b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a

Analysis

max time kernel
188s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2022 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Size

212KB
MD5

5fc3df3d1f66a8a70a4f65fcd02ad813
SHA1

1c123cc47ed48723a168c89709de96d56103227f
SHA256

b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a
SHA512

53967e2b9251bf7b0e85276d001dd34d5c91ac601e9d83e2ef64024d601d6dd465a5c8eba416ef246852f7b51c8e075e8ef72b836835f9b4215af5e080f4dcf9
SSDEEP

6144:fzanGw+tnswng5nLnQ/n0ogdn3muA36IlLpjie5teizueDmL:ffNJ8TA36ING

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1188	Program FilesXYEL90.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8DA35E48-4A79-11ED-89AC-E23A5D90AA50} = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989958"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1757671355"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000003746a557b83f1014c38c6d0095ceaf15b17a6b33a02f88027b218b7cfaa3ba0a000000000e800000000200002000000081b85852c2db3699bff4923d687dd64bbccec920bd58db67da1d9b5cad73cfc320000000c7b31d643d93d5cf6c1fee5c315d022739956dee24fecd48f105c129d17a5a974000000094f6e7f0146d8c9bc0eeeb099483002ec84f45f8e8ba3b0e299667ac0d0856af5bf6d74534ccd9d3cff0313815e9772215e03243abae0934a909e612985c3799	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1872983405"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1757671355"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989958"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1873138623"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8DA38558-4A79-11ED-89AC-E23A5D90AA50} = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989958"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1873138623"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989958"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3074166a86ded801	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1872983405"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989958"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372377143"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000a90fc27f767b5ad7e002e4ef87b040ae9b1a8c1ca94b0e72e6165e29ba2edfe2000000000e80000000020000200000004d96171f8e45d7a4d3e8392f50ee059fa58336a9f52515b4e8cb08fd4e82087a200000007de86fa580c08743de9e0149db311eac96571c11db8998f01bb77d6e2250808c40000000246b1a782da276c304686ce125eca10aa4b334ba35590634c99ebe5d4fced047b779c83ec1c71b10182c88b7ab5c6169202e7fad835dc88c35c15bde1af59199	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989958"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80d1866f86ded801	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?2012"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?2012"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?2012"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.5ijunshi.com/?2012"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?2012"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?2012"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1132	IEXPLORE.exe
1916	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3472	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
1188	Program FilesXYEL90.exe
1132	IEXPLORE.exe
1132	IEXPLORE.exe
1916	IEXPLORE.exe
1916	IEXPLORE.exe
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE
2264	IEXPLORE.EXE
2264	IEXPLORE.EXE
2264	IEXPLORE.EXE
2264	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 1188	3472	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe	81
PID 3472 wrote to memory of 1188	3472	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe	81
PID 3472 wrote to memory of 1188	3472	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe	81
PID 1188 wrote to memory of 1132	1188	Program FilesXYEL90.exe	83
PID 1188 wrote to memory of 1132	1188	Program FilesXYEL90.exe	83
PID 1188 wrote to memory of 1916	1188	Program FilesXYEL90.exe	84
PID 1188 wrote to memory of 1916	1188	Program FilesXYEL90.exe	84
PID 3472 wrote to memory of 2460	3472	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe	85
PID 3472 wrote to memory of 2460	3472	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe	85
PID 3472 wrote to memory of 2460	3472	b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe	85
PID 1132 wrote to memory of 2264	1132	IEXPLORE.exe	86
PID 1132 wrote to memory of 2264	1132	IEXPLORE.exe	86
PID 1132 wrote to memory of 2264	1132	IEXPLORE.exe	86
PID 1916 wrote to memory of 2536	1916	IEXPLORE.exe	87
PID 1916 wrote to memory of 2536	1916	IEXPLORE.exe	87
PID 1916 wrote to memory of 2536	1916	IEXPLORE.exe	87

C:\Users\Admin\AppData\Local\Temp\b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe
"C:\Users\Admin\AppData\Local\Temp\b15cede3e97bccfe50fc2e104c73109b895e9266364336da432f010ee2a0ea7a.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3472
- \??\c:\Program FilesXYEL90.exe
  "c:\Program FilesXYEL90.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1132 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2264
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2536
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  PID:2460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program FilesXYEL90.exe

Filesize
36KB

MD5
cd4fc5be68fd8c65b3b25ae1f2d27144

SHA1
57f5187864cbdd2527252ce7b9a8dc043a66cff1

SHA256
5ec06b2d8068fe1400247bc88680e3436bce6dc22bfe139a23df9774c37a1489

SHA512
f16ab77564229b6a127bb00dda51629e0f42b2c20ae85b75455475593e2888664bf68e120c39979f3bc7b9ecaf3fc4432029b3afc91adc785341888466a8f358

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
957d711ef13aae49d723c4d2b1d4fa37

SHA1
aa818a5cfb5ce97987c05c8f20866cbbafb4bf93

SHA256
43184ac9a857febd19b97a04797528a7de0c15744ae3d540e23cc4b5f1d2641b

SHA512
f5c8fb180bba40d0755c909349bb960be5b8242de651237b9c2368d74accbf845f3cad131ff9b80f71745353dd11b53ddda7fd5cb928a2f543be217b9e975030

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
3c2098dca6315a5c0e379c31c25a9ef8

SHA1
ea7ca6052f7ea8cece1316aba8ba2a94ded4b3a8

SHA256
d8782384068f39a45a61ea5ad773a8d4f396f706682912214c425c5cc73b1557

SHA512
2c5bfc7d530ab2efe5d1fbee840db6c0d5560af5de8bf811720fd339ee1f692023d3463ce1e30c7fe4679f3b26002d9f9c2e08ea548b39dc93cebcfc115a9ec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8DA35E48-4A79-11ED-89AC-E23A5D90AA50}.dat

Filesize
5KB

MD5
a4a3c141411f495f620f2c98ba2de700

SHA1
6ceda0dd902f4dc0f75637b08e3f740ef1ed64aa

SHA256
cd1646b66ad1e1a7825a2740dc9a5588592313aab7944ea7c44a6f39b371f09a

SHA512
96d066c318178e955931f7896e0ff0d6d79b84a6df54198a556b57366a2efe6ab78ef2af1edf04dfb8641aabb4117605744266e0aa2a280149486dc0bfc9cde4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8DA38558-4A79-11ED-89AC-E23A5D90AA50}.dat

Filesize
5KB

MD5
b2e66802a39fcf3019fc0ab9b2626be9

SHA1
47fe012d5c36173271b0dfa6c27eca00a77759c0

SHA256
a4e4d1db27d3f06c5cd8f4c772b05c08646e5c7fd00ef7918f77d481aeae79b7

SHA512
b81ec620959f27a2ccafa1e596f884ec3d32715ac1ff44e8a5eb10ce328589b839646715787dafaee6f6ea2145437b72bceadf2b685f1897486f6195171cf795

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
486B

MD5
1950abe356fd551871006e4ee85ab24d

SHA1
b2a3ab844d0008c5ad801ed3f4dacd0cb34f1103

SHA256
d875ffdff234147bbf6f4e6eb7c07e4c6ebb1a2437ca75207cdf931995b91f8b

SHA512
0e285a8c01140600db00b61bb5db7753c47f9d2a5dcebdacfdd38d36ecab4f361b4d8bd523796450cf324e4be1b60e05f02010f1d3d60b7806bd817dfe8d0057

Download Submit
\??\c:\Program FilesXYEL90.exe

Filesize
36KB

MD5
cd4fc5be68fd8c65b3b25ae1f2d27144

SHA1
57f5187864cbdd2527252ce7b9a8dc043a66cff1

SHA256
5ec06b2d8068fe1400247bc88680e3436bce6dc22bfe139a23df9774c37a1489

SHA512
f16ab77564229b6a127bb00dda51629e0f42b2c20ae85b75455475593e2888664bf68e120c39979f3bc7b9ecaf3fc4432029b3afc91adc785341888466a8f358

Download Submit
memory/1188-134-0x0000000000000000-mapping.dmp

Download
memory/2460-139-0x0000000000000000-mapping.dmp

Download