82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
Size

432KB
MD5

3c60a6ea610482a9612aea96e6517c95
SHA1

7963db5687f8a51671e5a3f092f873897f90d6de
SHA256

82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b
SHA512

d48d2a0ae196eeaad2f14c629497c4751d54b8158dc5a03fa54bc2a930c8f810639df1e1b6a42e5353a571c0a643314dd3b817277ec2e5d65858123dfa620047
SSDEEP

12288:KtlYXUZbHwqM0N9JNY4DuPwnUmct4DuPrCw:KzYXUZb/M0N9JN1DnW6Dup

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe

Blocks application from running via registry modification 1 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	regedit.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
1488	xiaobat.exe

Loads dropped DLL 5 IoCs

pid	Process
896	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
896	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
1488	xiaobat.exe
1488	xiaobat.exe
1488	xiaobat.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\i\gl_3.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\srh_1.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\topbg03.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\topbg04.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\images\css\sd_1.css	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\index.htm	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\gl_3.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\topbg04.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\srh_5.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\images\funb.js	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\images\gl_1.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\images\logo.jpg	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\gl_2.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\srh_2.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\srh_5.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\Thumbs.db	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\images\srh_1.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\srh_1.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\srh_2.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\images\sd_1.css	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\images\Thumbs.db	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\images\banner.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\srh_4.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\Thumbs.db	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\srh_4.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\Internet Explore.lnk	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\srh_3.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\images\Thumbs.db	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\images\css\sd_1.css	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\images\funb.js	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\gl_4.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\topbg01.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\images\gl_1.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\images\sd_1.css	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\images\srh_1.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\xiaobat.exe	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\gl_2.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\zj_2.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\images	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\topbg02.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\topbg03.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\topbg05.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\zj_2.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\xiaobat.exe	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\gl_1.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\srh_3.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\Internet Explore.lnk	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\gl_1.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\gl_5.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\images\banner.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\images\css	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\index.htm	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File created	C:\WINDOWS\SysWOW64\i\banner.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\gl_5.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\topbg01.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\topbg02.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\banner.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\gl_4.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\i\topbg05.gif	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
File opened for modification	C:\WINDOWS\SysWOW64\images\logo.jpg	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\xiaobat.bat	xiaobat.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\jiantou.reg	cmd.exe
File opened for modification	C:\Windows\jiantou.reg	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.5qbb.com"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.5qbb.com"	reg.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	regedit.exe

