b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c

Analysis

max time kernel
152s
max time network
180s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Size

212KB
MD5

5413dcbdbb2bd0d88776a31b83b11037
SHA1

6e1f42b7256b8f5567154a320e2d8407a055ba4f
SHA256

b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c
SHA512

821eb0886078520af1059529d92d820a58aee8c1f647198418fa09d569da2b6d8faf60c19bc558ac17d4aafa7ce4105ccc8e5f82c8320bd1393889578bca9161
SSDEEP

6144:dcyyU/A5rZRLEhFTnRa26s+Wdz8V7Wdfwn1nbmuSDm3:dHp/urb4A1WdBfU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
948	Program FilesEEL7F3.exe

Deletes itself 1 IoCs

pid	Process
1940	WScript.Exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D1DD5131-5814-11ED-B2BF-6651945CA213} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000061374eb787e4b82a09304e482dd29335921b7b400f1b8f6c7a947415d7767372000000000e80000000020000200000001e1e980a58764059d11d110dd843b49f6320a5f4d3cfc6692eee5305cc574998900000005e4b9824017e2fdd2c77a2211c23917df57a5f9bf5ea762329b1bcbff340045555880117a27436bdca0f91273df309133e73f289bd19138cbf7e839b11a8a42fc330adf65287bf30dc54fed19fe56952de8cc7b3abcb28c25dac11b02883fb4e6f5388e10b182d55e4fc88c497b4bb14c4b5c9e2dea43d1580f6e3f4fc98efaa51fc73a0254419a0c25a0e46e3f1de9740000000988d289d60c19e513bd65d07c1078ac8cd6047ce7b9e221753e50d0f87ad5ee2abc4e84a695362a4be3fb03554e4853637c7e369ff74debdda69de1c93748fd3	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D1A69191-5814-11ED-B2BF-6651945CA213} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000fd91ffc885466f04066748a64c60c04e97b6ff11d7d3fb262f88c60f318b1fdc000000000e8000000002000020000000cc35078067f0abe42eb04c69df1fc4952497472dac486130351bf083e4336c6e200000003d10aa8b51aab88f38683a7438d8a7e648d3d2207bd73527a541c04bfa94942b40000000b4c9af63c0a4f5499247f2520bf34e38a1b078481076e28955718cda6aad86f55c1f7d57bfef190caaca7c5d7469f704afab866c3957b9b7f4f79207bee895ba	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30f0d9b321ecd801	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373873175"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.t17t.com/?1193"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1193"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1193"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1193"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1193"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1193"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1204	IEXPLORE.exe
972	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1740	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
948	Program FilesEEL7F3.exe
1204	IEXPLORE.exe
1204	IEXPLORE.exe
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE
972	IEXPLORE.exe
972	IEXPLORE.exe
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 948	1740	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe	27
PID 1740 wrote to memory of 948	1740	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe	27
PID 1740 wrote to memory of 948	1740	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe	27
PID 1740 wrote to memory of 948	1740	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe	27
PID 948 wrote to memory of 1204	948	Program FilesEEL7F3.exe	29
PID 948 wrote to memory of 1204	948	Program FilesEEL7F3.exe	29
PID 948 wrote to memory of 1204	948	Program FilesEEL7F3.exe	29
PID 948 wrote to memory of 1204	948	Program FilesEEL7F3.exe	29
PID 1204 wrote to memory of 1632	1204	IEXPLORE.exe	31
PID 1204 wrote to memory of 1632	1204	IEXPLORE.exe	31
PID 1204 wrote to memory of 1632	1204	IEXPLORE.exe	31
PID 1204 wrote to memory of 1632	1204	IEXPLORE.exe	31
PID 948 wrote to memory of 972	948	Program FilesEEL7F3.exe	32
PID 948 wrote to memory of 972	948	Program FilesEEL7F3.exe	32
PID 948 wrote to memory of 972	948	Program FilesEEL7F3.exe	32
PID 948 wrote to memory of 972	948	Program FilesEEL7F3.exe	32
PID 1740 wrote to memory of 1940	1740	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe	34
PID 1740 wrote to memory of 1940	1740	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe	34
PID 1740 wrote to memory of 1940	1740	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe	34
PID 1740 wrote to memory of 1940	1740	b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe	34
PID 972 wrote to memory of 1308	972	IEXPLORE.exe	35
PID 972 wrote to memory of 1308	972	IEXPLORE.exe	35
PID 972 wrote to memory of 1308	972	IEXPLORE.exe	35
PID 972 wrote to memory of 1308	972	IEXPLORE.exe	35

C:\Users\Admin\AppData\Local\Temp\b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe
"C:\Users\Admin\AppData\Local\Temp\b1fc90cbed47c7c7e8db6ca4c567b23a3a2d783f4f88778da5492620f2b79f3c.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- \??\c:\Program FilesEEL7F3.exe
  "c:\Program FilesEEL7F3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1204 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1632
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:972 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1308
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program FilesEEL7F3.exe

Filesize
36KB

MD5
c04250a762980b55d853ed1dbbfb5737

SHA1
0cfef8cea78f5d68255dd377c393a5cb4aa7729a

SHA256
92c0f1dcb8ce087f2261b5c438bc002a3774882507ebc1852560079a633ebb2d

SHA512
31317fa2290f39602bacffc00fa4faedda40fe363f24c366b39ec340011da49d9f509af7d74819972360382998094c465a8a5c04ff18e29e78a3a30928c0a0c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D1A69191-5814-11ED-B2BF-6651945CA213}.dat

Filesize
5KB

MD5
4acfa2bab5e93a97dec760f605419ac1

SHA1
b5585d66e77022f340980ab2fa1f956ed746138a

SHA256
819b6ed9918af175ae776480f576891424ecd8bc7a694c7b55b40af4202cabd1

SHA512
0b004722510bac76dd597816325c99a259aefeac83ea1f5d5d390f7a3e1062e612f2c09435aff4e9f0b71b6d553fef53a6daf9cc2a5f41dba4b32de40481a894

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
486B

MD5
daa9cfa3312a0b4dc5e2db91a9aff4d7

SHA1
f5415f2e5e05042fa58db71a4b854c94d310c098

SHA256
bec9a0016f0a4ed336e28efaba8fcbe2216b62d59808f4c12cf74f6d4819fa2d

SHA512
75f70350a5e5f3ef62a539a094ebc9f3de38673a9080aa0c9c28bbe91ad9ecc6a6550f9ea1080314d86fba336c82b8de494ea01452ef77b54660187c716b5483

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PFKVS3UV.txt

Filesize
608B

MD5
dd2134368778732cd68fe3ca20a31439

SHA1
00b54ca82ba18868715dd8c6556628d389e35f25

SHA256
9db10b0e575ccdf9c9210b8ee9abb31bbbfab47074f5d6d5c0ea97ab911b671a

SHA512
b39bffcf5de2b5cb206b4ec7d9ca7e1ebfec90d864cbb8fba2651bca6db51312bac41b69bd4da7ebf1a4a7ed4a096fc45f5c1e188250925d85746c25c9a043f9

Download Submit
memory/1740-56-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download