83c57af3c89d8fc5d6e1efbe5f7ef59dd64edcb9e59d9e2803874b43b60bc271

General

Target

稀饭辅助_去广告11-7.exe
Size

2.3MB
MD5

680fad43e9c2df802bcbdb3e790bc3b6
SHA1

f3b1c55e89002d8fb9c8ee70a869eef3202bb7de
SHA256

60dfe1b896737ae3afd404377b9b455572f60c67412f7603d539c8d84d30d038
SHA512

9fc3e773e22e7e79f247b15445820b8e74c4c1b30d113b455d9883f4897faed63bf24741d6496b90c0f3acd76dc49f425eb486e9b8ea9251bd9d521991370312
SSDEEP

49152:pDR0XoyeJ/VvRSNkcA5+nQuavP+V6fnyj6M4xmxMPBDpCbJHWH:p2oNV5SNkcPnmvXvX9xi+pCNH

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f04b33793200d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9557B3C1-6C25-11ED-87F1-C6AD45B766F5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af000000000200000000001066000000010000200000003b1e1855bc6fc96d2b49ee5553bb2ef6ab542906c464fcbb1780ee04409e6d1a000000000e80000000020000200000007666001325ade1a00c04a4142885f8d32f35c23e79ca7334bd5cefcf3501100d20000000976c1f4c9e07b19bfe7d5141a2df9a139205de3c1b816c05cadc03ceed36f0cd400000008f79017b9c82006f2a3ac6e3d30c400bd320d62929c4f5031fe259d03ca95da96c467021a8aafb772a09be198d72cd0cb4ea20d2c545063b22820491c51b862a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000092153768777fd43d604aad55713d1e1158112e4f213877477a4834b48934bc9f000000000e80000000020000200000008f2caae67200c8dcd7451af83578ce009160424a84224ca8593909e17b260c56900000003e7e105321f6fa0ddded9386ef63b66b7b73a346a10b830d1ff22f539dd70729f7d57bba53739cb1a402032737c02d7649f284ffae72286d6ef0ebd59ea937bc2a4248853572b34223d2919ef912ccf66e3877970b11c0019204e38609e3825a32c72ee9d4e4376efa47581fa6b2f82c82b06c5229b0f4fc2cccd6ec6d1387c9057ba2549928fc486611940035e7e1a9400000002898c3d7d2f9535246f957987ed11a4d5bf077b41c5dcdb81f958aa9deb00bd28973700cb9ebf63edc5ce5d86c01d8d102c7c845b518de151e18d9adf86d4dd1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376079408"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

稀饭辅助_去广告11-7.exe

pid	process
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1636 iexplore.exe

pid	process
1636	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

稀饭辅助_去广告11-7.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1796	稀饭辅助_去广告11-7.exe
1636	iexplore.exe
1636	iexplore.exe
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
812	IEXPLORE.EXE
812	IEXPLORE.EXE
812	IEXPLORE.EXE
812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

稀饭辅助_去广告11-7.exeiexplore.exe

description	pid	process	target process
PID 1796 wrote to memory of 1636	1796	稀饭辅助_去广告11-7.exe	iexplore.exe
PID 1796 wrote to memory of 1636	1796	稀饭辅助_去广告11-7.exe	iexplore.exe
PID 1796 wrote to memory of 1636	1796	稀饭辅助_去广告11-7.exe	iexplore.exe
PID 1796 wrote to memory of 1636	1796	稀饭辅助_去广告11-7.exe	iexplore.exe
PID 1636 wrote to memory of 1060	1636	iexplore.exe	IEXPLORE.EXE
PID 1636 wrote to memory of 1060	1636	iexplore.exe	IEXPLORE.EXE
PID 1636 wrote to memory of 1060	1636	iexplore.exe	IEXPLORE.EXE
PID 1636 wrote to memory of 1060	1636	iexplore.exe	IEXPLORE.EXE
PID 1636 wrote to memory of 812	1636	iexplore.exe	IEXPLORE.EXE
PID 1636 wrote to memory of 812	1636	iexplore.exe	IEXPLORE.EXE
PID 1636 wrote to memory of 812	1636	iexplore.exe	IEXPLORE.EXE
PID 1636 wrote to memory of 812	1636	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\稀饭辅助_去广告11-7.exe
"C:\Users\Admin\AppData\Local\Temp\稀饭辅助_去广告11-7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.qingguox.com/
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1636 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1060

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1636 CREDAT:209927 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JTBQOTJ9.txt

Filesize
608B

MD5
b0e31b3bd5184f32e917e04c83e13882

SHA1
bc306e1f1a8feffccc8dafd4656beb1d5365e579

SHA256
8ca8bff3473be434bb6ed90033cf75f9a9be1fd4f96add9d9c59f862551e723c

SHA512
f7a75b42ae9b478d42cd2c4aae4eabef7f6aab7da59658ffcc9f36a4d95c504e62f2f27c33aed4cf71150300ff05e91ffa72c5427df4844afb5d25a1290bed2f

Download Submit
memory/1796-54-0x0000000000400000-0x00000000007B5000-memory.dmp

Filesize
3.7MB

Download
memory/1796-55-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1796-56-0x0000000000400000-0x00000000007B5000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads