16ffc20967f73bd4ff0229972cb7732589f2fd96336505bdb25544cfa0912844

Analysis

max time kernel
118s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
Size

104KB
MD5

cd9e021b58de5ccc6a2fbbe41b0a2bab
SHA1

9db7e920c7cc4eb539b0d1ef97582700d34cd512
SHA256

16ffc20967f73bd4ff0229972cb7732589f2fd96336505bdb25544cfa0912844
SHA512

ef8ce8b51ea8e95aa44730ffd379f51d5cc8065b27d785d2a439244dc1816a4e7465728bd69536481a3323cecffa1acf47c00261c0c85ab0b1a5527e297d341c
SSDEEP

1536:9yVOmTBYa0XkuDkxP4P2g9iB0orjaJLtgb:8dpckuDkxP4Hb+aJLtgb

Score

7^/10

adware evasion persistence stealer trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	G7RJMB.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72000669-841C-D39B-8178-A1AEC41A9DB3}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\91ETHXADKJ\HSRJX2I.EXE	G7RJMB.EXE
File opened for modification	C:\Program Files\91ETHXADKJ\HSRJX2I.EXE	G7RJMB.EXE
File created	C:\Program Files\91ETHXADKJ\D873P4J8.EXE	G7RJMB.EXE
File opened for modification	C:\Program Files\91ETHXADKJ\D873P4J8.EXE	G7RJMB.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\FDONSZUYCQS.txt	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
File created	\??\c:\windows\fdonszuycqs.dll	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{72000669-841C-D39B-8178-A1AEC41A9DB3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72000669-841C-D39B-8178-A1AEC41A9DB3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID\ = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{72000669-841C-D39B-8178-A1AEC41A9DB3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\ = "Thunder 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWOW64\\jscript.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72000669-841C-D39B-8178-A1AEC41A9DB3}\ = "xunlei Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72000669-841C-D39B-8178-A1AEC41A9DB3}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\SCRIPTHOSTENCODE	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2604	reg.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
2740	G7RJMB.EXE
2740	G7RJMB.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2740	2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	28
PID 2180 wrote to memory of 2740	2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	28
PID 2180 wrote to memory of 2740	2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	28
PID 2180 wrote to memory of 2740	2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	28
PID 2180 wrote to memory of 2056	2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	29
PID 2180 wrote to memory of 2056	2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	29
PID 2180 wrote to memory of 2056	2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	29
PID 2180 wrote to memory of 2056	2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	29
PID 2180 wrote to memory of 2056	2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	29
PID 2180 wrote to memory of 2056	2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	29
PID 2180 wrote to memory of 2056	2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	29
PID 2180 wrote to memory of 2724	2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	30
PID 2180 wrote to memory of 2724	2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	30
PID 2180 wrote to memory of 2724	2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	30
PID 2180 wrote to memory of 2724	2180	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	30
PID 2724 wrote to memory of 2628	2724	cmd.exe	32
PID 2724 wrote to memory of 2628	2724	cmd.exe	32
PID 2724 wrote to memory of 2628	2724	cmd.exe	32
PID 2724 wrote to memory of 2628	2724	cmd.exe	32
PID 2724 wrote to memory of 2628	2724	cmd.exe	32
PID 2724 wrote to memory of 2628	2724	cmd.exe	32
PID 2724 wrote to memory of 2628	2724	cmd.exe	32
PID 2724 wrote to memory of 2644	2724	cmd.exe	33
PID 2724 wrote to memory of 2644	2724	cmd.exe	33
PID 2724 wrote to memory of 2644	2724	cmd.exe	33
PID 2724 wrote to memory of 2644	2724	cmd.exe	33
PID 2724 wrote to memory of 2680	2724	cmd.exe	34
PID 2724 wrote to memory of 2680	2724	cmd.exe	34
PID 2724 wrote to memory of 2680	2724	cmd.exe	34
PID 2724 wrote to memory of 2680	2724	cmd.exe	34
PID 2724 wrote to memory of 2680	2724	cmd.exe	34
PID 2724 wrote to memory of 2680	2724	cmd.exe	34
PID 2724 wrote to memory of 2680	2724	cmd.exe	34
PID 2724 wrote to memory of 2560	2724	cmd.exe	35
PID 2724 wrote to memory of 2560	2724	cmd.exe	35
PID 2724 wrote to memory of 2560	2724	cmd.exe	35
PID 2724 wrote to memory of 2560	2724	cmd.exe	35
PID 2724 wrote to memory of 2560	2724	cmd.exe	35
PID 2724 wrote to memory of 2560	2724	cmd.exe	35
PID 2724 wrote to memory of 2560	2724	cmd.exe	35
PID 2724 wrote to memory of 2596	2724	cmd.exe	36
PID 2724 wrote to memory of 2596	2724	cmd.exe	36
PID 2724 wrote to memory of 2596	2724	cmd.exe	36
PID 2724 wrote to memory of 2596	2724	cmd.exe	36
PID 2724 wrote to memory of 2596	2724	cmd.exe	36
PID 2724 wrote to memory of 2596	2724	cmd.exe	36
PID 2724 wrote to memory of 2596	2724	cmd.exe	36
PID 2724 wrote to memory of 2432	2724	cmd.exe	37
PID 2724 wrote to memory of 2432	2724	cmd.exe	37
PID 2724 wrote to memory of 2432	2724	cmd.exe	37
PID 2724 wrote to memory of 2432	2724	cmd.exe	37
PID 2724 wrote to memory of 2984	2724	cmd.exe	38
PID 2724 wrote to memory of 2984	2724	cmd.exe	38
PID 2724 wrote to memory of 2984	2724	cmd.exe	38
PID 2724 wrote to memory of 2984	2724	cmd.exe	38
PID 2724 wrote to memory of 2732	2724	cmd.exe	39
PID 2724 wrote to memory of 2732	2724	cmd.exe	39
PID 2724 wrote to memory of 2732	2724	cmd.exe	39
PID 2724 wrote to memory of 2732	2724	cmd.exe	39
PID 2724 wrote to memory of 2460	2724	cmd.exe	40
PID 2724 wrote to memory of 2460	2724	cmd.exe	40
PID 2724 wrote to memory of 2460	2724	cmd.exe	40
PID 2724 wrote to memory of 2460	2724	cmd.exe	40
PID 2724 wrote to memory of 2452	2724	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
"C:\Users\Admin\AppData\Local\Temp\cd9e021b58de5ccc6a2fbbe41b0a2bab.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\G7RJMB.EXE
  C:\G7RJMB.EXE FDONSZUYCQS
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2740
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "c:\windows\fdonszuycqs.dll"
  2⤵
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\2Y4K97U98.BAT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2644
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:2680
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - Modifies registry class
    PID:2560
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s msvidctl.dll
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2432
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2984
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2732
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2460
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2604
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2780
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2Y4K97U98.BAT

