501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2

General

Target

501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exe
Size

96KB
MD5

43da37325f9dd657f52ce61ee4975e9f
SHA1

a98a87bb01b4ebad04842037395b14ec2a95384d
SHA256

501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2
SHA512

74bc9d1ea6c37c591915b348ffdee8dde65160a062b3528d6895775ea715294b0870464bd7db76b9dc2236c658dd21c546a75a207d0b11ae33fee799808c07fb
SSDEEP

1536:YfUiAbz9nEhVfTEpaBBVRA/tlhVDT9p6mQ2eYd:Ysxbz9EXTzCtPVg2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1888 cmd.exe

pid	process
1888	cmd.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376028187"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a1000000000200000000001066000000010000200000001bc5b70c3f07686ddeb10f78f2f2a11c1c83ed582c5974c274717ca0454a7854000000000e80000000020000200000001039b3b8ab39ca2613694d1d0a3b5968a6f7359238275715563643ae5f9d69c020000000c3095aa9a45dcfb55cd6ee8d1ce0179e1a4fe720ced32c477570e861e61f016940000000d353ef4a611f0cceccfb878f68aa17776e3d7827f7d465b91e813c0eaac2bd29d8bbea934467189d52c65e4da9d117d4d4844964bdf85d9c0a7c7f1b1e6421d0	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 402efd44bbffd801	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a1000000000200000000001066000000010000200000007e49979b1e080c6911508ae29553dc5bb9ed3dd59c7a8de9b2c41622f8e47e67000000000e80000000020000200000004a6517e422eafe8ea5d206c7c3412bb226f77f79120c09bc2439cb508b351fa69000000057196f1c8897b01b1c69a23be3a334d1dcdf633b0e1078967d5e7367d0eec78da48b0adf63ffcb63b6f391df89322806ebab9885a8c9b0b480e99bc09e5511614aa58bf15c89cc91ab0b23b0206e41c1a267bace415030ff520188c2168e0b3d0bb86154b353d1c2f6c22c15bd9a943384fe78f1ff10aeae5cafc33dc88d73bd2b7f69222e5d248f519833d4ba6fb7a74000000017fc2b4d13b2788002c9da2720109debdd245b667890b85860c732318cd9cacfeeec758934fc849ab77fdaa7e16e3ba2248522c1e85e019f99c918908dbc8d9e	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{549ECC01-6BAE-11ED-AB9E-FE63F52BA449} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exe

description pid process

Token: SeIncBasePriorityPrivilege 860 501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2040 IEXPLORE.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	860	501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exe

pid	process
2040	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
860	501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exe
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
696	IEXPLORE.EXE
696	IEXPLORE.EXE
696	IEXPLORE.EXE
696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exeIEXPLORE.EXE

description	pid	process	target process
PID 860 wrote to memory of 2040	860	501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exe	IEXPLORE.EXE
PID 860 wrote to memory of 2040	860	501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exe	IEXPLORE.EXE
PID 860 wrote to memory of 2040	860	501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exe	IEXPLORE.EXE
PID 860 wrote to memory of 2040	860	501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exe	IEXPLORE.EXE
PID 2040 wrote to memory of 696	2040	IEXPLORE.EXE	IEXPLORE.EXE
PID 2040 wrote to memory of 696	2040	IEXPLORE.EXE	IEXPLORE.EXE
PID 2040 wrote to memory of 696	2040	IEXPLORE.EXE	IEXPLORE.EXE
PID 2040 wrote to memory of 696	2040	IEXPLORE.EXE	IEXPLORE.EXE
PID 860 wrote to memory of 1888	860	501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exe	cmd.exe
PID 860 wrote to memory of 1888	860	501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exe	cmd.exe
PID 860 wrote to memory of 1888	860	501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exe	cmd.exe
PID 860 wrote to memory of 1888	860	501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exe
"C:\Users\Admin\AppData\Local\Temp\501176b2580c1d5a83b735e2a02cd9951976db3f2548cd922987def731fb19a2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:860

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down5.tian-kong.com
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2040 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\501176~1.EXE
2⤵
- Deletes itself
PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N470OL9P.txt

Filesize
608B

MD5
3a8d5fd1be8f4f64804538c4a6d6f2e4

SHA1
46adbfa00bc270c05c56e742438fa50bcfed91d2

SHA256
8f489477700110c87dcc89e4c789e17527f4be2ddb5bec0eadedd89f7abf2078

SHA512
3d6ef7ff31c6ff3a8c76444158dd838cfca9c1f8331ae94911bb6aafbcf64e0d5ddba8ef54676abd63103759d9236fd6d3420a01a47ac8feb41fa18b1586efef

Download Submit
memory/860-56-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/860-58-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1888-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads