Overview
overview
7Static
static
12011091609.exe
windows7-x64
72011091609.exe
windows10-2004-x64
7不会安�...�.html
windows7-x64
1不会安�...�.html
windows10-2004-x64
1主题之家.html
windows7-x64
1主题之家.html
windows10-2004-x64
1安装没�...�.html
windows7-x64
1安装没�...�.html
windows10-2004-x64
1懒人上�...�.html
windows7-x64
1懒人上�...�.html
windows10-2004-x64
1桌面壁�...�.html
windows7-x64
1桌面壁�...�.html
windows10-2004-x64
1桌面美�...�.html
windows7-x64
1桌面美�...�.html
windows10-2004-x64
1Analysis
-
max time kernel
152s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
23/11/2022, 19:01
Static task
static1
Behavioral task
behavioral1
Sample
2011091609.exe
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral2
Sample
2011091609.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
不会安装请点这里.html
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral4
Sample
不会安装请点这里.html
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
主题之家.html
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
主题之家.html
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
安装没效果请点这里.html
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral8
Sample
安装没效果请点这里.html
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
懒人上网请点这里.html
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral10
Sample
懒人上网请点这里.html
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
桌面壁纸-高清.html
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral12
Sample
桌面壁纸-高清.html
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
桌面美化软件.html
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral14
Sample
桌面美化软件.html
Resource
win10v2004-20221111-en
windows10-2004-x64
General
-
Target
主题之家.html
-
Size
265B
-
MD5
37ef2c6740fbf2297744f81fab16f81a
-
SHA1
861e9922f9e308f9648b66c254573afdb798ce37
-
SHA256
916d15c31c84fdecb989ae5a05fe69dc190b7aff233d73b7cc7e70d5b9f26d7f
-
SHA512
7cec309861a4048ee799be6b21dddab1384e810227a29fdaf11349ca667b0b4c9667fb419b5b5d31ac562d1f1fa8bf271def513f0c2bee44638e92663502c96a
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51ztzj.com\ = "126" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000001132ae37095f4db640de282c06354c00000000020000000000106600000001000020000000b2b26e5384d26da50deaca04289ce24537c2cf72ac7e8c12e526f7a2584bb9f8000000000e8000000002000020000000c81e1c234ee1f414c890944a4d6bbd1cd7aef7e11d2ea1aa184393540f5ff4012000000099c74114ff3049f14240d5abc899238ef750f7f0078fc8d3c9909a50709195bf400000001aaa1ac3fbbfcfe16c8dad786b1551728af0bb5004badc6d7ff5bb5855619b1941bc296c5c5750b66978373bddfccefe4cabd6bcd7b809082ea079a24279c255 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51ztzj.com\ = "63" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0732ed088ffd801 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000001132ae37095f4db640de282c06354c000000000200000000001066000000010000200000007ea59674f41252eee86ac3500e5ea2f7bfa581416fd3bbceae1c67a823adb6dc000000000e8000000002000020000000fc247e0883675881961f5473a14e5892d3c386521091b48a2e56e45e87abb788900000003e4ba9df6bf6d2c9b13d210819285e9d5d172f58098a0effe44d0ab48ab6649e00af78646baced39a8da43ce5f1eb9f53281ea532c3cd6e71719b2ff834030ba8efaa33f9182a88abd7f3b4cbd77f8e2a0c5aa77f4ca3e3ebadc8b68e912ec2b1f0236142b3a73cadf58c194637a5e3b5e06307a7cd771808997654c22443442fb6df579290e3366b2423b136dd42fb84000000073b2b71408003a076c6f5bfb5097f4e04a25bb00b8e278a723219f65d773fce38e1ba4176b6ad13bf32ca0cca178f8c29d515c3a397f0bd33131bbdc0a1ddd5c iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com\Total = "63" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com\Total = "126" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{03E18731-6B7C-11ED-BF27-66397CAA4A34} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51ztzj.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376006566" iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1500 IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2000 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2000 iexplore.exe 2000 iexplore.exe 1500 IEXPLORE.EXE 1500 IEXPLORE.EXE 1500 IEXPLORE.EXE 1500 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2000 wrote to memory of 1500 2000 iexplore.exe 29 PID 2000 wrote to memory of 1500 2000 iexplore.exe 29 PID 2000 wrote to memory of 1500 2000 iexplore.exe 29 PID 2000 wrote to memory of 1500 2000 iexplore.exe 29
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\主题之家.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1500
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize340B
MD5c99fbffa141bee9ce136556b0251a54f
SHA125299514166d84968ce91e4db7e11c98ff9f115e
SHA25645f4f814fdfbfaf2c362e0daa16ec740f5e172da1c862554c0eea7a41e6e84a9
SHA5122ac97d801158c1046f44c6dda9f5e24eb8ffa4a7ca4ff417c62a78f2e15e105c98514441e7249e4b9617c20323e71a7bd10947b464663bf2e38cc197b901f32e
-
Filesize
13KB
MD5cffd43c6a2eafcc6414875229d1077b9
SHA1df9c4695992427ee2f8a3cc26dc08f602367b4ea
SHA2569aee30cf61f0493fc1de194aacfa6b14a5c291ae84f73195f93c5950d0c8ac9f
SHA512d1a09b351eaf0c5f4d377b931f97847691e9a3cb5cd2391f2c395d9adac0e61c96f9bf2ae567e31b07d9681692de70b764062b913d8603ae211b469e7c18baa3
-
Filesize
603B
MD584d0607bd998517107f73fc81f9e2ef6
SHA102ccc861a956750b6f265b384a0a8622b88970c5
SHA256c8b8841504a1c27ba9ebdf036a141aebbeba23160a6bcb5b883e68d2deb0084b
SHA512be962de992c64b543850a59f2027db7fdc28ca80ade70732505dc2082b69abc4be435705f9304d819a48927de9e70de95b420c8ec7601f1c6d94e4b8ce65c241