Filesize
1KB

MD5
91d17ba69c29686ec8929044ff7fcf56

SHA1
db0f273606c7eb9825f57caf9338abf0981d477f

SHA256
2f62c3275b2af56b9801147a9c876bbb9b4cd9ed284f4355d9b66dd557c41eb7

SHA512
171213b4095a7fb299a2ba35da4ed7ac201844b05d5329b08a0f5fc297a1971751f04579a9e7925d5d2c3438696eb8fecf4f27869cda16fca030c1a50cb301dc

Download Submit
C:\G7RJMB.EXE

Filesize
10KB

MD5
19595de7fbed86bc29d5d9547073ca63

SHA1
8fa2edaa9e3edefeb672bb3139436fddc5bb3d27

SHA256
e3c841c3b05305890c2496dadf759a8077860f4b1e6a73a12e90bd97cfd95b44

SHA512
740d859c835fd168b6f9951475fd5054515fd83150e655ab6f3d24b320ef235a6af711a08adc615b1186c06c0c2ef5480152c6b53cfcafbd8fa79a5133916747

Download Submit
C:\Program Files\91ETHXADKJ\HSRJX2I.EXE

Filesize
104KB

MD5
cd9e021b58de5ccc6a2fbbe41b0a2bab

SHA1
9db7e920c7cc4eb539b0d1ef97582700d34cd512

SHA256
16ffc20967f73bd4ff0229972cb7732589f2fd96336505bdb25544cfa0912844

SHA512
ef8ce8b51ea8e95aa44730ffd379f51d5cc8065b27d785d2a439244dc1816a4e7465728bd69536481a3323cecffa1acf47c00261c0c85ab0b1a5527e297d341c

Download Submit
C:\Windows\FDONSZUYCQS.txt

Filesize
104KB

MD5
97a9dc422523b7b7106565ee8a4e8ac9

SHA1
6183c83b0bd90bdd9f9504b192f84488d10bf594

SHA256
dd81008218161e65ccab6b6420c9ffe4ae1a7f19f90402adaaef19a20efa8a26

SHA512
18ff0a6d085040c06bd16bcefb2c106142d217ce3431515300dd07baa4dd5756fcb9e4d71f27a71893852a16e25e4695ca3cddf031553a8ef1268a8e36846d0e

Download Submit
\??\c:\windows\fdonszuycqs.dll

Filesize
28KB

MD5
ecfee270c2d71fbfe96568bd1e214665

SHA1
c6ebebe2e6313fee775454451fe8cf460733939b

SHA256
fcfba5ab83249f8335eed513d3541833fa612d6e483bc77417c55ac6732b78b8

SHA512
2ef6e08a7fd7915e857877ce5bcc0812fbb18bd69c840fce57d01363b70ea503ecfffde3b03af576655011220dd4f4e730d56be5f9985c240d08303b23564078

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads