db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5

Analysis

max time kernel
216s
max time network
225s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
Size

2.6MB
MD5

30410ea7b5e764cd413aecdeff8e2b9e
SHA1

d66a2c07d208cb37f6bda020ac94c558f32cf3cb
SHA256

db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5
SHA512

221ef3535a981db376d88debf5863ebf33ecb779c8453f0008d89d2b8c7b57b9b14ff39450a5bc5a7397807045663bf9bc8732afc777eadf83c2e8c2b2574ed4
SSDEEP

49152:6ffy4NwrQg0uaXxl9LC2v2UZGglxh5ozMP4NQQOSr5k/I4XTZGfVuK:6ffyuuM9LCC2UfYz24NQdWC/IgT3K

Score

10^/10

phishing

Malware Config

Signatures

Detected phishing page
phishing
Executes dropped EXE 6 IoCs

Processes:

game.exehahagame.exemaxthon.exehahagame.tmpHijack.exedownload.exe

pid process

3804 game.exe
1380 hahagame.exe
4556 maxthon.exe
4400 hahagame.tmp
2480 Hijack.exe
716 download.exe

pid	process
3804	game.exe
1380	hahagame.exe
4556	maxthon.exe
4400	hahagame.tmp
2480	Hijack.exe
716	download.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

game.exemaxthon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	maxthon.exe

Drops file in Program Files directory 5 IoCs

Processes:

game.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft IExplorer	game.exe
File created	C:\Program Files\Microsoft IExplorer\lpk.exe	game.exe
File opened for modification	C:\Program Files\Microsoft IExplorer\lpk.exe	game.exe
File created	C:\Program Files\Microsoft IExplorer\Hijack.exe	game.exe
File opened for modification	C:\Program Files\Microsoft IExplorer\Hijack.exe	game.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4864 taskkill.exe

pid	process
4864	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997952"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4204330629"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.west.cn\ = "185"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997952"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\aliyun.com\Total = "119069"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "83"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\aliyun.com\Total = "119097"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4204175180"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "119282"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\wanwang.aliyun.com\ = "119097"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\west.cn\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\wanwang.aliyun.com\ = "119069"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375810813"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\west.cn\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\wanwang.aliyun.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997952"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997952"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\aliyun.com\Total = "60"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\aliyun.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\DOMStorage\west.cn	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\west.cn\Total = "185"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "245"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\aliyun.com\Total = "119055"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1BF0D401-69B4-11ED-B5DD-F675107A8182} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4197612747"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.west.cn\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\DOMStorage\wanwang.aliyun.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4197612747"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4204330629"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "199"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\wanwang.aliyun.com\ = "119055"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Hijack.exe

pid process

2480 Hijack.exe
2480 Hijack.exe
2480 Hijack.exe
2480 Hijack.exe

pid	process
2480	Hijack.exe
2480	Hijack.exe
2480	Hijack.exe
2480	Hijack.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exeiexplore.exeiexplore.exe

pid	process
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
1160	iexplore.exe
1156	iexplore.exe
1160	iexplore.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe

pid	process
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeiexplore.exedownload.exeHijack.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1156	iexplore.exe
1156	iexplore.exe
1160	iexplore.exe
1160	iexplore.exe
716	download.exe
2480	Hijack.exe
4548	IEXPLORE.EXE
4548	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
4548	IEXPLORE.EXE
4548	IEXPLORE.EXE
1160	iexplore.exe
1160	iexplore.exe
1380	IEXPLORE.EXE
1380	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exehahagame.exeiexplore.exeiexplore.exegame.exemaxthon.exedownload.exeiexplore.exe

description	pid	process	target process
PID 4876 wrote to memory of 3804	4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe	game.exe
PID 4876 wrote to memory of 3804	4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe	game.exe
PID 4876 wrote to memory of 3804	4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe	game.exe
PID 4876 wrote to memory of 1380	4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe	hahagame.exe
PID 4876 wrote to memory of 1380	4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe	hahagame.exe
PID 4876 wrote to memory of 1380	4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe	hahagame.exe
PID 4876 wrote to memory of 4556	4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe	maxthon.exe
PID 4876 wrote to memory of 4556	4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe	maxthon.exe
PID 4876 wrote to memory of 4556	4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe	maxthon.exe
PID 4876 wrote to memory of 1160	4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe	iexplore.exe
PID 4876 wrote to memory of 1160	4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe	iexplore.exe
PID 4876 wrote to memory of 1156	4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe	iexplore.exe
PID 4876 wrote to memory of 1156	4876	db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe	iexplore.exe
PID 1380 wrote to memory of 4400	1380	hahagame.exe	hahagame.tmp
PID 1380 wrote to memory of 4400	1380	hahagame.exe	hahagame.tmp
PID 1380 wrote to memory of 4400	1380	hahagame.exe	hahagame.tmp
PID 1156 wrote to memory of 1056	1156	iexplore.exe	IEXPLORE.EXE
PID 1156 wrote to memory of 1056	1156	iexplore.exe	IEXPLORE.EXE
PID 1156 wrote to memory of 1056	1156	iexplore.exe	IEXPLORE.EXE
PID 1160 wrote to memory of 4548	1160	iexplore.exe	IEXPLORE.EXE
PID 1160 wrote to memory of 4548	1160	iexplore.exe	IEXPLORE.EXE
PID 1160 wrote to memory of 4548	1160	iexplore.exe	IEXPLORE.EXE
PID 3804 wrote to memory of 2480	3804	game.exe	Hijack.exe
PID 3804 wrote to memory of 2480	3804	game.exe	Hijack.exe
PID 3804 wrote to memory of 2480	3804	game.exe	Hijack.exe
PID 4556 wrote to memory of 716	4556	maxthon.exe	download.exe
PID 4556 wrote to memory of 716	4556	maxthon.exe	download.exe
PID 4556 wrote to memory of 716	4556	maxthon.exe	download.exe
PID 716 wrote to memory of 2792	716	download.exe	cmd.exe
PID 716 wrote to memory of 2792	716	download.exe	cmd.exe
PID 716 wrote to memory of 2792	716	download.exe	cmd.exe
PID 716 wrote to memory of 4156	716	download.exe	iexplore.exe
PID 716 wrote to memory of 4156	716	download.exe	iexplore.exe
PID 716 wrote to memory of 4156	716	download.exe	iexplore.exe
PID 4156 wrote to memory of 3448	4156	iexplore.exe	IEXPLORE.EXE
PID 4156 wrote to memory of 3448	4156	iexplore.exe	IEXPLORE.EXE
PID 1160 wrote to memory of 1380	1160	iexplore.exe	IEXPLORE.EXE
PID 1160 wrote to memory of 1380	1160	iexplore.exe	IEXPLORE.EXE
PID 1160 wrote to memory of 1380	1160	iexplore.exe	IEXPLORE.EXE
PID 716 wrote to memory of 4864	716	download.exe	taskkill.exe
PID 716 wrote to memory of 4864	716	download.exe	taskkill.exe
PID 716 wrote to memory of 4864	716	download.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe
"C:\Users\Admin\AppData\Local\Temp\db9de9d915e8e40f79009f53091e2fbf3b240ff597e03229fadfd8aa4b3ad0f5.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4876

C:\game.exe
C:\game.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3804

C:\Program Files\Microsoft IExplorer\Hijack.exe
"C:\Program Files\Microsoft IExplorer\Hijack.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2480

C:\hahagame.exe
C:\hahagame.exe /sp- /silent /norestart /verysilent
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\is-20MSS.tmp\hahagame.tmp
"C:\Users\Admin\AppData\Local\Temp\is-20MSS.tmp\hahagame.tmp" /SL5="$5011E,1630806,72704,C:\hahagame.exe" /sp- /silent /norestart /verysilent
3⤵
- Executes dropped EXE
PID:4400

C:\maxthon.exe
C:\maxthon.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Local\Temp\download.exe
"C:\Users\Admin\AppData\Local\Temp\download.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\todeletetif.bat
4⤵
PID:2792

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://www.hahayouxi.com/act/ConfigDownLoadList.html
4⤵
- Suspicious use of WriteProcessMemory
PID:4156

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.hahayouxi.com/act/ConfigDownLoadList.html
5⤵
PID:3448

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 4156
4⤵
- Kills process with taskkill
PID:4864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.1234.la/an.htm?qq163s&77za
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1156

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1056

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.jipinla.com
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1160 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4548

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1160 CREDAT:17416 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft IExplorer\Hijack.exe

Filesize
40KB

MD5
e7615c4630d9e6306a7abf28811e7f3f

SHA1
aef9e163f60c996525fafb829a119bd2b2235500

SHA256
8fadc0f28512d5740db9b121a68e54f9a95110a54344d1c4196cf87c69040095

SHA512
94039d77867378f8254e3bddfc1fea92c7f374f249929832db4dfac6a53d6cce01c6bf3c922366ce3fe6abcabe1d51a8f4ff4ad365db389dfeb7addb76e95b8a

Download Submit
C:\Program Files\Microsoft IExplorer\Hijack.exe

Filesize
40KB

MD5
e7615c4630d9e6306a7abf28811e7f3f

SHA1
aef9e163f60c996525fafb829a119bd2b2235500

SHA256
8fadc0f28512d5740db9b121a68e54f9a95110a54344d1c4196cf87c69040095

SHA512
94039d77867378f8254e3bddfc1fea92c7f374f249929832db4dfac6a53d6cce01c6bf3c922366ce3fe6abcabe1d51a8f4ff4ad365db389dfeb7addb76e95b8a

Download Submit
C:\Program Files\Microsoft IExplorer\lpk.exe

Filesize
48KB

MD5
84746244b7a93c72e55914813acd1b2f

SHA1
aedef3c1871b6221bdb31b3deae72c2f003b912b

SHA256
84e55844e6e9c6ce0dc483ca9a9795a36a65b41a7c6224bd0261840c5336d0bf

SHA512
7fdd94caa85b4dedd14dc84c027e1d2946eeab0afc31717aeddac051bf91d5bb9e7383b13bf99b1e537d57508671b7cdd4ef9a8713b4b90a13db73033e62333d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

Filesize
1KB

MD5
55e7ee77e714c2172e0649935cca331f

SHA1
817beee0b9713e2269b0851043a04cff68122a8b

SHA256
55e2b46e6c9b3fe344c1eea9c527387790f90270f39ecf6b052a3cbbfbd44ce6

SHA512
6ef6e7bc831fc1fc8a4d47005436c32e34c8817eb96d4835083761f105ddef3c24eab8912d8f8d85f76a7e6b1a620554d7ff264d97cacf8fad9d330b2a4798e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

Filesize
492B

MD5
3223b455e6c168e5fbe8dc42a47128f8

SHA1
a675f9fb792535117b46d79450af8ddece95538b

SHA256
b46958f4a6a7cc2caba6f01872a4915b713c73066722f9284b916f1df9fc8c27

SHA512
d41a1f4e00519a4f1b7fe50cb72bfa7ef54750047074f750059fadc564e6eedae10d74c251a91d8efa442059ba88a4218b2cfea3be009f3781a33f2275648798

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1BEC1248-69B4-11ED-B5DD-F675107A8182}.dat

Filesize
3KB

MD5
3322a071d83e0048c61bd01be2f0ecbf

SHA1
74c0774f19965305855b51011205326d188d8bc3

SHA256
4360c9aaa1246a5e60172c24765878d2c5d8f95a0020a25e50ef42b97126c498

SHA512
33199bb655db541e84186d4108bc21456ac05a164e8a30c94f4f7ee85e3d359ff7c5c01bd1dc71445983b211bf4b66a967a24cf8636c61e2e3578b6d0dc064db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1BF0D401-69B4-11ED-B5DD-F675107A8182}.dat

Filesize
5KB

MD5
96617f438a59769909ac87184d193528

SHA1
44854e536dcde1e81b07afc541ee8a80d0a26b02

SHA256
6b5d195e5e6687e93b971be4b51f72dbfbbcf3c5a608a113a029d63b89fecb69

SHA512
d891342522aad1be2c2678c9cfae64d5a7fec400e48efd081ec5f54e13e07aaa4aac8c5e496f46c526d7e898767c9ad054d61916dd70ccf2e8937ce89a5d1276

Download Submit
C:\Users\Admin\AppData\Local\Temp\download.exe

Filesize
44KB

MD5
1e61219ddacbfc81d6459142ce054085

SHA1
230216b0deca51883c62c3735a11191c6fa94887

SHA256
f3deeafe0b5b9828c118f67d7f89f7da0d41b0189025998b28f6d63f51507774

SHA512
3ad181a849f7344094a0cdff71d54338318bd3440ff2c0bde6c1d158ca954b273b1f6388b54044b5d92d9cec7c8b3e260de94f0a5ac80136ba17d2bd2c5b960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\download.exe

Filesize
44KB

MD5
1e61219ddacbfc81d6459142ce054085

SHA1
230216b0deca51883c62c3735a11191c6fa94887

SHA256
f3deeafe0b5b9828c118f67d7f89f7da0d41b0189025998b28f6d63f51507774

SHA512
3ad181a849f7344094a0cdff71d54338318bd3440ff2c0bde6c1d158ca954b273b1f6388b54044b5d92d9cec7c8b3e260de94f0a5ac80136ba17d2bd2c5b960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-20MSS.tmp\hahagame.tmp

Filesize
682KB

MD5
d0699dfc3ff2c8980f167c7ab586dfcc

SHA1
c3f4aa0a542c01a0251782e48b313cbb7c5941a7

SHA256
52361d23cd961a2918dd0ca57306bb9d1cf9aa65f518d2b4d11147ef1f657175

SHA512
ea55708ba81207a55dfaf8e4ab77e837086d83b27c185942ce6b228f0844d4dc3e26cddd39cfda60ebf34a4f449e563f47ad46ba72e45a133e898e2a038fbf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-20MSS.tmp\hahagame.tmp

