326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Size

212KB
MD5

52e52f5654fd9940411c1cffb682e805
SHA1

85954cba4c9b319df9d601e9cd98ffd7bd8a81d9
SHA256

326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a
SHA512

c124ea256904c0b5a0c438a8e38795afe2f5da4cdc49ab4484f1af2a19e7962528a2d6f28542272037403a38abc4d53b75fa434e3a01942f85a2888a1a13ec62
SSDEEP

6144:dcyyU/A5rZRLEhFTnRa26s+Wdz8V7Wdfwn1nbmuSDmP:dHp/urb4A1WdBfo

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3256	Program Files4MS0N6.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000005268a0f64d6124c6a6dee531b6ffb478906d7891d751baa8fa00ad92026d9806000000000e80000000020000200000005cded981768c6092032b63f7173847c1a6b524db63d9bb1db9b8f570822e73d12000000092c098f2796f0437020a14350e188cf6ba341a071e61c74eaa23942a0d11dd0d4000000011baf18f31f53d8f31e6cd3c6ab587d280c0490207abab987801586febcc9c1a8d9ddd2f3f7a863930e9371b2a00b8e41822f73253fa37d9c35dd5bd48ca72a5	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90d574f051e5d801	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4022159454"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000629155f2f82d55f727afb831b9a7d0a19a4537ad3ccc256307d43ebc166f8501000000000e80000000020000200000002a3d3e0c4dd0c974930ccf3db36823d129f55bc118287cbc6e41246e7ba3d38220000000ec0ac7e91117a01c47401386dac5527f231a0aec89cccddff2382c2002beb404400000000149fefc898d0a782ce0a7aabb894875ea1b224aaa0c519238bee9b91b0492e145bf20c825879a0aba8bede8e77a79dccacafc26efc1745d375438434f1f40d3	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0a96df051e5d801	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373124251"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991697"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991697"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1AB65F15-5145-11ED-A0EE-72E891315508} = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4014346458"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4014346458"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991697"	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1193"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1193"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1193"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.t17t.com/?1193"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1193"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1193"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
404	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
404	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3284	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
3256	Program Files4MS0N6.exe
404	IEXPLORE.exe
404	IEXPLORE.exe
3832	IEXPLORE.EXE
3832	IEXPLORE.EXE
3832	IEXPLORE.EXE
3832	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 3256	3284	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe	82
PID 3284 wrote to memory of 3256	3284	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe	82
PID 3284 wrote to memory of 3256	3284	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe	82
PID 3256 wrote to memory of 404	3256	Program Files4MS0N6.exe	84
PID 3256 wrote to memory of 404	3256	Program Files4MS0N6.exe	84
PID 404 wrote to memory of 3832	404	IEXPLORE.exe	85
PID 404 wrote to memory of 3832	404	IEXPLORE.exe	85
PID 404 wrote to memory of 3832	404	IEXPLORE.exe	85
PID 3256 wrote to memory of 3804	3256	Program Files4MS0N6.exe	86
PID 3256 wrote to memory of 3804	3256	Program Files4MS0N6.exe	86
PID 3284 wrote to memory of 4684	3284	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe	87
PID 3284 wrote to memory of 4684	3284	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe	87
PID 3284 wrote to memory of 4684	3284	326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe	87

C:\Users\Admin\AppData\Local\Temp\326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe
"C:\Users\Admin\AppData\Local\Temp\326d63830778be82e426ca5814efe1f8fac8e692cfa3f999f349ab6c14c6043a.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3284
- \??\c:\Program Files4MS0N6.exe
  "c:\Program Files4MS0N6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:404 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3832
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
    3⤵
    - Modifies Internet Explorer settings
    PID:3804
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  PID:4684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files4MS0N6.exe

Filesize
36KB

MD5
9e9f75ec0851920cc2eb809f4e7316da

SHA1
f6452e9078fa318c69bc3c6558a705da48ed1554

SHA256
e3326f8036a27e70e8102d34fbb100673d68662f36af658946493d058be62d4f

SHA512
643494451cfde2f8c691a3fadf97042af3f0c8b3ed160d4f8894ace5280f224697109c480480a9e81e9d8bacbcf46a3f028d8f31c8e04070ee6e6b21bb335263

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7550b85aee4221c59808672005ed8855

SHA1
aeb269eff06f518132b9ecea824523fa125ba2d2

SHA256
2b1c1e36c5419b7b3351aad8a08fee019473c832fe242ec2bf438b160d5eb8b2

SHA512
216d401cb461099f7d2f3626957800cba77308b790ec181e2affb97339570bb9e168a56f3264cad79cd60589637679728fb2a87199a91667dc3ccfd4117f2bab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
2e83e9e5ae1e79c654902f2e2c82c7fe

SHA1
22e0b39d469edcfc2f5184a8e067d106b3b6e359

SHA256
29e018757e61b506cb9791ca5a016063f4a66c6defc82dee32106062cd0a4dcf

SHA512
0a0819960cb54a06284893cd5daee9898726da7a6981f2bf05eb759c498fcee965f0c9fbf092bad14a45eebd154a237efc1fa85f92547daebfe69bdbd8bc8386

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
486B

MD5
2802a268585de9367341c9feb8d42af1

SHA1
3768f1426ca7dfc4cbfc668832390077dbcb373d

SHA256
fe6ba43863acc42a572b08440f12a2bec9af9a5455079d757d257450663a0c53

SHA512
d66ef66b096af07635669d4c4e1eea7609c438b535fe52180e05dd2d3732821f68b3c335ac37331e59d24b843079f3ae69d8ae5a503f830dc7bce255a2dc0577

Download Submit
\??\c:\Program Files4MS0N6.exe

Filesize
36KB

MD5
9e9f75ec0851920cc2eb809f4e7316da

SHA1
f6452e9078fa318c69bc3c6558a705da48ed1554

SHA256
e3326f8036a27e70e8102d34fbb100673d68662f36af658946493d058be62d4f

SHA512
643494451cfde2f8c691a3fadf97042af3f0c8b3ed160d4f8894ace5280f224697109c480480a9e81e9d8bacbcf46a3f028d8f31c8e04070ee6e6b21bb335263

Download Submit