240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827

Analysis

max time kernel
148s
max time network
162s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14-10-2022 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe
Size

1.2MB
MD5

7b159c899ab5c3fdeb2a0a0aebfe280b
SHA1

b80f784e5e7b0f8d44e63a01f0221b429fc5afdc
SHA256

240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827
SHA512

659c3c3d2859086bd901978f7ab8381eff312f161c41634b07b0c80fde395920a7142a81e26756c927f70bfd5d6cf4c7ae6df0e2bb7e297a7dc5206fefa3dba9
SSDEEP

12288:/z7PzGXyhTE3xn8QLHxqr7pCDRFLP7uNrGuXyA9GSEXFBckIR:/z7bGXyh6xntLRqvpCTLP7s7RQlcNR

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\safe.ico	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\progra~1\ico\$dpx$.tmp	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\53444ebbc846e94e946bf2e5d101706d.tmp	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\fdb0396dd19ded40b22b886c1813e0c8.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Film.ico	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\b2c3b382690d6547a4b32976891252f3.tmp	expand.exe
File opened for modification	C:\progra~1\ico\meiv.ico	expand.exe
File opened for modification	C:\progra~1\ico\$dpx$.tmp\job.xml	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\4c0a2c0f2f80424db7536bdb2afcb6c4.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Taobao.ico	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\0f13c5ada46b0241ad8a7436e4f97236.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Video.ico	expand.exe
File opened for modification	C:\progra~1\ico\Beauty.ico	expand.exe
File opened for modification	C:\progra~1\ico\Chat.ico	expand.exe
File created	C:\progra~1\ico\$dpx$.tmp\acb62aacd6a5bf4eafeb4131ebc9038c.tmp	expand.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c000000000200000000001066000000010000200000004a1709173b88ef3381b791c3e5bc94150162c505d580414a94684fdb32552392000000000e8000000002000020000000af9c2898009431b255fdb20b803f3a4dd00f76f81f1e49d7b22dc896f16959562000000073d3d3d8f6ff997ecde898b03c9ded09232e6efeb853be563582d290aad7335f4000000073f2456401c2cb0d9220f0013ec118e434e4e939b4ceba5420946379ff60b9a3b53c62aa7f519f191bcb1c33a34f97850f521c7ee85785d35f1aeef878473ecd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\618889.shop.ename.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\618889.shop.ename.com\ = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\ename.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe
1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
628	iexplore.exe
1300	iexplore.exe
780	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe
1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe
628	iexplore.exe
1300	iexplore.exe
628	iexplore.exe
1300	iexplore.exe
780	iexplore.exe
780	iexplore.exe
528	IEXPLORE.EXE
1156	IEXPLORE.EXE
1880	IEXPLORE.EXE
1156	IEXPLORE.EXE
528	IEXPLORE.EXE
1880	IEXPLORE.EXE
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 1644	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	27
PID 1116 wrote to memory of 1644	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	27
PID 1116 wrote to memory of 1644	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	27
PID 1116 wrote to memory of 1644	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	27
PID 1116 wrote to memory of 1676	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	26
PID 1116 wrote to memory of 1676	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	26
PID 1116 wrote to memory of 1676	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	26
PID 1116 wrote to memory of 1676	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	26
PID 1644 wrote to memory of 1628	1644	cmd.exe	29
PID 1644 wrote to memory of 1628	1644	cmd.exe	29
PID 1644 wrote to memory of 1628	1644	cmd.exe	29
PID 1644 wrote to memory of 1628	1644	cmd.exe	29
PID 572 wrote to memory of 1300	572	explorer.exe	32
PID 572 wrote to memory of 1300	572	explorer.exe	32
PID 572 wrote to memory of 1300	572	explorer.exe	32
PID 1116 wrote to memory of 628	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	33
PID 1116 wrote to memory of 628	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	33
PID 1116 wrote to memory of 628	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	33
PID 1116 wrote to memory of 628	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	33
PID 1116 wrote to memory of 780	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	34
PID 1116 wrote to memory of 780	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	34
PID 1116 wrote to memory of 780	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	34
PID 1116 wrote to memory of 780	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	34
PID 1116 wrote to memory of 1512	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	35
PID 1116 wrote to memory of 1512	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	35
PID 1116 wrote to memory of 1512	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	35
PID 1116 wrote to memory of 1512	1116	240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe	35
PID 1300 wrote to memory of 1156	1300	iexplore.exe	38
PID 628 wrote to memory of 1880	628	iexplore.exe	37
PID 1300 wrote to memory of 1156	1300	iexplore.exe	38
PID 628 wrote to memory of 1880	628	iexplore.exe	37
PID 1300 wrote to memory of 1156	1300	iexplore.exe	38
PID 628 wrote to memory of 1880	628	iexplore.exe	37
PID 1300 wrote to memory of 1156	1300	iexplore.exe	38
PID 628 wrote to memory of 1880	628	iexplore.exe	37
PID 780 wrote to memory of 528	780	iexplore.exe	39
PID 780 wrote to memory of 528	780	iexplore.exe	39
PID 780 wrote to memory of 528	780	iexplore.exe	39
PID 780 wrote to memory of 528	780	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe
"C:\Users\Admin\AppData\Local\Temp\240b8caa66100e6055321b904b19fe9eb7ff2d9dc84732f886d0a8ce06e25827.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe http://www.v258.net/list/list16.html?mmm
  2⤵
  PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\8VOHo.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\ico.cab" -F:*.* "C:\progra~1\ico"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:1628
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.q22.cc/?ukt
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:628 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1880
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.v921.com/?uk
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:780 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:528
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.779dh.com/?kj
  2⤵
  PID:1512

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:572
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.v258.net/list/list16.html?mmm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1300 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
cc64c7d062f56a476fefc635cd560e90

SHA1
4266149eb432bf006240e6defcaaaff66408e647

SHA256
26eaecf7f75634bdfa8b78edf8d5b161adc99b3e229fccfff82a40f504d3565c

SHA512
f658e2a603177a50c2cb613a155a9fd7328a510223cbe4001e26899831c4357b1f010795c03bad10d842abdcc9c25fc7b1aaf6a0f874b469f757f9847038b1bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A4FF60D1-4BAE-11ED-8C25-6AB3F8C7EA51}.dat

Filesize
3KB

MD5
b3309afda3774d54fdf121640cd9df4c

SHA1
cbf4404a10755f6f66ba140bf6f752b6b2fee4c4

SHA256
63f0bc259006dc8f90a36347ec242d9d9457111e9e95e8c452ecdf70db4b533c

SHA512
d1138b2463a0f5ce2fe71b97af70036c4fb2afb3e57ffc78d2602b1271093be5a84dc85bc5cadc939e98c7dbf237ebe862d2d0e05fe8bdfe99457592b3e40850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A4FF87E1-4BAE-11ED-8C25-6AB3F8C7EA51}.dat

Filesize
3KB

MD5
04b6303016fded0b508683ab3e9e592d

SHA1
2fa486e182a7cd9d8e9ed20ce687f215f0442758

SHA256
f3d98de241eda5df85cd5a6b22b7d3adad4c00dc7c5df30254c428ed43e35499

SHA512
3420155e40dbde0ce0a397c8bf1bfecfa0783605207780f4e6e099dfd1d5c8e0807868547d1961a0dcdce3352d45908f8d8ea49a811f53a142927b9fb59e1741

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A4FF87E1-4BAE-11ED-8C25-6AB3F8C7EA51}.dat

Filesize
5KB

MD5
76d529771e45cc43e5c61d5dde57943d

SHA1
0bf1fe451c9135ce8ec7bdb66fa4225fc26ebc11

SHA256
e3b92c854492e42acdc47dd266f5a99e1bcfe9fe15cdd292fa010afa3ac34127

SHA512
72fa6a47029c68addef2c19bf6d232f21ceebbedc1e406b5899fa907bd15e3afb1227ff139848106dd3e1155bf550bea8af32dcd60849163f88b386784b88903

Download Submit
C:\Users\Admin\AppData\Local\Temp\8VOHo.bat

Filesize
98B

MD5
ada787702460241a372c495dc53dbdcf

SHA1
da7d65ec9541fe9ed13b3531f38202f83b0ac96d

SHA256
0d0f600f95192d2d602dbda346c4e08745295f331f5a0349deae21705367b850

SHA512
c86091735b855691c89c7946145591dec6a6a6a36a2438d392587a9cc1f2d85c1ebe44fcff1cc9d94271a24ebbc2ca38639577a6f5c592e9e10517da26572708

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LR4I2MLB.txt

Filesize
537B

MD5
3f1b708008393be315d7b4f63668c022

SHA1
94a8f50dbd34a8ab91041bea105913b438f2d815

SHA256
5656bcb599468a36db587b839801da4b8f9ea7e7fb419b6be77c01436e157dd2

SHA512
cf8111086d20e939e43141dd8c01a8769588e056e8a9220ec2e98c062acb32eb9bf6d6e93f88dd0d827b8a392c19e1ae581683e2dd583be287c1b5c8ed967f59

Download Submit
\??\c:\users\admin\appdata\local\temp\ico.cab

Filesize
20KB

MD5
1319e9998cedc513c68fa6d590b6ad63

SHA1
ae95b333e88a13886994f320f5dfb4856168a710

SHA256
9a5b18efe243fbe9b9b0be3674a24080e9210436986988f3f85a4007905083bb

SHA512
d4052a899c6c310296e2f5fdf6c2031c22d2644be620cb34ddcc6b59789d82a6462daaeb34466c568be48ee975c4a5ab43143eab0792312a6cd0d49f9fbd8d3f

Download Submit
memory/572-63-0x000007FEFC431000-0x000007FEFC433000-memory.dmp

Filesize
8KB

Download
memory/1116-67-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1116-54-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1116-55-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1676-59-0x0000000074F61000-0x0000000074F63000-memory.dmp

Filesize
8KB

Download