f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f

General

Target

f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Size

208KB
MD5

d770b3b7796bbf4caca7d8885cddf5a7
SHA1

6278c627b967a0f46201cd77e48338d7061271c8
SHA256

f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f
SHA512

69c481f6227854cfb6c43d7a5ed1324f3d1fe4964a40b52e7549d5770c7b481f1931e76f8251edefb3fef9be60dbf81b9b6e74ce9509b3b66b5c350410215f2d
SSDEEP

6144:gc7/0wU6orOacpyXaDmlc0IuQM97WfMbeRmDmq:gdwU6oXcaWvv6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Program FilesMN7A56.exe

pid process

5068 Program FilesMN7A56.exe

pid	process
5068	Program FilesMN7A56.exe

Drops file in Program Files directory 2 IoCs

Processes:

f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.exeIEXPLORE.EXEIEXPLORE.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 401d67fb38ffd801	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 307108fd38ffd801	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{09627E1E-6B2C-11ED-BF5F-42A3CC74B480} = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb00000000020000000000106600000001000020000000f2927fc87f61ee1625f30b3ef79d1807b31fb76a537bb9ab47d728d9f81822fa000000000e80000000020000200000006e70fe3743e90718b2aa78836e9ed2923b51880c699e8864d54ed77ab69aa7cf200000004e06b1fe305a0274e9469ae59d4ef8252685e9b0cf2c4266c0ce3933b91646df40000000000405c2349e7e5b77c37dd76358f046a0150e2d419e7023cdf83991d95e01dfb51de8e6aeb5219627c884f5d3edc156e01d73198681cba4b200ab8123d852af	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375972270"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb0000000002000000000010660000000100002000000079dde9086b4cf4346565a036bf2d6ca2ab5cc526fe5bfaa486947eec97662930000000000e8000000002000020000000f3604deb3494c9032205de19de5e8e3d63c09a7716a263a4481b8829cf3fc01f200000003d18fec523e5004fbbc887948a83eca880f0662d4950ee60720d49997a1fd9c3400000009c23189a876acf4109d6d94593d7b0330ae6c4f91a6a694473a230af91795ca4f3fd06527028da5568ebbfc0f3e589f7a266026f68c2f23da50bbde7ce5cb995	IEXPLORE.exe

Modifies registry class 60 IoCs

Processes:

f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1121"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1121"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.35yes.com/?1121"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1121"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1121"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1121"	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.exe

pid process

176 IEXPLORE.exe

pid	process
176	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exeProgram FilesMN7A56.exeIEXPLORE.exeIEXPLORE.EXE

pid	process
4500	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
5068	Program FilesMN7A56.exe
176	IEXPLORE.exe
176	IEXPLORE.exe
1100	IEXPLORE.EXE
1100	IEXPLORE.EXE
1100	IEXPLORE.EXE
1100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exeProgram FilesMN7A56.exeIEXPLORE.exe

description	pid	process	target process
PID 4500 wrote to memory of 5068	4500	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe	Program FilesMN7A56.exe
PID 4500 wrote to memory of 5068	4500	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe	Program FilesMN7A56.exe
PID 4500 wrote to memory of 5068	4500	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe	Program FilesMN7A56.exe
PID 5068 wrote to memory of 176	5068	Program FilesMN7A56.exe	IEXPLORE.exe
PID 5068 wrote to memory of 176	5068	Program FilesMN7A56.exe	IEXPLORE.exe
PID 176 wrote to memory of 1100	176	IEXPLORE.exe	IEXPLORE.EXE
PID 176 wrote to memory of 1100	176	IEXPLORE.exe	IEXPLORE.EXE
PID 176 wrote to memory of 1100	176	IEXPLORE.exe	IEXPLORE.EXE
PID 5068 wrote to memory of 4512	5068	Program FilesMN7A56.exe	IEXPLORE.exe
PID 5068 wrote to memory of 4512	5068	Program FilesMN7A56.exe	IEXPLORE.exe
PID 4500 wrote to memory of 2088	4500	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe	WScript.Exe
PID 4500 wrote to memory of 2088	4500	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe	WScript.Exe
PID 4500 wrote to memory of 2088	4500	f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe	WScript.Exe

C:\Users\Admin\AppData\Local\Temp\f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
"C:\Users\Admin\AppData\Local\Temp\f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4500

\??\c:\Program FilesMN7A56.exe
"c:\Program FilesMN7A56.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5068

C:\Program Files\Internet Explorer\IEXPLORE.exe
"C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:176

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:176 CREDAT:17410 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Program Files\Internet Explorer\IEXPLORE.exe
"C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forxuyan_0977.html
3⤵
- Modifies Internet Explorer settings
PID:4512

C:\Windows\SysWOW64\WScript.Exe
WScript.Exe jies.bak.vbs
2⤵
PID:2088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program FilesMN7A56.exe

Filesize
36KB

MD5
a91cff9803cf5bb08f09c68aaf5ef210

SHA1
9852297d7ec88991da07bcbcb7da523430e77f1a

SHA256
fa6ba38aab07265d78c589d23317074e0edaf9777b321a132be9b7044078d7f2

SHA512
1fe6b5db7d27a1ce8468bd2560c49ee6129e0f7fc9fb9847f58009051e00771e132a070c6d0ab7b829f30ecb2f227174954a2b4431e4aa3c2b4b8119158c5b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
486B

MD5
92cb80c5994e0a192e2abd64a4b65122

SHA1
011cc840d3785bae845facb5c36eae8763106533

SHA256
db3564396bfdf5a635c37b374da65eb6ce64e0935ea7478bf8522e8a5b05330a

SHA512
3bc02ad4aa06aaae5d3f63e5f25af5bc1554d8b9031435a5686f3ecf56c09e7c17439c4cfe1888800b83bc2e5c602e199c6c5e3239a1c39e7ad26403680d631d

Download Submit
\??\c:\Program FilesMN7A56.exe

Filesize
36KB

MD5
a91cff9803cf5bb08f09c68aaf5ef210

SHA1
9852297d7ec88991da07bcbcb7da523430e77f1a

SHA256
fa6ba38aab07265d78c589d23317074e0edaf9777b321a132be9b7044078d7f2

SHA512
1fe6b5db7d27a1ce8468bd2560c49ee6129e0f7fc9fb9847f58009051e00771e132a070c6d0ab7b829f30ecb2f227174954a2b4431e4aa3c2b4b8119158c5b7a

Download Submit
memory/2088-139-0x0000000000000000-mapping.dmp

Download
memory/5068-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads