2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2023, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Size

1.4MB
MD5

23371d43d689fb43c9a65bac96542387
SHA1

54384615481d3d31b839d7cabe13aa80e46ec0ff
SHA256

2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e
SHA512

0a6451bb5ea4fb2222b1d895443f822d74f2de1dc9baf19c19f601b0b74d8987ab99d3bdf8834f0267c1b724ad32e4df01835606e74075e0377e035a62336ee8
SSDEEP

24576:lGphMuzBMCx3Kta4ATJAH1mfpugR/md1bV5aaO0DN0vbdE+GHVIP8eJyYp14Y:kZzO43KtaISugRed1bVkaBDNudErVIP6

Score

8^/10

evasion persistence spyware stealer

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
3868	attrib.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQDisabled	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows\CurrentVersion\Run	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\First Home Page = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.429980.com/"	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\new\ = "{D969A300-E7FF-11d0-A93B-00A0C90F2719}"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BFDFile\Shellex\IconHandler	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BFDFile	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BFDFile\Shellex	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\New	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\Sharing	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\new	reg.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 208	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	84
PID 4852 wrote to memory of 208	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	84
PID 4852 wrote to memory of 2360	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	86
PID 4852 wrote to memory of 2360	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	86
PID 2360 wrote to memory of 3868	2360	cmd.exe	88
PID 2360 wrote to memory of 3868	2360	cmd.exe	88
PID 4852 wrote to memory of 4088	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	89
PID 4852 wrote to memory of 4088	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	89
PID 4852 wrote to memory of 4964	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	91
PID 4852 wrote to memory of 4964	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	91
PID 4964 wrote to memory of 4680	4964	cmd.exe	93
PID 4964 wrote to memory of 4680	4964	cmd.exe	93
PID 4852 wrote to memory of 788	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	94
PID 4852 wrote to memory of 788	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	94
PID 788 wrote to memory of 4124	788	cmd.exe	96
PID 788 wrote to memory of 4124	788	cmd.exe	96
PID 4852 wrote to memory of 4776	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	97
PID 4852 wrote to memory of 4776	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	97
PID 4776 wrote to memory of 1752	4776	cmd.exe	99
PID 4776 wrote to memory of 1752	4776	cmd.exe	99
PID 4852 wrote to memory of 2488	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	100
PID 4852 wrote to memory of 2488	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	100
PID 2488 wrote to memory of 4820	2488	cmd.exe	102
PID 2488 wrote to memory of 4820	2488	cmd.exe	102
PID 4852 wrote to memory of 4004	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	103
PID 4852 wrote to memory of 4004	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	103
PID 4004 wrote to memory of 2848	4004	cmd.exe	105
PID 4004 wrote to memory of 2848	4004	cmd.exe	105
PID 4852 wrote to memory of 2064	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	106
PID 4852 wrote to memory of 2064	4852	2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe	106
PID 2064 wrote to memory of 3184	2064	cmd.exe	108
PID 2064 wrote to memory of 3184	2064	cmd.exe	108

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3868	attrib.exe
4680	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe
"C:\Users\Admin\AppData\Local\Temp\2f82f6e5562a5bc8baa8b047cfc737e9e32a834124812befe2e758a81f9c5e1e.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd C:\Users
  2⤵
  PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +r +h +s desktop.ini
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\system32\attrib.exe
    attrib +r +h +s desktop.ini
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd ..
  2⤵
  PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +r C:\Users
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\system32\attrib.exe
    attrib +r C:\Users
    3⤵
    - Views/modifies file attributes
    PID:4680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c regsvr32 /u /s igfxpph.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /u /s igfxpph.dll
    3⤵
    PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\system32\reg.exe
    reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
    3⤵
    - Modifies registry class
    PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\system32\reg.exe
    reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
    3⤵
    - Modifies registry class
    PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\system32\reg.exe
    reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
    3⤵
    PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\system32\reg.exe
    reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
    3⤵
    PID:3184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads