bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7

Analysis

max time kernel
98s
max time network
140s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
Size

622KB
MD5

c1cabb2e37a93e1b52741e4db2a42867
SHA1

e0323afd4cbf5a07b455c296e1864fe540b66a52
SHA256

bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7
SHA512

d64055c8c1876a33e9151c131638905c8e0a27fd80268022dc491dacbb86b95f0b8df41642a2703fa8151c0018836df2e18b439a65a6281caebee3e6f5bc253a
SSDEEP

12288:D5O2a583b9SeSuKqkOhF/kD+mne9yi35hRySuaKN3atO6XchbtFJJHvzLZyW0:DI3eL7SuxFkajoKRyVNKt7XGx7LZf0

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1208	filmtvdy.exe.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	cmd.exe
2040	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in System32 directory 55 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zq.ico	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\Internet ExpIorer.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\taobao.url	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\zq.ico	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\免费电影.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\yx.url	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\systemkj.vbs	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\taobao.url	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\激情爽片.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\zq.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\FilmTVkk.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\hosok.bat	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\ss.reg	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\systemkj.vbs	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\taobao.ico	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\taobao.ico	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\Internet ExpIorer.url	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\ico.ico	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\ss.reg	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\淘宝购物.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\腾讯QQ.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\yx.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\yx.url	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\FilmTVkk.ico	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\kuaijie.bat	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\sp.url	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\zq.url	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\淘宝购物.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\yx.ico	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\Internet ExpIorer.url	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\FilmTVkk.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\qq.ico	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\systemok.vbs	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\腾讯QQ.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_7080027	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\ico.ico	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\mm.ico	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\mm.ico	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\zq.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\sy.reg	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\filmtvdy.exe.exe	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\yx.ico	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\zq.url	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\yx.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\hosok.bat	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\qq.ico	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\FilmTVkk.ico	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\sp.url	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\sy.reg	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\systemok.vbs	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\Internet ExpIorer.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\filmtvdy.exe.exe	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\kuaijie.bat	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File created	C:\Windows\SysWOW64\激情爽片.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
File opened for modification	C:\Windows\SysWOW64\免费电影.lnk	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	filmtvdy.exe.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ebc86bcc18fa0b4083ac8fba140bdb640000000002000000000010660000000100002000000037f8174c6e07aa01e2184a911afb4544d53a73c6df7792f6a4da40c8fdbd4b36000000000e8000000002000020000000a69c5162cd1c1f22b727a5741dce3e4947324e4b31317539a83404f046bc9b4090000000fc3f158b7e3867c008eaaa98b0f59e71c24bd8f20760b5d3a47ecd859b8cef5346604b75257c1cb706ab94e1604a29c8ea4ee4a123597eb737c79d07b89ed274e3ace2c80595e11d8650682d6abaa23ff79bc983f7393cdc45c70205cd70814e4b8befe3b2d07da3168b32a447b93c2ede5dff47b9f5cac25981401bf1535408b163952b67b58e075b9977a8f26da69740000000d4c2779235a3943750b3adcc5e13fb6b17b821a7820becadd14f953a8f72ee8e0021328750fb2b5aa24f0c4cd5152d74eebcce137138b3d2c3fd0edd947a3c5a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377041002"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ebc86bcc18fa0b4083ac8fba140bdb64000000000200000000001066000000010000200000000a305edf9427bfb2a14d50716a35e177b4bbe167c8890a86f702510bde1b4d96000000000e80000000020000200000009079690b79ad410fdcf86db33bd943757e2080985c2ea0d13896afc535881681200000000890c8492e7b3109ecf9f073d5edb16be8429ece5db5648a52f0e9e4086eb1a84000000086fcd2ca63d4558001e33609de46fde817cba87345a94d39e069f1bd18d7ea4bc0de026be5b9b0ccdb8120bb7cce799d1a4300a81323489cebf9d7a8f616d3d8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{802D9D81-74E4-11ED-99B1-EA25B6F29539} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 205ef769f108d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.7802.com/"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
396	regedit.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2008	rundll32.exe
Token: SeRestorePrivilege	2008	rundll32.exe
Token: SeRestorePrivilege	2008	rundll32.exe
Token: SeRestorePrivilege	2008	rundll32.exe
Token: SeRestorePrivilege	2008	rundll32.exe
Token: SeRestorePrivilege	2008	rundll32.exe
Token: SeRestorePrivilege	2008	rundll32.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1208	filmtvdy.exe.exe
1208	filmtvdy.exe.exe
1208	filmtvdy.exe.exe
1208	filmtvdy.exe.exe
1208	filmtvdy.exe.exe
1368	iexplore.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1208	filmtvdy.exe.exe
1208	filmtvdy.exe.exe
1208	filmtvdy.exe.exe
1208	filmtvdy.exe.exe
1208	filmtvdy.exe.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1208	filmtvdy.exe.exe
1208	filmtvdy.exe.exe
1368	iexplore.exe
1368	iexplore.exe
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1664	1688	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe	27
PID 1688 wrote to memory of 1664	1688	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe	27
PID 1688 wrote to memory of 1664	1688	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe	27
PID 1688 wrote to memory of 1664	1688	bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe	27
PID 1664 wrote to memory of 2040	1664	WScript.exe	28
PID 1664 wrote to memory of 2040	1664	WScript.exe	28
PID 1664 wrote to memory of 2040	1664	WScript.exe	28
PID 1664 wrote to memory of 2040	1664	WScript.exe	28
PID 2040 wrote to memory of 2036	2040	cmd.exe	30
PID 2040 wrote to memory of 2036	2040	cmd.exe	30
PID 2040 wrote to memory of 2036	2040	cmd.exe	30
PID 2040 wrote to memory of 2036	2040	cmd.exe	30
PID 2040 wrote to memory of 1052	2040	cmd.exe	31
PID 2040 wrote to memory of 1052	2040	cmd.exe	31
PID 2040 wrote to memory of 1052	2040	cmd.exe	31
PID 2040 wrote to memory of 1052	2040	cmd.exe	31
PID 2040 wrote to memory of 2008	2040	cmd.exe	32
PID 2040 wrote to memory of 2008	2040	cmd.exe	32
PID 2040 wrote to memory of 2008	2040	cmd.exe	32
PID 2040 wrote to memory of 2008	2040	cmd.exe	32
PID 2040 wrote to memory of 2008	2040	cmd.exe	32
PID 2040 wrote to memory of 2008	2040	cmd.exe	32
PID 2040 wrote to memory of 2008	2040	cmd.exe	32
PID 2008 wrote to memory of 1232	2008	rundll32.exe	33
PID 2008 wrote to memory of 1232	2008	rundll32.exe	33
PID 2008 wrote to memory of 1232	2008	rundll32.exe	33
PID 2008 wrote to memory of 1232	2008	rundll32.exe	33
PID 1232 wrote to memory of 580	1232	runonce.exe	34
PID 1232 wrote to memory of 580	1232	runonce.exe	34
PID 1232 wrote to memory of 580	1232	runonce.exe	34
PID 1232 wrote to memory of 580	1232	runonce.exe	34
PID 2040 wrote to memory of 396	2040	cmd.exe	36
PID 2040 wrote to memory of 396	2040	cmd.exe	36
PID 2040 wrote to memory of 396	2040	cmd.exe	36
PID 2040 wrote to memory of 396	2040	cmd.exe	36
PID 2040 wrote to memory of 1368	2040	cmd.exe	37
PID 2040 wrote to memory of 1368	2040	cmd.exe	37
PID 2040 wrote to memory of 1368	2040	cmd.exe	37
PID 2040 wrote to memory of 1368	2040	cmd.exe	37
PID 2040 wrote to memory of 1208	2040	cmd.exe	38
PID 2040 wrote to memory of 1208	2040	cmd.exe	38
PID 2040 wrote to memory of 1208	2040	cmd.exe	38
PID 2040 wrote to memory of 1208	2040	cmd.exe	38
PID 2040 wrote to memory of 1676	2040	cmd.exe	39
PID 2040 wrote to memory of 1676	2040	cmd.exe	39
PID 2040 wrote to memory of 1676	2040	cmd.exe	39
PID 2040 wrote to memory of 1676	2040	cmd.exe	39
PID 2040 wrote to memory of 1428	2040	cmd.exe	40
PID 2040 wrote to memory of 1428	2040	cmd.exe	40
PID 2040 wrote to memory of 1428	2040	cmd.exe	40
PID 2040 wrote to memory of 1428	2040	cmd.exe	40
PID 1368 wrote to memory of 1980	1368	iexplore.exe	42
PID 1368 wrote to memory of 1980	1368	iexplore.exe	42
PID 1368 wrote to memory of 1980	1368	iexplore.exe	42
PID 1368 wrote to memory of 1980	1368	iexplore.exe	42

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1676	attrib.exe
1428	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe
"C:\Users\Admin\AppData\Local\Temp\bc0462735776c401e0998d4c595a5dd7fa740ade386f0eb28d36901febc2cdf7.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\system32\systemok.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\WINDOWS\system32\hosok.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\reg.exe
      Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\reg.exe
      Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\rundll32.exe
      RUNDLL32 SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\TmpInf.inf
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2008
    - - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:1232
      - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:580
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s sy.reg
      4⤵
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Runs .reg file with regedit
      PID:396
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.7802.com/index1.html
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1368 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1980
  - - C:\Windows\SysWOW64\filmtvdy.exe.exe
      filmtvdy.exe.exe
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1208
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\╫└├µ\*.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:1676
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk" +R +S
      4⤵
      Views/modifies file attributes
      PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TmpInf.inf

Filesize
58B

MD5
ef482bb78b8fff6cf20ec2ff9a677a93

SHA1
7613c5c62b89e63dc686c0f4007c4a77a4a77335

SHA256
7fc3b374408af4dac1e4c39fc1218c98cb692241fd2a753ed169627e70f1536d

SHA512
b4f00ef86cf8fa09517eb09d16d448d45363b87973fe346b3b6b6e9c3c41e087ede8c1a9aa0934fc1abd4d0fb01b853ec501c3bca5483a539c8d28607fd45166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d44a4dd5b83128dce46c7114f4db5eab

SHA1
bf333c8ffc19e3a135a88936d719fe8318a5ff83

SHA256
41b6f1caad71b91d3b59f09d50b06be04ab61d5b44628fb15920720df4dc291d

SHA512
45b53a55da19c18ef9ba439b7865cc8ed8411094a0bc107abdcc9937fd0703e09524988f8ffc1829b0c5b243c579db33d930694eb05bbbadd5ba37aacf3494a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\876132G0.txt

Filesize
608B

MD5
2ba8ec742897ac0913ff9929b4e2a8af

SHA1
815539dd9602427685631f9e6362ddeaf8ae1cc8

SHA256
7888a6a662e4ddc19fd9bee6ed274c23b3cec5df0058ff06dd4ac30ccb38992b

SHA512
680a208b848782c115a8a80f91138c8e7f6dd72e1929353de95789117af873d255f619b4c92a306222ff3dd705d14944471afa8f47904bef2a3a47a258232da1

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\┐ß╬╥═°┬τ╡τ╩╙.lnk

Filesize
750B

MD5
b9f15477397d9f3ae25c17e4b2dd3cee

SHA1
6e3fd0d8bae6f821050f41bda9f8cb875085e311

SHA256
b17d6cda34f2a70222343052d6191d38a93dc2341b84592c9051272ebb8da89d

SHA512
bb4231db0aa11c48d51e709d565636c02f324c19d1a5fa88c62f3c700deb4bfff78f3a4c3d7351734476a2c9631157e9fee66cf573fc5e68cfacd7c154c44f94

