5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044

Analysis

max time kernel
146s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2022 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Size

212KB
MD5

549da97e1b010b8a9f54c566b9be8af6
SHA1

cd0239c1c4022af91bfe5babec57838565e6fef1
SHA256

5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044
SHA512

5408cd6466c33911d6dc9e3b77ddfa91e35ab051316cd08ab482516f4b17863bed98dd379e77862af97f872c73ae5008a2d77e8c049582fee3bf44b34910c260
SSDEEP

6144:dcyyU/A5rZRLEhFTnRa26s+Wdz8V7Wdfwn1nbmuSDmD:dHp/urb4A1WdBfg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4004	Program FilesPP8D67.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\d.ico	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
File opened for modification	\??\c:\Program Files\Common Files\t.ico	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000d3ed3eb63cb1f1a7d5c295833e7ac986ab4a210abd9b9b18cb188cfc75082831000000000e8000000002000020000000d045362ca94310106fe39380300b302d1e8fec8aecf5b0c5a81e5bf4ea4e1b9020000000132c16b1eb27571f6e08ad4db47d11d61220fe48f74505a87760e5f498c358b240000000285237e4784afe90a3ac078daaf807c3b9cffda0984c758a0fa8bb3069dce5923524a01404a151378976d378a0256969031ed6677b5bce94ca0ad2423b0bf1ff	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0da41c662e5d801	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991714"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E9AAFC33-5155-11ED-89AC-4AA92575F981} = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3455110527"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000003ce12f2d69feb32c73602de1eb6c35830d926dbe754b88660df96595e2b8d7a5000000000e8000000002000020000000d1d8b7b535f98f56c4a0285e5b333445ebbde814e43d9b045026044861af617320000000e734ee1a4059aacefda3902b70be1e8df5fbb746343b65ced17eedeff5377c0f400000005e497c8caead71e14e0b757d06eeddf8d849999f404bbe282946bebc2a7d42dfe1432fb6545efe5c0c3f1842757a03ccb921dfa940eadb1b5ea7bb2db6c9bb66	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373131482"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3455110527"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EDF61719-5155-11ED-89AC-4AA92575F981} = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 405116cc62e5d801	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991714"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1193"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1193"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1193"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1193"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1193"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.t17t.com/?1193"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4916	IEXPLORE.exe
4968	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4740	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
4004	Program FilesPP8D67.exe
4916	IEXPLORE.exe
4916	IEXPLORE.exe
4968	IEXPLORE.exe
4968	IEXPLORE.exe
3916	IEXPLORE.EXE
3916	IEXPLORE.EXE
1364	IEXPLORE.EXE
1364	IEXPLORE.EXE
1364	IEXPLORE.EXE
1364	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4004	4740	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe	82
PID 4740 wrote to memory of 4004	4740	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe	82
PID 4740 wrote to memory of 4004	4740	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe	82
PID 4004 wrote to memory of 4916	4004	Program FilesPP8D67.exe	84
PID 4004 wrote to memory of 4916	4004	Program FilesPP8D67.exe	84
PID 4004 wrote to memory of 4968	4004	Program FilesPP8D67.exe	86
PID 4004 wrote to memory of 4968	4004	Program FilesPP8D67.exe	86
PID 4740 wrote to memory of 2328	4740	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe	91
PID 4740 wrote to memory of 2328	4740	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe	91
PID 4740 wrote to memory of 2328	4740	5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe	91
PID 4968 wrote to memory of 3916	4968	IEXPLORE.exe	88
PID 4968 wrote to memory of 3916	4968	IEXPLORE.exe	88
PID 4968 wrote to memory of 3916	4968	IEXPLORE.exe	88
PID 4916 wrote to memory of 1364	4916	IEXPLORE.exe	89
PID 4916 wrote to memory of 1364	4916	IEXPLORE.exe	89
PID 4916 wrote to memory of 1364	4916	IEXPLORE.exe	89

C:\Users\Admin\AppData\Local\Temp\5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe
"C:\Users\Admin\AppData\Local\Temp\5f53f5d176fad7cb5ecc66f514397293668150ba5f81f0888c9b50fbdae96044.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740
- \??\c:\Program FilesPP8D67.exe
  "c:\Program FilesPP8D67.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4916 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1364
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4968 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3916
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  PID:2328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program FilesPP8D67.exe

Filesize
36KB

MD5
70058a4f7fabdae66b4a4270331e201d

SHA1
364bdad825fee497f3c75d3d9a70c497004cbb49

SHA256
b02f910c0d2d4fc8c2c5b07727c85b7ee78ac5a2d96c911f9ca0d0f2dc137052

SHA512
b2afc6fb3d0d50766607b6991fe575c897467d00b2e63a49d58a93acc7a9944d133e84bc5fd74cb43138bc52b3725d5ff2037bfc33b824815356a110ecc72280

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7550b85aee4221c59808672005ed8855

SHA1
aeb269eff06f518132b9ecea824523fa125ba2d2

SHA256
2b1c1e36c5419b7b3351aad8a08fee019473c832fe242ec2bf438b160d5eb8b2

SHA512
216d401cb461099f7d2f3626957800cba77308b790ec181e2affb97339570bb9e168a56f3264cad79cd60589637679728fb2a87199a91667dc3ccfd4117f2bab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
5c95d2ff9ff2efece50e64988ab55924

SHA1
5e0b64557f198d05a57e3af2f5872b1ce1f6f89e

SHA256
11ae4fd6a9410cfde7e13021f290b590072b89b033f2101e375473712107c706

SHA512
12c9e17d4c3336ea746099e44059f92e5b8a6288dfef5ba9d926bb67f3b06eedacd0933f9b815cbc0ae5a144e06969da8b2305f137b02ed7aa248ea302bdd477

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
edfeac8496fb1a2b30e397e033b4bcb6

SHA1
165af5886d27d2fe3a3c67a0370e7d71459a3e10

SHA256
f2b39c0e34ee2aa52a6278fb38f3f5a2fc4fe495d8309dbbb6b50c0c31d7e05a

SHA512
f455851e1f76c28856dea433100150d5affe6bccf8c8f0cc8d622e8fccafe2164e8ba81460ca7ed551d4d6b444c9e8ef1f80fe99a12a2f9130deaeded0664095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E9AAFC33-5155-11ED-89AC-4AA92575F981}.dat

Filesize
5KB

MD5
13201f6e6c791758ead71ea68ea6b80e

SHA1
037f7b8a35dfe583252288c4a5b48b9018d1cae6

SHA256
c90a48f7c0b55021b3803b6b555bc0d78e5c3e99e437bf2ebf6d40897cb029a1

SHA512
8f43e4dbd87939274f1a346d93854f6f453a7fe023177498c865de3964a3a2e3b191481ed020a3ed75dc9cdb59248326c16f9b66c5806ee6af09ed4e16d855de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EDF61719-5155-11ED-89AC-4AA92575F981}.dat

Filesize
5KB

MD5
9502efc59c4ab39b35e640993c09d42a

SHA1
c49e3a5af41dc568223d5a79a2dc40f6d0983491

SHA256
5eb922613435f47d986de48ebd01810819cdfa1621a9aeef91cae0ec258ead6e

SHA512
1825dc051bd0b9a1f0de2969ad63d9b753d366e005ed5fe45f8a26776fb684b818956cdc3af4384be55864c227310edc361b53a256fc5ebbb14efb426091c6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
486B

MD5
75aedea248a4a3afbe3e5e88d4eb9b04

SHA1
28245e65c04f152edbf3324e12b3e1cda6128470

SHA256
44cb4871d7b69172761079121e41a1315c6e8ffe2852398e1e1ada41f55e9d5f

SHA512
95010ca3537bab40dfac3d21c5802716cb7b3bc62653bdb36ad20fb221c08b7b2292a6ee12a890686605657e43c39bcb0664340e39f65ee1a7f0f1f7a36a49e5

Download Submit
\??\c:\Program FilesPP8D67.exe

Filesize
36KB

MD5
70058a4f7fabdae66b4a4270331e201d

SHA1
364bdad825fee497f3c75d3d9a70c497004cbb49

SHA256
b02f910c0d2d4fc8c2c5b07727c85b7ee78ac5a2d96c911f9ca0d0f2dc137052

SHA512
b2afc6fb3d0d50766607b6991fe575c897467d00b2e63a49d58a93acc7a9944d133e84bc5fd74cb43138bc52b3725d5ff2037bfc33b824815356a110ecc72280

Download Submit
memory/2328-139-0x0000000000000000-mapping.dmp

Download
memory/4004-134-0x0000000000000000-mapping.dmp

Download