c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a

Analysis

max time kernel
118s
max time network
174s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
Size

1.4MB
MD5

16998e10023323dae5dcf8e401c00619
SHA1

645a43cfaf2751f3a9af02bf9a6ff60fe71fcbdc
SHA256

c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a
SHA512

445464cf76514dd55ad3e83ff8fb5f77978f41e2fca5262778a77edae4f28d494a429bb248142457e52bcf42ed6cc96b52253aa7ad830829c971c657f7f68f66
SSDEEP

24576:5kr/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVNPV9:a/4Qf4pxPctqG8IllnxvdsxZ4UtV9

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

Processes:

c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe

pid	process
1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe

Drops file in Program Files directory 20 IoCs

Processes:

c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe

description	ioc	process
File created	C:\Program Files (x86)\soft144702\B_0220110205020219470214020202.txt	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\soft144702\wl06079.exe	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\FlashIcon.ico	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\sc\GoogleËÑË÷.url	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\sc\²ÊÆ±¿ª½±²éÑ¯-ÔÚÏßÂò²ÊÆ±.url	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\sc\»Æ¹ÏµçÓ°Íø-ÔÚÏßµçÓ°.url	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\sc\Ã¿ÌìÍÅ¹ºÒ»ÏÂ-¾Û±ãÒË.url	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\dailytips.ini	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\sc\126ÍøÖ·´óÈ«ÉÏÍø×î·½±ã.url	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File opened for modification	C:\Program Files (x86)\jishu_144702\jishu_144702.ini	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\soft144702\d_1402.exe	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\newnew.ini	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\sc\2144Ð¡ÓÎÏ·--³¬¼¶ºÃÍæ£¬ÀÖºÇºÇ.url	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\sc\ÍøÉÏ¹ºÎïÍøÖ·´óÈ«-Íø¹ºµÚÒ»Õ¾.url	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\soft144702\MiniJJ_12318.exe	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\soft144702\pipi_dae_381.exe	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\newnew.exe	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\ImgCache\www.2144.net_favicon.ico	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\soft144702\a	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\soft144702\0220110205020219470214020202.txt	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f046a5c99dffd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000378e0ce56ecd982daf431b71c8cbcd99806c0fe24d04c01599c9723a2cace5cd000000000e8000000002000020000000c531cba9407b893f0d7f392fab4d42252a2b369f99f18dc9fba7266d1fd446a32000000099224a3c8767db22c3cd0556c9c7eb327c878c049ebc836a3cc9c4323fdbcd9540000000af4f2e0e655a78ea9675d0dea793b3b4093a9a24a769a061688748fb7358e5407476b378b10e85c4b3a16e81b045f8aaf5f037b716fc8d6921449ea2c098eec5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CFCE2E21-6B90-11ED-A70D-7AAB9C3024C2} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CFFC3B31-6B90-11ED-A70D-7AAB9C3024C2} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000ea61541d24c911796ca97db8a690bda8835760f5288a5a4eb4fabd831688ee70000000000e8000000002000020000000e2571f8f5b563acde19c1678b998be22f839af8467d9bc71c11d6c3711a27b0290000000019db2b3f0d59666018ec166d792d0d033c55a38c419102c34836ef30809268f4a15623fed90a33292eb7baf7aa7bf3f29f280b56dd8f48269fb9692834d1a9110146312d963a6bc65b4945b5f58f5d9451923f5b47f2c2744ef9af008803b37f9fb58877531dd76c45e3e34f6eee5749bafaa45e3f3d4858350139d86541e16d35ae99e69b2539f3bd4580ff8c8d637400000000852c3a5501079a92d8486b82f84cd4521a1cdabffc3d7b18e8e98dd6359e4ccdde24706e8980a9556b745d5a37e5d98e688b9072b08a5d247bb2ba62309bb1b	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376015518"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe

pid	process
1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1456 IEXPLORE.EXE
320 IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1456	IEXPLORE.EXE
1456	IEXPLORE.EXE
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE
320	IEXPLORE.EXE
320	IEXPLORE.EXE
772	IEXPLORE.EXE
772	IEXPLORE.EXE
772	IEXPLORE.EXE
772	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEWscript.exeIEXPLORE.EXE

description	pid	process	target process
PID 1640 wrote to memory of 972	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 972	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 972	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 972	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 972	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 972	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 972	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 972 wrote to memory of 1456	972	IEXPLORE.EXE	IEXPLORE.EXE
PID 972 wrote to memory of 1456	972	IEXPLORE.EXE	IEXPLORE.EXE
PID 972 wrote to memory of 1456	972	IEXPLORE.EXE	IEXPLORE.EXE
PID 972 wrote to memory of 1456	972	IEXPLORE.EXE	IEXPLORE.EXE
PID 1640 wrote to memory of 1068	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 1068	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 1068	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 1068	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 1068	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 1068	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 1068	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 380	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	Wscript.exe
PID 1640 wrote to memory of 380	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	Wscript.exe
PID 1640 wrote to memory of 380	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	Wscript.exe
PID 1640 wrote to memory of 380	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	Wscript.exe
PID 1640 wrote to memory of 380	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	Wscript.exe
PID 1640 wrote to memory of 380	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	Wscript.exe
PID 1640 wrote to memory of 380	1640	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	Wscript.exe
PID 1068 wrote to memory of 320	1068	IEXPLORE.EXE	IEXPLORE.EXE
PID 1068 wrote to memory of 320	1068	IEXPLORE.EXE	IEXPLORE.EXE
PID 1068 wrote to memory of 320	1068	IEXPLORE.EXE	IEXPLORE.EXE
PID 1068 wrote to memory of 320	1068	IEXPLORE.EXE	IEXPLORE.EXE
PID 1456 wrote to memory of 1864	1456	IEXPLORE.EXE	IEXPLORE.EXE
PID 1456 wrote to memory of 1864	1456	IEXPLORE.EXE	IEXPLORE.EXE
PID 1456 wrote to memory of 1864	1456	IEXPLORE.EXE	IEXPLORE.EXE
PID 1456 wrote to memory of 1864	1456	IEXPLORE.EXE	IEXPLORE.EXE
PID 1456 wrote to memory of 1864	1456	IEXPLORE.EXE	IEXPLORE.EXE
PID 1456 wrote to memory of 1864	1456	IEXPLORE.EXE	IEXPLORE.EXE
PID 1456 wrote to memory of 1864	1456	IEXPLORE.EXE	IEXPLORE.EXE
PID 380 wrote to memory of 1852	380	Wscript.exe	cmd.exe
PID 380 wrote to memory of 1852	380	Wscript.exe	cmd.exe
PID 380 wrote to memory of 1852	380	Wscript.exe	cmd.exe
PID 380 wrote to memory of 1852	380	Wscript.exe	cmd.exe
PID 380 wrote to memory of 1852	380	Wscript.exe	cmd.exe
PID 380 wrote to memory of 1852	380	Wscript.exe	cmd.exe
PID 380 wrote to memory of 1852	380	Wscript.exe	cmd.exe
PID 320 wrote to memory of 772	320	IEXPLORE.EXE	IEXPLORE.EXE
PID 320 wrote to memory of 772	320	IEXPLORE.EXE	IEXPLORE.EXE
PID 320 wrote to memory of 772	320	IEXPLORE.EXE	IEXPLORE.EXE
PID 320 wrote to memory of 772	320	IEXPLORE.EXE	IEXPLORE.EXE
PID 320 wrote to memory of 772	320	IEXPLORE.EXE	IEXPLORE.EXE
PID 320 wrote to memory of 772	320	IEXPLORE.EXE	IEXPLORE.EXE
PID 320 wrote to memory of 772	320	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
"C:\Users\Admin\AppData\Local\Temp\c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
2⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1456 CREDAT:340993 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1864

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
2⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:320

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:320 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:772

C:\Windows\SysWOW64\Wscript.exe
"C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft144702\b_1402.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\soft144702\300.bat" "
3⤵
PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft144702\300.bat

Filesize
3KB

MD5
165b7bf64213af84c0d03cd568ba2559

SHA1
22199f998b0631f453908456c390016513e16fc2

SHA256
86f8b77278173279537e8db926128c15a16ba224aa407c2510089fd1c8d804eb

SHA512
9cd7257579d8ab94242d8784226b931ae506fa10f5e2d45976e5fe43d82204d233b97e4d6293beb87f9a05cea4dd004e543b5b57981577c9abcdd917c74a3c70

Download Submit
C:\Program Files (x86)\soft144702\b_1402.vbs

Filesize
247B

MD5
df75945f5fea363c78bd0ab224bc613f

SHA1
059f062dafaae3c49e8c7f4a6ea6d47313c26c61

SHA256
8a594a9e49dd0b80d945e7d2c6c0b97f77701a34e19e697d2b2ebe2251f76d51

SHA512
543dd590a2e8ec5f5b55c1e3419689dd1a7d10ab842b4a8c78a284429e1d6cdd42c7dfe8503124c8645725d4f23467c387db3ee1873bc264e47c7b8b9bfeafc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54376b5df7e87fc48ab56b3372d65c4a

SHA1
a99c5d820321fdd8508bedb203024da841b32409

SHA256
c566b5bced491cf0a4c60a9cee503567cd41d2e0c1af0699cb73492f4655b752

SHA512
dadac2d88fa7ff94820c8d152251cb0b4f36a1d539c54318260d7cb5a56b03d3fb878ccf68ba817a811f4a13620889346b2fb309c143758c324ec9a757732ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CFCE2E21-6B90-11ED-A70D-7AAB9C3024C2}.dat

Filesize
5KB

MD5
3e93450046063481fc277352d181abb5

SHA1
aa10f88c9c5e3efeb9cd1cbd185af0be1aea3b11

SHA256
11dc4a67dd6f599c35c49f7d580fd4355f404f4c3f506b787cf43c4f548a34ed

SHA512
fba0c463729bba2ffde6ed4851e04a1b3b02a4ac4f70fd553b3793e414f5a870cc81725b487656dfb7206fc34a67b7dd9530441a7363bd56c1d3c04ec71ebfdd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QXE6NGIE.txt

Filesize
600B

MD5
7fe5c90ad0270c733afff84af9e862bf

SHA1
caacaf3fe8296096a5ac4fb31097611db7765956

SHA256
6f3188bd186ee606d339e369d1ffeb7ec4ccd36a8272a0355bde992753c5c3b3

SHA512
ca7d5d0ffd37d336bcba30b967f27eabab73c1ca665d093e3f4e94b3dc817ad9eefb59695dc08fc4f37024fe80e2cdf3571874cc762b956c982aff5ba2259210

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\ Intornot Exploror .lnk

Filesize
1KB

MD5
647742c11cf5368d8f7573ab44973abb

SHA1
673ad062d03ea79db5288d8455750b084fdc9274

SHA256
5208591809fa0f478342604f0ab04d5191ddb518dff602e8f76eae03efc256db

SHA512
6fbcc737210669b3efe4777107b098f385f31a5fd3a06aeab1bd4b1269e37a700f9e376c48cb7b0ed34dc07dba0577d117c58f24d51e0c39e37861241b5b8120

Download Submit
\Program Files (x86)\jishu_144702\jishu_144702.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
\Program Files (x86)\jishu_144702\jishu_144702.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
\Users\Admin\AppData\Local\Temp\nsy54A7.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy54A7.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy54A7.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy54A7.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy54A7.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy54A7.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy54A7.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy54A7.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
memory/380-60-0x0000000000000000-mapping.dmp

Download
memory/1640-54-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download
memory/1852-64-0x0000000000000000-mapping.dmp

Download