fdd412b1b97dfd47e959430eb795a1d0d2975e38c49b2bfa44d9589b9885d6eb

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdd412b1b97dfd47e959430eb795a1d0d2975e38c49b2bfa44d9589b9885d6eb.exe
Size

506KB
MD5

10f43cbc459394fbc8bd79a722da5173
SHA1

9a1c8c8a1eb1c942c2351447ef846668c95286ea
SHA256

fdd412b1b97dfd47e959430eb795a1d0d2975e38c49b2bfa44d9589b9885d6eb
SHA512

a543b04aa240e94cc672fdac7e0c18d325ea2fec097b892fb455e28706255556b81020a5e9f1414332a4e3897273be5e62c3c131169e3dd71b0eee21d0fa889b
SSDEEP

12288:IK18uSOzVoDWSNqHhJR4L8aq8NtIwanL4YcDUJN:IKrSnDW/fRgQh5L4pAJN

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1416	helpserver.bat

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File created	C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url\:favicon:$DATA	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\3NHK9X3O.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Q06A07JW.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\DFDX58DF.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\WAQCTJN2.txt	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url:favicon	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\IY5370XK.txt	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1462D143-5DDF-11ED-A6C3-FE72C9E2D9C9}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\X3LC89BL.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1462D14C-5DDF-11ED-A6C3-FE72C9E2D9C9}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\YWJL119Z.txt	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\N6TE8UIO.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\N6TE8UIO.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\X3LC89BL.txt	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\3NHK9X3O.txt	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Q5D7W907.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1462D141-5DDF-11ED-A6C3-FE72C9E2D9C9}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\WAQCTJN2.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Q5D7W907.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1462D141-5DDF-11ED-A6C3-FE72C9E2D9C9}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\imagestore\fg8jepd\imagestore.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Q06A07JW.txt	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\suggestions[1].en-US	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\DFDX58DF.txt	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\imagestore\fg8jepd\imagestore.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\IY5370XK.txt	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\YWJL119Z.txt	IEXPLORE.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\helpserver.bat	fdd412b1b97dfd47e959430eb795a1d0d2975e38c49b2bfa44d9589b9885d6eb.exe
File opened for modification	C:\Windows\helpserver.bat	fdd412b1b97dfd47e959430eb795a1d0d2975e38c49b2bfa44d9589b9885d6eb.exe
File created	C:\Windows\helpserver.DLL	helpserver.bat
File opened for modification	C:\Windows\helpserver.DLL	helpserver.bat

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1462D141-5DDF-11ED-A6C3-FE72C9E2D9C9} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 006e17dbebf1d801	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 005372d7ebf1d801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\Flags = "1024"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Version = "*"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000c04cd6d7ebf1d801	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	helpserver.bat
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005791c210e1cc604bb9cd5058dbbd5e880000000002000000000010660000000100002000000077cac6b274d72153cb4e3fb4832d72452891ad4b0b5834a31456c0cca3d8f841000000000e80000000020000200000002bd141c85878f788a666c240172076049ff42542fa7b55c9ea49d17df60683c2500000009694e5c674573b5ad0a99a753ae4d7d22dbea20d77400fd15ef0658274896b1d2ec8838709e240c83c301200631e374ba5ea3d624df9778e7760da5b516a0547cbad5854dba87146241c01cfa71bcdfd40000000500e9c7790ca2ed77b99dfab096fa750e5fc16db14fe34279a34ec28181192d45f7af3ce30da2e9fe43f05f84d20daea9db1e4c2878da5ded7be7ca427e8800d	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Feeds\SyncTask = "User_Feed_Synchronization-{22FF3CD5-48ED-4598-A645-266F1D93B125}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e6070b00000006000e001b000b005301	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	helpserver.bat
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "fg8jepd"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A6A4484E-82CA-4B36-8C95-BDDBA98AC720}\2e-61-41-c2-1a-05	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
268	IEXPLORE.EXE
268	IEXPLORE.EXE
268	IEXPLORE.EXE
268	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1704	1416	helpserver.bat	28
PID 1416 wrote to memory of 1704	1416	helpserver.bat	28
PID 1416 wrote to memory of 1704	1416	helpserver.bat	28
PID 1416 wrote to memory of 1704	1416	helpserver.bat	28
PID 1704 wrote to memory of 1708	1704	IEXPLORE.EXE	29
PID 1704 wrote to memory of 1708	1704	IEXPLORE.EXE	29
PID 1704 wrote to memory of 1708	1704	IEXPLORE.EXE	29
PID 1704 wrote to memory of 268	1704	IEXPLORE.EXE	30
PID 1704 wrote to memory of 268	1704	IEXPLORE.EXE	30
PID 1704 wrote to memory of 268	1704	IEXPLORE.EXE	30
PID 1704 wrote to memory of 268	1704	IEXPLORE.EXE	30
PID 1416 wrote to memory of 1704	1416	helpserver.bat	28

C:\Users\Admin\AppData\Local\Temp\fdd412b1b97dfd47e959430eb795a1d0d2975e38c49b2bfa44d9589b9885d6eb.exe
"C:\Users\Admin\AppData\Local\Temp\fdd412b1b97dfd47e959430eb795a1d0d2975e38c49b2bfa44d9589b9885d6eb.exe"
1⤵
- Drops file in Windows directory
PID:1336

C:\Windows\helpserver.bat
C:\Windows\helpserver.bat
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    PID:1708
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\helpserver.bat

Filesize
506KB

MD5
10f43cbc459394fbc8bd79a722da5173

SHA1
9a1c8c8a1eb1c942c2351447ef846668c95286ea

SHA256
fdd412b1b97dfd47e959430eb795a1d0d2975e38c49b2bfa44d9589b9885d6eb

SHA512
a543b04aa240e94cc672fdac7e0c18d325ea2fec097b892fb455e28706255556b81020a5e9f1414332a4e3897273be5e62c3c131169e3dd71b0eee21d0fa889b

Download Submit
C:\Windows\helpserver.bat

Filesize
506KB

MD5
10f43cbc459394fbc8bd79a722da5173

SHA1
9a1c8c8a1eb1c942c2351447ef846668c95286ea

SHA256
fdd412b1b97dfd47e959430eb795a1d0d2975e38c49b2bfa44d9589b9885d6eb

SHA512
a543b04aa240e94cc672fdac7e0c18d325ea2fec097b892fb455e28706255556b81020a5e9f1414332a4e3897273be5e62c3c131169e3dd71b0eee21d0fa889b

Download Submit
memory/1708-57-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp

Filesize
8KB

Download