c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d

Analysis

max time kernel
174s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe
Size

310KB
MD5

b1557186dc30a5120c69e413abe7a6e9
SHA1

09bbdda905d0ceba9ccbf79bc244fd606a15cfcd
SHA256

c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d
SHA512

905404e48164df451cad116c44f01242b0ecc6343fec647c106839099c0c28edc6fdbb23bdac5a42c2cb8376bd0fdf57ba3bea515b9f3790ed86068bc136b348
SSDEEP

6144:TNa6yjO+gfvFmabK14lpLjm8yDWy9eCCHqAv3Q63Y3trqBhJ+IbYJ1:Tc6yjRYm0D/Rw/CKMNSF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\safe.ico	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\progra~1\ico\4620b8f8c6bc4627b33dec9e58e9139e$dpx$.tmp\5507b18389a3a44088d98f9c301958a8.tmp	expand.exe
File created	C:\progra~1\ico\4620b8f8c6bc4627b33dec9e58e9139e$dpx$.tmp\5e0caeae2046ee4ebc021bce58dcac54.tmp	expand.exe
File opened for modification	C:\progra~1\ico\meiv.ico	expand.exe
File opened for modification	C:\progra~1\ico\Taobao.ico	expand.exe
File created	C:\progra~1\ico\4620b8f8c6bc4627b33dec9e58e9139e$dpx$.tmp\ac99ab7c89ebe346bc1d8585258fb6c2.tmp	expand.exe
File created	C:\progra~1\ico\4620b8f8c6bc4627b33dec9e58e9139e$dpx$.tmp\9ec5c2c7c6eb214b86c159efdd26144e.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Beauty.ico	expand.exe
File created	C:\progra~1\ico\4620b8f8c6bc4627b33dec9e58e9139e$dpx$.tmp\c32415107ad0004680bb5b997d03717b.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Chat.ico	expand.exe
File opened for modification	C:\progra~1\ico\Film.ico	expand.exe
File created	C:\progra~1\ico\4620b8f8c6bc4627b33dec9e58e9139e$dpx$.tmp\585132a605608d458fdc59132726ef7d.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Video.ico	expand.exe
File opened for modification	C:\progra~1\ico\4620b8f8c6bc4627b33dec9e58e9139e$dpx$.tmp	expand.exe
File opened for modification	C:\progra~1\ico\4620b8f8c6bc4627b33dec9e58e9139e$dpx$.tmp\job.xml	expand.exe
File opened for modification	C:\progra~1\ico\{BAD8E283-EDB0-4291-A1B2-F4D6139AEBBD}	expand.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3652952345"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3648264916"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000906"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F5CE0864-753D-11ED-919F-5EDCA19B148A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000906"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000906"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3652795559"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3648264916"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3648264916"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F5D068EB-753D-11ED-919F-5EDCA19B148A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000906"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000906"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000906"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3652795559"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3652952345"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000906"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F5CE2F74-753D-11ED-919F-5EDCA19B148A} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3648264916"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000906"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe
2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe
2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe
2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe
1808	msedge.exe
1808	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
940	iexplore.exe
4984	iexplore.exe
4796	iexplore.exe
4260	msedge.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe
2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe
940	iexplore.exe
940	iexplore.exe
4796	iexplore.exe
4796	iexplore.exe
4984	iexplore.exe
4984	iexplore.exe
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
1456	IEXPLORE.EXE
1456	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 4848	2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe	83
PID 2188 wrote to memory of 4848	2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe	83
PID 2188 wrote to memory of 4848	2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe	83
PID 2188 wrote to memory of 1500	2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe	82
PID 2188 wrote to memory of 1500	2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe	82
PID 2188 wrote to memory of 1500	2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe	82
PID 4848 wrote to memory of 224	4848	cmd.exe	86
PID 4848 wrote to memory of 224	4848	cmd.exe	86
PID 4848 wrote to memory of 224	4848	cmd.exe	86
PID 2404 wrote to memory of 4260	2404	explorer.exe	91
PID 2404 wrote to memory of 4260	2404	explorer.exe	91
PID 2188 wrote to memory of 940	2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe	92
PID 2188 wrote to memory of 940	2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe	92
PID 2188 wrote to memory of 4984	2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe	93
PID 2188 wrote to memory of 4984	2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe	93
PID 2188 wrote to memory of 4796	2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe	94
PID 2188 wrote to memory of 4796	2188	c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe	94
PID 940 wrote to memory of 1768	940	iexplore.exe	97
PID 940 wrote to memory of 1768	940	iexplore.exe	97
PID 940 wrote to memory of 1768	940	iexplore.exe	97
PID 4260 wrote to memory of 3668	4260	msedge.exe	98
PID 4260 wrote to memory of 3668	4260	msedge.exe	98
PID 4796 wrote to memory of 1196	4796	iexplore.exe	99
PID 4796 wrote to memory of 1196	4796	iexplore.exe	99
PID 4796 wrote to memory of 1196	4796	iexplore.exe	99
PID 4984 wrote to memory of 1456	4984	iexplore.exe	96
PID 4984 wrote to memory of 1456	4984	iexplore.exe	96
PID 4984 wrote to memory of 1456	4984	iexplore.exe	96
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103
PID 4260 wrote to memory of 2972	4260	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe
"C:\Users\Admin\AppData\Local\Temp\c8d2037d30a81620a6edf2789f71a50ca872ca580ad26465b09f717a8a443a1d.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe http://www.v258.net/list/list16.html?mmm
  2⤵
  PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\AqzD2.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\ico.cab" -F:*.* "C:\progra~1\ico"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:224
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.q22.cc/?ukt
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:940 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1768
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.v921.com/?uk
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4984 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1456
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.779dh.com/?kj
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4796 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1196

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.v258.net/list/list16.html?mmm
  2⤵
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf8,0x124,0x7ffd3a5246f8,0x7ffd3a524708,0x7ffd3a524718
    3⤵
    PID:3668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,7698479365721032998,11411106214670403218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    3⤵
    PID:2972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,7698479365721032998,11411106214670403218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,7698479365721032998,11411106214670403218,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
    3⤵
    PID:1472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F5CE0864-753D-11ED-919F-5EDCA19B148A}.dat

Filesize
5KB

MD5
f65dff94fe7b1095886102cf51dd01de

SHA1
82180725dfec25f4b09c86b78184069ad9fe79be

SHA256
16905c276db2601911077fe324bb0283aa37f868f9b56f570c3f5bc036659dac

SHA512
c815584ed76cb159366d4d19057fc8d91ccfa95a4ba61066c39e03acb984dedbb125e4b5872aa41d379d2d53d48379c9c494f6ef5acf60641032dae28dd0d17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F5CE0864-753D-11ED-919F-5EDCA19B148A}.dat

Filesize
5KB

MD5
f65dff94fe7b1095886102cf51dd01de

SHA1
82180725dfec25f4b09c86b78184069ad9fe79be

SHA256
16905c276db2601911077fe324bb0283aa37f868f9b56f570c3f5bc036659dac

SHA512
c815584ed76cb159366d4d19057fc8d91ccfa95a4ba61066c39e03acb984dedbb125e4b5872aa41d379d2d53d48379c9c494f6ef5acf60641032dae28dd0d17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F5D068EB-753D-11ED-919F-5EDCA19B148A}.dat

Filesize
5KB

MD5
e51f91893ddb23cf9cc98ea498aca082

SHA1
202148e492696176b251e2ba301322ad28458eb5

SHA256
42c9dc0ff8442959856f93965b1fc503c398aac12097d2de081c416adecf739e

SHA512
a7e310de06a7cc83752dcd414e83edeead6f0913bb797035ae6a9bb2a73d4f7dae9c4476968df08e4c8beb419c40fc2b444e11884f21420b7d041b25b5b94ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AqzD2.bat

Filesize
98B

MD5
ada787702460241a372c495dc53dbdcf

SHA1
da7d65ec9541fe9ed13b3531f38202f83b0ac96d

SHA256
0d0f600f95192d2d602dbda346c4e08745295f331f5a0349deae21705367b850

SHA512
c86091735b855691c89c7946145591dec6a6a6a36a2438d392587a9cc1f2d85c1ebe44fcff1cc9d94271a24ebbc2ca38639577a6f5c592e9e10517da26572708

Download Submit
\??\c:\users\admin\appdata\local\temp\ico.cab

Filesize
20KB

MD5
1319e9998cedc513c68fa6d590b6ad63

SHA1
ae95b333e88a13886994f320f5dfb4856168a710

SHA256
9a5b18efe243fbe9b9b0be3674a24080e9210436986988f3f85a4007905083bb

SHA512
d4052a899c6c310296e2f5fdf6c2031c22d2644be620cb34ddcc6b59789d82a6462daaeb34466c568be48ee975c4a5ab43143eab0792312a6cd0d49f9fbd8d3f

Download Submit
memory/2188-132-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2188-134-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2188-133-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2188-137-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download