2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-06-2023 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Size

1.4MB
MD5

23371d43d689fb43c9a65bac96542387
SHA1

54384615481d3d31b839d7cabe13aa80e46ec0ff
SHA256

2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e
SHA512

0a6451bb5ea4fb2222b1d895443f822d74f2de1dc9baf19c19f601b0b74d8987ab99d3bdf8834f0267c1b724ad32e4df01835606e74075e0377e035a62336ee8
SSDEEP

24576:lGphMuzBMCx3Kta4ATJAH1mfpugR/md1bV5aaO0DN0vbdE+GHVIP8eJyYp14Y:kZzO43KtaISugRed1bVkaBDNudErVIP6

Score

8^/10

evasion persistence spyware stealer

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1992	attrib.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQDisabled	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\First Home Page = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Search Page = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\new	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BFDFile\Shellex	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\New	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\Sharing	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\XXX Groove GFS Context Menu Handler XXX	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\new\ = "{D969A300-E7FF-11d0-A93B-00A0C90F2719}"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BFDFile\Shellex\IconHandler	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BFDFile	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\Gadgets	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers	reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
964	regsvr32.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 1800	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	27
PID 916 wrote to memory of 1800	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	27
PID 916 wrote to memory of 1800	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	27
PID 916 wrote to memory of 1552	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	29
PID 916 wrote to memory of 1552	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	29
PID 916 wrote to memory of 1552	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	29
PID 1552 wrote to memory of 1992	1552	cmd.exe	31
PID 1552 wrote to memory of 1992	1552	cmd.exe	31
PID 1552 wrote to memory of 1992	1552	cmd.exe	31
PID 916 wrote to memory of 524	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	32
PID 916 wrote to memory of 524	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	32
PID 916 wrote to memory of 524	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	32
PID 916 wrote to memory of 588	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	34
PID 916 wrote to memory of 588	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	34
PID 916 wrote to memory of 588	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	34
PID 588 wrote to memory of 1876	588	cmd.exe	36
PID 588 wrote to memory of 1876	588	cmd.exe	36
PID 588 wrote to memory of 1876	588	cmd.exe	36
PID 916 wrote to memory of 1256	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	37
PID 916 wrote to memory of 1256	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	37
PID 916 wrote to memory of 1256	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	37
PID 1256 wrote to memory of 964	1256	cmd.exe	39
PID 1256 wrote to memory of 964	1256	cmd.exe	39
PID 1256 wrote to memory of 964	1256	cmd.exe	39
PID 1256 wrote to memory of 964	1256	cmd.exe	39
PID 1256 wrote to memory of 964	1256	cmd.exe	39
PID 916 wrote to memory of 1772	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	40
PID 916 wrote to memory of 1772	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	40
PID 916 wrote to memory of 1772	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	40
PID 1772 wrote to memory of 1612	1772	cmd.exe	42
PID 1772 wrote to memory of 1612	1772	cmd.exe	42
PID 1772 wrote to memory of 1612	1772	cmd.exe	42
PID 916 wrote to memory of 628	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	43
PID 916 wrote to memory of 628	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	43
PID 916 wrote to memory of 628	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	43
PID 628 wrote to memory of 640	628	cmd.exe	45
PID 628 wrote to memory of 640	628	cmd.exe	45
PID 628 wrote to memory of 640	628	cmd.exe	45
PID 916 wrote to memory of 2024	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	46
PID 916 wrote to memory of 2024	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	46
PID 916 wrote to memory of 2024	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	46
PID 2024 wrote to memory of 556	2024	cmd.exe	48
PID 2024 wrote to memory of 556	2024	cmd.exe	48
PID 2024 wrote to memory of 556	2024	cmd.exe	48
PID 916 wrote to memory of 2012	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	49
PID 916 wrote to memory of 2012	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	49
PID 916 wrote to memory of 2012	916	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	49
PID 2012 wrote to memory of 2008	2012	cmd.exe	51
PID 2012 wrote to memory of 2008	2012	cmd.exe	51
PID 2012 wrote to memory of 2008	2012	cmd.exe	51

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1992	attrib.exe
1876	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
"C:\Users\Admin\AppData\Local\Temp\2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd C:\Users
  2⤵
  PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +r +h +s desktop.ini
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\system32\attrib.exe
    attrib +r +h +s desktop.ini
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd ..
  2⤵
  PID:524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +r C:\Users
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\system32\attrib.exe
    attrib +r C:\Users
    3⤵
    - Views/modifies file attributes
    PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c regsvr32 /u /s igfxpph.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /u /s igfxpph.dll
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\system32\reg.exe
    reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
    3⤵
    - Modifies registry class
    PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\system32\reg.exe
    reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
    3⤵
    - Modifies registry class
    PID:640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\system32\reg.exe
    reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
    3⤵
    PID:556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\system32\reg.exe
    reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
    3⤵
    PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads