159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Size

917KB
MD5

bcc660796f568636736e44fce27ffcc4
SHA1

c9273b674834afd152415188af51555de60db04a
SHA256

159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212
SHA512

381fa02f6178e333b8e2992977dc2eaee7b171442b9d9c8fa1a3c9efc1fe6b6801d3ffd9bd7b1d92429dc3103d914452f0f12e6f7df49d642dae6fa1e5119c6d
SSDEEP

24576:qNoYMx2ZB8Xk61KmjBpVGE7EjwSM8AXjYRyfhfe:O1MKB8UyjsE7DlNMRyw

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\159FC4~1.EXE /dde"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\command	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DocObject	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\server\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\159FC4~1.EXE"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\InprocHandler32\ = "ole32.dll"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultExtension\ = ".pdf, PDF ??(*.pdf) "	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\ddeexec	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\0	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\3\ = "Foxit Reader"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\159FC4~1.EXE,1"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\MiscStatus	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\CLSID	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\CLSID\ = "{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\ProgID\ = "FoxitReader.Document"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Insertable\	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\server	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\ = "PDF Document"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\command	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\159FC4~1.EXE\" \"%1\""	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\Insertable	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\1\ = "&Open,0,2"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DocObject	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DefaultIcon	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\0\ = "&Edit,0,2"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultExtension	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\ddeexec	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\command	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\159FC4~1.EXE /dde"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Insertable	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\command	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DocObject\ = "0"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Printable	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\ddeexec	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\LocalServer32	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\159FC4~1.EXE"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\159FC4~1.EXE,1"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\ddeexec\ = "[open(\"%1\")]"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\159FC4~1.EXE /dde"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\ddeexec	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\ddeexec\ = "[print(\"%1\")]"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\Insertable\	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\3	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\verb\0\ = "&Edit"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\ = "PDF Document"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\2\ = "PDF"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\InprocHandler32	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultIcon	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\verb\0	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\verb	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\1	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\2	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\MiscStatus\ = "32"	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3100	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
3100	159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe

C:\Users\Admin\AppData\Local\Temp\159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe
"C:\Users\Admin\AppData\Local\Temp\159fc4e1f843cf0d66f08352de1117cb52be06cc7c3261378824096bf3d78212.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3100-132-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download
memory/3100-133-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads