3535bd6637b428d1b0c83929c62afcdaa506549a50d730eb12009f5dd20e561e

General

Target

YYsydgnfzq/yy随缘多功能辅助器[独家原创].exe
Size

1.3MB
MD5

43bfa86cad337e7395246282b9efb999
SHA1

8d0c4c5bd952ad1454c849cd8cb474ef1ab98304
SHA256

86518bc888b624e3f00198ce3acbb0e7cda8b60f5fb8e85a5200489b4a535553
SHA512

a9a60639a9090853e09b8a695e4201db4bd635a3df348e6533c94d0957fa7fde7c07a5acc0b3641ae00ab4c8ee30c45daf893c743b247a9c4282454f3abbb8fb
SSDEEP

24576:S+HygdP0DbDfEHLpIWyJrca2igv01tc4osxj5g/nRFzJ7ZHoEI:SeyxfSLE6aDgqt5xj5SRFzv

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\dm.dll	acprotect
\Windows\SysWOW64\dm.dll	acprotect
\Windows\SysWOW64\dm.dll	acprotect

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1728-55-0x0000000000400000-0x000000000064E000-memory.dmp	upx
C:\Windows\SysWOW64\dm.dll	upx
\Windows\SysWOW64\dm.dll	upx
\Windows\SysWOW64\dm.dll	upx
behavioral1/memory/1728-63-0x0000000010000000-0x00000000101AB000-memory.dmp	upx
behavioral1/memory/1728-64-0x0000000000400000-0x000000000064E000-memory.dmp	upx
behavioral1/memory/1728-67-0x0000000010000000-0x00000000101AB000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeyy随缘多功能辅助器[独家原创].exe

pid process

1652 regsvr32.exe
1728 yy随缘多功能辅助器[独家原创].exe
Drops file in System32 directory 1 IoCs

Processes:

yy随缘多功能辅助器[独家原创].exe

description ioc process

File created C:\Windows\SysWOW64\dm.dll yy随缘多功能辅助器[独家原创].exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1652	regsvr32.exe
1728	yy随缘多功能辅助器[独家原创].exe

description	ioc	process
File created	C:\Windows\SysWOW64\dm.dll	yy随缘多功能辅助器[独家原创].exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376221394"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{332941E1-6D70-11ED-8965-5263E908E3CD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da0000000002000000000010660000000100002000000069b403949243abdd548aac120f637a6c1a4612adcd79507cdf2c903c4bb24d5c000000000e8000000002000020000000e59812182d847d16921d747bcd11f84d1540e9ef0aed4219906ffd2de2bb98ab2000000031ef472b1d7a832218b36a236d9358e417d3dcb2717bcb07a2633cd8b758476e400000003e29b9c6095eab2aa25df9afcddddfbcad2f32b427b3116fc87da2c565e223821b485d76a8df59c670b26002e33c0c9e9d929c38250a75614f505a49a4971923	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da000000000200000000001066000000010000200000009489d8785bcb7b2e67a84f090df63520ac8fdfb8413085a8aad16d5e8c8c1354000000000e80000000020000200000003de976cd81690b0210313c34f9ee364502d29c47cc8be0b98b4c36be7c15c1319000000088897c6bc9456db08407c26e478abfd81c7d892fcceefbfc972bf721fd9a2dc94adcd4134f4a60c92e9750068d27dafedefecd9c335dea959ed61f8875ce93bc9d41a5099e692ab09487b151c23aff5e07a74db1338387f98e560bb640130df0b414d6bd5c8fa9b819f6ae4ec9efee764ab970b56726af2c95f865e715fb5360bfab3506fa44354a4975387e94aa428d40000000db4a5e7708ba1a56287004e146bcb15ea81d4f9cac630f67279d4e5c61238a08bd59fbdaf33ab58ffb204ede7fb856b043135bb0b1902618b9ef49da9feaee1d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 709b9e107d01d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies registry class 37 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\dm.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Windows\\SysWow64\\dm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft"	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

