5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646

Analysis

max time kernel
133s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 04:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
Size

1.4MB
MD5

13ca8d970669e09c60b583ed30e74948
SHA1

051d8356627474b95bedd823c4ff7028b4ca4757
SHA256

5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646
SHA512

706d5b96fd7fb7add413f73616887892af876d28c1d09dd1f22ac876c6d170b7bff953aac26fffb05352fee4d352477c6c7642ad90eace42464e47b132656545
SSDEEP

24576:5Zr/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVNFYXi:f/4Qf4pxPctqG8IllnxvdsxZ4Usy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe

Loads dropped DLL 10 IoCs

pid	Process
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\soft242602\0220110205020222260224020202.txt	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
File created	C:\Program Files (x86)\soft242602\wl06079.exe	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
File created	C:\Program Files (x86)\soft242602\d_2402.exe	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
File opened for modification	C:\Program Files (x86)\thenewworld\newnew.ini	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
File created	C:\Program Files (x86)\soft242602\pipi_dae_381.exe	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
File created	C:\Program Files (x86)\soft242602\seemaos_setup_O7A4.exe	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
File created	C:\Program Files (x86)\soft242602\a	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
File created	C:\Program Files (x86)\soft242602\tt_2402.exe	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
File created	C:\Program Files (x86)\soft242602\MiniJJ_12318.exe	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989630"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1918160333"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989630"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9DCC3A57-4931-11ED-A0EE-E289BC6C3020} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989630"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1918003336"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989630"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000629b75c03d60bb6d38a6e78271ad217205087bef884df9b1b08ee17778c05e54000000000e80000000020000200000002a89b0493b567c4e690bd604513b18a8a3581130e44cbaf02d1569a70095da562000000058be7f7c139389edb515e1bd584066a94fb655673545766f7757cafce221fc3e40000000d3325b9db7051ed3916d3159138bd868f012aa29e70bf6c25712867f6318f103e69e85d94efe23274fefc4eeea2a321a40e04420536dcb3d3a8b8b13e68dc36d	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1918003336"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1926288574"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705e557c3eddd801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1926288574"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9DC9D946-4931-11ED-A0EE-E289BC6C3020} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000bdacf5471035bc41f756e3c99e68efb3bd18ec2acefee211f9ef921f46bfd6c6000000000e8000000002000020000000a1376a54385d27280f8f39aed1bb2cae2d8a4b2baed11ef9a487b4b5c5d6b9eb2000000081677fc9f49408c94d9a249665c26a64c4a8725d6eca578fb6babe64c9f36eb94000000075da4f7917c65e0b31ec49085d329fd49dd3ec5f78027c54bd672035c92fb093a55da5912bda0716fd6a34c7dc97c611704590eda05b989d199dc8ce61705336	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80324e7c3eddd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1918160333"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989630"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989630"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372236272"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3984	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
636	IEXPLORE.EXE
3984	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3984	IEXPLORE.EXE
3984	IEXPLORE.EXE
636	IEXPLORE.EXE
636	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
3596	IEXPLORE.EXE
3596	IEXPLORE.EXE
3596	IEXPLORE.EXE
3596	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 1972	5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe	82
PID 5112 wrote to memory of 1972	5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe	82
PID 5112 wrote to memory of 1972	5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe	82
PID 5112 wrote to memory of 1928	5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe	84
PID 5112 wrote to memory of 1928	5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe	84
PID 5112 wrote to memory of 1928	5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe	84
PID 5112 wrote to memory of 3060	5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe	83
PID 5112 wrote to memory of 3060	5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe	83
PID 5112 wrote to memory of 3060	5112	5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe	83
PID 1972 wrote to memory of 636	1972	IEXPLORE.EXE	85
PID 1972 wrote to memory of 636	1972	IEXPLORE.EXE	85
PID 1928 wrote to memory of 3984	1928	IEXPLORE.EXE	86
PID 1928 wrote to memory of 3984	1928	IEXPLORE.EXE	86
PID 3984 wrote to memory of 3596	3984	IEXPLORE.EXE	88
PID 3984 wrote to memory of 3596	3984	IEXPLORE.EXE	88
PID 3984 wrote to memory of 3596	3984	IEXPLORE.EXE	88
PID 636 wrote to memory of 2104	636	IEXPLORE.EXE	87
PID 636 wrote to memory of 2104	636	IEXPLORE.EXE	87
PID 636 wrote to memory of 2104	636	IEXPLORE.EXE	87

C:\Users\Admin\AppData\Local\Temp\5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe
"C:\Users\Admin\AppData\Local\Temp\5994f5d6bcffe2dc03a3881b7f401dba2612f8ae741acf96cd3497f726651646.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:636 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2104
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft242602\b_2402.vbs"
  2⤵
  PID:3060
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3984 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft242602\b_2402.vbs

Filesize
293B

MD5
363dacce53a7400d17b5bbc34dd4100d

SHA1
0d61c236bc5937c0d9a9525e8ed75d730832f029

SHA256
562bb354200875dbe342abbb6ea426f836cd0bd8afbf658fd2877ec9d559d5cd

SHA512
50584362455f63c8fa46ba88a4f0826621a06deabf236da26bc9d2d7b1a5e60fad8c5d649152749216a295370f818ab564ffac94006db055e0efe4e30e1800ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
fceed7a5f76725fb398c6a91ff552899

SHA1
237aec000ae7c7c35a639664b1ad6c0d842a0749

SHA256
2888c66a6908f10474313b2fef31aeeff40cffe1bcbd19b84b29334ff6a71383

SHA512
adfba4e72523d38395c13122d6498d9b48d93b2967858f0208549e3830c9b47ee3e98249b98fe585aeeeffe491a6985a98c80a3be581abccf4239bad4d1cdef3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
fceed7a5f76725fb398c6a91ff552899

SHA1
237aec000ae7c7c35a639664b1ad6c0d842a0749

SHA256
2888c66a6908f10474313b2fef31aeeff40cffe1bcbd19b84b29334ff6a71383

SHA512
adfba4e72523d38395c13122d6498d9b48d93b2967858f0208549e3830c9b47ee3e98249b98fe585aeeeffe491a6985a98c80a3be581abccf4239bad4d1cdef3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
dc0f758059bc20fc91bb81818b786e2b

SHA1
5909c5ad1970105f7249abd5ac979b0ad8be9903

SHA256
88a28dd946e5c7fddc62fa89449126ab6fc7ef4eb4a30e910cecb0fed5f103b9

SHA512
29f3c2bd39450684798b9895e48ffb8d0d8e91a7618fc491ecefc16bef3a6eee35c991753c9965363149f0f6e8f672385099aa2a91610951ce3fe0a743819a8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
dc0f758059bc20fc91bb81818b786e2b

SHA1
5909c5ad1970105f7249abd5ac979b0ad8be9903

SHA256
88a28dd946e5c7fddc62fa89449126ab6fc7ef4eb4a30e910cecb0fed5f103b9

SHA512
29f3c2bd39450684798b9895e48ffb8d0d8e91a7618fc491ecefc16bef3a6eee35c991753c9965363149f0f6e8f672385099aa2a91610951ce3fe0a743819a8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
dc0f758059bc20fc91bb81818b786e2b

SHA1
5909c5ad1970105f7249abd5ac979b0ad8be9903

SHA256
88a28dd946e5c7fddc62fa89449126ab6fc7ef4eb4a30e910cecb0fed5f103b9

SHA512
29f3c2bd39450684798b9895e48ffb8d0d8e91a7618fc491ecefc16bef3a6eee35c991753c9965363149f0f6e8f672385099aa2a91610951ce3fe0a743819a8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9DC9D946-4931-11ED-A0EE-E289BC6C3020}.dat

Filesize
3KB

MD5
ef397fbae42401b8b5ff7969e801ce61

SHA1
481d55b2b43e98c2419b429ff96be3bf8d236d97

SHA256
3a006d40137a5afbc4f8048ea27d872a581a1c752be9f89fbc8693372dc53c28

SHA512
0be2655e1242919ddd7f42ff0da960cd287d77d84a992dbba5b487ab1cf54e7055078362c47164aed16e84dcda52bc3d374da5288d6a6b1b553a6c713f19100d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9DCC3A57-4931-11ED-A0EE-E289BC6C3020}.dat

Filesize
5KB

MD5
44852b71a30aa128f0a06f447eb68028

SHA1
a9b00e355c8b3dbeca6f34c69146a534eef7692c

SHA256
7e9f08b4047b385a72de5f90a406476b649acbc1e2be3ddb34cb57da5bc0f0dc

SHA512
4b80c2bda61e0228dbe3fae68ec061a54778f1959c0debf18834333951cae1d3cb0565fdee750cc3cca99bd60df7c7e896880e4236a6bd25a275ea4df5840ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmDA29.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmDA29.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmDA29.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmDA29.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmDA29.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmDA29.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmDA29.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmDA29.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmDA29.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmDA29.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit