326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a

Analysis

max time kernel
154s
max time network
165s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Size

212KB
MD5

52e52f5654fd9940411c1cffb682e805
SHA1

85954cba4c9b319df9d601e9cd98ffd7bd8a81d9
SHA256

326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a
SHA512

c124ea256904c0b5a0c438a8e38795afe2f5da4cdc49ab4484f1af2a19e7962528a2d6f28542272037403a38abc4d53b75fa434e3a01942f85a2888a1a13ec62
SSDEEP

6144:dcyyU/A5rZRLEhFTnRa26s+Wdz8V7Wdfwn1nbmuSDmP:dHp/urb4A1WdBfo

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1792	Program Files0CI6D2.exe

Deletes itself 1 IoCs

pid	Process
988	WScript.Exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000d43d18ecd5bd860d403a3d2a0fa26f95e5b8f85eb94e11b5ed32d996c0c6fcc0000000000e8000000002000020000000c357078a98764f97886f3dae62ea82e4d4062a87671292ba8bb8e0bf23ce2378200000009ddf01bcfcd3cd7ae1f9ab8db2339de7ef1108c9d84d6469afa6b8b125dbb8a2400000007d5da822be6bc6ca9b60ec42303e97ce999004de73634a11177e4f58148ff8b7b4d1e09b3105aa336beac6d105865cbdf20c1069161555f0986805cc527d8f41	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c000000000200000000001066000000010000200000008166c98aa3e59215562dc69d90e985464405bda1a81575ee5143047ad2e03162000000000e8000000002000020000000937f809bd57c1423d9e2247274b094ab8872f751071969138e29cb194aea1e96900000009ce0a98f0c27c385022ef2a77f6ddb88c3fbf03f88e7c3f0b438a68b27e5e2abb7e2930cc1ae7fc65738529b91b218b5e265a0b6b103e1eef41a2c01a467d16955fc38cdf5a3f0b97bd4e0c3f9cd51ccb6d60606782b4e02e9a6ebb9bb8743b257f265bc2aa63a90c50daca9361a054181e42731e775e407ecc3759fa0bd0d98d3819b5f66d5ee717f48410fa401ee2f400000009b3b31efacdd147eeb934b9cabfbc887f5016057bf9e7e462b30d871bb4079a347c208aa6340f6783a4358b56cdf7f690271a6d66435601de285279242e89071	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{13B6CD91-5156-11ED-B40B-E20468906380} = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 809117ff62e5d801	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372528459"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{150D9390-5156-11ED-B40B-E20468906380} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1193"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1193"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1193"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1193"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.t17t.com/?1193"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1193"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
576	IEXPLORE.exe
1812	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1756	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
1792	Program Files0CI6D2.exe
576	IEXPLORE.exe
576	IEXPLORE.exe
1812	IEXPLORE.exe
1812	IEXPLORE.exe
1100	IEXPLORE.EXE
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE
1100	IEXPLORE.EXE
1100	IEXPLORE.EXE
1100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1792	1756	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe	26
PID 1756 wrote to memory of 1792	1756	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe	26
PID 1756 wrote to memory of 1792	1756	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe	26
PID 1756 wrote to memory of 1792	1756	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe	26
PID 1792 wrote to memory of 576	1792	Program Files0CI6D2.exe	28
PID 1792 wrote to memory of 576	1792	Program Files0CI6D2.exe	28
PID 1792 wrote to memory of 576	1792	Program Files0CI6D2.exe	28
PID 1792 wrote to memory of 576	1792	Program Files0CI6D2.exe	28
PID 1792 wrote to memory of 1812	1792	Program Files0CI6D2.exe	31
PID 1792 wrote to memory of 1812	1792	Program Files0CI6D2.exe	31
PID 1792 wrote to memory of 1812	1792	Program Files0CI6D2.exe	31
PID 1792 wrote to memory of 1812	1792	Program Files0CI6D2.exe	31
PID 1756 wrote to memory of 988	1756	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe	32
PID 1756 wrote to memory of 988	1756	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe	32
PID 1756 wrote to memory of 988	1756	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe	32
PID 1756 wrote to memory of 988	1756	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe	32
PID 576 wrote to memory of 1452	576	IEXPLORE.exe	33
PID 576 wrote to memory of 1452	576	IEXPLORE.exe	33
PID 576 wrote to memory of 1452	576	IEXPLORE.exe	33
PID 576 wrote to memory of 1452	576	IEXPLORE.exe	33
PID 1812 wrote to memory of 1100	1812	IEXPLORE.exe	35
PID 1812 wrote to memory of 1100	1812	IEXPLORE.exe	35
PID 1812 wrote to memory of 1100	1812	IEXPLORE.exe	35
PID 1812 wrote to memory of 1100	1812	IEXPLORE.exe	35

C:\Users\Admin\AppData\Local\Temp\326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
"C:\Users\Admin\AppData\Local\Temp\326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756
- \??\c:\Program Files0CI6D2.exe
  "c:\Program Files0CI6D2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:340993 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1452
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1812 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1100
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files0CI6D2.exe

Filesize
36KB

MD5
766ea2a0302a356ce9cbed1c7c1a6eda

SHA1
d41aeead76f032d9907eb667dacc23fb37a97c2f

SHA256
4c0db65a6407394e665680f6ed037027277e55df836e9ba87310d292d59616e3

SHA512
0279e94f600391211e8fa350f195b04860ac3e59c70780b92d23eb2555f5f9a3556d0c641bee5123171e5e9a58fc7239cc0e1d75efa0545b75b0a237be581853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{150D9390-5156-11ED-B40B-E20468906380}.dat

Filesize
3KB

MD5
06989915a4e2f16c9bfdf2f593576a39

SHA1
e8e275f211f4b7ea59863ab30c190d78715d871b

SHA256
21426764460b03528efab4cc3f11f5becd9d49ae4b3a8f1ef2d68558220e586a

SHA512
ebdf7c514209ffc959ae0b1e92df09b683adc1b8434edee6415e43c446a2fb8de2d4705e703df9b807deaf6a27e2f3291e7aebd9c4e9b26942bacb7c7159f2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
486B

MD5
2802a268585de9367341c9feb8d42af1

SHA1
3768f1426ca7dfc4cbfc668832390077dbcb373d

SHA256
fe6ba43863acc42a572b08440f12a2bec9af9a5455079d757d257450663a0c53

SHA512
d66ef66b096af07635669d4c4e1eea7609c438b535fe52180e05dd2d3732821f68b3c335ac37331e59d24b843079f3ae69d8ae5a503f830dc7bce255a2dc0577

Download Submit
memory/1756-56-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download