yy随缘多功能辅助器[独家原创].exeiexplore.exe

pid process

1728 yy随缘多功能辅助器[独家原创].exe
664 iexplore.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

yy随缘多功能辅助器[独家原创].exe

pid process

1728 yy随缘多功能辅助器[独家原创].exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

yy随缘多功能辅助器[独家原创].exeiexplore.exeIEXPLORE.EXE

pid	process
1728	yy随缘多功能辅助器[独家原创].exe
1728	yy随缘多功能辅助器[独家原创].exe
1728	yy随缘多功能辅助器[独家原创].exe
664	iexplore.exe
664	iexplore.exe
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

yy随缘多功能辅助器[独家原创].exeiexplore.exe

description	pid	process	target process
PID 1728 wrote to memory of 664	1728	yy随缘多功能辅助器[独家原创].exe	iexplore.exe
PID 1728 wrote to memory of 664	1728	yy随缘多功能辅助器[独家原创].exe	iexplore.exe
PID 1728 wrote to memory of 664	1728	yy随缘多功能辅助器[独家原创].exe	iexplore.exe
PID 1728 wrote to memory of 664	1728	yy随缘多功能辅助器[独家原创].exe	iexplore.exe
PID 1728 wrote to memory of 1292	1728	yy随缘多功能辅助器[独家原创].exe	regsvr32.exe
PID 1728 wrote to memory of 1292	1728	yy随缘多功能辅助器[独家原创].exe	regsvr32.exe
PID 1728 wrote to memory of 1292	1728	yy随缘多功能辅助器[独家原创].exe	regsvr32.exe
PID 1728 wrote to memory of 1292	1728	yy随缘多功能辅助器[独家原创].exe	regsvr32.exe
PID 1728 wrote to memory of 1292	1728	yy随缘多功能辅助器[独家原创].exe	regsvr32.exe
PID 1728 wrote to memory of 1292	1728	yy随缘多功能辅助器[独家原创].exe	regsvr32.exe
PID 1728 wrote to memory of 1292	1728	yy随缘多功能辅助器[独家原创].exe	regsvr32.exe
PID 1728 wrote to memory of 1652	1728	yy随缘多功能辅助器[独家原创].exe	regsvr32.exe
PID 1728 wrote to memory of 1652	1728	yy随缘多功能辅助器[独家原创].exe	regsvr32.exe
PID 1728 wrote to memory of 1652	1728	yy随缘多功能辅助器[独家原创].exe	regsvr32.exe
PID 1728 wrote to memory of 1652	1728	yy随缘多功能辅助器[独家原创].exe	regsvr32.exe
PID 1728 wrote to memory of 1652	1728	yy随缘多功能辅助器[独家原创].exe	regsvr32.exe
PID 1728 wrote to memory of 1652	1728	yy随缘多功能辅助器[独家原创].exe	regsvr32.exe
PID 1728 wrote to memory of 1652	1728	yy随缘多功能辅助器[独家原创].exe	regsvr32.exe
PID 664 wrote to memory of 1568	664	iexplore.exe	IEXPLORE.EXE
PID 664 wrote to memory of 1568	664	iexplore.exe	IEXPLORE.EXE
PID 664 wrote to memory of 1568	664	iexplore.exe	IEXPLORE.EXE
PID 664 wrote to memory of 1568	664	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\YYsydgnfzq\yy随缘多功能辅助器[独家原创].exe
"C:\Users\Admin\AppData\Local\Temp\YYsydgnfzq\yy随缘多功能辅助器[独家原创].exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.yysyuan.com/
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:664

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:664 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /u /s dm.dll
2⤵
PID:1292

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\System32\dm.dll
2⤵
- Loads dropped DLL
- Modifies registry class
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a7a3f3ec3a42b4476c6661745783f9b1

SHA1
cfa16c6ef9dadd808a97b169ac60d1b8ca07ddbc

SHA256
ae78ea97f9ac51a947798adc0a1243b696e81648bcea6c592b693aa79cd4aa4d

SHA512
4cacc8101c3c70f5a52e2559205bd0f7c533e4b21070696d06f3cab0b8f6449205ba83527b055002dc0038c6f2cb1333d790df5790c7b991fada2a0a80957c98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a7a3f3ec3a42b4476c6661745783f9b1

