04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3

General

Target

04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exe
Size

28KB
MD5

4b2d2e98ea5aa01cb2ff5c4db0d9037e
SHA1

a81a5be9e1eb6cddb3d310a030f1210039f6a2e1
SHA256

04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3
SHA512

c3ed72da3f880eca02f593b2f84ca6ead73d5b4f4a688d232274e1ff60d65a369b472fc0abe728cbc1967174fc51902751a6bd951972e43fa3c3cfe9d3805b08
SSDEEP

192:rIwjyA1Y8q+7qbltEcPQd+6vJnBAtoKCrEBKvJyVHMwkrxwc3tWy:rIsx1YVrBtEcoEk9BD5RKHh8xwcQy

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\jisubianxian.com\Total = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000b0c618347145c698298bfea0e612dfb2a947c7cce230fad4d33bf60b8ee56e0a000000000e8000000002000020000000a64a546cdbff3cd15f1471990c3c99004b8a1b068dca70370e592dff2bc7296090000000af4f00f01b74d2b071666d046e8839b3134223ad865fbdcb428028d7d525608946863f99d8d7798a5f5afddc73cc44937eb2cfc7b56003c3644b7cd358aec5bd747a3dec5035f5f7f3c8e81cfd2a85407aa1b50059984741ba62fa366af99d5bc111d4d76733c769498bdeb03832106717187dd939554273d47ffa043ea964e3ebaf9c59023e8acd7fe0656528b7d870400000009d069e7afbbcc4119ea738b0e16ed8c5d333ea44e4d57cd3b8f71c3760ee732d59a3dd06e108ffe5eaf1213703fa588536292d4914b261882b53065f7c0e2885	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{01A92751-6D0E-11ED-AD72-5E7A81A7298C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\jisubianxian.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000893249f304dbcdccbed0aad18f96805efd925f4e9aa1572a7a9547105a9d42b9000000000e80000000020000200000006c41337a480a9e326da8e04689ed39b6ada530871253d74930252a16cfe62459200000007c97143d0662c7e72de96dd43c4d052463d50466318a617f65804910be2818b840000000f891e7188087f63901440e69a01cf1d7185be2d97b24002b1076deefffc0b0452881b63f90a17274da4c32ba25012daca36cf481780efa9e6ae83e8bf01ecc7a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376179219"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.jisubianxian.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0ba82dd1a01d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.jisubianxian.com\ = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\jisubianxian.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1632 iexplore.exe

pid	process
1632	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exeiexplore.exeIEXPLORE.EXE

pid	process
2016	04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exe
1632	iexplore.exe
1632	iexplore.exe
456	IEXPLORE.EXE
456	IEXPLORE.EXE
456	IEXPLORE.EXE
456	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exeexplorer.exeiexplore.exe

description	pid	process	target process
PID 2016 wrote to memory of 1168	2016	04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exe	REG.exe
PID 2016 wrote to memory of 1168	2016	04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exe	REG.exe
PID 2016 wrote to memory of 1168	2016	04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exe	REG.exe
PID 2016 wrote to memory of 1168	2016	04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exe	REG.exe
PID 2016 wrote to memory of 1168	2016	04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exe	REG.exe
PID 2016 wrote to memory of 1168	2016	04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exe	REG.exe
PID 2016 wrote to memory of 1168	2016	04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exe	REG.exe
PID 2016 wrote to memory of 2004	2016	04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exe	explorer.exe
PID 2016 wrote to memory of 2004	2016	04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exe	explorer.exe
PID 2016 wrote to memory of 2004	2016	04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exe	explorer.exe
PID 2016 wrote to memory of 2004	2016	04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exe	explorer.exe
PID 1720 wrote to memory of 1632	1720	explorer.exe	iexplore.exe
PID 1720 wrote to memory of 1632	1720	explorer.exe	iexplore.exe
PID 1720 wrote to memory of 1632	1720	explorer.exe	iexplore.exe
PID 1632 wrote to memory of 456	1632	iexplore.exe	IEXPLORE.EXE
PID 1632 wrote to memory of 456	1632	iexplore.exe	IEXPLORE.EXE
PID 1632 wrote to memory of 456	1632	iexplore.exe	IEXPLORE.EXE
PID 1632 wrote to memory of 456	1632	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exe
"C:\Users\Admin\AppData\Local\Temp\04bbcf6890157efdd46ea12f3a868c96cee426859b23826b92bd0afeb730b2a3.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\REG.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /reg:64
2⤵
PID:1168

C:\Windows\explorer.exe
C:\Windows\explorer.exe http://www.jisubianxian.com
2⤵
PID:2004

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.jisubianxian.com/
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1632 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
888bb3741adc75396b3989f09f8f59a9

SHA1
d7f32e0e2d48e1af23df2f2a7f5fab75aeeed07f

SHA256
e5e6301d8b8249a9519daf2d34698c24224066a35f2bd8e524b2bdee163df413

SHA512
169df1519c54e3c1af85ff1380ae04a6d18b2d46efcc12fba0e28ef2f0ac0820644357630c42d8e1975d67ad2096db3310202c70c8b3dfaf5e7a80bbe2ff46e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
Filesize
8KB

MD5
2058294ddd9c83ee5e0d18416d190263

SHA1
93fadfdc6b37729f8a67269f099dc7ebdd05e4c4

SHA256
1c11b320d16de15c9db9d868bc749b83df5dbe5a2242ca6757da46a7a2dfb05e

SHA512
e6f757afdd945302d599e1c7cdcbd71322739286b88404a25858ac3a2637e10fb0fb08d8a6765c5d45f4e48f9e4394a795406464187a1c29581af45662adb140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UQ130JMA.txt
Filesize
608B

MD5
80a9c118e5128a1e3175b83f98af9d90

SHA1
ef2f7c46173b5567d167d353765590a8282c0152

SHA256
98dacef4375a18b139a4b9cdcc6d194067a87525de206c331c8739dffe8d4931

SHA512
32d6d732a67b204c5cc6936bfc1a18aece1c5eff089378b2ad05d470b7c69896524598017024636bdf1ab50c824c6571f3af133ebb263eb1996a9cef4aeed31b

Download Submit
memory/1168-57-0x0000000000000000-mapping.dmp

Download
memory/2004-59-0x0000000000000000-mapping.dmp

Download
memory/2004-60-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads