae345f57146_.P921472ee_59a6_42dc_903d_aae345f57146_\CurVer\ = "P921472ee_59a6_42dc_903d_aae345f57146_.9"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{921472ee-59a6-42dc-903d-aae345f57146}\ProgID\ = "P921472ee_59a6_42dc_903d_aae345f57146_.9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{921472EE-59A6-42DC-903D-AAE345F57146}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41F978F3-431A-4464-A789-5C0692D562FB}\1.0\0\win32\ = "C:\\Program Files (x86)\\VaUdix\\PtGbhnm2ZcPJPR.tlb"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\TypeLib\Version = "1.0"	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P921472ee_59a6_42dc_903d_aae345f57146_.P921472ee_59a6_42dc_903d_aae345f57146_\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{921472ee-59a6-42dc-903d-aae345f57146}\Programmable	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{921472ee-59a6-42dc-903d-aae345f57146}\VersionIndependentProgID\ = "P921472ee_59a6_42dc_903d_aae345f57146_"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{921472EE-59A6-42DC-903D-AAE345F57146}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{921472EE-59A6-42DC-903D-AAE345F57146}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\ = "ILocalStorage"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\TypeLib\ = "{41F978F3-431A-4464-A789-5C0692D562FB}"	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P921472ee_59a6_42dc_903d_aae345f57146_.P921472ee_59a6_42dc_903d_aae345f57146_.9\CLSID	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P921472ee_59a6_42dc_903d_aae345f57146_.P921472ee_59a6_42dc_903d_aae345f57146_.9\CLSID\ = "{921472ee-59a6-42dc-903d-aae345f57146}"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P921472ee_59a6_42dc_903d_aae345f57146_.P921472ee_59a6_42dc_903d_aae345f57146_\CLSID\ = "{921472ee-59a6-42dc-903d-aae345f57146}"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P921472ee_59a6_42dc_903d_aae345f57146_.P921472ee_59a6_42dc_903d_aae345f57146_\ = "VaUdix"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\TypeLib\ = "{41F978F3-431A-4464-A789-5C0692D562FB}"	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\TypeLib\Version = "1.0"	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\TypeLib	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\TypeLib	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P921472ee_59a6_42dc_903d_aae345f57146_.P921472ee_59a6_42dc_903d_aae345f57146_\CLSID\ = "{921472ee-59a6-42dc-903d-aae345f57146}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{921472EE-59A6-42DC-903D-AAE345F57146}\Implemented Categories	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\TypeLib\ = "{41F978F3-431A-4464-A789-5C0692D562FB}"	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\TypeLib	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{921472ee-59a6-42dc-903d-aae345f57146}\Programmable\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{921472ee-59a6-42dc-903d-aae345f57146}\InprocServer32\ = "C:\\Program Files (x86)\\VaUdix\\PtGbhnm2ZcPJPR.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P921472ee_59a6_42dc_903d_aae345f57146_.P921472ee_59a6_42dc_903d_aae345f57146_\CurVer\ = "P921472ee_59a6_42dc_903d_aae345f57146_.9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{921472ee-59a6-42dc-903d-aae345f57146}\ProgID\ = "P921472ee_59a6_42dc_903d_aae345f57146_.9"	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\TypeLib	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P921472ee_59a6_42dc_903d_aae345f57146_.P921472ee_59a6_42dc_903d_aae345f57146_.9\CLSID\ = "{921472ee-59a6-42dc-903d-aae345f57146}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\TypeLib	QwXLF8ZfsExCTXQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\ProxyStubClsid32	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\ = "IRegistry"	QwXLF8ZfsExCTXQ.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

02f8ccce95dbd9194d6d019bc9e26d5635985a181171a2e0c2b3637d68bbbe7a.exeQwXLF8ZfsExCTXQ.exeregsvr32.exe

description	pid	process	target process
PID 624 wrote to memory of 1736	624	02f8ccce95dbd9194d6d019bc9e26d5635985a181171a2e0c2b3637d68bbbe7a.exe	QwXLF8ZfsExCTXQ.exe
PID 624 wrote to memory of 1736	624	02f8ccce95dbd9194d6d019bc9e26d5635985a181171a2e0c2b3637d68bbbe7a.exe	QwXLF8ZfsExCTXQ.exe
PID 624 wrote to memory of 1736	624	02f8ccce95dbd9194d6d019bc9e26d5635985a181171a2e0c2b3637d68bbbe7a.exe	QwXLF8ZfsExCTXQ.exe
PID 624 wrote to memory of 1736	624	02f8ccce95dbd9194d6d019bc9e26d5635985a181171a2e0c2b3637d68bbbe7a.exe	QwXLF8ZfsExCTXQ.exe
PID 1736 wrote to memory of 1788	1736	QwXLF8ZfsExCTXQ.exe	regsvr32.exe
PID 1736 wrote to memory of 1788	1736	QwXLF8ZfsExCTXQ.exe	regsvr32.exe
PID 1736 wrote to memory of 1788	1736	QwXLF8ZfsExCTXQ.exe	regsvr32.exe
PID 1736 wrote to memory of 1788	1736	QwXLF8ZfsExCTXQ.exe	regsvr32.exe
PID 1736 wrote to memory of 1788	1736	QwXLF8ZfsExCTXQ.exe	regsvr32.exe
PID 1736 wrote to memory of 1788	1736	QwXLF8ZfsExCTXQ.exe	regsvr32.exe
PID 1736 wrote to memory of 1788	1736	QwXLF8ZfsExCTXQ.exe	regsvr32.exe
PID 1788 wrote to memory of 1088	1788	regsvr32.exe	regsvr32.exe
PID 1788 wrote to memory of 1088	1788	regsvr32.exe	regsvr32.exe
PID 1788 wrote to memory of 1088	1788	regsvr32.exe	regsvr32.exe
PID 1788 wrote to memory of 1088	1788	regsvr32.exe	regsvr32.exe
PID 1788 wrote to memory of 1088	1788	regsvr32.exe	regsvr32.exe
PID 1788 wrote to memory of 1088	1788	regsvr32.exe	regsvr32.exe
PID 1788 wrote to memory of 1088	1788	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

QwXLF8ZfsExCTXQ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	QwXLF8ZfsExCTXQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{921472ee-59a6-42dc-903d-aae345f57146} = "1"	QwXLF8ZfsExCTXQ.exe

C:\Users\Admin\AppData\Local\Temp\02f8ccce95dbd9194d6d019bc9e26d5635985a181171a2e0c2b3637d68bbbe7a.exe
"C:\Users\Admin\AppData\Local\Temp\02f8ccce95dbd9194d6d019bc9e26d5635985a181171a2e0c2b3637d68bbbe7a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\59f719b2\QwXLF8ZfsExCTXQ.exe
"C:\Users\Admin\AppData\Local\Temp/59f719b2/QwXLF8ZfsExCTXQ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1736

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.x64.dll"
4⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:1088

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.dat
Filesize
7KB

MD5
dd61ecedc809af2b16c44df519bbc44d

SHA1
d7dbf42c14af7edabc862ebd9b736b9d5d57a6ea

SHA256
03b66fef5456decb4c33449edfb8df137784c98069cf2ee0dd3c725bf85169c6

SHA512
68add4aa1c565f1e00d896fb5d064884e4bbe5b4af714a9f7347e53b3d3a29eaa16cd2c0a66d92d00bc69c6775105c82bced213c02fbaa5f42786796f90329fb

Download Submit
C:\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.tlb
Filesize
4KB

MD5
0fe06b2503ac0e34dcbb7ac744f8905b

SHA1
8850ee13bfdc7e62670b67588f8b88e798f02622

SHA256
ee29d7672ab20bd7c779268d59994217be7d3704396e52785f3da70db8afb02b

SHA512
bf3df6c9dba950e63dc0b1d448e87d1387cfd63233fe9eb04cb72563bc9fb2be8bce133748be07b74e8cf47d374b0fd5641c1d8fd66886c950cad6bc771ee8e9

Download Submit
C:\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.x64.dll
Filesize
645KB

MD5
19671b861030e20d25efffb4e88367c1

SHA1
6f0d17eecc1ae9e58f654db5b29f403c0c0ab81f

SHA256
af3375b080b07725a8942a91ea9638d1cedb8ed09a036bf92d2987552f1b6cae

SHA512
4a77b37ff710205cad20e58dd0d6d7be38b24d2a1372a4e666e80baa1226713be885bd384ec3ccb4a3913c8f625cc47d123ba45b1f1a3f0e663bf29ecfd9a033

Download Submit
C:\Users\Admin\AppData\Local\Temp\59f719b2\PtGbhnm2ZcPJPR.dll
Filesize
573KB

MD5
78684444c9a78e2d7596e13b86d66dc5

SHA1
416b0b1a975917d06689ffd00e296b4765b20563

SHA256
653350cf81ceb2a428d0496f9cb5731ddaa060e62f0a7f1844183ed5c0e6d04b

SHA512
6a2ee46cf977ef78bd8b4ad8e8441bf40d108669044248d4c0c8a783378bc089792fb7b1297adb70de4aa5e828d0b298cfc679cc442b3b287a3cd4ef0ef8ced1