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Explorrer Σ»└└╞≈.lnk

Filesize
825B

MD5
2f64577dbeb2275e301096c25180a7b6

SHA1
d703e4a8bb1e7a6a317640652686c385e99edc9d

SHA256
9f254befa16579f526e7d1343a7c5818b9a428ba0bea31f669b5ed09159912da

SHA512
2f203ba67016de5c5cc686a4f6d9f2ce6c2f8f3d0aa2427c9e890345f5497322a4c161a312a233be0a9a0c2e3880679be2d30498a760108eeb8050ccae95af40

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╨í╙╬╧╖.lnk

Filesize
1KB

MD5
fb9855d026204d0942d4f78aa62c6372

SHA1
a2d1b75036866d486578a54383aa05102be677fe

SHA256
fc0670a3787a9a07e3bbb08397ee5212ee26f58d9ebd4a34928861014e6b0c1f

SHA512
ab4e9869c866f5e3b778c57f7331809fd0b6e78aa180e4d9229c67c813dfd1628e9dc02016a47dc56d4d99d3cb81f51bfbcbe191cb0f84acb14a8792c25597dc

Download Submit
C:\WINDOWS\SysWOW64\hosok.bat

Filesize
3KB

MD5
149a41054f981207166cd66b3c641bbb

SHA1
b0e4a78ca1c52b1eff082673a5f02e9c3d85670e

SHA256
76c45084389de35324e588734b5728e7990dd059393a802a9287abeae193a874

SHA512
e1f33651d19d41683d99bad4aeb653b20917aae2869670f9e24354840cb1ae6881204c2ce1ce3a36ba7a1afd125a8c2caf6d025a3e70c0d2e18dc497c86f66e7

Download Submit
C:\Windows\SysWOW64\FilmTVkk.lnk

Filesize
750B

MD5
b9f15477397d9f3ae25c17e4b2dd3cee

SHA1
6e3fd0d8bae6f821050f41bda9f8cb875085e311

SHA256
b17d6cda34f2a70222343052d6191d38a93dc2341b84592c9051272ebb8da89d

SHA512
bb4231db0aa11c48d51e709d565636c02f324c19d1a5fa88c62f3c700deb4bfff78f3a4c3d7351734476a2c9631157e9fee66cf573fc5e68cfacd7c154c44f94

Download Submit
C:\Windows\SysWOW64\Internet ExpIorer.lnk

Filesize
825B

MD5
2f64577dbeb2275e301096c25180a7b6

SHA1
d703e4a8bb1e7a6a317640652686c385e99edc9d

SHA256
9f254befa16579f526e7d1343a7c5818b9a428ba0bea31f669b5ed09159912da

SHA512
2f203ba67016de5c5cc686a4f6d9f2ce6c2f8f3d0aa2427c9e890345f5497322a4c161a312a233be0a9a0c2e3880679be2d30498a760108eeb8050ccae95af40

Download Submit
C:\Windows\SysWOW64\filmtvdy.exe.exe

Filesize
1.1MB

MD5
61ff06afacdddff1693edb20bf75af9a

SHA1
1760aa47666f051c1688b0f973cfc578381e0a1d

SHA256
1ab04818fa81b13c12ada62eb2dc9bb3e8d87b45a23109411d4e5e04b6b29324

SHA512
a25df9cd9f48e7545ebb095702517aa1bfe8355c0fc25845d5c1e68e284fcc7b505979eedcb92cf318368327f12ddfb2fc2d408f7c68531dd9c0ab81033666d7

Download Submit
C:\Windows\SysWOW64\filmtvdy.exe.exe

Filesize
1.1MB

MD5
61ff06afacdddff1693edb20bf75af9a

SHA1
1760aa47666f051c1688b0f973cfc578381e0a1d

SHA256
1ab04818fa81b13c12ada62eb2dc9bb3e8d87b45a23109411d4e5e04b6b29324

SHA512
a25df9cd9f48e7545ebb095702517aa1bfe8355c0fc25845d5c1e68e284fcc7b505979eedcb92cf318368327f12ddfb2fc2d408f7c68531dd9c0ab81033666d7

Download Submit
C:\Windows\SysWOW64\sy.reg

Filesize
136B

MD5
fd42ca99744ac43b0b142086e086a10f

SHA1
364cec2b17c4432c051cbe8a13e58fd601755d66

SHA256
5a82dcac1ae4fafc2c80ac355cb806cbd5d41cab252e156d25d7304bec12fd79

SHA512
e78de61feb7c46307e2485aba97665cb75b819f8958b17894ea4270090939534e2f3e1355dcfa975d642b62616c553735c134a8dd73d322237e06acaaef14827

Download Submit
C:\Windows\SysWOW64\systemok.vbs

Filesize
67B

MD5
f03e7702a11c470021bcddc98a64b383

SHA1
694e8b23752071e2892cf881b41627cb5db67517

SHA256
cdcbdd321373c5897e3d8d14ba5604ae53c259f06de4f65cd6953339838a19f8

SHA512
357be3b87ac7576fd2f7a72d3ee911104b8cfb6cf709ce11b8e02043b9e10349247731e7abeac3a9d10d20d31fe0632cb67cdca5fe6e1aa397b76436a5b886a2

Download Submit
C:\Windows\SysWOW64\yx.lnk

Filesize
1KB

MD5
fb9855d026204d0942d4f78aa62c6372

SHA1
a2d1b75036866d486578a54383aa05102be677fe

SHA256
fc0670a3787a9a07e3bbb08397ee5212ee26f58d9ebd4a34928861014e6b0c1f

SHA512
ab4e9869c866f5e3b778c57f7331809fd0b6e78aa180e4d9229c67c813dfd1628e9dc02016a47dc56d4d99d3cb81f51bfbcbe191cb0f84acb14a8792c25597dc

Download Submit
C:\Windows\SysWOW64\zq.lnk

Filesize
1KB

MD5
1994ec6880ae00688c6486af5ba1b795

SHA1
4708a94bb94548ce069281956fca9175fcee8b2b

SHA256
598c410101300bf7c331e03e271f3640ec76a6e7bb1df656d0a562ea1225213a

SHA512
71302662e3a0723563fd0b11eac536059c2e32b28d40484848beae000f46897d0f34e0f5214a44891d3bd50d2c5fdb836fe303a2f443742616f7fb6d37dec9d1

Download Submit
\Windows\SysWOW64\filmtvdy.exe.exe

Filesize
1.1MB

MD5
61ff06afacdddff1693edb20bf75af9a

SHA1
1760aa47666f051c1688b0f973cfc578381e0a1d

SHA256
1ab04818fa81b13c12ada62eb2dc9bb3e8d87b45a23109411d4e5e04b6b29324

SHA512
a25df9cd9f48e7545ebb095702517aa1bfe8355c0fc25845d5c1e68e284fcc7b505979eedcb92cf318368327f12ddfb2fc2d408f7c68531dd9c0ab81033666d7

Download Submit
\Windows\SysWOW64\filmtvdy.exe.exe

Filesize
1.1MB

MD5
61ff06afacdddff1693edb20bf75af9a

SHA1
1760aa47666f051c1688b0f973cfc578381e0a1d

SHA256
1ab04818fa81b13c12ada62eb2dc9bb3e8d87b45a23109411d4e5e04b6b29324

SHA512
a25df9cd9f48e7545ebb095702517aa1bfe8355c0fc25845d5c1e68e284fcc7b505979eedcb92cf318368327f12ddfb2fc2d408f7c68531dd9c0ab81033666d7

Download Submit
memory/1688-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads