c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a

Analysis

max time kernel
73s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
Size

1.4MB
MD5

16998e10023323dae5dcf8e401c00619
SHA1

645a43cfaf2751f3a9af02bf9a6ff60fe71fcbdc
SHA256

c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a
SHA512

445464cf76514dd55ad3e83ff8fb5f77978f41e2fca5262778a77edae4f28d494a429bb248142457e52bcf42ed6cc96b52253aa7ad830829c971c657f7f68f66
SSDEEP

24576:5kr/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVNPV9:a/4Qf4pxPctqG8IllnxvdsxZ4UtV9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exeWscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Wscript.exe

Loads dropped DLL 8 IoCs

Processes:

c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe

pid	process
4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe

Drops file in Program Files directory 20 IoCs

Processes:

c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe

description	ioc	process
File created	C:\Program Files (x86)\jishu_144702\sc\GoogleËÑË÷.url	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\soft144702\B_0220110205020219470214020202.txt	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\soft144702\d_1402.exe	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\dailytips.ini	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\newnew.ini	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\sc\»Æ¹ÏµçÓ°Íø-ÔÚÏßµçÓ°.url	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\soft144702\pipi_dae_381.exe	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\sc\Ã¿ÌìÍÅ¹ºÒ»ÏÂ-¾Û±ãÒË.url	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\sc\ÍøÉÏ¹ºÎïÍøÖ·´óÈ«-Íø¹ºµÚÒ»Õ¾.url	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\soft144702\a	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\soft144702\0220110205020219470214020202.txt	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\FlashIcon.ico	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\sc\126ÍøÖ·´óÈ«ÉÏÍø×î·½±ã.url	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\sc\2144Ð¡ÓÎÏ·--³¬¼¶ºÃÍæ£¬ÀÖºÇºÇ.url	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\sc\²ÊÆ±¿ª½±²éÑ¯-ÔÚÏßÂò²ÊÆ±.url	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\soft144702\MiniJJ_12318.exe	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\newnew.exe	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\jishu_144702\ImgCache\www.2144.net_favicon.ico	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File opened for modification	C:\Program Files (x86)\jishu_144702\jishu_144702.ini	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
File created	C:\Program Files (x86)\soft144702\wl06079.exe	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998421"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "966972737"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998421"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998421"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998421"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "978692012"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d096e73c95ffd801	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "966817138"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "979474137"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000bde8223175a3ef7bdd0c856ece8b0734d6837d6fa78148bab3b40e399e96d6c8000000000e8000000002000020000000a5632a5aab79c1b3fed79ab2a7175c64a72d88245f0a2cb044b447b756ace9c2200000008bb2ac76c359c86f8c823a0f132ffdcdfe039396c6cb913a6d0f3c7a6d1360174000000018babed8b682083183b88b608fbd9ddeb3144b4cb68673ed6b9bc56429f1a52b04276d9161ccf4428d7585d7265e52adf84741e985f89de31af601273bd64482	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "966972737"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998421"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376011883"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{650012AC-6B88-11ED-A0EE-C65219BF0A09} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6517E9FF-6B88-11ED-A0EE-C65219BF0A09} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998421"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c033f13c95ffd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000008627f7259ed8cdefa04dc6d7b85a35316ab0aee973c7c05279346771898f3e8d000000000e800000000200002000000068266ca32763392043fdbd0400d60d082632eb60ca6f2a92d4f4989776c90e48200000004db68046d555a900d2a23107129bbb180d16019a4588c3d332a192ccf3b40ba340000000fd5b767823527886567b2117e3889ebf4b7fc709a83c86fa9901bf77592b0fd4626043b662e577bea81f33f34dc4e219c34690a5a917ce639d036021f22ee0ec	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "966817138"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe

pid	process
4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

4608 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

4608 IEXPLORE.EXE
2668 IEXPLORE.EXE

pid	process
4608	IEXPLORE.EXE

pid	process
4608	IEXPLORE.EXE
2668	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
4608	IEXPLORE.EXE
4608	IEXPLORE.EXE
4580	IEXPLORE.EXE
4580	IEXPLORE.EXE
3556	IEXPLORE.EXE
3556	IEXPLORE.EXE
4580	IEXPLORE.EXE
4580	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEWscript.exe

description	pid	process	target process
PID 4972 wrote to memory of 1420	4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 4972 wrote to memory of 1420	4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 4972 wrote to memory of 1420	4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 1420 wrote to memory of 2668	1420	IEXPLORE.EXE	IEXPLORE.EXE
PID 1420 wrote to memory of 2668	1420	IEXPLORE.EXE	IEXPLORE.EXE
PID 4972 wrote to memory of 2384	4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 4972 wrote to memory of 2384	4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 4972 wrote to memory of 2384	4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	IEXPLORE.EXE
PID 4972 wrote to memory of 3152	4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	Wscript.exe
PID 4972 wrote to memory of 3152	4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	Wscript.exe
PID 4972 wrote to memory of 3152	4972	c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe	Wscript.exe
PID 2384 wrote to memory of 4608	2384	IEXPLORE.EXE	IEXPLORE.EXE
PID 2384 wrote to memory of 4608	2384	IEXPLORE.EXE	IEXPLORE.EXE
PID 2668 wrote to memory of 3556	2668	IEXPLORE.EXE	IEXPLORE.EXE
PID 2668 wrote to memory of 3556	2668	IEXPLORE.EXE	IEXPLORE.EXE
PID 2668 wrote to memory of 3556	2668	IEXPLORE.EXE	IEXPLORE.EXE
PID 4608 wrote to memory of 4580	4608	IEXPLORE.EXE	IEXPLORE.EXE
PID 4608 wrote to memory of 4580	4608	IEXPLORE.EXE	IEXPLORE.EXE
PID 4608 wrote to memory of 4580	4608	IEXPLORE.EXE	IEXPLORE.EXE
PID 3152 wrote to memory of 4180	3152	Wscript.exe	cmd.exe
PID 3152 wrote to memory of 4180	3152	Wscript.exe	cmd.exe
PID 3152 wrote to memory of 4180	3152	Wscript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe
"C:\Users\Admin\AppData\Local\Temp\c86d68b039b597ae1e07351f2706105886972e8973561b84bc2f22e4088aa30a.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4972

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
2⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:17410 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3556

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
2⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4608

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4608 CREDAT:17410 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4580

C:\Windows\SysWOW64\Wscript.exe
"C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft144702\b_1402.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\soft144702\300.bat" "
3⤵
PID:4180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft144702\300.bat

Filesize
3KB

MD5
165b7bf64213af84c0d03cd568ba2559

SHA1
22199f998b0631f453908456c390016513e16fc2

SHA256
86f8b77278173279537e8db926128c15a16ba224aa407c2510089fd1c8d804eb

SHA512
9cd7257579d8ab94242d8784226b931ae506fa10f5e2d45976e5fe43d82204d233b97e4d6293beb87f9a05cea4dd004e543b5b57981577c9abcdd917c74a3c70

Download Submit
C:\Program Files (x86)\soft144702\b_1402.vbs

Filesize
247B

MD5
df75945f5fea363c78bd0ab224bc613f

SHA1
059f062dafaae3c49e8c7f4a6ea6d47313c26c61

SHA256
8a594a9e49dd0b80d945e7d2c6c0b97f77701a34e19e697d2b2ebe2251f76d51

SHA512
543dd590a2e8ec5f5b55c1e3419689dd1a7d10ab842b4a8c78a284429e1d6cdd42c7dfe8503124c8645725d4f23467c387db3ee1873bc264e47c7b8b9bfeafc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
e32d02ce684c01ef3af05fae9066160e

SHA1
29c7a6e8ed553ac2765634265d1db041d6d422ec

SHA256
b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

SHA512
e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
e32d02ce684c01ef3af05fae9066160e

SHA1
29c7a6e8ed553ac2765634265d1db041d6d422ec

SHA256
b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

SHA512
e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
676248365412e6d4babfee909857827d

SHA1
5dc1e514d8821cf1402162858f51d0301750a640

SHA256
3118ff50fc7b5d4bfd383326ec645c876e7d90cf41a0b8c976b029beed01f6ef

SHA512
55ea83a3ef6ba68d4c4b4d85401b28b86d8017e1ecce27ef6a9389a692630fefcd05e7359011f4b196c6285647b22dd642eddcc9bde1d0b9c045ef297831d459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
e63781db610008615378b14c72d29515

SHA1
a12be7f5781ccb02868df9269f3a042f6132e620

SHA256
cb0328716e39e3dc9a62bc20e869eaa07e29670bb53935bb8aa33001dc53a5db

SHA512
c7254809bc2e237b6cbe0d9441021ee4af6de27e83b2a625df7a15ac0f2ecac40423ab0b8bbe1df400c1a47784afeff60c3fb7298b27456dfaa32b58dc3221d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{650012AC-6B88-11ED-A0EE-C65219BF0A09}.dat

Filesize
4KB

MD5
bd66cbb07ed464a4ae40061b860f8323

SHA1
1a6ea35701c400734636b7eb188cc0f886f2c760

SHA256
1067e23704350a69bc0becea5d4fbc3cd3308fe77e42ddaab40b0975181e8012

SHA512
115b1b0a8c753678911013ed5a559b07d6d6dafc3352437f5f73789311d8a0e27f6b02a977ecad9429b8d0017209b1a98afe5f00d2fb94e916fb2ce314d2fc57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6517E9FF-6B88-11ED-A0EE-C65219BF0A09}.dat

Filesize
5KB

MD5
4e30afd455b611c95d3e88f2f52e455d

SHA1
129bed89609d50db33ce0d909a2315c6880429dc

SHA256
9bb4748a637243be155f7ff33b41bbe2758eb24416cdc84fe421cb9937ed0b71

SHA512
470488c09e739d0a186b1e6b33d01423a82a369159c055a418840b100238c7db0ced28ded8dabcc21eb070284d391a86b48e54a2ef69652759c97f03df0d8709

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnC932.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnC932.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnC932.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnC932.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnC932.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnC932.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnC932.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnC932.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\ Intornot Exploror .lnk

Filesize
2KB

MD5
d7768f88bbd369cdd1c09a62f2b55e8f

SHA1
661a8d2b23d02d874fc3925d295eb97941ed24e5

SHA256
155f66a078eaf3785e5bc72903fbb53ce6a4cac52fe201b1e838dbe396875058

SHA512
caad01a7d180c8e5f15ee81bc92b0db06bb024e9101a76d1db3e44c45965c2ab31e3aa9bebe5afd52c4a79aea397df482d7d551c40f55dd0ad91690be20c0d55

Download Submit
memory/3152-135-0x0000000000000000-mapping.dmp

Download
memory/4180-138-0x0000000000000000-mapping.dmp

Download