6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
Size

124KB
MD5

bcf68ec493c6da5c147ac8531caac217
SHA1

e2b7545c9cecb783a41178c8fcc1bcbc688c2a39
SHA256

6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7
SHA512

1f56b8df607697c9247173523fe8e6f24ffcc0b447d7bc88722a49733c25441087339b6795b35604efa1fa52d9909e89ac09afbdfa9be883e405dd9889002d37
SSDEEP

3072:11i/NU8bOMYcYYcmy5cU+gTn6HOjDhWrzvvQwlgOks5YmMOMYcYY51i/NU83:ni/NjO5YBgegD0PHzSv3Oai/Nv

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ie.bat	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\windows.exe	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
File opened for modification	C:\WINDOWS\windows.exe	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ddc00934ccd801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985267"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985267"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{25824E18-3827-11ED-AECB-E62BBF623C53} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d912000000000020000000000106600000001000020000000e13930ce8bf3fe11912e5affa6e8cd69673059d19f7da253303cfeba388ed901000000000e8000000002000020000000c2460cfba02e673bba994bf9f5ade61c5c52af78311105d1895a3770ce2bd11420000000f9719851f8eaddd3ce3e3219d670dbe9099024f295c7a36e55906fa12c048dfd40000000a8cfcbaeaa0015664625f9d96bc1168abd4e6069976e435485697db7afbabff08eb1ac20370567fcc097bacb5b54b12a9db571af72d16be897ade6bb09282cfa	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4203452789"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c07c8d0a34ccd801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370362610"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4255640615"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985267"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4203452789"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d91200000000002000000000010660000000100002000000034b8e8250abb5c840d3fa1c75cd49fa7c09b4fa74875ade18953d650515525e4000000000e800000000200002000000076151063e4f3c8dea8d69ce4ff29d2465cdec725b0f44a949ce6c5517afb667d200000004486ac71f0c96483d042380dbbf1f24ea8d1431ed0a145c9c7abc4ab0e893b424000000097b2524a40b9317bac51f67276e8b32b2a357a5da3a0dd904670eb403642d9e102e750c3c8c8a244340cf74fd494db7908191262a6276c99478e227aa42a6179	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2276	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2276	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
2276	IEXPLORE.EXE
2276	IEXPLORE.EXE
724	IEXPLORE.EXE
724	IEXPLORE.EXE
724	IEXPLORE.EXE
724	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 2276	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	76
PID 4432 wrote to memory of 2276	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	76
PID 2276 wrote to memory of 724	2276	IEXPLORE.EXE	77
PID 2276 wrote to memory of 724	2276	IEXPLORE.EXE	77
PID 2276 wrote to memory of 724	2276	IEXPLORE.EXE	77
PID 4432 wrote to memory of 1220	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	78
PID 4432 wrote to memory of 1220	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	78
PID 4432 wrote to memory of 3948	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	79
PID 4432 wrote to memory of 3948	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	79
PID 4432 wrote to memory of 3948	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	79
PID 3948 wrote to memory of 888	3948	cmd.exe	81
PID 3948 wrote to memory of 888	3948	cmd.exe	81
PID 3948 wrote to memory of 888	3948	cmd.exe	81
PID 4432 wrote to memory of 3252	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	82
PID 4432 wrote to memory of 3252	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	82
PID 4432 wrote to memory of 3252	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	82
PID 3252 wrote to memory of 928	3252	cmd.exe	84
PID 3252 wrote to memory of 928	3252	cmd.exe	84
PID 3252 wrote to memory of 928	3252	cmd.exe	84
PID 4432 wrote to memory of 4804	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	85
PID 4432 wrote to memory of 4804	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	85
PID 4432 wrote to memory of 4804	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	85
PID 4804 wrote to memory of 4444	4804	cmd.exe	87
PID 4804 wrote to memory of 4444	4804	cmd.exe	87
PID 4804 wrote to memory of 4444	4804	cmd.exe	87
PID 4432 wrote to memory of 2196	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	88
PID 4432 wrote to memory of 2196	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	88
PID 4432 wrote to memory of 2196	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	88
PID 2196 wrote to memory of 3576	2196	cmd.exe	90
PID 2196 wrote to memory of 3576	2196	cmd.exe	90
PID 2196 wrote to memory of 3576	2196	cmd.exe	90
PID 4432 wrote to memory of 2080	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	91
PID 4432 wrote to memory of 2080	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	91
PID 4432 wrote to memory of 2080	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	91
PID 2080 wrote to memory of 2108	2080	cmd.exe	93
PID 2080 wrote to memory of 2108	2080	cmd.exe	93
PID 2080 wrote to memory of 2108	2080	cmd.exe	93
PID 4432 wrote to memory of 2708	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	94
PID 4432 wrote to memory of 2708	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	94
PID 4432 wrote to memory of 2708	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	94
PID 2708 wrote to memory of 820	2708	cmd.exe	96
PID 2708 wrote to memory of 820	2708	cmd.exe	96
PID 2708 wrote to memory of 820	2708	cmd.exe	96
PID 4432 wrote to memory of 4256	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	97
PID 4432 wrote to memory of 4256	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	97
PID 4432 wrote to memory of 4256	4432	6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe	97
PID 4256 wrote to memory of 4492	4256	cmd.exe	99
PID 4256 wrote to memory of 4492	4256	cmd.exe	99
PID 4256 wrote to memory of 4492	4256	cmd.exe	99

