26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806

Analysis

max time kernel
150s
max time network
160s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Size

212KB
MD5

f072cbe3aa6ec798d3d74db2a9a3e6a0
SHA1

a1329d247f94a92eceb5680367d9847ba031c1f2
SHA256

26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806
SHA512

3e48d68a96e5ac53f0bfc901f41d28f8aa4ce01fc673dcb2ccfd8831672a49bdb19171b8c5b6ce04be2090e44c8df8cdaab71ac246e7c206e4472436dd03c21d
SSDEEP

6144:qljASXqcAP6A5PACApvAPDyoAJMShfl4QxsYBO7Czn8DmJ:qJa+IGhflP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1500	Program Files9914ZC.exe

Deletes itself 1 IoCs

pid	Process
1100	WScript.Exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 504dffd608ccd801	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E9896CD1-37FB-11ED-9F1A-42A98B637845} = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000c39a5c11ad03281fbe964d4fc04ba39a2a8d818d3f1bb7568dcc15b6a6fd1f4e000000000e8000000002000020000000e67c27ea2ec6064a16495fe7c7db4450c278d15b1003dc6ed38c1a53e85fc29790000000222be2253c6675f39bcdac27296b1475d66ca56e15fd45563a2fa75bf15638665fdee2abffd603ec862e0496f3931a3bb54bbdf97b08b85f4117b5836280d6ed400858a84194baa24ef8640a8ba65c1e5b60fd29a61a47aa2e9e48095fa1119b7650cf07f6abbb57713a08ed38ea926e420d34c67a526331fc245c52bde6f6a654422697281b66460f0613bf9dfab96340000000d1e05c3a06bf5922d548fa28e1f309c6d73ee83d6082671586f69d332624266f14f4a64c07e03acd6ff0fb87a963bd3fff90bdba66b89ea6f9bf237d6b6a33b9	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E959D151-37FB-11ED-9F1A-42A98B637845} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000df8fed6dc5f98663bbeb1757078a503ba93544a4bb13050d579c954f5ee9fa85000000000e80000000020000200000006fed617e7b64f1300ba0b8ba898156a904cafc9030f231981b93291de6801ac220000000ea4eeb3078cef0a41eba499ddd0a67eec2d4a95a902c97f94363d91cd3ff4c094000000010bec2d3d70d2bed205b13168065ede2aa2f9ee7f756bb8b429a17cec9fde98ed1be3d2b978773fcc5d237e156b81a1380c5dce02dd92c69d37f5062fa6baaff	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370344043"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?2012"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?2012"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.5ijunshi.com/?2012"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?2012"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?2012"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?2012"	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2012	IEXPLORE.exe
1696	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1088	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
1500	Program Files9914ZC.exe
2012	IEXPLORE.exe
2012	IEXPLORE.exe
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1696	IEXPLORE.exe
1696	IEXPLORE.exe
432	IEXPLORE.EXE
432	IEXPLORE.EXE
432	IEXPLORE.EXE
432	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1500	1088	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe	28
PID 1088 wrote to memory of 1500	1088	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe	28
PID 1088 wrote to memory of 1500	1088	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe	28
PID 1088 wrote to memory of 1500	1088	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe	28
PID 1500 wrote to memory of 2012	1500	Program Files9914ZC.exe	30
PID 1500 wrote to memory of 2012	1500	Program Files9914ZC.exe	30
PID 1500 wrote to memory of 2012	1500	Program Files9914ZC.exe	30
PID 1500 wrote to memory of 2012	1500	Program Files9914ZC.exe	30
PID 2012 wrote to memory of 1680	2012	IEXPLORE.exe	32
PID 2012 wrote to memory of 1680	2012	IEXPLORE.exe	32
PID 2012 wrote to memory of 1680	2012	IEXPLORE.exe	32
PID 2012 wrote to memory of 1680	2012	IEXPLORE.exe	32
PID 1500 wrote to memory of 1696	1500	Program Files9914ZC.exe	33
PID 1500 wrote to memory of 1696	1500	Program Files9914ZC.exe	33
PID 1500 wrote to memory of 1696	1500	Program Files9914ZC.exe	33
PID 1500 wrote to memory of 1696	1500	Program Files9914ZC.exe	33
PID 1088 wrote to memory of 1100	1088	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe	35
PID 1088 wrote to memory of 1100	1088	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe	35
PID 1088 wrote to memory of 1100	1088	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe	35
PID 1088 wrote to memory of 1100	1088	26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe	35
PID 1696 wrote to memory of 432	1696	IEXPLORE.exe	36
PID 1696 wrote to memory of 432	1696	IEXPLORE.exe	36
PID 1696 wrote to memory of 432	1696	IEXPLORE.exe	36
PID 1696 wrote to memory of 432	1696	IEXPLORE.exe	36

C:\Users\Admin\AppData\Local\Temp\26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe
"C:\Users\Admin\AppData\Local\Temp\26dfe977ecf5028d3e001a7cc86be5ed4caa4ec5274b88854d21a93fe56e4806.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088
- \??\c:\Program Files9914ZC.exe
  "c:\Program Files9914ZC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.nyni.info:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1680
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.nyni.info:1287/CPAdown/PPTV(pplive)_forjieku_977.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:432
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files9914ZC.exe

Filesize
36KB

MD5
c54e70153d9de17018a5a75de4546d3f

SHA1
8445cfb5dff592987ab2998984356eabd277f8e9

SHA256
5d904029a76cb312f6e2926729ece3fd6416ab048b7b964e9b5d8f25e6df2353

SHA512
8fb5d9c685519bb54c78aa3a166af2df4d9b83a56b3425b502860655a5d428516ad832a366b267f159f7aacec8471506b228a185ddcd5168d7c97f2a890228dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E959D151-37FB-11ED-9F1A-42A98B637845}.dat

Filesize
5KB

MD5
4d1631f6c00e22de3a0cff8994aebd03

SHA1
f94db9671dcb62b064c9b67ab37d64c511c9dde7

SHA256
73fbef0b3bf9511a27ce36776240bb18105d5068a32281569abb8bea98eef1b5

SHA512
c3bbb414a3d73c5f7d9c6317517b1547225d87fa7d0a39d9a960ae5a0690cb5425c57d5877daf1b5981387bb3c1357c57a7e6ae4bd6e2740d70a9f0824610477

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
486B

MD5
ce454be99ea889cd057525701dcfa3ed

SHA1
a599baf0b858d5c920a2037d3de7744045113b08

SHA256
f70634c7c8096612dbc52c81a40a58782fe9749263fa4935990f43081e47f67b

SHA512
872604bb5349c6816d7cc89564976fa21f3dbc03e77686828ea397e3c4208efbc3af7ba0b5d1fda1353c766512c326308de62a73d0621d79ed8788321be987a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IA3FOE81.txt

Filesize
608B

MD5
d33519a37809dced5243c1b112b40310

SHA1
bb5b49553409e75c95931e6048524c115f12c92d

SHA256
67bb8257c01884e29bd24615ab2654be742459c3be119c8b4300341924020418

SHA512
54d0552aeba8334e6b0210f841df62bc3726a9db6acbedc7a5689d09395025dc5e7cf63c0d5e86e82cbf20801f1bf4a67c5412a2d194b812312986fcbfd8222d

Download Submit
memory/1088-56-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download