4f146e2a76c1befd792fb00ed88019bd30e0c3974a38a57cb0a063b1a7660164

General

Target

练习参考程序/练习6/clickDraw/clickDraw.xml
Size

10KB
MD5

f973d8cf67b2166736de325ca6d4a627
SHA1

764f0abfb51f5f4d99291709e1fba307ae6b67ba
SHA256

b518a996d06db594e8444ed2cd66b231ba1e489c32fb2cf45e294879f2b98971
SHA512

2f55d424a7a6afe254fc118bd2a7e8a30f5146da3add88c41bd5a953d215a68d9e1dc66085244f41f33be287faef8343324c42e1b1b25d0ef96300c2488e680c
SSDEEP

96:yY0/zcpM1fNOimF4mbima4G2YyaLbyaLMyaL6yaLDmPsOB9UAD/e44fh54AD/eQw:yx/zcq/RBkRbn/UfH/sfD/zfe/rfsx

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6B441DF9-5056-11ED-B696-E62BBF623C53} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991459"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000006a35a36c717f406f8971ff646b4f50706b0afa9002c3dc439c7e4c161225c622000000000e8000000002000020000000b15e350459f2c94ce2648e8820b46c28915fbc842db1ff08cd66e0713b67210b200000001ac65a2a8f5d591f5ed65e0bbcbccf76c402103095ccfa18e9687a6bb1b90711400000004d689431a3ff9bede1fae46b2f383c85c395c48bc52fe00a9fd8276f5d8adf32ab6467a5c1ec5abcca6016672fde4b55d32325d1956454d47c9f37a895ac4081	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1211157375"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373021740"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000003f81be7bfd5d52016f4f6492c12c2bd790707773993cd97c33acff372d1cad0a000000000e800000000200002000000080e9b9bbb77beb87693c04ef66b5e6facb3c062dc34c33d1fbfabae4f6252fba2000000070841b0d79560cd51108146718906973aed997cbd8db5520e46fc2b696cce0f4400000003d7da818f688d96a9ef41d2f4ca750640fcd5abaf37854f144bfdb97c29d6753d34b89a02fa5f3f8777922c0254a9cb0731f09d087771be0197f1dc367bad0da	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991459"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991459"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1211157375"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e07e065a63e4d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1195532934"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991459"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 302d495a63e4d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1195532934"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3916 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3916 iexplore.exe
3916 iexplore.exe
4780 IEXPLORE.EXE
4780 IEXPLORE.EXE
4780 IEXPLORE.EXE
4780 IEXPLORE.EXE

pid	process
3916	iexplore.exe

pid	process
3916	iexplore.exe
3916	iexplore.exe
4780	IEXPLORE.EXE
4780	IEXPLORE.EXE
4780	IEXPLORE.EXE
4780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSOXMLED.EXEiexplore.exe

description	pid	process	target process
PID 1792 wrote to memory of 3916	1792	MSOXMLED.EXE	iexplore.exe
PID 1792 wrote to memory of 3916	1792	MSOXMLED.EXE	iexplore.exe
PID 3916 wrote to memory of 4780	3916	iexplore.exe	IEXPLORE.EXE
PID 3916 wrote to memory of 4780	3916	iexplore.exe	IEXPLORE.EXE
PID 3916 wrote to memory of 4780	3916	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\练习参考程序\练习6\clickDraw\clickDraw.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\练习参考程序\练习6\clickDraw\clickDraw.xml
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3916

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3916 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
d3ff0edeee7d1ea5754d8a290ae01189

SHA1
253ee24a4776d30bac0aedd7ea213adea6acb6f9

SHA256
e2e542a3681c428c021d38e608dffa43da666f6f3c53f623c21dc184639b222b

SHA512
ab14449059ae31856026e8d8cb0ec0b4158da0fd19f2a73940a159574a9084ce6a09ac05fb80ef3ab11cd9b1395dce021872215baced48f9e8a0bf7311000db7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
2f7bfaffa6251df36f095209e9aa97be

SHA1
241cab9cb3850640916434fb844d51b4d9853dd7

SHA256
bb3bd0e9c0e0762586153e13caa13f1d56487811f5e1223daa9145e93cf2a39f

SHA512
7a4e1bedcbf45f20132e95a3fccb43f5e809adb05f5252afaceb2873cffd0777923d381c1bb045bbde35a0e8863ff6a718bc134b9a76a3cfab4d2e7450eb8a97

Download Submit
memory/1792-132-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmp

Filesize
64KB

Download
memory/1792-133-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmp

Filesize
64KB

Download
memory/1792-134-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmp

Filesize
64KB

Download
memory/1792-135-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmp

Filesize
64KB

Download
memory/1792-136-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmp

Filesize
64KB

Download
memory/1792-137-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmp

Filesize
64KB

Download
memory/1792-138-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmp

Filesize
64KB

Download
memory/1792-139-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmp

Filesize
64KB

Download
memory/1792-140-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing