53f3ec84c576030aa0ae3b2c25c5999e8efa5fd924ec4a2d09c3368a12b82f92

Analysis

max time kernel
297s
max time network
401s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zonesszanpinglun-v1.0/QQ空间秒赞秒评论（秒赞贴吧）.exe
Size

1.6MB
MD5

f29d9bca9f069a84076593270496e3a1
SHA1

a6f907bd2dfdd4ab81f9ebe3cb070c5430ed8632
SHA256

d30c3cf612a35cf8bd52582f006afb580ebdad17c648a09b54cf6bbb2fd6ee57
SHA512

4915962d2ead9bf33433d778b34abd2ccad4367d8adf191ec0d9e7551bfc8fa5d0e50d60fee4fa1feef8e3bff3d9c3c285e3d7513743afed1221fd3f9c8c7dbf
SSDEEP

24576:B6m4SE6FSbxSDQxlTZaqdiXSp0c02uFG6dAk3CMbES:BXEJAAlTZaqdwk0c05HGibN

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1940-55-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "3719"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "23073"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "31031"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "35068"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "7133"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "10547"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "19659"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "82"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "153"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "196"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376201781"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "82"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "293"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "15115"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "258"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "293"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "9417"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "35068"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "196"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "1459"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "31133"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "31186"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "275"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "8287"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "18529"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "24203"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25357"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "32808"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "33938"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "4849"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "12831"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "19659"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "24203"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8287"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "180"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6003"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "6003"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "7133"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "12831"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "31067"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "31186"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "31654"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "7133"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "13961"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "31031"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "37352"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1940	QQ空间秒赞秒评论（秒赞贴吧）.exe
844	iexplore.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1940	QQ空间秒赞秒评论（秒赞贴吧）.exe
1940	QQ空间秒赞秒评论（秒赞贴吧）.exe
1940	QQ空间秒赞秒评论（秒赞贴吧）.exe
1940	QQ空间秒赞秒评论（秒赞贴吧）.exe
1940	QQ空间秒赞秒评论（秒赞贴吧）.exe
844	iexplore.exe
844	iexplore.exe
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
1940	QQ空间秒赞秒评论（秒赞贴吧）.exe
1940	QQ空间秒赞秒评论（秒赞贴吧）.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 844	1940	QQ空间秒赞秒评论（秒赞贴吧）.exe	30
PID 1940 wrote to memory of 844	1940	QQ空间秒赞秒评论（秒赞贴吧）.exe	30
PID 1940 wrote to memory of 844	1940	QQ空间秒赞秒评论（秒赞贴吧）.exe	30
PID 1940 wrote to memory of 844	1940	QQ空间秒赞秒评论（秒赞贴吧）.exe	30
PID 844 wrote to memory of 2020	844	iexplore.exe	31
PID 844 wrote to memory of 2020	844	iexplore.exe	31
PID 844 wrote to memory of 2020	844	iexplore.exe	31
PID 844 wrote to memory of 2020	844	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\zonesszanpinglun-v1.0\QQ空间秒赞秒评论（秒赞贴吧）.exe
"C:\Users\Admin\AppData\Local\Temp\zonesszanpinglun-v1.0\QQ空间秒赞秒评论（秒赞贴吧）.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.2345.com/?k520000000000
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:844 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3042bde809910967ac2bd5ad5164d97a

SHA1
c216b67ba51db8b27dc8625096630febc8558e8c

SHA256
bcc46290cf1b4e92eee6f54ee5d59b3ed460b27370bac5d6405badc55b5079dd

SHA512
2cb968abfb363358cfdfd49b2b05a48aeba0ab4ca3f2e128904baa54c9f5700c78d2e2d4a2087c29945cda8babe7b83cf453b62e8aa8572fe1a21aa49bf2f465

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4dae50322026e10df9fc8cca40b94834

SHA1
be1aa057d97b0826b4f54def671bf4aebbe9abf2

SHA256
61d531dffb8856c5b34e7301000371f5f1b1b57875d363a28ee562906e17696e

SHA512
08a5ef5025b93b72f9f4710ee8b13b95955fa0bd446ce70e2196cc4bf4e7e05f4bc34e07639b9c3dc6c5be3720b267c20434b9b706f5232a4fc4075ae0bb1a5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\83XC4OG2.txt

Filesize
608B

MD5
628ee8cfb8a1fb700dac13ddd3281d40

SHA1
4b0f151eb7c18e950dd30461402c7a29e1ce1d2a

SHA256
33de9fc4eaedee6bf3f3d61ced7c58c8fd5e3249699fd562f23a0d4860e6957f

SHA512
13d34168de822ae9a68d36adec819b4f5c4ff81fbf7bac16d9fbe7fc4d01c7fbe827977ed269a38d8031db956afa5462148074d0f2509087e5d9c115d4adb578

Download Submit
memory/1940-54-0x0000000076D71000-0x0000000076D73000-memory.dmp

Filesize
8KB

Download
memory/1940-55-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download