Filesize
682KB

MD5
d0699dfc3ff2c8980f167c7ab586dfcc

SHA1
c3f4aa0a542c01a0251782e48b313cbb7c5941a7

SHA256
52361d23cd961a2918dd0ca57306bb9d1cf9aa65f518d2b4d11147ef1f657175

SHA512
ea55708ba81207a55dfaf8e4ab77e837086d83b27c185942ce6b228f0844d4dc3e26cddd39cfda60ebf34a4f449e563f47ad46ba72e45a133e898e2a038fbf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\todeletetif.bat

Filesize
95B

MD5
cd490fc0b8299edb479fe88c9245808a

SHA1
63ef98f15756c129ac1977864c845d90c427881b

SHA256
30baa4c3ad9a57399678728d9cfd8fb2456005b794e45df84383c115e357e0d6

SHA512
efd2077ad9b62ff946f9943d435c12a07e598a074026c0ba3e50db1f96aae6fa484d10c3048bd91855bbd7b7cf6c439082678709eec0d5a8012e4c3fca7faf38

Download Submit
C:\game.exe

Filesize
131KB

MD5
538e78852cd7606ae3f04aadcc4a14c8

SHA1
0bc949fc684dd99fd240281c0849900c8bae96b6

SHA256
570a465834da90b5d7607da5d9335dd4bc9271d684e87323120fbce0869eda42

SHA512
19c3853a7d089a913d3404e741dc8c364f7bf4a499cdb5a883edb20135a7ca4a56d4fc75710781831a0033cad54611cbd052193a277f493317fa19d5b22b6cb1

Download Submit
C:\game.exe

Filesize
131KB

MD5
538e78852cd7606ae3f04aadcc4a14c8

SHA1
0bc949fc684dd99fd240281c0849900c8bae96b6

SHA256
570a465834da90b5d7607da5d9335dd4bc9271d684e87323120fbce0869eda42

SHA512
19c3853a7d089a913d3404e741dc8c364f7bf4a499cdb5a883edb20135a7ca4a56d4fc75710781831a0033cad54611cbd052193a277f493317fa19d5b22b6cb1

Download Submit
C:\hahagame.exe

Filesize
1.8MB

MD5
0b80274947513ef334429c0c666b3c53

SHA1
eb8f8ea8b3dc913c361adcfa4f790935083c4bf9

SHA256
4e9864adbc4b7c31cb8c1a81bb4a396459ab456640307d820f1f5d9f29e341be

SHA512
07ad09b3a021effce8cf696ac3e15be276d26e0b8d983fd64647fbac71a749a158c5b02e8399fa4c008d4a5517c2befbc3e84e02be803f0dd1f169da72fd5213

Download Submit
C:\hahagame.exe

Filesize
1.8MB

MD5
0b80274947513ef334429c0c666b3c53

SHA1
eb8f8ea8b3dc913c361adcfa4f790935083c4bf9

SHA256
4e9864adbc4b7c31cb8c1a81bb4a396459ab456640307d820f1f5d9f29e341be

SHA512
07ad09b3a021effce8cf696ac3e15be276d26e0b8d983fd64647fbac71a749a158c5b02e8399fa4c008d4a5517c2befbc3e84e02be803f0dd1f169da72fd5213

Download Submit
C:\maxthon.exe

Filesize
159KB

MD5
7bce9c46da8425ef61167f87e69cb53f

SHA1
7eaebc37924cfd6f166549aaaf063985017cce62

SHA256
1ad7a77aae1cf61a4d72cb381310d6222b46d94707372a3a5dfe03923c2971a7

SHA512
8ac9315b32654d77f675931ff257cb631a1bca7b4b905b12f1e4490c6b053f96d4989740e5e9631de2f027df51871a8dca5d506d8ca0e3e1faa3060b2ae76783

Download Submit
C:\maxthon.exe

Filesize
159KB

MD5
7bce9c46da8425ef61167f87e69cb53f

SHA1
7eaebc37924cfd6f166549aaaf063985017cce62

SHA256
1ad7a77aae1cf61a4d72cb381310d6222b46d94707372a3a5dfe03923c2971a7

SHA512
8ac9315b32654d77f675931ff257cb631a1bca7b4b905b12f1e4490c6b053f96d4989740e5e9631de2f027df51871a8dca5d506d8ca0e3e1faa3060b2ae76783

Download Submit
memory/716-150-0x0000000000000000-mapping.dmp

Download
memory/1380-146-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1380-151-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1380-138-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1380-135-0x0000000000000000-mapping.dmp

Download
memory/2480-147-0x0000000000000000-mapping.dmp

Download
memory/2792-163-0x0000000000000000-mapping.dmp

Download
memory/3804-132-0x0000000000000000-mapping.dmp

Download
memory/4400-143-0x0000000000000000-mapping.dmp

Download
memory/4556-139-0x0000000000000000-mapping.dmp

Download
memory/4864-165-0x0000000000000000-mapping.dmp

Download