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4444	attrib.exe
3576	attrib.exe
2108	attrib.exe
820	attrib.exe
4492	attrib.exe
888	attrib.exe
928	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe
"C:\Users\Admin\AppData\Local\Temp\6d881dc614ea24578f591e889d50fc5b6fbd7e4cddacad31f83d5232aa0ce2a7.exe"
1⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:724
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
  2⤵
  - Modifies Internet Explorer settings
  PID:1220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - Views/modifies file attributes
    PID:4444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:3576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:2108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\WINDOWS\windows.exe"
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "c:\system.exe"
    3⤵
    - Views/modifies file attributes
    PID:4492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
520071a63bb5e2038486cd0ce14055b1

SHA1
752cfb61bbe3ae1e2c2609c53aeee510661a59ed

SHA256
f8a989e9cf1fe0f0000c795537122a3c727e3b570b66582bfb62d9bbae4b20f8

SHA512
6f0131c9e0943c6a13d52a7525e1c592c95db868bf2dd21a8a37254150a239748985cc31518d0c4844bebfc5613feee6857b5debfbbbd6ed4539cd5e494ebbb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
db14aa1de75e705d8b986b6caa3bf972

SHA1
57eb38b9434fae975ee69a2f179955090f0e32ec

SHA256
11cc8adc75053fe7f36aee85677556fed3904b12d7a82a2b889a424dc1d962aa

SHA512
ff512ecddd174646ab0db9d3233aa3cf1836bae135e7396e6ddedb27b4d368f5c806a85ee33d76028483be223e46f770b47e9dbb6524dd46c772caf4ab443809

Download Submit
C:\WINDOWS\windows.exe

Filesize
124KB

MD5
d8b628b5d43135e0fa80de9529866a90

SHA1
8bd7435547c0e2b3daba4ba09394c8b70b8bdebc

SHA256
65c657995fa3a5ecf66671c6755711a3cfc7b428ca6873522922640a74789345

SHA512
7b1b2ecb82554bf6614c3c614fc4a567ae26be737c539797ff55559032e9224e658801e611e14378bb46744beac193dd7819b5f9176dafb0d89e669453be626f

Download Submit
C:\system.exe

Filesize
124KB

MD5
fa629cd272ef0d60664b5928c37a646d

SHA1
e4851057966f8fdfd0cf4cb06914df8d84b07377

SHA256
321662513aed768efb4ef389b687faf6c377d940c3160ce71d2e4933d3d082ad

SHA512
aca27d9a38307b9718a2532ffdb0cc793a1d32f8efca32bae0c03ce47b0fe60291db8100e73b057bab1bea08ad6af9df197605473ebd39a301ee461d795f934b

Download Submit