91b82611b21bf9b93959caa9f41e02d1cfe589ffba89ebbd37ddc99d70203340

Analysis

max time kernel
100s
max time network
141s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

册2 相关支持性材料/4-2-1 国内流行病学数据或销量数据等支撑材料/人口数.html
Size

58KB
MD5

c82b0b16cbca6776646a652708808c74
SHA1

dad5251f4750cd157dfca1411244c54f57b919e0
SHA256

265f51b7121b5910539dc69a18dc8ce2bf41ae670d99f1c9d4a82c6c4eab52f4
SHA512

0936e9b802dc7c515ecf7ae08e12d5b7c35c8400cc24194bbd866faa71fcf56850193d09d5b273a93c5898a221de4783025618af6b55e257f6537eeca3972d9c
SSDEEP

1536:I6wumbvJvOXsirXeJsr8TdImudeXDQefUihgXRKFJQczVrcicC0Q2AjnKXY4GktK:I6wumbvJvOXsirV8TdImudeXDQefUih7

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000006f47d657580e17bd3d0a7f4233104b2dd4cf293f62b6b5ef8a3c765484a3facc000000000e80000000020000200000008d282dcc35c296a974302ed4b491088a74306682e53f8dd1b7f13c7c7dae67692000000006e994c3251e7082b8caebfbdbd28db4af8bf247fcca84f2d69de2c5d55ba459400000009cbf05fa15f76f985936ead2d64089aa74c4eae8c9f7f458baaf37baaa2f45e06aa056f6e1ef5fcfaf119c0f9359fe6076bfaae0658f45703daeeb9ea8acae69	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3041d18cc6e9d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9E23A401-55B9-11ED-B390-DA7E66F9F45D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000290a2b79aa770c01bf2e65a98f634aa5629f4140ca84dabf5a2f3c3af3d691f6000000000e80000000020000200000001f3a43d5828923d14fed45d7d9e014649e78af63ea8743d07040404a0123da9c90000000fea8724741143ca5e724d8e6fc0c5570931971217da7361eed5c10fe0cda5d448873781bb44139699d18038d381dcf8cbdffe5864ff086dac9aeec870f89292c43a31dada6ae8b721a0b93ad65521dc6ad6dbe66e2d442df3e4f7b2ebf52c16630d988433dd3aa925e54a19228d54b4b1cd18254b946a68512422ab68fe98cd91e8d1e1e91b18903ca0b10d769cd68604000000098941c15f3adb01c340a0365bd5e106b4c4111d3ed494c8dc4c920a73f9aeb2fd59af76912aa857ed826af2593b96205fb7080b20eedc68b6ae52846d9855c58	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373614099"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1500 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1500 iexplore.exe
1500 iexplore.exe
1376 IEXPLORE.EXE
1376 IEXPLORE.EXE
1376 IEXPLORE.EXE
1376 IEXPLORE.EXE

pid	process
1500	iexplore.exe

pid	process
1500	iexplore.exe
1500	iexplore.exe
1376	IEXPLORE.EXE
1376	IEXPLORE.EXE
1376	IEXPLORE.EXE
1376	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1500 wrote to memory of 1376	1500	iexplore.exe	IEXPLORE.EXE
PID 1500 wrote to memory of 1376	1500	iexplore.exe	IEXPLORE.EXE
PID 1500 wrote to memory of 1376	1500	iexplore.exe	IEXPLORE.EXE
PID 1500 wrote to memory of 1376	1500	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\册2 相关支持性材料\4-2-1 国内流行病学数据或销量数据等支撑材料\人口数.html"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
df7c4bbc8c3c3ad392f42dc5a18a86f4

SHA1
7e89f11630c3b1801e74988eed97665811f3f96b

SHA256
d5f3ac3d662d14d5638e94eec6030c864475209013b67e7c8432ab24f490d328

SHA512
232f08306f9e9ab62b66a31a42e5369646044bc343c5566919439ba0dceacd7a0478c1545fc94608fc515636a7d6f9a1e647e58de815d22be58be89a749c16ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T800B82J.txt
Filesize
608B

MD5
a2bd7b36971358bb9cee788daf70d95a

SHA1
f74f524fb60c5bb56c2954525b7b7d3dce2f35b9

SHA256
324e320b089a8c4ec42effdcf58e52cc2fcefc51e930e2a16832cd3366de85af

SHA512
e5173ff5fdfa6e8d2b08c20997307a1564390a9038143f62d04bdac164b2704e7cef057e8fa37913860ca78efd7db88b862eb2a8e9682cb034005793480ebd0f

Download Submit