6afbd251b227c166e1b6c02e002fa8e23084a46367270a25b9460896da28eba7

General

Target

大飞破解版/一键启动.exe
Size

3.9MB
MD5

6f5d22c868cb66606b78926f3d0969b1
SHA1

1457dea770fa3038f76a8d161582f0ff29c7be0e
SHA256

67a8097b6b2754334e667d69e381e79f4cab5a25cd708679c58bcd50754f8de2
SHA512

6c4aad38b3cdc3741fd8e18828b90156ee1f65e9fa59d679bc84d84020d0bcf0001bc6daf413dff65272f5ca3372b024bb5945a6c2f8929a9c98f9fcba04ab29
SSDEEP

98304:NBVZB/g2p6FYskEhipqdwkLQHHhsSYt8d7+94qoa+N/:336+skCfsKSOo+93G

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000caac4dfa5f9fde378aa126d90ff8bfd4b0caa5ad93bb475144930b597421a1a2000000000e8000000002000020000000063f0ab4dabc9ef2c4e23ffd1ed435a4f54b952c6b41a66525eb45b9235cd4a32000000009f9beddacd512432f4e65eef9d549e6345cf45660f1f45274a52e6ce520458d400000000fe9cb491cb8f6505d4e793d33695440ce88c9f67913f5d0d886d71d581d8bb8ad9dc171455fd46d00723e316391c5f92e06aedc5c4ec42b09f211c378f8b64d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da000000000200000000001066000000010000200000000d90f1ae636a266dbf6e8eeb5c7d5af60e43cabec80250b6cf764d7269eb19d1000000000e800000000200002000000015a645809290d0f1a5480f847268351c6f150fd11fe8222e563b70cee6024095900000008ab2fe17d67ddadf309be517b91aa72d304314912fe4bdcd8e0b2e9b7f86d158cb5e810bd6aa500ee5c391c8ac9910d0778a822f978c5e8c09e4030263e7f6bcc86a89ccb11004da802ed280152b314c92aaef320f3cd0ef27c313c29aa4ec0dea0a430acacca6ea512ff2c023654c0211bc0607d2f36b96666e2f26b32a6eccbf9bc120c2d6dab645eadb5f5136144140000000fd83ca7c15a8b1625102f7ad9737346831d7c83e394a3c210fa06a74fcbfbd38f036ce7f05f8c842ef53a225c1e9fd45623fc6f9f2a807ae4d3caec93b520308	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376263649"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30af0c80df01d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8CB1A6F0-6DD2-11ED-8B07-42F1C931D1AB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

580 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

一键启动.exeiexplore.exeIEXPLORE.EXE

pid process

848 一键启动.exe
848 一键启动.exe
848 一键启动.exe
848 一键启动.exe
580 iexplore.exe
580 iexplore.exe
1552 IEXPLORE.EXE
1552 IEXPLORE.EXE

pid	process
580	iexplore.exe

pid	process
848	一键启动.exe
848	一键启动.exe
848	一键启动.exe
848	一键启动.exe
580	iexplore.exe
580	iexplore.exe
1552	IEXPLORE.EXE
1552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

一键启动.exeexplorer.exeiexplore.exe

description	pid	process	target process
PID 848 wrote to memory of 1308	848	一键启动.exe	explorer.exe
PID 848 wrote to memory of 1308	848	一键启动.exe	explorer.exe
PID 848 wrote to memory of 1308	848	一键启动.exe	explorer.exe
PID 848 wrote to memory of 1308	848	一键启动.exe	explorer.exe
PID 872 wrote to memory of 580	872	explorer.exe	iexplore.exe
PID 872 wrote to memory of 580	872	explorer.exe	iexplore.exe
PID 872 wrote to memory of 580	872	explorer.exe	iexplore.exe
PID 580 wrote to memory of 1552	580	iexplore.exe	IEXPLORE.EXE
PID 580 wrote to memory of 1552	580	iexplore.exe	IEXPLORE.EXE
PID 580 wrote to memory of 1552	580	iexplore.exe	IEXPLORE.EXE
PID 580 wrote to memory of 1552	580	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\大飞破解版\一键启动.exe
"C:\Users\Admin\AppData\Local\Temp\大飞破解版\一键启动.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe "http://bbs.yxlm.la/forum.php"
  2⤵
  PID:1308

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:872
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://bbs.yxlm.la/forum.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:580 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\06FSG51N.txt

Filesize
608B

MD5
220561dc45eb5f09ce504d0b56085b6d

SHA1
c6f303a46cb6ee947d85507e0b91edc5673d481c

SHA256
32e5dd9a20205eb32ba8ace37686270948af6d4eeebe7e2c363c1058733bc35d

SHA512
0008b8c29ffc54ece42d2caae673e79800229e026c7669ea854c53f8572554336660f24ce660c9a8e83debeec0432f79654971225312dc4f69540b6ff96ca890

Download Submit
memory/848-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/872-58-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1308-55-0x0000000000000000-mapping.dmp

Download
memory/1308-57-0x00000000740E1000-0x00000000740E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing