f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3

Analysis

max time kernel
77s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2022 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3.exe
Size

159KB
MD5

60fcd8202d97384da4f34afadd0aa6f6
SHA1

067352f27992d7f693152216ef2b14ad49338b6e
SHA256

f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3
SHA512

e7cd23a744636c12ba4c36fe20f1c160488ad7e9c9e27e1cc2c343d5e08a0820bf1046c0ebb0e3b0a7b16d9106bf1dbc8c19bc41b77d171041a0494b102ff983
SSDEEP

3072:aY8Y1dB+mX+zjxixGqQpTa10GilgSPK5:oWoK+HMQqQta10DlP

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1960	mstdc.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/792-135-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x0008000000022e04-138.dat	upx
behavioral2/files/0x0006000000022e14-183.dat	upx
behavioral2/files/0x0006000000022e14-184.dat	upx
behavioral2/memory/1960-185-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/1960-188-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\360safetray = "\"C:\\Windows\\Config\\shell\\winopim.exe\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\internat = "\"C:\\Windows\\system32\\1025\\internat.exe\""	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\360safe = "\"C:\\Windows\\SYSTEM32\\WinXMLdate.exe\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce	reg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bd.ico	cmd.exe
File opened for modification	C:\Windows\SysWOW64\bd.ico	cmd.exe
File created	C:\Windows\SysWOW64\gg.ico	cmd.exe
File opened for modification	C:\Windows\SysWOW64\gg.ico	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SYSTEM\mstdc.exe	cmd.exe
File opened for modification	C:\Windows\SYSTEM\mstdc.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\═°╒╛╡╝║╜\ = "http://www.biso.cn/js/menu.asp?menu=123"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\hotIcon = "C:\\Windows\\System32\\gg.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\Default Visible = "yes"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\Default Visible = "yes"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\Default Visible = "yes"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\Exec = "http://www.biso.cn/js/re.asp?i=9"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuStatusBar = "╨┬╬┼╫╩╤╢"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\ClsidExtension = "╣╚╕Φ╦╤╦≈"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\MenuExt\╬╥╥¬╦╤╦≈	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\MenuExt\│ú╙├╚φ╝■	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\ButtonText = "╣╚╕Φ╦╤╦≈"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\default Icon = "C:\\Windows\\System32\\bd.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\hotIcon = "C:\\Windows\\System32\\bd.ico"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\hotIcon = "C:\\Windows\\System32\\shell32.dll,14"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuText = "╣╚╕Φ╦╤╦≈"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\Icon = "C:\\Windows\\System32\\shell32.dll,14"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuText = "╨┬╬┼╫╩╤╢"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\│ú╙├╚φ╝■\ = "http://www.biso.cn/js/menu.asp?menu=soft"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\Exec = "http://www.biso.cn/js/re.asp?i=1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\Icon = "C:\\Windows\\System32\\bd.ico"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuStatusBar = "░┘╢╚╦╤╦≈"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\MenuExt\═°╒╛╡╝║╜	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\ClsidExtension = "╨┬╬┼╫╩╤╢"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\Icon = "C:\\Windows\\System32\\gg.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\default Icon = "C:\\Windows\\System32\\gg.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuStatusBar = "╣╚╕Φ╦╤╦≈"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\ButtonText = "░┘╢╚╦╤╦≈"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\╬╥╥¬╦╤╦≈\ = "http://www.biso.cn/js/menu.asp?menu=search"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\ButtonText = "╨┬╬┼╫╩╤╢"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\default Icon = "C:\\Windows\\System32\\shell32.dll,14"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1808	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 440	792	f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3.exe	83
PID 792 wrote to memory of 440	792	f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3.exe	83
PID 792 wrote to memory of 440	792	f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3.exe	83
PID 440 wrote to memory of 1808	440	cmd.exe	85
PID 440 wrote to memory of 1808	440	cmd.exe	85
PID 440 wrote to memory of 1808	440	cmd.exe	85
PID 440 wrote to memory of 1748	440	cmd.exe	86
PID 440 wrote to memory of 1748	440	cmd.exe	86
PID 440 wrote to memory of 1748	440	cmd.exe	86
PID 440 wrote to memory of 2588	440	cmd.exe	87
PID 440 wrote to memory of 2588	440	cmd.exe	87
PID 440 wrote to memory of 2588	440	cmd.exe	87
PID 440 wrote to memory of 2420	440	cmd.exe	88
PID 440 wrote to memory of 2420	440	cmd.exe	88
PID 440 wrote to memory of 2420	440	cmd.exe	88
PID 440 wrote to memory of 1100	440	cmd.exe	89
PID 440 wrote to memory of 1100	440	cmd.exe	89
PID 440 wrote to memory of 1100	440	cmd.exe	89
PID 440 wrote to memory of 3068	440	cmd.exe	90
PID 440 wrote to memory of 3068	440	cmd.exe	90
PID 440 wrote to memory of 3068	440	cmd.exe	90
PID 440 wrote to memory of 2900	440	cmd.exe	91
PID 440 wrote to memory of 2900	440	cmd.exe	91
PID 440 wrote to memory of 2900	440	cmd.exe	91
PID 440 wrote to memory of 2084	440	cmd.exe	92
PID 440 wrote to memory of 2084	440	cmd.exe	92
PID 440 wrote to memory of 2084	440	cmd.exe	92
PID 440 wrote to memory of 4444	440	cmd.exe	93
PID 440 wrote to memory of 4444	440	cmd.exe	93
PID 440 wrote to memory of 4444	440	cmd.exe	93
PID 440 wrote to memory of 4124	440	cmd.exe	94
PID 440 wrote to memory of 4124	440	cmd.exe	94
PID 440 wrote to memory of 4124	440	cmd.exe	94
PID 440 wrote to memory of 4048	440	cmd.exe	95
PID 440 wrote to memory of 4048	440	cmd.exe	95
PID 440 wrote to memory of 4048	440	cmd.exe	95
PID 440 wrote to memory of 220	440	cmd.exe	96
PID 440 wrote to memory of 220	440	cmd.exe	96
PID 440 wrote to memory of 220	440	cmd.exe	96
PID 440 wrote to memory of 928	440	cmd.exe	97
PID 440 wrote to memory of 928	440	cmd.exe	97
PID 440 wrote to memory of 928	440	cmd.exe	97
