ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743

Analysis

max time kernel
118s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Size

613KB
MD5

06a55e03a5aa3f6be6b2e636be7a560d
SHA1

21e10c0bcd04234cb5eb4d16573fe4fb119577a9
SHA256

ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743
SHA512

f64f0929055620e22b3e6f98a8d6dcb36495f206f152844c2216ab0bf36f177f0b9cd08a986116bde13fcdb5c501f28f758aec6e67b7a70e44a10982d1b81b3e
SSDEEP

12288:vaWz2Mg7v3qnCi8ErQohh0F4CCJ8lnyLQXG:yadMv6CYrjqnyLQXG

Score

10^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 12 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Program Files (x86)\\Winrar\\Monitor.jse\" \"%1\" %*"	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "´ò¿ª(&O)"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\SysWOW64\\WScript.exe\" \"C:\\Program Files\\ICBC\\Wrapper.w\" \"%1\" %*"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DROPHANDLER	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe

Deletes itself 1 IoCs

pid	Process
1856	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60db034e0af2d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{72E34741-5DFD-11ED-9551-6E705F4A26E5} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "900"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\go2000.com\Total = "900"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000007e882d38231eae09f19ea13e49cee24e2250689b69a01f253e1b0fedc949306000000000e80000000020000200000008ca6fdc587d3c0e07d10493d502b8e2510506175c09ae97590528be4fcaf57fd20000000dbfd5d1350e8d7141371d672f6f9c833196295c05b5bbfdd244453254e51cfca4000000024421a6bf11be93ab72689d3fe34b6a1fead7df780d673571efd45fefd6773eea3747af8584ea3539d4dfeea9af1825f19996469fa3eaf958067495aaa5c2928	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000d3fb9e10016fab9eb55ee0e327bccd3508f5dd0dc14ffef0646e3c99e6e6f381000000000e8000000002000020000000aad85701ef6d3bea37227ee26d5726b734e396dacdfae866d0d100259000755f900000001466ea7b09d612d2f65834aeea06ec35a596909a3f4f36c1286ffcf695ab46d9b0ee7a6e4b8c5a9bafa0fb3f58fe1e32a670379abedf4f05085bdf2b751d6cfc49af75a32e61a7db34a27682dac98cffdba6c82edee426396b4a0d587b9c8d22c6f1a481b353887e14fe2c4ebe9bd1fd882e5744a0dc2c88b0161da8acd6fb3a6315e59132f8743ea40bbfaebd3a84d140000000519e632c6ac0cf28fdd9b66875ced4a090ddc902f1911f9181eb50ff9c94c75df207fa0328e88cda5d7953df90797e1c9ab1b4fb14869bfa622e1499d6f74196	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.go2000.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\go2000.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.go2000.com\ = "900"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374522841"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\go2000.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry class 50 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ScriptEngine	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Edit	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Edit\Command\ = "%SystemRoot%\\SysWow64\\Notepad.exe %1"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open\ = "打开(&O)"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\FriendlyTypeName = "@%SystemRoot%\\System32\\wshext.dll,-4805"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open\Command	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open2\Command\ = "%SystemRoot%\\SysWow64\\CScript.exe \"%1\" %*"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\DropHandler	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\PropertySheetHandlers\WSHProps	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\WScript.exe,3"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ScriptEngine\ = "JScript.Encode"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open2\ = "在命令提示符中打开(&W)"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open2\Command	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Print\ = "打印(&P)"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open\Command\ = "%SystemRoot%\\SysWow64\\WScript.exe \"%1\" %*"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Program Files (x86)\\Winrar\\Monitor.jse\" \"%1\" %*"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Edit\Command	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Print\Command	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "´ò¿ª(&O)"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\SysWOW64\\WScript.exe\" \"C:\\Program Files\\ICBC\\Wrapper.w\" \"%1\" %*"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.w\ = "wfile"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open2	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\DropHandler\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\PropertySheetHandlers\WSHProps\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DROPHANDLER	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.w	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Print\Command\ = "%SystemRoot%\\SysWow64\\Notepad.exe /p %1"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\PropertySheetHandlers	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ = "JScript 已编码的 Script 文件"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\DefaultIcon	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Edit\ = "编辑(&E)"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Print	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1084	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1020	iexplore.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1020	iexplore.exe
1020	iexplore.exe
828	IEXPLORE.EXE
828	IEXPLORE.EXE
828	IEXPLORE.EXE
828	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1696	1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe	28
PID 1488 wrote to memory of 1696	1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe	28
PID 1488 wrote to memory of 1696	1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe	28
PID 1488 wrote to memory of 1696	1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe	28
PID 1696 wrote to memory of 1020	1696	WScript.exe	31
PID 1696 wrote to memory of 1020	1696	WScript.exe	31
PID 1696 wrote to memory of 1020	1696	WScript.exe	31
PID 1696 wrote to memory of 1020	1696	WScript.exe	31
PID 1488 wrote to memory of 1856	1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe	32
PID 1488 wrote to memory of 1856	1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe	32
PID 1488 wrote to memory of 1856	1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe	32
PID 1488 wrote to memory of 1856	1488	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe	32
PID 1856 wrote to memory of 1084	1856	cmd.exe	34
PID 1856 wrote to memory of 1084	1856	cmd.exe	34
PID 1856 wrote to memory of 1084	1856	cmd.exe	34
PID 1856 wrote to memory of 1084	1856	cmd.exe	34
PID 1020 wrote to memory of 828	1020	iexplore.exe	36
PID 1020 wrote to memory of 828	1020	iexplore.exe	36
PID 1020 wrote to memory of 828	1020	iexplore.exe	36
PID 1020 wrote to memory of 828	1020	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
"C:\Users\Admin\AppData\Local\Temp\ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe"
1⤵
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitor.jse"
  2⤵
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.com/?g9
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1020 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 4 127.1>nul &del /q "C:\Users\Admin\AppData\Local\Temp\ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 4 127.1
    3⤵
    - Runs ping.exe
    PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33883141e7ee375acccff9be8fef0290

SHA1
326742d7663891ca9591f2a9777c6106573905d1

SHA256
1dd0a5dc600d7c13ab1bcabf518d9904013a48320ec823616f82257608454423

SHA512
1e3080f0e57dcb63442e0daaf122650aa80b15c972cf2207f0a9e296dcb5d2ee64862259e3d443a62cff994a2c722be6c19791a5a54a4f1df7b1eb288b54d1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitor.jse

Filesize
6KB

MD5
3703f6292de8ab9a849f5e768bba10f2

SHA1
9f0742fcaeb032b6c35fd202d63447a8f96be04b

SHA256
c7c6145c52992be1f14cbb58844044de5f1c82b327c99bfd159e502f942ae658

SHA512
4121a24c22cbdecfc033c8d6c6d8b8a8dbd9dbe47fa218ed193ce975165cfbb584091deed24fc67df45857930a5559c3bb79549ad16898f38dd0b52a5a031219

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FY88B4V7.txt

Filesize
608B

MD5
a75f1206ffbf358e3f354541cf45c97c

SHA1
dc3db69de8413a5db0f79a4f51d1717f96abab8b

SHA256
2bc2a47271f13e252645406d8d6448246ed13cb3d5d9faaa865c8c3eb1d4e238

SHA512
12d3bbcdd6bfb3198bfcdba55fde895d90761d039a88f9befda0d6408f9716d3acc2e72418c2123893fc661fe2c07f6aac9117f15440c28971a981b6d92166ac

Download Submit
C:\Users\Public\Desktop\Internet Explorer.lnk

Filesize
1KB

MD5
4ca56aa9c8f6a44f12d7b6c498aef700

SHA1
f748abc1bbee7334a613362a057013c3644a1789

SHA256
57ed0d2d4dde722b86dccf46e6864d581b348d187f5d43b6cd7a554db7f71777

SHA512
3b9b015cb239139ac11237e2df497225f16242f20446b1306b767f31cbf9abdaf6b9cf169ddbd82ba00201492b1929f1690ca7934dc028feecb1e3d1873c0248

Download Submit
memory/1488-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download