SHA1
cfa16c6ef9dadd808a97b169ac60d1b8ca07ddbc

SHA256
ae78ea97f9ac51a947798adc0a1243b696e81648bcea6c592b693aa79cd4aa4d

SHA512
4cacc8101c3c70f5a52e2559205bd0f7c533e4b21070696d06f3cab0b8f6449205ba83527b055002dc0038c6f2cb1333d790df5790c7b991fada2a0a80957c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat
Filesize
9KB

MD5
dcc4cfbee061d95691210517be9ef2e5

SHA1
7bae603bb9d8c38c1d097d162f504b7e3e6c8892

SHA256
bea921d2a580d9ce30f29049e609a1cc2bf79a6c2c820f7e565521d56c7fc17f

SHA512
edbc754024fa8287aef2d3a20991ac7d47983ae6ca4e5ae44f5acc7e0f8cf8c9b48b730da8a3b38806ffa58a796c158e32411512e422bc535acb42fb778f8c31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Z2KJXHM7.txt
Filesize
601B

MD5
73cf791e6617ea3b85b5c8b5529fe139

SHA1
f5fe40473a0639c736a1fd0057016b5a0adc94c2

SHA256
51ef5613793ff9abe4180936c02e84409a3625182b91d15a441412aa8742e15e

SHA512
20b0c4129dad5fb60fd891cd6efc5ed4df3c416c4c91eaa3a3046a2b3d1d65e04ccbbad9a1b54fac94cad7c6350b98c18d18c10dad11516a00ae5689e8ba08ea

Download Submit
C:\Windows\SysWOW64\dm.dll
Filesize
831KB

MD5
036b1cd5a746f04738aeac8e20bcb55a

SHA1
a2738d3941ee3b878da3944e2500a6a8b0efa761

SHA256
ddf9f7a982ef81e44c170b73dba7439dc8635e835432829a76ef20271e362072

SHA512
55ce58ec38cf947d91753344c0a6ac6f0b30e71a76c1573bea108306fc7f1a6310bfb4bdc9a7371b11c1f3fb8595c6a3d114d1c00e1134670678501cd172718a

Download Submit
\Windows\SysWOW64\dm.dll
Filesize
831KB

MD5
036b1cd5a746f04738aeac8e20bcb55a

SHA1
a2738d3941ee3b878da3944e2500a6a8b0efa761

SHA256
ddf9f7a982ef81e44c170b73dba7439dc8635e835432829a76ef20271e362072

SHA512
55ce58ec38cf947d91753344c0a6ac6f0b30e71a76c1573bea108306fc7f1a6310bfb4bdc9a7371b11c1f3fb8595c6a3d114d1c00e1134670678501cd172718a

Download Submit
\Windows\SysWOW64\dm.dll
Filesize
831KB

MD5
036b1cd5a746f04738aeac8e20bcb55a

SHA1
a2738d3941ee3b878da3944e2500a6a8b0efa761

SHA256
ddf9f7a982ef81e44c170b73dba7439dc8635e835432829a76ef20271e362072

SHA512
55ce58ec38cf947d91753344c0a6ac6f0b30e71a76c1573bea108306fc7f1a6310bfb4bdc9a7371b11c1f3fb8595c6a3d114d1c00e1134670678501cd172718a

Download Submit
memory/1292-56-0x0000000000000000-mapping.dmp

Download
memory/1652-58-0x0000000000000000-mapping.dmp

Download
memory/1728-63-0x0000000010000000-0x00000000101AB000-memory.dmp

Filesize
1.7MB

Download
memory/1728-64-0x0000000000400000-0x000000000064E000-memory.dmp

Filesize
2.3MB

Download
memory/1728-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1728-67-0x0000000010000000-0x00000000101AB000-memory.dmp

Filesize
1.7MB

Download
memory/1728-55-0x0000000000400000-0x000000000064E000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads