ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743

Analysis

max time kernel
140s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Size

613KB
MD5

06a55e03a5aa3f6be6b2e636be7a560d
SHA1

21e10c0bcd04234cb5eb4d16573fe4fb119577a9
SHA256

ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743
SHA512

f64f0929055620e22b3e6f98a8d6dcb36495f206f152844c2216ab0bf36f177f0b9cd08a986116bde13fcdb5c501f28f758aec6e67b7a70e44a10982d1b81b3e
SSDEEP

12288:vaWz2Mg7v3qnCi8ErQohh0F4CCJ8lnyLQXG:yadMv6CYrjqnyLQXG

Score

10^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 12 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LNKFILE\CLSID	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LNKFILE\SHELLEX\CONTEXTMENUHANDLERS\{00021401-0000-0000-C000-000000000046}	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LNKFILE\SHELLEX\DROPHANDLER	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "´ò¿ª(&O)"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Program Files (x86)\\Winrar\\Monitor.jse\" \"%1\" %*"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\SysWOW64\\WScript.exe\" \"C:\\Program Files\\ICBC\\Wrapper.w\" \"%1\" %*"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000622e153a44ed1bab2824b26a04bcb97f48bc5f818b2b4c172fc93f8bd4768dfb000000000e80000000020000200000000cfcf0b1d6737a04c1a31baa79156f8bb2afc95b2158091a0d8db05503bf5d3620000000172dd1e14869ad7b6b074c21ee06333c88da7e468d0843cb3898e0478141e2cd40000000cc75be4d88883682e95e4cc123827966dede778a07d27e15002f709b4fba8cf080e460eb3961f45d78712942180270cf1e95d3f25cf4d9e3f06c8a3f1f855c18	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30994954"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\go2000.com\Total = "900"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7105F350-5DFD-11ED-B696-D2A4FF929712} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\go2000.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10bc99680af2d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\go2000.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\go2000.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.go2000.com\ = "900"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000eb0dbcc07519224d7ccb4f2c569eddda9f32dc433a5b9cb107abf85e1b4c8cce000000000e800000000200002000000031596a699268abf4d0bd6a4e739670fff013a15d2216852da9b1ca54f15b771420000000853aa6de47fc3bbdeba5e176103cdfcc55aad219d1b7460ff14befc8ab98aee340000000291d49f809f1232d46be35f6b64f4c22c41bb73dc4118ea84d5549ffe15be90843247fdba69b2c10cc31b5edf8c2de115a337584ebf5d59c2f78523cb29ede45	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1177903579"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1177903579"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "900"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374522858"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30cfd05d0af2d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30994954"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.go2000.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Edit\Command\ = "%SystemRoot%\\SysWow64\\Notepad.exe %1"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open\Command	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open\Command\ = "%SystemRoot%\\SysWow64\\WScript.exe \"%1\" %*"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open2	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Print\ = "打印(&P)"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.LNK\SHELLEX\{000214F9-0000-0000-C000-000000000046}	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\DropHandler\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open2\ = "在命令提示符中打开(&W)"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Edit\Command	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "´ò¿ª(&O)"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Program Files (x86)\\Winrar\\Monitor.jse\" \"%1\" %*"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\DefaultIcon	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Edit\ = "编辑(&E)"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open2\Command	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Print	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Print\Command\ = "%SystemRoot%\\SysWow64\\Notepad.exe /p %1"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\SysWOW64\\WScript.exe\" \"C:\\Program Files\\ICBC\\Wrapper.w\" \"%1\" %*"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\FriendlyTypeName = "@%SystemRoot%\\System32\\wshext.dll,-4805"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open2\Command\ = "%SystemRoot%\\SysWow64\\CScript.exe \"%1\" %*"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.LNK\SHELLEX\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LNKFILE\SHELLEX\CONTEXTMENUHANDLERS\{00021401-0000-0000-C000-000000000046}	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open\ = "打开(&O)"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\PropertySheetHandlers\WSHProps\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LNKFILE\CLSID	WScript.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile\shellex\ContextMenuHandlers	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.w	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ = "JScript 已编码的 Script 文件"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\WScript.exe,3"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ScriptEngine	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ScriptEngine\ = "JScript.Encode"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Print\Command	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.LNK\SHELLEX\{000214EE-0000-0000-C000-000000000046}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.w\ = "wfile"	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LNKFILE\SHELLEX\DROPHANDLER	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.LNK\SHELLEX\{00021500-0000-0000-C000-000000000046}	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\DropHandler	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\PropertySheetHandlers	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\PropertySheetHandlers\WSHProps	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Edit	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4776	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5088	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
5088	iexplore.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5088	iexplore.exe
5088	iexplore.exe
4244	IEXPLORE.EXE
4244	IEXPLORE.EXE
4244	IEXPLORE.EXE
4244	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2384	1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe	80
PID 1816 wrote to memory of 2384	1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe	80
PID 1816 wrote to memory of 2384	1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe	80
PID 2384 wrote to memory of 5088	2384	WScript.exe	82
PID 2384 wrote to memory of 5088	2384	WScript.exe	82
PID 1816 wrote to memory of 5040	1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe	83
PID 1816 wrote to memory of 5040	1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe	83
PID 1816 wrote to memory of 5040	1816	ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe	83
PID 5040 wrote to memory of 4776	5040	cmd.exe	85
PID 5040 wrote to memory of 4776	5040	cmd.exe	85
PID 5040 wrote to memory of 4776	5040	cmd.exe	85
PID 5088 wrote to memory of 4244	5088	iexplore.exe	86
PID 5088 wrote to memory of 4244	5088	iexplore.exe	86
PID 5088 wrote to memory of 4244	5088	iexplore.exe	86

C:\Users\Admin\AppData\Local\Temp\ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe
"C:\Users\Admin\AppData\Local\Temp\ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitor.jse"
  2⤵
  - Modifies system executable filetype association
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.com/?g9
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5088 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 4 127.1>nul &del /q "C:\Users\Admin\AppData\Local\Temp\ffc90631b171de3daa0372d614f55d6ae660e234c91ce3251392d08f29275743.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 4 127.1
    3⤵
    - Runs ping.exe
    PID:4776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\monitor.jse

Filesize
6KB

MD5
3703f6292de8ab9a849f5e768bba10f2

SHA1
9f0742fcaeb032b6c35fd202d63447a8f96be04b

SHA256
c7c6145c52992be1f14cbb58844044de5f1c82b327c99bfd159e502f942ae658

SHA512
4121a24c22cbdecfc033c8d6c6d8b8a8dbd9dbe47fa218ed193ce975165cfbb584091deed24fc67df45857930a5559c3bb79549ad16898f38dd0b52a5a031219

Download Submit
C:\Users\Public\Desktop\Internet Explorer.lnk

Filesize
1KB

MD5
7a0c221589e4b2574ebce8abdbcfea29

SHA1
304f5dfba69d0dcaa2d2ef415328d23c80a2273a

SHA256
41f401ad2cba8ce5f5afac01fa63031b3db0895db36752faf59aa2050fbc815b

SHA512
557d8488deb094ef1c17e2d7636e4c22b237a510895dd22fb1ddedff6d22089866031538c114c9db24f6d5a015157794977d521df2576055fe2d15b0f448763f

Download Submit