6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c

Analysis

max time kernel
44s
max time network
69s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe
Size

52KB
MD5

38fad30c6ee239246741b4991d8d1720
SHA1

b2da0d90a56e3ce0508d34b882c6937e230e3edc
SHA256

6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c
SHA512

5401f6acb1a41a97cd0561fba8916650df2ad4ec9491323870a6642bf41717ed7365ea0313b1b93273a1eaf6e13bb0402b525f723f761abf2a5db66d20d7f710
SSDEEP

768:EclW/lMFggAKwU0DN1C0wlfAenhODYaG426VmkblAYG3iqKMP65PuMPI2hTTToT:tWN/gAKqfCmQhOp2Yb9wbPCP5QqTToT

Score

8^/10

adware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1300	smss.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/864-57-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/864-86-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
2000	WScript.Exe

Loads dropped DLL 6 IoCs

pid	Process
864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe
864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe
1300	smss.exe
1300	smss.exe
1300	smss.exe
1932	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}\ = "??????"	regedit.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\jqhwa\bajfv.dll	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\WindowsMy.reg	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe
File created	C:\Windows\del.tmp.bho.bho.bho.vbs	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe
File created	C:\Windows\userid.txt	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe
File opened for modification	C:\Windows\zk\indexOlds.vbe	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe
File opened for modification	C:\Windows\wgzm\smss.exe	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe
File created	C:\Windows\reg.reg	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03C2388B-1A78-4346-90CB-2292392F8D6C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command\ = "Rundll32.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe http://www.dianxin.cn?158"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03C2388B-1A78-4346-90CB-2292392F8D6C}\1.0\ = "QvodAdBlocker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}\ProgID\ = "QvodAdBlocker.QvodBlocks"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\ = "????(&H)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.QvodBlocks	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder\ = "00.00.00.00"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03C2388B-1A78-4346-90CB-2292392F8D6C}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03C2388B-1A78-4346-90CB-2292392F8D6C}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}\ = "_QvodBlocks"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}\TypeLib\ = "{03C2388B-1A78-4346-90CB-2292392F8D6C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe,0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03C2388B-1A78-4346-90CB-2292392F8D6C}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}\ = "QvodBlocks"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03C2388B-1A78-4346-90CB-2292392F8D6C}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03C2388B-1A78-4346-90CB-2292392F8D6C}\1.0\0\win32\ = "C:\\Program Files\\jqhwa\\bajfv.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}\ = "_QvodBlocks"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}\TypeLib\ = "{03C2388B-1A78-4346-90CB-2292392F8D6C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}\VERSION\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}\ = "QvodAdBlocker.QvodBlocks"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.QvodBlocks\ = "QvodAdBlocker.QvodBlocks"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.QvodBlocks\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder\Attributes = 00000000	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03C2388B-1A78-4346-90CB-2292392F8D6C}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.QvodBlocks\Clsid\ = "{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03C2388B-1A78-4346-90CB-2292392F8D6C}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97AF410F-3CF9-4A18-9FBD-F727045B3086}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}\InprocServer32\ = "C:\\Program Files\\jqhwa\\bajfv.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}\TypeLib\ = "{03C2388B-1A78-4346-90CB-2292392F8D6C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\ = "??(&D)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03C2388B-1A78-4346-90CB-2292392F8D6C}\1.0\HELPDIR\ = "C:\\Program Files\\jqhwa"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DB494AC-17AA-4CC1-84CC-DA54AED8A423}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Runs .reg file with regedit 2 IoCs

pid	Process
632	regedit.exe
1544	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe
864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe
864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe
1300	smss.exe
1300	smss.exe
1300	smss.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 300	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	31
PID 864 wrote to memory of 300	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	31
PID 864 wrote to memory of 300	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	31
PID 864 wrote to memory of 300	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	31
PID 864 wrote to memory of 300	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	31
PID 864 wrote to memory of 300	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	31
PID 864 wrote to memory of 300	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	31
PID 864 wrote to memory of 1300	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	32
PID 864 wrote to memory of 1300	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	32
PID 864 wrote to memory of 1300	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	32
PID 864 wrote to memory of 1300	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	32
PID 864 wrote to memory of 1300	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	32
PID 864 wrote to memory of 1300	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	32
PID 864 wrote to memory of 1300	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	32
PID 864 wrote to memory of 1932	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	33
PID 864 wrote to memory of 1932	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	33
PID 864 wrote to memory of 1932	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	33
PID 864 wrote to memory of 1932	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	33
PID 864 wrote to memory of 1932	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	33
PID 864 wrote to memory of 1932	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	33
PID 864 wrote to memory of 1932	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	33
PID 864 wrote to memory of 1148	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	34
PID 864 wrote to memory of 1148	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	34
PID 864 wrote to memory of 1148	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	34
PID 864 wrote to memory of 1148	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	34
PID 864 wrote to memory of 1148	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	34
PID 864 wrote to memory of 1148	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	34
PID 864 wrote to memory of 1148	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	34
PID 864 wrote to memory of 1540	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	35
PID 864 wrote to memory of 1540	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	35
PID 864 wrote to memory of 1540	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	35
PID 864 wrote to memory of 1540	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	35
PID 864 wrote to memory of 1540	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	35
PID 864 wrote to memory of 1540	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	35
PID 864 wrote to memory of 1540	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	35
PID 864 wrote to memory of 2000	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	38
PID 864 wrote to memory of 2000	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	38
PID 864 wrote to memory of 2000	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	38
PID 864 wrote to memory of 2000	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	38
PID 864 wrote to memory of 2000	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	38
PID 864 wrote to memory of 2000	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	38
PID 864 wrote to memory of 2000	864	6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe	38
PID 1148 wrote to memory of 632	1148	cmd.exe	39
PID 1148 wrote to memory of 632	1148	cmd.exe	39
PID 1148 wrote to memory of 632	1148	cmd.exe	39
PID 1148 wrote to memory of 632	1148	cmd.exe	39
PID 1148 wrote to memory of 632	1148	cmd.exe	39
PID 1148 wrote to memory of 632	1148	cmd.exe	39
PID 1148 wrote to memory of 632	1148	cmd.exe	39
PID 1540 wrote to memory of 1544	1540	cmd.exe	40
PID 1540 wrote to memory of 1544	1540	cmd.exe	40
PID 1540 wrote to memory of 1544	1540	cmd.exe	40
PID 1540 wrote to memory of 1544	1540	cmd.exe	40
PID 1540 wrote to memory of 1544	1540	cmd.exe	40
PID 1540 wrote to memory of 1544	1540	cmd.exe	40
PID 1540 wrote to memory of 1544	1540	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe
"C:\Users\Admin\AppData\Local\Temp\6c222f6429e297f517eed9bc737a19e8eec08a3c840d70441c47836923b3761c.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\zk\indexOlds.vbe" 0
  2⤵
  PID:300
- C:\Windows\wgzm\smss.exe
  C:\Windows\wgzm\smss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1300
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "baidu" /d "c:\windows\wgzm\smss.exe " /f
    3⤵
    PID:692
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Program Files\jqhwa\bajfv.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c regedit.exe /s C:\Windows\reg.reg
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Windows\reg.reg
    3⤵
    - Installs/modifies Browser Helper Object
    - Runs .reg file with regedit
    PID:632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c regedit.exe /s C:\Windows\WindowsMy.reg
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Windows\WindowsMy.reg
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:1544
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe C:\Windows\del.tmp.bho.bho.bho.vbs
  2⤵
  - Deletes itself
  PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\jqhwa\bajfv.dll

Filesize
28KB

MD5
3828594d73900c5c5358e17e28ac21b1

SHA1
df78ecd976d828c53332184df37cd8876dbed1a2

SHA256
d038403782ece2e16cd79f8f4a33df35558ce23a885d126094a377b4c94d8925

SHA512
5858691cbf5e7ca95687bed6e75afa65d55ec18e193528a7b997febbba0a8038cde0036ec45447bc02bff4fce8988cea11ef9f9ef759c84e82f5d9af02db5499

Download Submit
C:\Windows\WindowsMy.reg

Filesize
1KB

MD5
958217370aa43a176700027f14d8620d

SHA1
301edce9b46a9b6d67378b83ef4c98c280c32e3e

SHA256
d0f35efe4fda41b828ecfb10b17673d2b2a972476dea85204e45a4b9edda055f

SHA512
283048c76f0b2eabcc69764dde29c75228f65630feb65df27379153b454dbf240dee2f967cb722904b3b570ea5d5570096d5320745522b4ccff86e6cc2dad5a8

Download Submit
C:\Windows\del.tmp.bho.bho.bho.vbs

Filesize
474B

MD5
49083dbce7187c5336d66b27117c2d50

SHA1
4c80cbf0199569526058280b8de371077676e3fe

SHA256
54bc23c50fdd5f6096cd8199f8ced0caad7c4cf8b09a0e201f8961dcb75255a8

SHA512
d750fbb708a8f72000d553aba01d444ce002cda9fdbed426c54ee6ce4a37863a2992af23df073d704fa253709ac9279880faacb401564b0e059ab1ec5a3cddcc

Download Submit
C:\Windows\reg.reg

Filesize
185B

MD5
e306a0be95a54a6455e7ed15466d5d81

SHA1
6cb2f94dee7cf4fefcf3b80f311e70fed747e2fd

SHA256
685f6bbe7c8e99402adaf80dcde15110320d49ddf9c4c5d457a6a5601381b7a2

SHA512
35c36e4f01803d4831939fbeae3566b9e58bf499bfe620a639b11da22b9892d7fa2db65f1cba6a7ffbc2f7aec296f9f74767e96c6585cadf5e347d0613dd23d5

Download Submit
C:\Windows\wgzm\smss.exe

Filesize
64KB

MD5
cbac52bb2b9e20b24ef7c47d7e9a4fa4

SHA1
17f20b8a479167e988a1a71ff05e9caf09a5ffc8

SHA256
390b9fd28632280fd79a5e3f19b86cfe6634d90ede18e9e7aeef9d748f4683fa

SHA512
d36305aa1ae3c04e9618ee4d82a89759d6f633cba17b29dc9b600464adc04e6cd8afa980bd663aed5291175001be82fb336bba68c344144f6d03bec75597f9b5

Download Submit
C:\Windows\wgzm\smss.exe

Filesize
64KB

MD5
cbac52bb2b9e20b24ef7c47d7e9a4fa4

SHA1
17f20b8a479167e988a1a71ff05e9caf09a5ffc8

SHA256
390b9fd28632280fd79a5e3f19b86cfe6634d90ede18e9e7aeef9d748f4683fa

SHA512
d36305aa1ae3c04e9618ee4d82a89759d6f633cba17b29dc9b600464adc04e6cd8afa980bd663aed5291175001be82fb336bba68c344144f6d03bec75597f9b5

Download Submit
C:\Windows\zk\indexOlds.vbe

Filesize
231KB

MD5
6cf3da30191169075dcd42c7739c7c9e

SHA1
fad354fafd6b66364cd60f4917ba11d89f95594f

SHA256
a81bf85a4baaffb3d073e3fc9d7ed9f792f0f99f3c0d1527fd1fda587d50293a

SHA512
fc04c91b0dc5cdf43ca968b64c6cf748761685a1d34dbde7e5b4712d56f4ef16ec761c4edd27e820398957036dfd398c2de006b08d6b14778e8a1758d846383e

Download Submit
\Program Files\jqhwa\bajfv.dll

Filesize
28KB

MD5
3828594d73900c5c5358e17e28ac21b1

SHA1
df78ecd976d828c53332184df37cd8876dbed1a2

SHA256
d038403782ece2e16cd79f8f4a33df35558ce23a885d126094a377b4c94d8925

SHA512
5858691cbf5e7ca95687bed6e75afa65d55ec18e193528a7b997febbba0a8038cde0036ec45447bc02bff4fce8988cea11ef9f9ef759c84e82f5d9af02db5499

Download Submit
\Windows\wgzm\smss.exe

Filesize
64KB

MD5
cbac52bb2b9e20b24ef7c47d7e9a4fa4

SHA1
17f20b8a479167e988a1a71ff05e9caf09a5ffc8

SHA256
390b9fd28632280fd79a5e3f19b86cfe6634d90ede18e9e7aeef9d748f4683fa

SHA512
d36305aa1ae3c04e9618ee4d82a89759d6f633cba17b29dc9b600464adc04e6cd8afa980bd663aed5291175001be82fb336bba68c344144f6d03bec75597f9b5

Download Submit
\Windows\wgzm\smss.exe

Filesize
64KB

MD5
cbac52bb2b9e20b24ef7c47d7e9a4fa4

SHA1
17f20b8a479167e988a1a71ff05e9caf09a5ffc8

SHA256
390b9fd28632280fd79a5e3f19b86cfe6634d90ede18e9e7aeef9d748f4683fa

SHA512
d36305aa1ae3c04e9618ee4d82a89759d6f633cba17b29dc9b600464adc04e6cd8afa980bd663aed5291175001be82fb336bba68c344144f6d03bec75597f9b5

Download Submit
\Windows\wgzm\smss.exe

Filesize
64KB

MD5
cbac52bb2b9e20b24ef7c47d7e9a4fa4

SHA1
17f20b8a479167e988a1a71ff05e9caf09a5ffc8

SHA256
390b9fd28632280fd79a5e3f19b86cfe6634d90ede18e9e7aeef9d748f4683fa

SHA512
d36305aa1ae3c04e9618ee4d82a89759d6f633cba17b29dc9b600464adc04e6cd8afa980bd663aed5291175001be82fb336bba68c344144f6d03bec75597f9b5

Download Submit
\Windows\wgzm\smss.exe

Filesize
64KB

MD5
cbac52bb2b9e20b24ef7c47d7e9a4fa4

SHA1
17f20b8a479167e988a1a71ff05e9caf09a5ffc8

SHA256
390b9fd28632280fd79a5e3f19b86cfe6634d90ede18e9e7aeef9d748f4683fa

SHA512
d36305aa1ae3c04e9618ee4d82a89759d6f633cba17b29dc9b600464adc04e6cd8afa980bd663aed5291175001be82fb336bba68c344144f6d03bec75597f9b5

Download Submit
\Windows\wgzm\smss.exe

Filesize
64KB

MD5
cbac52bb2b9e20b24ef7c47d7e9a4fa4

SHA1
17f20b8a479167e988a1a71ff05e9caf09a5ffc8

SHA256
390b9fd28632280fd79a5e3f19b86cfe6634d90ede18e9e7aeef9d748f4683fa

SHA512
d36305aa1ae3c04e9618ee4d82a89759d6f633cba17b29dc9b600464adc04e6cd8afa980bd663aed5291175001be82fb336bba68c344144f6d03bec75597f9b5

Download Submit
memory/864-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/864-58-0x0000000000230000-0x0000000000269000-memory.dmp

Filesize
228KB

Download
memory/864-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/864-86-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/864-87-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download