0d1bf123be9f1401101d0d769f7f7d48be89e13cce3b6c43dba30f68fc20aa8b

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
29-05-2022 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d1bf123be9f1401101d0d769f7f7d48be89e13cce3b6c43dba30f68fc20aa8b.exe
Size

2.3MB
MD5

7720cd5e47c1bbb776b08b99d92e3270
SHA1

3e3f9d255f819620c94cae97975037e0a763260d
SHA256

0d1bf123be9f1401101d0d769f7f7d48be89e13cce3b6c43dba30f68fc20aa8b
SHA512

d4d08eb402b053642262c76b23fde8d5e2b51f6265948b4091d7e3a859bdd843ea8001b033a917a565fb335f562f4450a74e4ced0eeb93276ec17c43d707ba9b

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

reuK6g5cd5Sg6N2.exe

pid process

1928 reuK6g5cd5Sg6N2.exe
Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Loads dropped DLL 4 IoCs

Processes:

0d1bf123be9f1401101d0d769f7f7d48be89e13cce3b6c43dba30f68fc20aa8b.exereuK6g5cd5Sg6N2.exeregsvr32.exeregsvr32.exe

pid process

1648 0d1bf123be9f1401101d0d769f7f7d48be89e13cce3b6c43dba30f68fc20aa8b.exe
1928 reuK6g5cd5Sg6N2.exe
1172 regsvr32.exe
2032 regsvr32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

pid	process
1928	reuK6g5cd5Sg6N2.exe

pid	process
1648	0d1bf123be9f1401101d0d769f7f7d48be89e13cce3b6c43dba30f68fc20aa8b.exe
1928	reuK6g5cd5Sg6N2.exe
1172	regsvr32.exe
2032	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

reuK6g5cd5Sg6N2.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.dll	reuK6g5cd5Sg6N2.exe
File created	C:\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.tlb	reuK6g5cd5Sg6N2.exe
File opened for modification	C:\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.tlb	reuK6g5cd5Sg6N2.exe
File created	C:\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.dat	reuK6g5cd5Sg6N2.exe
File opened for modification	C:\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.dat	reuK6g5cd5Sg6N2.exe
File created	C:\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.x64.dll	reuK6g5cd5Sg6N2.exe
File opened for modification	C:\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.x64.dll	reuK6g5cd5Sg6N2.exe
File created	C:\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.dll	reuK6g5cd5Sg6N2.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

reuK6g5cd5Sg6N2.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{890b17ff-7f24-435c-97bd-1b65753f2d43}	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{890b17ff-7f24-435c-97bd-1b65753f2d43}	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{890b17ff-7f24-435c-97bd-1b65753f2d43}\	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{890b17ff-7f24-435c-97bd-1b65753f2d43}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{890b17ff-7f24-435c-97bd-1b65753f2d43}\	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

reuK6g5cd5Sg6N2.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P890b17ff_7f24_435c_97bd_1b65753f2d43_.P890b17ff_7f24_435c_97bd_1b65753f2d43_.9\CLSID\ = "{890b17ff-7f24-435c-97bd-1b65753f2d43}"	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\TypeLib	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P890b17ff_7f24_435c_97bd_1b65753f2d43_.P890b17ff_7f24_435c_97bd_1b65753f2d43_.9\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\TypeLib\ = "{41F978F3-431A-4464-A789-5C0692D562FB}"	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\TypeLib\Version = "1.0"	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\ProxyStubClsid32	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P890b17ff_7f24_435c_97bd_1b65753f2d43_.P890b17ff_7f24_435c_97bd_1b65753f2d43_\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890b17ff-7f24-435c-97bd-1b65753f2d43}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41F978F3-431A-4464-A789-5C0692D562FB}\1.0\FLAGS\ = "0"	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\TypeLib\ = "{41F978F3-431A-4464-A789-5C0692D562FB}"	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\ = "IRegistry"	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\TypeLib\Version = "1.0"	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P890b17ff_7f24_435c_97bd_1b65753f2d43_.P890b17ff_7f24_435c_97bd_1b65753f2d43_\ = "VaUDix"	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\ProxyStubClsid32	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P890b17ff_7f24_435c_97bd_1b65753f2d43_.P890b17ff_7f24_435c_97bd_1b65753f2d43_\CLSID	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\TypeLib\ = "{41F978F3-431A-4464-A789-5C0692D562FB}"	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\TypeLib\ = "{41F978F3-431A-4464-A789-5C0692D562FB}"	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890b17ff-7f24-435c-97bd-1b65753f2d43}\ = "VaUDix"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890B17FF-7F24-435C-97BD-1B65753F2D43}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P890b17ff_7f24_435c_97bd_1b65753f2d43_.P890b17ff_7f24_435c_97bd_1b65753f2d43_.9\ = "VaUDix"	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\ = "IRuntime"	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890b17ff-7f24-435c-97bd-1b65753f2d43}\VersionIndependentProgID\ = "P890b17ff_7f24_435c_97bd_1b65753f2d43_"	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890B17FF-7F24-435C-97BD-1B65753F2D43}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890B17FF-7F24-435C-97BD-1B65753F2D43}	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\TypeLib	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\TypeLib\Version = "1.0"	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\TypeLib\ = "{41F978F3-431A-4464-A789-5C0692D562FB}"	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P890b17ff_7f24_435c_97bd_1b65753f2d43_.P890b17ff_7f24_435c_97bd_1b65753f2d43_\CurVer\ = "P890b17ff_7f24_435c_97bd_1b65753f2d43_.9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890b17ff-7f24-435c-97bd-1b65753f2d43}\ProgID	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41F978F3-431A-4464-A789-5C0692D562FB}\1.0\0\win32	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\TypeLib\Version = "1.0"	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\ProxyStubClsid32	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P890b17ff_7f24_435c_97bd_1b65753f2d43_.P890b17ff_7f24_435c_97bd_1b65753f2d43_	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\ProxyStubClsid32	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P890b17ff_7f24_435c_97bd_1b65753f2d43_.P890b17ff_7f24_435c_97bd_1b65753f2d43_\ = "VaUDix"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890b17ff-7f24-435c-97bd-1b65753f2d43}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890b17ff-7f24-435c-97bd-1b65753f2d43}\ProgID\ = "P890b17ff_7f24_435c_97bd_1b65753f2d43_.9"	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\ProxyStubClsid32	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P890b17ff_7f24_435c_97bd_1b65753f2d43_.P890b17ff_7f24_435c_97bd_1b65753f2d43_\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\ = "ILocalStorage"	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890B17FF-7F24-435C-97BD-1B65753F2D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890b17ff-7f24-435c-97bd-1b65753f2d43}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890b17ff-7f24-435c-97bd-1b65753f2d43}\ProgID\ = "P890b17ff_7f24_435c_97bd_1b65753f2d43_.9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890B17FF-7F24-435C-97BD-1B65753F2D43}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P890b17ff_7f24_435c_97bd_1b65753f2d43_.P890b17ff_7f24_435c_97bd_1b65753f2d43_.9	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\TypeLib	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890b17ff-7f24-435c-97bd-1b65753f2d43}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41F978F3-431A-4464-A789-5C0692D562FB}	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41F978F3-431A-4464-A789-5C0692D562FB}\1.0\0	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\TypeLib	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\TypeLib	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890b17ff-7f24-435c-97bd-1b65753f2d43}\InprocServer32\ = "C:\\Program Files (x86)\\VaUDix\\lCe2JamnbBZVzN.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890b17ff-7f24-435c-97bd-1b65753f2d43}\VersionIndependentProgID	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\ProxyStubClsid32	reuK6g5cd5Sg6N2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{890B17FF-7F24-435C-97BD-1B65753F2D43}\Implemented Categories	reuK6g5cd5Sg6N2.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

0d1bf123be9f1401101d0d769f7f7d48be89e13cce3b6c43dba30f68fc20aa8b.exereuK6g5cd5Sg6N2.exeregsvr32.exe

description	pid	process	target process
PID 1648 wrote to memory of 1928	1648	0d1bf123be9f1401101d0d769f7f7d48be89e13cce3b6c43dba30f68fc20aa8b.exe	reuK6g5cd5Sg6N2.exe
PID 1648 wrote to memory of 1928	1648	0d1bf123be9f1401101d0d769f7f7d48be89e13cce3b6c43dba30f68fc20aa8b.exe	reuK6g5cd5Sg6N2.exe
PID 1648 wrote to memory of 1928	1648	0d1bf123be9f1401101d0d769f7f7d48be89e13cce3b6c43dba30f68fc20aa8b.exe	reuK6g5cd5Sg6N2.exe
PID 1648 wrote to memory of 1928	1648	0d1bf123be9f1401101d0d769f7f7d48be89e13cce3b6c43dba30f68fc20aa8b.exe	reuK6g5cd5Sg6N2.exe
PID 1928 wrote to memory of 1172	1928	reuK6g5cd5Sg6N2.exe	regsvr32.exe
PID 1928 wrote to memory of 1172	1928	reuK6g5cd5Sg6N2.exe	regsvr32.exe
PID 1928 wrote to memory of 1172	1928	reuK6g5cd5Sg6N2.exe	regsvr32.exe
PID 1928 wrote to memory of 1172	1928	reuK6g5cd5Sg6N2.exe	regsvr32.exe
PID 1928 wrote to memory of 1172	1928	reuK6g5cd5Sg6N2.exe	regsvr32.exe
PID 1928 wrote to memory of 1172	1928	reuK6g5cd5Sg6N2.exe	regsvr32.exe
PID 1928 wrote to memory of 1172	1928	reuK6g5cd5Sg6N2.exe	regsvr32.exe
PID 1172 wrote to memory of 2032	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 2032	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 2032	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 2032	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 2032	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 2032	1172	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 2032	1172	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

reuK6g5cd5Sg6N2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	reuK6g5cd5Sg6N2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{890b17ff-7f24-435c-97bd-1b65753f2d43} = "1"	reuK6g5cd5Sg6N2.exe

C:\Users\Admin\AppData\Local\Temp\0d1bf123be9f1401101d0d769f7f7d48be89e13cce3b6c43dba30f68fc20aa8b.exe
"C:\Users\Admin\AppData\Local\Temp\0d1bf123be9f1401101d0d769f7f7d48be89e13cce3b6c43dba30f68fc20aa8b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\6e8a1b0b\reuK6g5cd5Sg6N2.exe
"C:\Users\Admin\AppData\Local\Temp/6e8a1b0b/reuK6g5cd5Sg6N2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1928

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.x64.dll"
4⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:2032

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.dat
Filesize
7KB

MD5
1ececa63a666b0dd13b495ca92fa692b

SHA1
23c1dcf740b3a72147bf81c67be77fadd5581550

SHA256
434f5ee8a1b963c4f1078d86ea521687d193f896221448374fc457d72683c410

SHA512
1ba516379c1b5ac034847fcf22337db2f1753fb76e5e08b7c6be059fe94b19a43623d824c59ced677de48ce9aa53bfd275891650dbed7ca5ec047ee8bb21aacf

Download Submit
C:\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.tlb
Filesize
4KB

MD5
0fe06b2503ac0e34dcbb7ac744f8905b

SHA1
8850ee13bfdc7e62670b67588f8b88e798f02622

SHA256
ee29d7672ab20bd7c779268d59994217be7d3704396e52785f3da70db8afb02b

SHA512
bf3df6c9dba950e63dc0b1d448e87d1387cfd63233fe9eb04cb72563bc9fb2be8bce133748be07b74e8cf47d374b0fd5641c1d8fd66886c950cad6bc771ee8e9

Download Submit
C:\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.x64.dll
Filesize
645KB

MD5
f1d5fc4488d1a83dc1b50cd0a03e9a4e

SHA1
4cced3bca48fd00858df9e76f4fbff05da82575b

SHA256
128a355220799bbea2587e47eeb23f47b711a7adba937858871f5f7c888b3466

SHA512
1f0064675fe37629a6c5701a00eacac03ee5988cbce8e2571dd64c4c6ab09951fcfc64becea0ebbc737e9ba9b78c719f7a4518fc7278e272f24e0470b6d05677

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e8a1b0b\lCe2JamnbBZVzN.dll
Filesize
573KB

MD5
46bbf1449337d4bc81236f1b130427ec

SHA1
685a825e6bb59ae55ab87883a21f31565dcb7de2

SHA256
c5fdc4493eba83af39e8f4e8360b49af8995f0c5eda2949159a7427097b0e5f2

SHA512
c7f4ee5e5067db83d2b51521b308a4dea2e84995072544c386b558b4d8e777007c9e2b63a0308af148f740f1e43726c65317fb496c2d274fff5a183abbc5c716

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e8a1b0b\lCe2JamnbBZVzN.tlb
Filesize
4KB

MD5
0fe06b2503ac0e34dcbb7ac744f8905b

SHA1
8850ee13bfdc7e62670b67588f8b88e798f02622

SHA256
ee29d7672ab20bd7c779268d59994217be7d3704396e52785f3da70db8afb02b

SHA512
bf3df6c9dba950e63dc0b1d448e87d1387cfd63233fe9eb04cb72563bc9fb2be8bce133748be07b74e8cf47d374b0fd5641c1d8fd66886c950cad6bc771ee8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e8a1b0b\lCe2JamnbBZVzN.x64.dll
Filesize
645KB

MD5
f1d5fc4488d1a83dc1b50cd0a03e9a4e

SHA1
4cced3bca48fd00858df9e76f4fbff05da82575b

SHA256
128a355220799bbea2587e47eeb23f47b711a7adba937858871f5f7c888b3466

SHA512
1f0064675fe37629a6c5701a00eacac03ee5988cbce8e2571dd64c4c6ab09951fcfc64becea0ebbc737e9ba9b78c719f7a4518fc7278e272f24e0470b6d05677

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e8a1b0b\reuK6g5cd5Sg6N2.dat
Filesize
7KB

MD5
1ececa63a666b0dd13b495ca92fa692b

SHA1
23c1dcf740b3a72147bf81c67be77fadd5581550

SHA256
434f5ee8a1b963c4f1078d86ea521687d193f896221448374fc457d72683c410

SHA512
1ba516379c1b5ac034847fcf22337db2f1753fb76e5e08b7c6be059fe94b19a43623d824c59ced677de48ce9aa53bfd275891650dbed7ca5ec047ee8bb21aacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e8a1b0b\reuK6g5cd5Sg6N2.exe
Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e8a1b0b\reuK6g5cd5Sg6N2.exe
Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{890b17ff-7f24-435c-97bd-1b65753f2d43}-log.txt
Filesize
1KB

MD5
7d2c6a1d53ae84901399e6e2ec009722

SHA1
6d7ed3e56e09d4ae1a77ae683bc738666aefc6f3

SHA256
23301cc992d30a3ab83f533c7cf817fb2a1fc71734f2d42a0731a9aa28b998be

SHA512
0ad14245fd8fd1e7d8792562558b51ab45cf5995f76f28bca443fb80715bf59f0dcab4c28b9c89e61f602afc02439ed6f3e97b9a40ae0c94e3dd3c11c33e5c34

Download Submit
\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.dll
Filesize
573KB

MD5
46bbf1449337d4bc81236f1b130427ec

SHA1
685a825e6bb59ae55ab87883a21f31565dcb7de2

SHA256
c5fdc4493eba83af39e8f4e8360b49af8995f0c5eda2949159a7427097b0e5f2

SHA512
c7f4ee5e5067db83d2b51521b308a4dea2e84995072544c386b558b4d8e777007c9e2b63a0308af148f740f1e43726c65317fb496c2d274fff5a183abbc5c716

Download Submit
\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.x64.dll
Filesize
645KB

MD5
f1d5fc4488d1a83dc1b50cd0a03e9a4e

SHA1
4cced3bca48fd00858df9e76f4fbff05da82575b

SHA256
128a355220799bbea2587e47eeb23f47b711a7adba937858871f5f7c888b3466

SHA512
1f0064675fe37629a6c5701a00eacac03ee5988cbce8e2571dd64c4c6ab09951fcfc64becea0ebbc737e9ba9b78c719f7a4518fc7278e272f24e0470b6d05677

Download Submit
\Program Files (x86)\VaUDix\lCe2JamnbBZVzN.x64.dll
Filesize
645KB

MD5
f1d5fc4488d1a83dc1b50cd0a03e9a4e

SHA1
4cced3bca48fd00858df9e76f4fbff05da82575b

SHA256
128a355220799bbea2587e47eeb23f47b711a7adba937858871f5f7c888b3466

SHA512
1f0064675fe37629a6c5701a00eacac03ee5988cbce8e2571dd64c4c6ab09951fcfc64becea0ebbc737e9ba9b78c719f7a4518fc7278e272f24e0470b6d05677

Download Submit
\Users\Admin\AppData\Local\Temp\6e8a1b0b\reuK6g5cd5Sg6N2.exe
Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
memory/1172-64-0x0000000000000000-mapping.dmp

Download
memory/1648-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1928-56-0x0000000000000000-mapping.dmp

Download
memory/2032-68-0x0000000000000000-mapping.dmp

Download
memory/2032-69-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads