a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7

Analysis

max time kernel
149s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 01:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Size

20KB
MD5

0db9bf4df357b08dc64ba90ec3a6f02d
SHA1

54d35a7bcdb9e5edec4dee3e5446f68b276f0757
SHA256

a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7
SHA512

960239f7c6d633b24294bdd39f666a1a74923248279afe4c5d49bc66ea99f36e9ccd70d5b662f85938b1d1676664c4f5c58729afffcc4a55c79b6b7e8a893496
SSDEEP

384:YliWnkWyJKiy2L8Xz5jOuJw1c1Pfukbdu8OE1d3F0l99mo62nQ1t:YFkJKizWl3Jw1wKE1d10pm6a

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe\Debugger = "C:\\Windows\\system32\\vista.exe"	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vista.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
File created	C:\Windows\SysWOW64\Flower.dll	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
File opened for modification	C:\Windows\SysWOW64\Flower.dll	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\vista.exe	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70859a9ac507d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BB11B531-73B8-11ED-B7CC-CE23F931F8E9} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dcbde02af9965a40ad5c89c2448814f100000000020000000000106600000001000020000000b12cdb8f83147842c56b121af3a898a3663f5f8d218709c1f8d40f3506912b12000000000e800000000200002000000065f3ca35d635bfbe24baafdee9ab1c5b572a7fba7917378c59bc893949ce10bb2000000058cb85c6b5d984beb87803ab06bbdf93805b0afc9d3489aa9725e6c5c55c0b6d40000000d11cbfc2745030b558b3ac3542744091fb0f658ff48a4ef3c90277b30d9be713c2d2b8c65cf9471b333c27729da7694745641026cdc3047680628d3965cffc69	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dcbde02af9965a40ad5c89c2448814f10000000002000000000010660000000100002000000021fc4a5866590c6354c5ee4fa62f9d02b6e0937948b4718490930a0ae9eb7f68000000000e8000000002000020000000aadfd937d565f205dee6fe08bb17aca69b35553798810380c105b7ae37128616900000003239029a15597423792ec45062f0398d09ebd67528fd0de89c7a266f206321bff0f2a7d7530cc9d5fbe4cdc770785445ef20fc819538c48e1abbb6100fd198ea84bd4c365a844c2c7a69748077770fb04b7b3b6b7f7f9b23cbc26824a3b35e176994997dda8c38ea0a3559ef7bf1192c4ed4b3b0601a6088b3ec68f5eb032455bde6251dd55cbf7f4c50fab057fee08d400000007dfe1b66847f03cb5c4ed860854f67bc88926186b398525da909e8c2015a1f4e1c404893cc9cfe99a717aad9a401335835055a91b47f8ea52f5c5403c9d8b554	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1268	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1208	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE
1136	IEXPLORE.EXE
1136	IEXPLORE.EXE
1136	IEXPLORE.EXE
1136	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 1208	1268	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe	27
PID 1268 wrote to memory of 1208	1268	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe	27
PID 1268 wrote to memory of 1208	1268	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe	27
PID 1268 wrote to memory of 1208	1268	a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe	27
PID 1208 wrote to memory of 1136	1208	IEXPLORE.EXE	29
PID 1208 wrote to memory of 1136	1208	IEXPLORE.EXE	29
PID 1208 wrote to memory of 1136	1208	IEXPLORE.EXE	29
PID 1208 wrote to memory of 1136	1208	IEXPLORE.EXE	29

C:\Users\Admin\AppData\Local\Temp\a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe
"C:\Users\Admin\AppData\Local\Temp\a3873db97f648db8f8993197aa0a099777a3d8dc93467c71aa6add0e658336f7.exe"
1⤵
- Sets file execution options in registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  Open http://www.tyw10.cn/ronaldo.asp?=TestA
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads