56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Size

212KB
MD5

5425fed3d805a988da16ce27dc6f6024
SHA1

b5468f6eac632d25a213275c03c77702896651bb
SHA256

56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230
SHA512

66f669b24844d4416f505abd28c615203bd9205fb5e7f2a44d0240d893ea3ed1b51d507be1180b4df1e1235658f2c88f8233cb2a8339c17807078e2b99f8a8c2
SSDEEP

6144:dcyyU/A5rZRLEhFTnRa26s+Wdz8V7Wdfwn1nbmuSDmk:dHp/urb4A1WdBfr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1972	Program Files0136EH.exe

Deletes itself 1 IoCs

pid	Process
1912	WScript.Exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000005081b638de6ed187ca03628afb3787c4d8d2e49cc00f32558b726004ccf8d7e4000000000e8000000002000020000000bec10812fb36a1fad09ce91f02d329ac6de2dbd2acd62799f7b54b900ea00718200000004bc58bda83b0fbfd04a07ac89c26d7911c295a2b6028602bf02672de67e4a544400000005ee1db9a4b085593b8bcab66fe51d4790f326bb5a3ca814af06ba3a4d9fde0ceb964855bfae0f32e97e42a773c725cc7dd6f63f25b3b3f5972dbec514e93e2aa	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DBEBB8D1-5155-11ED-9172-7ADD0904B6AC} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000007109ec2324c17f7e94f0e55c4cb33b89983ad15899550abc1370a2753c69f470000000000e8000000002000020000000bf40762efb0940fc7aa4c8ddbfe7d6ff89ddcb210cc80ef26c9e7bdeef7b8f58900000008f61cc0d6853af180cf43036ee696671b4bdeec206b52ce2117039eeea0c4d1d6982bb7121d2680573357c7468b53db40c5e4342f502f522d7184d1cc8e6ae773a4bdc570d9736f73b1d8ba2ce39cf11205af2189cb781abceaaaa32cc94bd894a0ce0c335e4821f7150131da8cff30a7034d8e70d01ea1f901380a16a273e3145b39b7e4d77b35c4afaa9353378cbfa400000007bcbaa0b1f196127f596cd9b967f3b5bf3ee5f9215b243df6fa42495ebaef5a099c597ce91cb257827d903297bdc7ed5d92136973a8e7dc6e48174ff2817a08b	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DCA7C571-5155-11ED-9172-7ADD0904B6AC} = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373131466"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0be79c762e5d801	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.t17t.com/?1193"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1193"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1193"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1193"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1193"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1193"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1740	IEXPLORE.exe
904	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1664	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
1972	Program Files0136EH.exe
1740	IEXPLORE.exe
1740	IEXPLORE.exe
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE
904	IEXPLORE.exe
904	IEXPLORE.exe
552	IEXPLORE.EXE
552	IEXPLORE.EXE
552	IEXPLORE.EXE
552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1972	1664	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe	28
PID 1664 wrote to memory of 1972	1664	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe	28
PID 1664 wrote to memory of 1972	1664	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe	28
PID 1664 wrote to memory of 1972	1664	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe	28
PID 1972 wrote to memory of 1740	1972	Program Files0136EH.exe	30
PID 1972 wrote to memory of 1740	1972	Program Files0136EH.exe	30
PID 1972 wrote to memory of 1740	1972	Program Files0136EH.exe	30
PID 1972 wrote to memory of 1740	1972	Program Files0136EH.exe	30
PID 1740 wrote to memory of 1028	1740	IEXPLORE.exe	32
PID 1740 wrote to memory of 1028	1740	IEXPLORE.exe	32
PID 1740 wrote to memory of 1028	1740	IEXPLORE.exe	32
PID 1740 wrote to memory of 1028	1740	IEXPLORE.exe	32
PID 1972 wrote to memory of 904	1972	Program Files0136EH.exe	33
PID 1972 wrote to memory of 904	1972	Program Files0136EH.exe	33
PID 1972 wrote to memory of 904	1972	Program Files0136EH.exe	33
PID 1972 wrote to memory of 904	1972	Program Files0136EH.exe	33
PID 1664 wrote to memory of 1912	1664	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe	35
PID 1664 wrote to memory of 1912	1664	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe	35
PID 1664 wrote to memory of 1912	1664	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe	35
PID 1664 wrote to memory of 1912	1664	56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe	35
PID 904 wrote to memory of 552	904	IEXPLORE.exe	36
PID 904 wrote to memory of 552	904	IEXPLORE.exe	36
PID 904 wrote to memory of 552	904	IEXPLORE.exe	36
PID 904 wrote to memory of 552	904	IEXPLORE.exe	36

C:\Users\Admin\AppData\Local\Temp\56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe
"C:\Users\Admin\AppData\Local\Temp\56259aeda9cbd5498eab6de3a5fb8de4f7f1982d7e52de5ea11d1e45e8178230.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664
- \??\c:\Program Files0136EH.exe
  "c:\Program Files0136EH.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1028
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:904 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:552
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files0136EH.exe

Filesize
36KB

MD5
a4e391ac06379f513762eabc75e7c2ac

SHA1
9ead37ec76ceb55dd6fbfd031a976a1a54341a7c

SHA256
48cd036f0eb0415cece31cb1b5a10a7ac78800a78ce2f49a00b5d77cb667a827

SHA512
f2800a23a854862167e766ced3f91cc50d6b033e9f77cc523e61859a5472172961293b76647ae42d5554a51e9c996a64bc5536f7167dfb2b27ccd83887cf2c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DBEBB8D1-5155-11ED-9172-7ADD0904B6AC}.dat

Filesize
5KB

MD5
353a5a80e601e72f92304ab81c01e2ce

SHA1
fc2f60803e1d83878f24ce086a8ad16fe211e237

SHA256
656ea2bd17a86f71b56682b303d00a4607b06b42ffbeabd9f3056944d2b378c3

SHA512
132ec5686b38492d77b1c033b3f6a560ba5a5543f2800d0c8962007aba5dd0bfff9acb0ff21a024cd7aac6000773cb1c1a7f59af6bb8d6890b36f64dbd6cfaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
486B

MD5
340efa9ce90a8c057178d1295e999354

SHA1
7bcbeef550d74b554d84b166d72de5a66a4afd21

SHA256
55eb47aa67a4ef38cc7ed97fcb70a511892a2dcc8fb1e7580083f7af5a621e6d

SHA512
4a12a3e0f9b189dc61df965ac1b1a8a03e53ac05bff9368b21f05c73c612ee763a9b4312cc630bbeb951fd379eb8852507ea6d87eeb94cde87990fd0c3fca105

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AH6YSCRV.txt

Filesize
608B

MD5
7012e91368a9818e9ee2033f351d0a7c

SHA1
44e637d4eac9b8b405eb21c3b77bfb24269de575

SHA256
b5b9db79f1741dc5f4b2dfb465703e673d300da8fc9aeb1b554080f9478ab129

SHA512
e25bece6e161857597772bc0ff37f6a94a0afcaff446e4c50ea557c3d213c83dd0a536d3e45963ad72a429d37ad9b5ebcf339c00aa8712aa0e8c9908ee7d199a

Download Submit
memory/1664-56-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download