87107a93f0fc99ac08b89ced063c11da8fec364ed9444e38058534bfe8cc7e72

General

Target

陌兮说说批量删除.exe
Size

968KB
MD5

9b3b208c70578960c3422393fde22272
SHA1

3b3f1137430712ab06db77af3986133386ec49cb
SHA256

f05e8dd266cd881ac12c3e5c09454cd38d8e2e15519e0b8c25744893f4160444
SHA512

61933d6ac45f5337150f958d70d013bbe5309e4612deebcbc157dbde54a68618c25c00e2b4be6fe081df5530bfb88eb03bf898524e34dfb90b7a887e1bf0c09f
SSDEEP

12288:n7VDKNvwOWrljyXFKJ8xaxJNcCD+jf2Ue3yqbER5nWFpPoSBd5Dg:nxDK4tyVKexyNbR3ycXbl5Dg

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral3/memory/1796-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-69-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-71-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-73-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-79-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-77-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-75-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-85-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-83-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-81-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-87-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-89-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-91-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-93-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-95-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-97-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-98-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1796-99-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe陌兮说说批量删除.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "44"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\Total = "44"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376067614"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0e6b5321700d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb800000000020000000000106600000001000020000000d83d4c9f963a8a1d44a7cd889c383699ad18bd3c2772395ae8250fc5744e65ba000000000e8000000002000020000000c25c05a99c3ced272852bfc19a17b04133ce1b542446ef2e9fb5c4cfce04b96d200000000d87392a42ad09854cfbfeb2b4d10e4a859e016e45341bf6361cd8355c2c58304000000077157d8201f42ca16828cb138d6b981923e80d27a2665efaaa9de4eb8bc8d01a65dd0dcc5816409749949fc5c784b2fc015e075fff130c79ff1aa717866f0246	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{22B40FA1-6C0A-11ED-A15A-6A950B37D0A0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\xui.ptlogin2.qq.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\xui.ptlogin2.qq.com\ = "44"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb8000000000200000000001066000000010000200000000d9e5476948a6b8d708458011ba34df2b19ecff646a7b1f414feeeaa47aade45000000000e8000000002000020000000b20aae44d94c1a0bcfb69d68bd64d68c8f1578d6deb29340273051cd77545f7f900000003f944e9081cae60f3aff970d53c3236c618b81ded01267b0a6c6bf4949a6fa1083ae3b8d2679e2904916c396e27aad0a0560fbfc95349bae14a4ad8c2fbba3a454b62043ac14dfa878120d3ef7f0108111a33ff1861e8c6d27361fefc1bbefda21668d42a6fa71844d3e221e1bfb55ac2481fb78ca1473e7310e4ff79aeef2e809591260a873d4fc37581191583066c440000000b519053887ba7d0a40cde19657f9f811cf6007ee308f00e60ddd016e182d5fc0dabb19b8817760e9e3b26fcc44ca0ea0744803f71a19da596a4c7da1deb3a685	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	陌兮说说批量删除.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

陌兮说说批量删除.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	陌兮说说批量删除.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	陌兮说说批量删除.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	陌兮说说批量删除.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1352 iexplore.exe

pid	process
1352	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

陌兮说说批量删除.exeiexplore.exeIEXPLORE.EXE

pid	process
1796	陌兮说说批量删除.exe
1796	陌兮说说批量删除.exe
1796	陌兮说说批量删除.exe
1796	陌兮说说批量删除.exe
1796	陌兮说说批量删除.exe
1352	iexplore.exe
1352	iexplore.exe
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

陌兮说说批量删除.exeiexplore.exe

description	pid	process	target process
PID 1796 wrote to memory of 1352	1796	陌兮说说批量删除.exe	iexplore.exe
PID 1796 wrote to memory of 1352	1796	陌兮说说批量删除.exe	iexplore.exe
PID 1796 wrote to memory of 1352	1796	陌兮说说批量删除.exe	iexplore.exe
PID 1796 wrote to memory of 1352	1796	陌兮说说批量删除.exe	iexplore.exe
PID 1352 wrote to memory of 1584	1352	iexplore.exe	IEXPLORE.EXE
PID 1352 wrote to memory of 1584	1352	iexplore.exe	IEXPLORE.EXE
PID 1352 wrote to memory of 1584	1352	iexplore.exe	IEXPLORE.EXE
PID 1352 wrote to memory of 1584	1352	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\陌兮说说批量删除.exe
"C:\Users\Admin\AppData\Local\Temp\陌兮说说批量删除.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://user.qzone.qq.com/510448903/main
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1352 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
789ea482d724593374273ad1f5eb371d

SHA1
2c014d688a1859239e2cd9d772beda5c0546a8ed

SHA256
08875f8d4d1773c0025e7a41f2124ea39b7dcb1d049ecc1d2846f5ec1f604df2

SHA512
bf670eb31f143d595ce3d18bb36f045e2524f1f7d2d9103bf589b25188920082a35c99212526b4c8655a11bdd169658be0060848b744da7430020b94361ed0a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aeb2968ec79974165ca551b63bacde3d

SHA1
d0991b141fccc168cd6fe4a6ac1b19ae4af5724c

SHA256
813a0526676630c8e0cbf8dd5d8247531903a7ccff697f346a9fdccb2124b9df

SHA512
ec555d50410d4bb8bd649489ff5234cae73f9099cddc786ae8059adcaff5b1e730a6bd87c7f8e9a0098a12b23787d2f991025753c54017f28d05a4dd931ccc56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89731919ae7e030723330420f6da009d

SHA1
9d9a2137c56eec0374d9c4e44b2e8be9254a7d64

SHA256
0766acc8c9ff20f43982f2fb787b415ed37c71a59f43efa893f0b4dcf3c5bbc5

SHA512
a7fce745fe76a2eb939a3b51137297b4068ee6e8653f54f936a32dc11c610ced3e2669666fc97135b8f143966fee262a4d341d0af05732688e6bb9c3e18b4092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\mlf2v8h\imagestore.dat

Filesize
5KB

MD5
43c84b4ed8ab01db5e8cd531bde6cc21

SHA1
f7a5c0cceacfe603ff8c2b2f299e6e5c3926df02

SHA256
0f7e4bd609dc035daaf1a9cb52a360fec190b8fbe7b761374e7efbc0b5ed61a2

SHA512
4d0d1abd24f3fb2c9ce35885be7f634c619ca8aa7a94c814987c419b5cf0b5f0716e5dd79cc7c16c374e12ddcc704fbee4cc2bfb2c5f90ed9adc024f2cb4bc2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OC1CO5CD.txt

Filesize
601B

MD5
67fd905f76763b90a0073d8ff4e9c885

SHA1
b59aabfd71818ef538b600f3ef4b132815b41fba

SHA256
597440d0955a680da5e2a6b718d3d66da00c70ab31ea9c65e33644542941df6f

SHA512
1a676950207cfbf2cef8aac90fe7de38825bdf26794c9b900234acb36aad48046765ae9b14eee4f6a6ee547cdd5b04e7845bbde2a491ff01dcf6d521978547d8

Download Submit
memory/1796-75-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-87-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-69-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-71-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-73-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-79-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-77-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1796-85-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-83-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-81-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-89-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-91-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-93-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-95-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-97-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-98-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-99-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1796-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads