f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2

Analysis

max time kernel
62s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
Size

32KB
MD5

19a57089ecc366b182b84367fa98e8aa
SHA1

8067bc3fe326d87aa013d5979ef64f379adfe928
SHA256

f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2
SHA512

143d6a06d50cd89d0a213888317a265e2adf2b4709e4c7a7f53e1d72daf98a1eb4af2427ab170344704ff604facbc42ae4e994fe02a34426b12150f984163422
SSDEEP

768:MArOY3/AV4slnloBLpzO3D9bID7UR4VfnbcuyD7UXG4:LOaqVToBFS+c4Vfnouy8Xh

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\7104675.TMP	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\realteck\geoidq.pif	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\realteck\geoidq.pif	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\ = "C:\\Windows\\SysWow64\\7104675.TMP"	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
Token: SeDebugPrivilege	2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1664	2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe	28
PID 2032 wrote to memory of 1664	2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe	28
PID 2032 wrote to memory of 1664	2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe	28
PID 2032 wrote to memory of 1664	2032	f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe	28
PID 884 wrote to memory of 1932	884	explorer.exe	30
PID 884 wrote to memory of 1932	884	explorer.exe	30
PID 884 wrote to memory of 1932	884	explorer.exe	30

C:\Users\Admin\AppData\Local\Temp\f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe
"C:\Users\Admin\AppData\Local\Temp\f6677296826831d38b63670a90cbfed306bfe066af24dbfb0a4f0263056982f2.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:1664

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\system32\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\7104675.TMP

Filesize
12.2MB

MD5
a434a2c846ec20b3897c457678bedea6

SHA1
a18cdda8812d26bc559885ca6d83061bf07dd22a

SHA256
ae9d7fb8021868f52d8b68f7f9f0c5a75bf0ab6738bd7c308473b2d0a827c66f

SHA512
1db544b5c2d8bfb7e011cf962d976e6c207040cd99a9544f723fa510c439f1aa57c79c6e196db189451be33e4b1ed158dd23e0554204a7b095254db4eef0352e

Download Submit
memory/884-60-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

Filesize
8KB

Download
memory/884-62-0x0000000003AD0000-0x0000000003AE0000-memory.dmp

Filesize
64KB

Download
memory/1664-57-0x0000000000000000-mapping.dmp

Download
memory/1664-59-0x0000000075431000-0x0000000075433000-memory.dmp

Filesize
8KB

Download
memory/1932-61-0x0000000000000000-mapping.dmp

Download
memory/2032-54-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/2032-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download