PID 440 wrote to memory of 1468	440	cmd.exe	98
PID 440 wrote to memory of 1468	440	cmd.exe	98
PID 440 wrote to memory of 1468	440	cmd.exe	98
PID 440 wrote to memory of 3628	440	cmd.exe	99
PID 440 wrote to memory of 3628	440	cmd.exe	99
PID 440 wrote to memory of 3628	440	cmd.exe	99
PID 440 wrote to memory of 4148	440	cmd.exe	100
PID 440 wrote to memory of 4148	440	cmd.exe	100
PID 440 wrote to memory of 4148	440	cmd.exe	100
PID 440 wrote to memory of 4268	440	cmd.exe	101
PID 440 wrote to memory of 4268	440	cmd.exe	101
PID 440 wrote to memory of 4268	440	cmd.exe	101
PID 440 wrote to memory of 740	440	cmd.exe	102
PID 440 wrote to memory of 740	440	cmd.exe	102
PID 440 wrote to memory of 740	440	cmd.exe	102
PID 440 wrote to memory of 2248	440	cmd.exe	103
PID 440 wrote to memory of 2248	440	cmd.exe	103
PID 440 wrote to memory of 2248	440	cmd.exe	103
PID 440 wrote to memory of 3204	440	cmd.exe	104
PID 440 wrote to memory of 3204	440	cmd.exe	104
PID 440 wrote to memory of 3204	440	cmd.exe	104
PID 440 wrote to memory of 3460	440	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3.exe
"C:\Users\Admin\AppData\Local\Temp\f192e7c73164f2ffb060debfb54e24633e6932a117925a25ac533c4be97ed7d3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\win32.bat""
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 en.517sichuan.com
    3⤵
    - Runs ping.exe
    PID:1808
- - C:\Windows\SysWOW64\at.exe
    at /delete /yes
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\at.exe
    AT 11:20 /every:M,TH,Su C:\Windows\repair\winu.exe
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\at.exe
    AT 21:20 /every:M,T C:\Windows\repair\winu.exe
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /va /f
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /v 360safetray /d """"C:\Windows\Config\shell\winopim.exe"""" /f
    3⤵
    - Adds Run key to start application
    PID:3068
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v internat /d """"C:\Windows\system32\1025\internat.exe"""" /f
    3⤵
    - Adds Run key to start application
    PID:2900
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /v 360safe /d """"C:\Windows\SYSTEM32\WinXMLdate.exe"""" /f
    3⤵
    - Adds Run key to start application
    PID:2084
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\╬╥╥¬╦╤╦≈" /v "" /d "http://www.biso.cn/js/menu.asp?menu=search" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4444
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\│ú╙├╚φ╝■" /v "" /d "http://www.biso.cn/js/menu.asp?menu=soft" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4124
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\═°╒╛╡╝║╜" /v "" /d "http://www.biso.cn/js/menu.asp?menu=123" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4048
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:220
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "╨┬╬┼╫╩╤╢" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:928
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1468
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\shell32.dll,14" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:3628
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "default Icon" /d "C:\Windows\System32\shell32.dll,14" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4148
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\shell32.dll,14" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4268
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:740
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "╨┬╬┼╫╩╤╢" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2248
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=1" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:3204
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "╨┬╬┼╫╩╤╢" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:3460
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "╨┬╬┼╫╩╤╢" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:3572
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:3608
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "╣╚╕Φ╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4792
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:604
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\gg.ico" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1824
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "default Icon" /d "C:\Windows\System32\gg.ico" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:5004
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\gg.ico" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:664
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2124
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "╣╚╕Φ╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:380
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=2" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4532
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "╣╚╕Φ╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2640
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "╣╚╕Φ╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:5016
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:920
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "░┘╢╚╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4536
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:456
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\bd.ico" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4552
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "default Icon" /d "C:\Windows\System32\bd.ico" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2944
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\bd.ico" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2904
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4632
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "░┘╢╚╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4068
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=9" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1448
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "░┘╢╚╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:880
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "░┘╢╚╦╤╦≈" /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1852
- - C:\Windows\System\mstdc.exe
    C:\Windows\System\mstdc.exe
    3⤵
    - Executes dropped EXE
    PID:1960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mstdc.bat""
      4⤵
      PID:2716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bd.ico

Filesize
22KB

MD5
ef8ac542aa53436343300c722b549b92

SHA1
7ae192461958fb705804cf53708ed766a95f4e6f

SHA256
f6aeee3554d8884e904ad39ff35c5c64e9a63ce99b582b010399ee3b825a44bf

SHA512
3ea42ff5e9f930f6cb39392135f64156ee2cdc6a1c41b2c3cf2da2e6f7c49f6ace0ab619b7820421dffbe7608c395f61516ae23ac9200f819f3bfe751494dc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\gg.ico

Filesize
22KB

MD5
8ada014673ca24dd00da270c3c412a1a

SHA1
dbe0ab7178715b7ed7177f1b50b17e494f227ce0

SHA256
8c1dbad82e055db66b57108261fea963a9f661cdcf437173858c6a8a7ffc4919

SHA512
ced5fcfa4ab1b80af6e8fc847843235acd5189c9e34ad85cbb6eda9a66a98977e6b94e1930a8fc71f39fc2fe89105232fce8da43db1370598e70d4dbc36d748b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mstdc.bat

Filesize
541B

MD5
348783259a9f3f30af9903874802d8d3

SHA1
42e971517efced514f42bec8e07aae31e324f82b

SHA256
9cba5d403c0769dd932b5fb593a94faec772e62f68c50b1c7abaae4b3e4d7405

SHA512
e92dce24ebaf9248614c30ffecb9ec10718800bf8429b6616f5d32f9b50f3285ac16594dd51b904476dd6ef9c7e445ca422ca299c8e5d1b844463d7885d941b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mstdc.exe

Filesize
19KB

MD5
ca096d98f96ff1003cd259cf96f01227

SHA1
301dad354d173c2f74c4f08b875e7a9122513dc2

SHA256
d6f63102829ad9c9337da5cda800a8198f5874a11c7a0fd5095f938db2fbe66e

SHA512
f81aff49d8e54efd4f232922dd8db016bde8113751c578403e8dfc23e5eb84142ea8bd040cab52ad48ed39f0af4b80f1ff91353ed608188c2fd35a7a2dbb44bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\win32.bat

Filesize
10KB

MD5
6eca432bfc685808c9fd1c0c6dcf04da

SHA1
fb2c3bfd9ad8216a39bd425f8a95fa52e7f563f3

SHA256
370a7854421df9c11a14ab028cf2e4d8eed77cb4f6ba169818c02f5184882173

SHA512
0c56eff4599ea752ec6607a3ee74a431b3396f67f8acfaf94785511140bf5fe4f01038a2b4f3a7c6c5826583da6241170ef24089b409c3cf969ba7642542902b

Download Submit
C:\Windows\System\mstdc.exe

Filesize
19KB

MD5
ca096d98f96ff1003cd259cf96f01227

SHA1
301dad354d173c2f74c4f08b875e7a9122513dc2

SHA256
d6f63102829ad9c9337da5cda800a8198f5874a11c7a0fd5095f938db2fbe66e

SHA512
f81aff49d8e54efd4f232922dd8db016bde8113751c578403e8dfc23e5eb84142ea8bd040cab52ad48ed39f0af4b80f1ff91353ed608188c2fd35a7a2dbb44bd

Download Submit
C:\Windows\System\mstdc.exe

Filesize
19KB

MD5
ca096d98f96ff1003cd259cf96f01227

SHA1
301dad354d173c2f74c4f08b875e7a9122513dc2

SHA256
d6f63102829ad9c9337da5cda800a8198f5874a11c7a0fd5095f938db2fbe66e

SHA512
f81aff49d8e54efd4f232922dd8db016bde8113751c578403e8dfc23e5eb84142ea8bd040cab52ad48ed39f0af4b80f1ff91353ed608188c2fd35a7a2dbb44bd

Download Submit
memory/792-135-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1960-185-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1960-188-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads