e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70

Analysis

max time kernel
95s
max time network
136s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
Size

1.4MB
MD5

6a926ca475169020b4ee5b660424d148
SHA1

c32f673e1723d79463052443777a6086a8d510b9
SHA256

e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70
SHA512

ea34e60a7a3997e8c85dbca3f11d4480e46d2529f4a4e0a752577a444e3242b2ef43d39ea12fdadb1d520e3de90c32fe9e3b4c77e3aed1ecd14c05bdb384b715
SSDEEP

24576:9L8r/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVNpkG:K/4Qf4pxPctqG8IllnxvdsxZ4U/

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\soft225208\0820110805080821520822080808.txt	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
File created	C:\Program Files (x86)\soft225208\tt_2208.exe	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
File created	C:\Program Files (x86)\soft225208\MiniJJ_12318.exe	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
File opened for modification	C:\Program Files (x86)\thenewworld\newnew.ini	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
File created	C:\Program Files (x86)\soft225208\pipi_dae_381.exe	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
File created	C:\Program Files (x86)\soft225208\seemaos_setup_O7A4.exe	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
File created	C:\Program Files (x86)\soft225208\a	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
File created	C:\Program Files (x86)\soft225208\wl06079.exe	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
File created	C:\Program Files (x86)\soft225208\d_2208.exe	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15BB83D1-4254-11ED-AE24-CE372EDB0509} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000483ef4b900944028c0b83f10a3147b1583f55ce036665c83b0437c6a5ddcb24b000000000e8000000002000020000000c2e98a6d9b69303934ed4fb4c90067e4b2b1658c9fbd140057d4c36b9110ff2e20000000a7cec2c2e4c10d7aa329d0dd0e65edf9b1914e712ced1a259da607d71b975ede400000005b44c535d7e6c0edfb2ea27b9610bafcf1e8d221b13606753be9659b771431acfc89805c5ccbb26e4a8202d6b7e0294574a835e1bc66f7e86b2b4b23864b6129	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371481418"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15BAC081-4254-11ED-AE24-CE372EDB0509} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000007ac68981d88b8c3a560adf1060d4f267174472f68f876c769fc5fc22b0d6f230000000000e8000000002000020000000bf3977dc3a1a1490ab4257ac0eaa55b1b6b0f6aad4bcd3187c0a4f62960e13b89000000063be657d852032154f3a727a111fb8d4051ef43bd9092c3004b55bcf5cd2ba0a73feadeaab3a99eb51644df34b44fdf4185112fecfe57bffb42f7bb11fce39b3e1916c2dedc3a42e45baf82aafab4763fc47253f8948fa10c929c67c8dcb3a47c1e52f07cbc4bc7e6eca7c4a5b53c083f5bf457e6cf31199108ca3d800a9b894967184014bb5dfeb30562edcd1f2c5be400000000411c210958670a10fee837c09b60e637d632f41a2ad199c8b8be584974045d54a4e43cc0c5d9fa29333b359c54e61f959157544a0ff28a21d59bd76b23e35ec	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 005b84f060d6d801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1332	IEXPLORE.EXE
896	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
896	IEXPLORE.EXE
896	IEXPLORE.EXE
1332	IEXPLORE.EXE
1332	IEXPLORE.EXE
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1428	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	27
PID 1228 wrote to memory of 1428	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	27
PID 1228 wrote to memory of 1428	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	27
PID 1228 wrote to memory of 1428	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	27
PID 1228 wrote to memory of 1428	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	27
PID 1228 wrote to memory of 1428	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	27
PID 1228 wrote to memory of 1428	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	27
PID 1228 wrote to memory of 948	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	28
PID 1228 wrote to memory of 948	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	28
PID 1228 wrote to memory of 948	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	28
PID 1228 wrote to memory of 948	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	28
PID 1228 wrote to memory of 948	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	28
PID 1228 wrote to memory of 948	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	28
PID 1228 wrote to memory of 948	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	28
PID 1428 wrote to memory of 1332	1428	IEXPLORE.EXE	30
PID 1428 wrote to memory of 1332	1428	IEXPLORE.EXE	30
PID 1428 wrote to memory of 1332	1428	IEXPLORE.EXE	30
PID 1428 wrote to memory of 1332	1428	IEXPLORE.EXE	30
PID 948 wrote to memory of 896	948	IEXPLORE.EXE	31
PID 948 wrote to memory of 896	948	IEXPLORE.EXE	31
PID 948 wrote to memory of 896	948	IEXPLORE.EXE	31
PID 948 wrote to memory of 896	948	IEXPLORE.EXE	31
PID 1228 wrote to memory of 904	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	29
PID 1228 wrote to memory of 904	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	29
PID 1228 wrote to memory of 904	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	29
PID 1228 wrote to memory of 904	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	29
PID 1228 wrote to memory of 904	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	29
PID 1228 wrote to memory of 904	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	29
PID 1228 wrote to memory of 904	1228	e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe	29
PID 896 wrote to memory of 1212	896	IEXPLORE.EXE	34
PID 896 wrote to memory of 1212	896	IEXPLORE.EXE	34
PID 896 wrote to memory of 1212	896	IEXPLORE.EXE	34
PID 896 wrote to memory of 1212	896	IEXPLORE.EXE	34
PID 896 wrote to memory of 1212	896	IEXPLORE.EXE	34
PID 896 wrote to memory of 1212	896	IEXPLORE.EXE	34
PID 896 wrote to memory of 1212	896	IEXPLORE.EXE	34
PID 1332 wrote to memory of 1452	1332	IEXPLORE.EXE	33
PID 1332 wrote to memory of 1452	1332	IEXPLORE.EXE	33
PID 1332 wrote to memory of 1452	1332	IEXPLORE.EXE	33
PID 1332 wrote to memory of 1452	1332	IEXPLORE.EXE	33
PID 1332 wrote to memory of 1452	1332	IEXPLORE.EXE	33
PID 1332 wrote to memory of 1452	1332	IEXPLORE.EXE	33
PID 1332 wrote to memory of 1452	1332	IEXPLORE.EXE	33

C:\Users\Admin\AppData\Local\Temp\e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe
"C:\Users\Admin\AppData\Local\Temp\e3cfe429708d941e955898b570071c8f53ca222f8a781c9bb119bf108fda8e70.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1332 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1452
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1212
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft225208\b_2208.vbs"
  2⤵
  PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft225208\b_2208.vbs

Filesize
293B

MD5
dcd673c87e41782aa250a0e129f9d585

SHA1
a682dc3eb0f0a0ac81990b106106bf55629228d2

SHA256
43cae8bbcaa9b2a71e91ac3fb41cc06dc0a9f3445b8ca3590f25bf1f2fa9e9c2

SHA512
b782cf102091af978855229304727f6beebc5905493d8183fb0c43937be5b547e66d95e6065e98c1d3d8c168e4a74c69a7aec6b9628f2c08e4018c989a836f83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29086ac4f9df1af14dd23f0a4372616f

SHA1
c3aef94aea3b1ad645a26c2ba4375f0cd2a1c5f7

SHA256
ae4326e93a40f032fa985f2de04630d7da99afe931eebc808b6bfb22a44c9251

SHA512
a6bc419d63f81f4b29aa6c352f5279240dac9b395ff9223f8d35b76a55e5f30f66eb05583860795137705207231f9f56a40ef7fa628c63a675ca25ef16b0bc51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{15BAC081-4254-11ED-AE24-CE372EDB0509}.dat

Filesize
5KB

MD5
8a9992c941383bdbb84e83ba482953e9

SHA1
5fbc5e40ddf9a44667aca8b351e2382d3806fcf0

SHA256
211f5263490c1707ab43439d09e2ce69eb691fce2da87f5ebf348b037c9cc808

SHA512
5a6d141688d68e1a410c6ac2075dddbe19175a088742c90442b49371af3aa5987988c3632d24843eed857732b259373dcbf7477894e8f74eb0503e9accb3bfbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{15BB83D1-4254-11ED-AE24-CE372EDB0509}.dat

Filesize
3KB

MD5
81770e013eed5e64d6b45d110dd3ca9a

SHA1
4aefb3c3055c46aea42f4be8e54c2a16c928bdfc

SHA256
3d0be72fd9b504e6264c49e9c3d890a708533e937f0978d507ad85bbb5b6a9ff

SHA512
761504eb361d413b5faa6fd2a8eddec8f5b75f47817a798c2173f4a219d886560e297d24f56dfa920732b29636f5dbe7fbe3e6ed36e12d41b146de68b12397a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GN1JNBSW.txt

Filesize
608B

MD5
81a1c692fb13ff35b9590dff52cbfc9c

SHA1
9ccfeab1403628592c4748a2896b05250c0b8d7f

SHA256
db91b1e4cb70991422da71b84714b25eb6cfb8d5da1946f5a165d3ccfc598b65

SHA512
a32b0add82fad812b4f0e82ddcd418a7064afab07db1d5aca8e94dc9b5f2f125200dee989f621f1355387b2e62a19b1354fcdad249fe2ef8e527851c116ed103

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26C4.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
memory/904-58-0x0000000000000000-mapping.dmp

Download
memory/1228-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download