2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f

Analysis

max time kernel
141s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-06-2023 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Size

1.0MB
MD5

3b632bdbbb3e4c7e1230916828b47f62
SHA1

28780075a43a29924c6891949a3c25d99ef88467
SHA256

2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f
SHA512

a6b5eadc1e1220736f79c0a02bad3a36804197dc5749ba62cd1fd80219f03115da796181b94df25ed3a5b349f1cfa22885f0e0e57183a3475ca783e368f60b1c
SSDEEP

24576:yNoYMx2ZB8Xk61KmjBpVGE7EjwSM8AXjYRyfhfeQ:21MKB8UyjsE7DlNMRywQ

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DefaultIcon	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\ddeexec\ = "[open(\"%1\")]"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\ddeexec	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\InprocHandler32	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2909ED~1.EXE,1"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\verb	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\0\ = "&Edit,0,2"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\3\ = "Foxit Reader"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\CLSID\ = "{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\verb\0	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\MiscStatus	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\server\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2909ED~1.EXE"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\CLSID	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\ddeexec	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\command	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\verb\0\ = "&Edit"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\2\ = "PDF"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DocObject\ = "0"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\ProgID\ = "FoxitReader.Document"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\ddeexec	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\command	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Insertable\	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\MiscStatus\ = "32"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DocObject	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultIcon	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultExtension\ = ".pdf, PDF ??(*.pdf) "	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2909ED~1.EXE /dde"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\0	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\1\ = "&Open,0,2"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\InprocHandler32\ = "ole32.dll"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\2	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\ProgID	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Printable\	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\ = "PDF Document"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2909ED~1.EXE\" \"%1\""	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\command	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\Insertable\	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\ddeexec	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\command	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultExtension	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\ddeexec	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\3	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\server	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\LocalServer32	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2909ED~1.EXE /dde"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\1	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2909ED~1.EXE"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DocObject\ = "0"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2909ED~1.EXE,1"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\command	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2909ED~1.EXE /dde"	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1060	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
1060	2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe

C:\Users\Admin\AppData\Local\Temp\2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe
"C:\Users\Admin\AppData\Local\Temp\2909edfcf5f53522d0fed654a0432d485f76471082f0ef57fcc03e20d77e628f.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1060-54-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/1060-55-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1060-56-0x0000000003260000-0x000000000350E000-memory.dmp

Filesize
2.7MB

Download
memory/1060-65-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/1060-66-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads