b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d

General

Target

b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Size

212KB
MD5

2b3a6012b42172a7ba03a220f50bc13b
SHA1

b50678f42f08dbf12633b9ad0e2c09d2182905b7
SHA256

b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d
SHA512

8edd83146c45d5e486bc411649f148216944bb8e6e9055d5852a33395999ddd4457b5cbcf6ba1114a750ac9f750153beaa73f9718307fde680d39f12df2765f6
SSDEEP

6144:dcyyU/A5rZRLEhFTnRa26s+Wdz8V7Wdfwn1nbmuSDmG:dHp/urb4A1WdBfp

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Program Files447A5R.exe

pid process

2524 Program Files447A5R.exe

pid	process
2524	Program Files447A5R.exe

Drops file in Program Files directory 2 IoCs

Processes:

b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.exeIEXPLORE.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D01F1E2A-6B94-11ED-B8D8-7295FC24CA51} = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd62b78ee8587e4dac88ae50a840a17f00000000020000000000106600000001000020000000af298f134e4943d1b630f63f301627c5e59e50433f8a93937b453b1e678c24e0000000000e8000000002000020000000a5d18f55cc70935955a6b87008a7b6e1526f6d8af2f3ff1a18f9879be75296732000000021f662e0b7d72e74ac0f266e6d5ee24d917a48271d4a3a01368fa88e02d6694240000000e94256f1e169549094a2fd41557e3ed204a52a6da88b69fe6a5f644b3eb53786c320702dddc91a7160ab9328d765a91daa413cb1a4677ea8dddff1e199a298d2	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c064d1b0a1ffd801	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998433"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2688546199"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2783544925"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd62b78ee8587e4dac88ae50a840a17f0000000002000000000010660000000100002000000035be84d15569eed639bcc05dd28bd358e7ca1ed9949d598e303be6f38233f083000000000e8000000002000020000000e887b9b213afab933e3d5c476c8aeae13ee220397238b075f24fb63fdee5d384200000008fb6b3160a2f9e96eabf25917f24a0505d46fcb0988f7e00f9eeefdf7133c33e4000000080580536da3444f57f9c443216446c3d3510ea2608a64a68a765e3689606cc175b99606e67e334912d95517591b7a1162160c99502af4c3c17f604accdf30ea2	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998433"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2688546199"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e09083b7a1ffd801	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376017216"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998433"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe

Modifies registry class 60 IoCs

Processes:

b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1193"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1193"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1193"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1193"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.t17t.com/?1193"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1193"	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.exe

pid process

3044 IEXPLORE.exe

pid	process
3044	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exeProgram Files447A5R.exeIEXPLORE.exeIEXPLORE.EXE

pid	process
4396	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
2524	Program Files447A5R.exe
3044	IEXPLORE.exe
3044	IEXPLORE.exe
3460	IEXPLORE.EXE
3460	IEXPLORE.EXE
3460	IEXPLORE.EXE
3460	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exeProgram Files447A5R.exeIEXPLORE.exe

description	pid	process	target process
PID 4396 wrote to memory of 2524	4396	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe	Program Files447A5R.exe
PID 4396 wrote to memory of 2524	4396	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe	Program Files447A5R.exe
PID 4396 wrote to memory of 2524	4396	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe	Program Files447A5R.exe
PID 2524 wrote to memory of 3044	2524	Program Files447A5R.exe	IEXPLORE.exe
PID 2524 wrote to memory of 3044	2524	Program Files447A5R.exe	IEXPLORE.exe
PID 2524 wrote to memory of 3408	2524	Program Files447A5R.exe	IEXPLORE.exe
PID 2524 wrote to memory of 3408	2524	Program Files447A5R.exe	IEXPLORE.exe
PID 3044 wrote to memory of 3460	3044	IEXPLORE.exe	IEXPLORE.EXE
PID 3044 wrote to memory of 3460	3044	IEXPLORE.exe	IEXPLORE.EXE
PID 3044 wrote to memory of 3460	3044	IEXPLORE.exe	IEXPLORE.EXE
PID 4396 wrote to memory of 1236	4396	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe	WScript.Exe
PID 4396 wrote to memory of 1236	4396	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe	WScript.Exe
PID 4396 wrote to memory of 1236	4396	b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe	WScript.Exe

C:\Users\Admin\AppData\Local\Temp\b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe
"C:\Users\Admin\AppData\Local\Temp\b7a8127390cba3c0b02c43aba68198b1e9ed74eb6713981f407e572c44d6aa4d.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4396
- \??\c:\Program Files447A5R.exe
  "c:\Program Files447A5R.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3044 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3460
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
    3⤵
    - Modifies Internet Explorer settings
    PID:3408
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files447A5R.exe

Filesize
36KB

MD5
3c65241b4a99de1f1a31d3ec4e602fea

SHA1
dfb7f0e248b975e1d25eb82012994e318a57b63e

SHA256
8a1967afaea47b7b86f5a07d0a771072d53484e26045843b43b9c047b3a41110

SHA512
a785c952c011e4453fa7d4a886e0b7856180c2124dca3802236bc7032625280a5cdf6d387fc30f5558bc189c241e7b1d50ea98096fcdb96bd060711407335c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
486B

MD5
d92b2c577e84a9ecb8cb58d9a4da5fcf

SHA1
7a992a0f45d2918c5666de1420a7f033f2905d20

SHA256
6d712e89c8e837129d4c965789b38bbdf41afac77e221f39de2d95dd5831bd17

SHA512
f8b146fac6a084876fece5d43b1168bab0c6fee340baaea730a02d7c81bc189802d41ec124ab2b06ba5f4fd7af5ed6b5d03a1fbc409f690f7a033663a6f737c3

Download Submit
\??\c:\Program Files447A5R.exe

Filesize
36KB

MD5
3c65241b4a99de1f1a31d3ec4e602fea

SHA1
dfb7f0e248b975e1d25eb82012994e318a57b63e

SHA256
8a1967afaea47b7b86f5a07d0a771072d53484e26045843b43b9c047b3a41110

SHA512
a785c952c011e4453fa7d4a886e0b7856180c2124dca3802236bc7032625280a5cdf6d387fc30f5558bc189c241e7b1d50ea98096fcdb96bd060711407335c87

Download Submit
memory/1236-139-0x0000000000000000-mapping.dmp

Download
memory/2524-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads