5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a

Analysis

max time kernel
143s
max time network
167s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Size

212KB
MD5

5245490dd86f544ad288db16fb2241bf
SHA1

6337b24538e0a54be918e52a38db6367c7b875a5
SHA256

5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a
SHA512

6699863a582537d763e0f01446787a03b5f7a3d37dec445d8c52630b2538a9cebea62a4dbc4f3da659d6a94a3efbcbc3af707364cb7033fe229afa05ad301eb6
SSDEEP

6144:dcyyU/A5rZRLEhFTnRa26s+Wdz8V7Wdfwn1nbmuSDmC:dHp/urb4A1WdBfl

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2004	Program FilesTUA389.exe

Deletes itself 1 IoCs

pid	Process
1212	WScript.Exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\d.ico	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
File opened for modification	\??\c:\Program Files\Common Files\t.ico	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8086c6ee97e5d801	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09736981-518B-11ED-965B-E20468906380} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{08E235A1-518B-11ED-965B-E20468906380} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000006c5d24666195248a7dc3f16ce637e97cad0cee74a58188e2391ac679cbfbc1e4000000000e800000000200002000000026c326babdf94476ce1bf51e2bdf03e8d83abf3f32456e99ccbe5bf6abdc25e1200000002fc37649663aaee1999e612afb5130dac719d1444f3cb7989981f613d69431b2400000006bc979e76eec585a29a0ac88d20085dd7f5e808681b615f6cb464671e5a6092f439f8344fd2685bea0b9c62e21caf4576a82d4d214c88daf8de5a5f1eccef735	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000b846cd7e1f480c31fa3fc5c806b4708795f8e2786b84511bbf046ce5fed06e19000000000e8000000002000020000000c44c0bcf83191ca7e836d536da182def226e6375e0e4798fa917b9d4e3d675c79000000062e870f7d18cf6dc0874aca0001c10faf0cd9611c6b5638ef89a024dc66bd2ab2fca2affcb079e14a17034ef79418e87d653973d05fcf3dd5141ba5b7f8b3d764732265b72a25c882a32f8a1d09f3861c889ff650f6deeb809fd6596317aab9c10696fe3e62263b83c5ed0b22a49a9b63e0f73d4d99e70bc678362986aeaf4e343140e07402a1b168b8e42de740d37bc400000003212b18d725889b7c35747895eb893945d90da1d6f41663a018bfd5a973731c23ea2b86b35a0bde988b72e8add86c1773bb23711b46a60c1a2e1b2f34342ffaf	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373154287"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1193"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1193"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1193"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1193"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1193"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.t17t.com/?1193"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1932	IEXPLORE.exe
1164	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
780	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
2004	Program FilesTUA389.exe
1932	IEXPLORE.exe
1932	IEXPLORE.exe
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE
1164	IEXPLORE.exe
1164	IEXPLORE.exe
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2004	780	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe	27
PID 780 wrote to memory of 2004	780	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe	27
PID 780 wrote to memory of 2004	780	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe	27
PID 780 wrote to memory of 2004	780	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe	27
PID 2004 wrote to memory of 1932	2004	Program FilesTUA389.exe	29
PID 2004 wrote to memory of 1932	2004	Program FilesTUA389.exe	29
PID 2004 wrote to memory of 1932	2004	Program FilesTUA389.exe	29
PID 2004 wrote to memory of 1932	2004	Program FilesTUA389.exe	29
PID 1932 wrote to memory of 1636	1932	IEXPLORE.exe	31
PID 1932 wrote to memory of 1636	1932	IEXPLORE.exe	31
PID 1932 wrote to memory of 1636	1932	IEXPLORE.exe	31
PID 1932 wrote to memory of 1636	1932	IEXPLORE.exe	31
PID 2004 wrote to memory of 1164	2004	Program FilesTUA389.exe	32
PID 2004 wrote to memory of 1164	2004	Program FilesTUA389.exe	32
PID 2004 wrote to memory of 1164	2004	Program FilesTUA389.exe	32
PID 2004 wrote to memory of 1164	2004	Program FilesTUA389.exe	32
PID 780 wrote to memory of 1212	780	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe	34
PID 780 wrote to memory of 1212	780	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe	34
PID 780 wrote to memory of 1212	780	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe	34
PID 780 wrote to memory of 1212	780	5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe	34
PID 1164 wrote to memory of 1160	1164	IEXPLORE.exe	35
PID 1164 wrote to memory of 1160	1164	IEXPLORE.exe	35
PID 1164 wrote to memory of 1160	1164	IEXPLORE.exe	35
PID 1164 wrote to memory of 1160	1164	IEXPLORE.exe	35

C:\Users\Admin\AppData\Local\Temp\5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe
"C:\Users\Admin\AppData\Local\Temp\5f746936f55bd660b1ad904019855cc018143b9faafab65d0d4d260894d4ee8a.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780
- \??\c:\Program FilesTUA389.exe
  "c:\Program FilesTUA389.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1636
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1160
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program FilesTUA389.exe

Filesize
36KB

MD5
841002eac91cf2923a7b74717ad9fa97

SHA1
34f2b6213952cb827c574ff61b1fd129c090d254

SHA256
32a3c17c9bb49b98a0267a9b1138a4ea76720510ee550dfbd617bdf87ff4eaae

SHA512
ff9c9c7302ebc4e170e8963cda1cd55f6edf198f36fb4e390af47fee396e117a07fb02c572af88564f1108eb3e73f4755c73bd145aeeb817c0dd526d7ac29221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{08E235A1-518B-11ED-965B-E20468906380}.dat

Filesize
5KB

MD5
fb9de7a941d6db0f61c83dd0e47a7786

SHA1
b04e4b2d71baa37fbb9d2c85c24162d9251b04f7

SHA256
1847edbf636afa1e5d517afe26977f5304dce44741c16bd0355292d25dd90554

SHA512
bd6ed2ad6e6297b603fcd24073395ce53e8f864eafb3c8feaec3bd19d3285c7b7276f4a1086be7408b747eaf965856ab7380b0368b294d3b62718cd0eb57dd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
486B

MD5
ca62f5987432eb3d500c71fc463d0d58

SHA1
24bbdaf91795bc2342e6e54acab14c9e725ac6af

SHA256
e77fbab91ea2f1fb964365458dabb5d9ca70a83d004d527b717030f7601e812e

SHA512
9ca5cc5547410b75e2d1ab91e72f88dfdb7b72b552111d6e8050dc0c0ee6d1d1b8947211ee2d69a0ea1264c58c1fcfcad79923e23ff1bbbf64adcc1a0e1a3727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TJF8UBEP.txt

Filesize
608B

MD5
472cbb7266a2c86574b5552ae68a5eb2

SHA1
0555f48e25c9cce7f8f093ca68dafaa733871111

SHA256
a967ffeac39aeea0650cd3be8350ae745c2990ff6452a0406c677dafd42f73ad

SHA512
e4bfe3df98e6732d2f3ccd812ab0b4001c1360f3fbcb706ea69d554cbc3135ba0655a58767a4a256f56572d20f837a282426194930781679155c43bda0784914

Download Submit
memory/780-56-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download