Download Submit
C:\Users\Admin\AppData\Local\Temp\59f719b2\PtGbhnm2ZcPJPR.tlb
Filesize
4KB

MD5
0fe06b2503ac0e34dcbb7ac744f8905b

SHA1
8850ee13bfdc7e62670b67588f8b88e798f02622

SHA256
ee29d7672ab20bd7c779268d59994217be7d3704396e52785f3da70db8afb02b

SHA512
bf3df6c9dba950e63dc0b1d448e87d1387cfd63233fe9eb04cb72563bc9fb2be8bce133748be07b74e8cf47d374b0fd5641c1d8fd66886c950cad6bc771ee8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\59f719b2\PtGbhnm2ZcPJPR.x64.dll
Filesize
645KB

MD5
19671b861030e20d25efffb4e88367c1

SHA1
6f0d17eecc1ae9e58f654db5b29f403c0c0ab81f

SHA256
af3375b080b07725a8942a91ea9638d1cedb8ed09a036bf92d2987552f1b6cae

SHA512
4a77b37ff710205cad20e58dd0d6d7be38b24d2a1372a4e666e80baa1226713be885bd384ec3ccb4a3913c8f625cc47d123ba45b1f1a3f0e663bf29ecfd9a033

Download Submit
C:\Users\Admin\AppData\Local\Temp\59f719b2\QwXLF8ZfsExCTXQ.dat
Filesize
7KB

MD5
dd61ecedc809af2b16c44df519bbc44d

SHA1
d7dbf42c14af7edabc862ebd9b736b9d5d57a6ea

SHA256
03b66fef5456decb4c33449edfb8df137784c98069cf2ee0dd3c725bf85169c6

SHA512
68add4aa1c565f1e00d896fb5d064884e4bbe5b4af714a9f7347e53b3d3a29eaa16cd2c0a66d92d00bc69c6775105c82bced213c02fbaa5f42786796f90329fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\59f719b2\QwXLF8ZfsExCTXQ.exe
Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\59f719b2\QwXLF8ZfsExCTXQ.exe
Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{921472ee-59a6-42dc-903d-aae345f57146}-log.txt
Filesize
642B

MD5
aeeeacdb6d2cbab04d54660847e5488b

SHA1
3e783dbcdf2100083e25ad56fb157b19b45124eb

SHA256
40a5ad4005359a096aa4848076332adc8b74bc38139523bb43c5098337e37ed1

SHA512
ce79c5c3fef43f97de6acf7b3f35e07025f96b57bdcf1df9a1040e9c147a87107edcffebcc16fd18cbbb8fe083866e9e47857f2114223d5e1edf5edde601beee

Download Submit
\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.dll
Filesize
573KB

MD5
78684444c9a78e2d7596e13b86d66dc5

SHA1
416b0b1a975917d06689ffd00e296b4765b20563

SHA256
653350cf81ceb2a428d0496f9cb5731ddaa060e62f0a7f1844183ed5c0e6d04b

SHA512
6a2ee46cf977ef78bd8b4ad8e8441bf40d108669044248d4c0c8a783378bc089792fb7b1297adb70de4aa5e828d0b298cfc679cc442b3b287a3cd4ef0ef8ced1

Download Submit
\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.x64.dll
Filesize
645KB

MD5
19671b861030e20d25efffb4e88367c1

SHA1
6f0d17eecc1ae9e58f654db5b29f403c0c0ab81f

SHA256
af3375b080b07725a8942a91ea9638d1cedb8ed09a036bf92d2987552f1b6cae

SHA512
4a77b37ff710205cad20e58dd0d6d7be38b24d2a1372a4e666e80baa1226713be885bd384ec3ccb4a3913c8f625cc47d123ba45b1f1a3f0e663bf29ecfd9a033

Download Submit
\Program Files (x86)\VaUdix\PtGbhnm2ZcPJPR.x64.dll
Filesize
645KB

MD5
19671b861030e20d25efffb4e88367c1

SHA1
6f0d17eecc1ae9e58f654db5b29f403c0c0ab81f

SHA256
af3375b080b07725a8942a91ea9638d1cedb8ed09a036bf92d2987552f1b6cae

SHA512
4a77b37ff710205cad20e58dd0d6d7be38b24d2a1372a4e666e80baa1226713be885bd384ec3ccb4a3913c8f625cc47d123ba45b1f1a3f0e663bf29ecfd9a033

Download Submit
\Users\Admin\AppData\Local\Temp\59f719b2\QwXLF8ZfsExCTXQ.exe
Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
memory/624-54-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download
memory/1088-68-0x0000000000000000-mapping.dmp

Download
memory/1088-69-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

Filesize
8KB

Download
memory/1736-56-0x0000000000000000-mapping.dmp

Download
memory/1788-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads