Analysis
-
max time kernel
142s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 17:55
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://yaohouo.com
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
http://yaohouo.com
Resource
win10v2004-20220414-en
General
-
Target
http://yaohouo.com
Malware Config
Signatures
-
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359841521" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\yaohouo.com IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec0000000000200000000001066000000010000200000007d9b0b690775afc70795d3f185ce7d3f1a040396996726f0abd5176d79d887d3000000000e8000000002000020000000e0338dbf4e23b2132ae1670d88e0a7d71ea3005e02ab3bda0c06bb9dbaea7ceb900000008ae37357cbc63555b3326e902f983cc5178de32c26e6d4057c753ee4c49fe9f419abecfa205e2a95367cd5a62ae3b3afa9c31c2693046d4415e29862f6212e1cbc95aa4d5935383ce111bfcc2fb0c8f01b88c6df3097920457f1fb14902df9ee1da966753e60bef12add142a09005d4196dac2b507148e36671d94c82b2629e265db7285245cfee598152d88d209279c4000000024d655b1a4191ff49019482abf4499eee3b9dd2408fa09e0a9e480099912d5fb049b524819446543bd27d9d0d94af437420f434fd0488fac78363645b8159061 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CDE88131-D876-11EC-8FF3-F60B165D620F} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\yaohouo.com\NumberOfSubdomains = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec00000000002000000000010660000000100002000000061dd9184c284c52fe8d57530622c6b11830e5bf68caa55ce5bf581e4c6d68ddf000000000e8000000002000020000000cb1d77fea954cf4e7db99cf2654a81fee8b47c8d0cd9ea434fd6cb926bf7e1a920000000d30d6be07326d7c6d3f054af340b556e9fd900a909599c9252f6c7f6da809a894000000064dbc3b46d5ada0082c497665846d7b17054510760b91dfa83c3f739f756e2235cdc95c87eea1d1ede939798b7fe13fb6e3fc59b69895f8fbd51a39bb3a70e15 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5051ffa8836cd801 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 1208 iexplore.exe -
Suspicious use of SetWindowsHookEx 30 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 1208 iexplore.exe 1208 iexplore.exe 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE 1156 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
iexplore.exedescription pid process target process PID 1208 wrote to memory of 1156 1208 iexplore.exe IEXPLORE.EXE PID 1208 wrote to memory of 1156 1208 iexplore.exe IEXPLORE.EXE PID 1208 wrote to memory of 1156 1208 iexplore.exe IEXPLORE.EXE PID 1208 wrote to memory of 1156 1208 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://yaohouo.com1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5e1f75c8a491f849d989dd4111e5b76d1
SHA1977fad1611ccffb0fb194c57b4ab4227c7c14728
SHA2568a290ddceffcbf5026457c55c9520d17e2b7491edf8942babd7ffafe73110ea5
SHA5123d841d746cf9655d8d9e35ccffa0f80912c599ab14b3d46bb4b1387379586f54bdf670248269537d535f258f487a0f7e9bfae6627d7af8d8d03aba6fc57f4b92
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9os4y76\imagestore.datFilesize
5KB
MD558b67e7f6d9de230eaf16c2d91b934fa
SHA169894130aed57810532a4fc04ce4d20defbb90aa
SHA2567e6ab8181c7b4dae4d504a95662d44e7fa41bad9f65f8898e20f1a1503fbfb6b
SHA5125e5d316f42d5b2df03fb2ceab5f3be38028dcb838519869920161e5f92ece1bda4f63c2c10aaa22d3b6bf855480e5d2897b2d0b4dab872e11ad911736b54a0b5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J2W67U9P\favicon[1].icoFilesize
1KB
MD5178819cc32a7774822e3550c57cd20aa
SHA1c8050ec440e8cc1367a6115934edc0bf94a0d343
SHA2568565aaa87282f585b8a021ee0e693f662eb179df62890d01e086cc9f23dec1d2
SHA512794c0578a7521c093c27a5592ab6f4874742f6db4c53e9b0b07acfecabf8575117ff1808ff0f0426594f4981f5933c756647b146b7ac815decaa9c5fcec246fa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8BWSPB4P.txtFilesize
603B
MD5da6a80158d59727106a92ee41423c298
SHA131c8aee9dc82fdd09f56397a2c079980e62e8226
SHA256cbe8dfc8ce15ba5963f29308445cfac41d1586b18ce9c2064fc0ef2194ef5cab
SHA512426bf23906e625cda42c55abdd586801a934d9348ad099820a3acc61fb7369bb541633f96b6bdb69931cbf49983b68f782cc8786ee2a88b6fe92a17aa6edbb34