Runs .reg file with regedit 3 IoCs

pid	Process
1912	regedit.exe
1416	regedit.exe
1196	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 1488	896	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe	27
PID 896 wrote to memory of 1488	896	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe	27
PID 896 wrote to memory of 1488	896	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe	27
PID 896 wrote to memory of 1488	896	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe	27
PID 896 wrote to memory of 1488	896	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe	27
PID 896 wrote to memory of 1488	896	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe	27
PID 896 wrote to memory of 1488	896	82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe	27
PID 1488 wrote to memory of 1276	1488	xiaobat.exe	30
PID 1488 wrote to memory of 1276	1488	xiaobat.exe	30
PID 1488 wrote to memory of 1276	1488	xiaobat.exe	30
PID 1488 wrote to memory of 1276	1488	xiaobat.exe	30
PID 1488 wrote to memory of 1276	1488	xiaobat.exe	30
PID 1488 wrote to memory of 1276	1488	xiaobat.exe	30
PID 1488 wrote to memory of 1276	1488	xiaobat.exe	30
PID 1276 wrote to memory of 1648	1276	cmd.exe	31
PID 1276 wrote to memory of 1648	1276	cmd.exe	31
PID 1276 wrote to memory of 1648	1276	cmd.exe	31
PID 1276 wrote to memory of 1648	1276	cmd.exe	31
PID 1276 wrote to memory of 1648	1276	cmd.exe	31
PID 1276 wrote to memory of 1648	1276	cmd.exe	31
PID 1276 wrote to memory of 1648	1276	cmd.exe	31
PID 1276 wrote to memory of 1588	1276	cmd.exe	32
PID 1276 wrote to memory of 1588	1276	cmd.exe	32
PID 1276 wrote to memory of 1588	1276	cmd.exe	32
PID 1276 wrote to memory of 1588	1276	cmd.exe	32
PID 1276 wrote to memory of 1588	1276	cmd.exe	32
PID 1276 wrote to memory of 1588	1276	cmd.exe	32
PID 1276 wrote to memory of 1588	1276	cmd.exe	32
PID 1276 wrote to memory of 1196	1276	cmd.exe	33
PID 1276 wrote to memory of 1196	1276	cmd.exe	33
PID 1276 wrote to memory of 1196	1276	cmd.exe	33
PID 1276 wrote to memory of 1196	1276	cmd.exe	33
PID 1276 wrote to memory of 1196	1276	cmd.exe	33
PID 1276 wrote to memory of 1196	1276	cmd.exe	33
PID 1276 wrote to memory of 1196	1276	cmd.exe	33
PID 1276 wrote to memory of 1092	1276	cmd.exe	34
PID 1276 wrote to memory of 1092	1276	cmd.exe	34
PID 1276 wrote to memory of 1092	1276	cmd.exe	34
PID 1276 wrote to memory of 1092	1276	cmd.exe	34
PID 1276 wrote to memory of 1092	1276	cmd.exe	34
PID 1276 wrote to memory of 1092	1276	cmd.exe	34
PID 1276 wrote to memory of 1092	1276	cmd.exe	34
PID 1276 wrote to memory of 596	1276	cmd.exe	35
PID 1276 wrote to memory of 596	1276	cmd.exe	35
PID 1276 wrote to memory of 596	1276	cmd.exe	35
PID 1276 wrote to memory of 596	1276	cmd.exe	35
PID 1276 wrote to memory of 596	1276	cmd.exe	35
PID 1276 wrote to memory of 596	1276	cmd.exe	35
PID 1276 wrote to memory of 596	1276	cmd.exe	35
PID 1276 wrote to memory of 1912	1276	cmd.exe	36
PID 1276 wrote to memory of 1912	1276	cmd.exe	36
PID 1276 wrote to memory of 1912	1276	cmd.exe	36
PID 1276 wrote to memory of 1912	1276	cmd.exe	36
PID 1276 wrote to memory of 1912	1276	cmd.exe	36
PID 1276 wrote to memory of 1912	1276	cmd.exe	36
PID 1276 wrote to memory of 1912	1276	cmd.exe	36
PID 1276 wrote to memory of 768	1276	cmd.exe	37
PID 1276 wrote to memory of 768	1276	cmd.exe	37
PID 1276 wrote to memory of 768	1276	cmd.exe	37
PID 1276 wrote to memory of 768	1276	cmd.exe	37
PID 1276 wrote to memory of 768	1276	cmd.exe	37
PID 1276 wrote to memory of 768	1276	cmd.exe	37
PID 1276 wrote to memory of 768	1276	cmd.exe	37
PID 1276 wrote to memory of 1768	1276	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe
"C:\Users\Admin\AppData\Local\Temp\82d3b3fc7e680c3fd90fce8ed8c112c79234434ab25f21cdec4b5aa797c7576b.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:896
- C:\WINDOWS\SysWOW64\xiaobat.exe
  "C:\WINDOWS\system32\xiaobat.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\WINDOWS\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\Common Files\xiaobat.bat""
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\WINDOWS\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000000 /f
      4⤵
      Disables RegEdit via registry modification
      PID:1648
  - - C:\WINDOWS\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t reg_dword /d 00000000 /f
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1588
  - - C:\WINDOWS\SysWOW64\regedit.exe
      REGEDIT /S "C:\Users\Admin\AppData\Local\Temp.\DefOpen.reg"
      4⤵
      Blocks application from running via registry modification
      Runs .reg file with regedit
      PID:1196
  - - C:\WINDOWS\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t reg_sz /d http://www.5qbb.com /f
      4⤵
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      PID:1092
  - - C:\WINDOWS\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /t reg_sz /d http://www.5qbb.com /f
      4⤵
      Modifies Internet Explorer settings
      PID:596
  - - C:\WINDOWS\SysWOW64\regedit.exe
      regedit /s C:\Windows\jiantou.reg
      4⤵
      Modifies registry class
      Runs .reg file with regedit
      PID:1912
  - - C:\WINDOWS\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t reg_dword /d 00000000 /f
      4⤵
      PID:768
  - - C:\WINDOWS\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t reg_dword /d 00000000 /f
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      PID:1768
  - - C:\WINDOWS\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t reg_dword /d 00000001 /f
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2040
  - - C:\WINDOWS\SysWOW64\msiexec.exe
      msiexec /regserver
      4⤵
      PID:1808
  - - C:\WINDOWS\SysWOW64\regedit.exe
      REGEDIT /S "C:\Users\Admin\AppData\Local\Temp.\DefOpen.reg"
      4⤵
      Runs .reg file with regedit
      PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\xiaobat.bat

Filesize
2KB

MD5
07d3d7f770715b2e3488d36968e1bae0

SHA1
f5dfe78673876e06c8d29ba406d5c575b26d36c1

SHA256
6d7a7fc20b9613f42b91b9257dfe4d9a74915970888805ab6e4010bb53b1f2f4

SHA512
86536eba4f0d40e9e5790708b641632baecd86b76b620995e4455fb660ae5399c254a4cacb66672cae0b8c8cfbb9435bc61b7f96178b76749b11fbdad722c355

Download Submit
C:\Users\Admin\AppData\Local\Temp\DefOpen.reg

Filesize
415B

MD5
0e52984faa4b02c6a481e0369b8782dd

SHA1
c8b7d131af7b144df1aeb01fc9257d5934b52272

SHA256
ebf551ab321e7d09b36c521f48249844e21bcc8937a738a495d12ece75ffc35c

SHA512
f135e7c21762773cedd44289d964675434771c805bc3f800e70b0fba427118714ad49d9fc62fdd8790bdab68be5df62f2f5c776cdbdb3c0e1531ddaf4b270051

Download Submit
C:\Users\Admin\AppData\Local\Temp\DefOpen.reg

Filesize
177B

MD5
a3b554a9d5f2c8306e57c872ec536920

SHA1
5e40765c3693ce402b5ca968840a3e73989cb5f4

SHA256
276369b87966e9a46c65601f9cee42103599806ee6ed6b36faf1863808bd9440

SHA512
22821311fd6203c450dc4846203ce23830fa3280f25f811dfea8d7e7988607415db4544807eab3c19b8feb9a5c6d42c0dda7533f0018a48e5d6f374bae6ca8e9

Download Submit
C:\WINDOWS\SysWOW64\xiaobat.exe

Filesize
392KB

MD5
23b839431305bdae0172701b42c3a6da

SHA1
2f69a246680945b0faa80acf15b5efca98261252

SHA256
41452c4368f0aa03e74fd9b8360d233662b7bd86f9c9c49e56bd833a2f5ef4b7

SHA512
e2fc5b8bc4833ba5755f2ea1e183818543bb372138c05221a68744b9da0c215ea54e65d15644e21ebe8982681ea983ae091ddc0d8af2b66918e8f280b6b6e7bf

Download Submit
C:\Windows\SysWOW64\xiaobat.exe

Filesize
392KB

MD5
23b839431305bdae0172701b42c3a6da

SHA1
2f69a246680945b0faa80acf15b5efca98261252

SHA256
41452c4368f0aa03e74fd9b8360d233662b7bd86f9c9c49e56bd833a2f5ef4b7

SHA512
e2fc5b8bc4833ba5755f2ea1e183818543bb372138c05221a68744b9da0c215ea54e65d15644e21ebe8982681ea983ae091ddc0d8af2b66918e8f280b6b6e7bf

Download Submit
C:\Windows\jiantou.reg

Filesize
129B

MD5
a2d95ae638ce4b14357c46de3e575cfa

SHA1
3f8ee00f17676d5899ee25895477cd566b544abd

SHA256
180885b4a0ddf6a090daacb6dd0078c06e9ef6903b6594df769aa35b3e547041

SHA512
1d8cbcf527f7b16d79a9eab20db0238e473bcb900f9dda4fffa73ffdc908da32591d453203c572c91c9af38ed371c07364486e299e46a5b058283385de3c0564

Download Submit
\Windows\SysWOW64\xiaobat.exe

Filesize
392KB

MD5
23b839431305bdae0172701b42c3a6da

SHA1
2f69a246680945b0faa80acf15b5efca98261252

SHA256
41452c4368f0aa03e74fd9b8360d233662b7bd86f9c9c49e56bd833a2f5ef4b7

SHA512
e2fc5b8bc4833ba5755f2ea1e183818543bb372138c05221a68744b9da0c215ea54e65d15644e21ebe8982681ea983ae091ddc0d8af2b66918e8f280b6b6e7bf

Download Submit
\Windows\SysWOW64\xiaobat.exe

Filesize
392KB

MD5
23b839431305bdae0172701b42c3a6da

SHA1
2f69a246680945b0faa80acf15b5efca98261252

SHA256
41452c4368f0aa03e74fd9b8360d233662b7bd86f9c9c49e56bd833a2f5ef4b7

SHA512
e2fc5b8bc4833ba5755f2ea1e183818543bb372138c05221a68744b9da0c215ea54e65d15644e21ebe8982681ea983ae091ddc0d8af2b66918e8f280b6b6e7bf

Download Submit
\Windows\SysWOW64\xiaobat.exe

Filesize
392KB

MD5
23b839431305bdae0172701b42c3a6da

SHA1
2f69a246680945b0faa80acf15b5efca98261252

SHA256
41452c4368f0aa03e74fd9b8360d233662b7bd86f9c9c49e56bd833a2f5ef4b7

SHA512
e2fc5b8bc4833ba5755f2ea1e183818543bb372138c05221a68744b9da0c215ea54e65d15644e21ebe8982681ea983ae091ddc0d8af2b66918e8f280b6b6e7bf

Download Submit
\Windows\SysWOW64\xiaobat.exe

Filesize
392KB

MD5
23b839431305bdae0172701b42c3a6da

SHA1
2f69a246680945b0faa80acf15b5efca98261252

SHA256
41452c4368f0aa03e74fd9b8360d233662b7bd86f9c9c49e56bd833a2f5ef4b7

SHA512
e2fc5b8bc4833ba5755f2ea1e183818543bb372138c05221a68744b9da0c215ea54e65d15644e21ebe8982681ea983ae091ddc0d8af2b66918e8f280b6b6e7bf

Download Submit
\Windows\SysWOW64\xiaobat.exe

Filesize
392KB

MD5
23b839431305bdae0172701b42c3a6da

SHA1
2f69a246680945b0faa80acf15b5efca98261252

SHA256
41452c4368f0aa03e74fd9b8360d233662b7bd86f9c9c49e56bd833a2f5ef4b7

SHA512
e2fc5b8bc4833ba5755f2ea1e183818543bb372138c05221a68744b9da0c215ea54e65d15644e21ebe8982681ea983ae091ddc0d8af2b66918e8f280b6b6e7bf

Download Submit
memory/596-77-0x0000000000000000-mapping.dmp

Download
memory/768-82-0x0000000000000000-mapping.dmp

Download
memory/896-59-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/896-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1092-75-0x0000000000000000-mapping.dmp

Download
memory/1196-72-0x0000000000000000-mapping.dmp

Download
memory/1276-65-0x0000000000000000-mapping.dmp

Download
memory/1416-90-0x0000000000000000-mapping.dmp

Download
memory/1488-57-0x0000000000000000-mapping.dmp

Download
memory/1588-70-0x0000000000000000-mapping.dmp

Download
memory/1648-68-0x0000000000000000-mapping.dmp

Download
memory/1768-84-0x0000000000000000-mapping.dmp

Download
memory/1808-88-0x0000000000000000-mapping.dmp

Download
memory/1912-79-0x0000000000000000-mapping.dmp

Download
memory/2040-86-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads