d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894

Analysis

max time kernel
20s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 20:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Size

806KB
MD5

ba54c52a68c91f9ce3aef7141aaaa79f
SHA1

380cf7acea31d605ae0aa815a9d82f08c7e58444
SHA256

d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894
SHA512

5748b6e1a7b6a8a1a7927f6eca635a32f6056d8dda29d7f8f9862f1b58d9afa213e4ccb4e4f0379e9d3f055d0bfa2e74b1e58db33dd8d9af1d5553e70744a6a1
SSDEEP

12288:wEncCP0UpnIIxU8H3Ek9aL4cLdWe4AJSWxxL9cs/unEIZUlxOnY7a+p:FcaAIxL3EkyrLdLLzdIKxQXU

Score

10^/10

evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\system32\drivers\etc\hosts	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
File created	C:\WINDOWS\system32\drivers\etc\hosts	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msscp.reg	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
File opened for modification	C:\Windows\SysWOW64\msscp.reg	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\taobao.ico	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
File opened for modification	C:\Program Files\Common Files\System\taobao.ico	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\web\Index.htm	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
File opened for modification	C:\Windows\web\Index.html	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
File created	C:\Windows\web\Inde.html	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
File created	C:\Windows\web\Index.htm	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
File created	C:\Windows\web\Index.html	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TYPEDURLS	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.a585.com"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.a585.com"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe

Modifies registry class 53 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\DefaultIcon\ = "C:\\Program Files (x86)\\Common Files\\System\\taobao.ico"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\É¾³ý(&D)	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\HideFolderVerbs	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\9 = "1"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\É¾³ý(&D)	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÖØÃüÃû(&M)	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)\ = "´ò¿ªÌÔ±¦Íø(&T)"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\Attributes = "0"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\É¾³ý(&D)\Command\ = "Rundll32.exe"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)\Command	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)\Command\ = "iexplore.exe C:\\WINDOWS\\Web\\index.html"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\Attributes = "0"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÖØÃüÃû(&M)\Command	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\É¾³ý(&D)\Command\ = "Rundll32.exe"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÖØÃüÃû(&M)\Command\ = "Rundll32.exe"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\5 = "11423"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\WantsParseDisplayName	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\WantsParseDisplayName	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ = "ÌÔ±¦Íø£¡"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\DefaultIcon	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)\Command\ = "iexplore.exe C:\\WINDOWS\\Web\\index.htm"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\HideOnDesktopPerUser	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\HideOnDesktopPerUser	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\1 = "20221207"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\DefaultIcon	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÖØÃüÃû(&M)\Command\ = "Rundll32.exe"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\É¾³ý(&D)\Command	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)\ = "´ò¿ªÖ÷Ò³(&H)"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)\Command	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\HideFolderVerbs	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÖØÃüÃû(&M)	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ = "Internet Explorer"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\É¾³ý(&D)\Command	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÊôÐÔ(&R)\Command	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÊôÐÔ(&R)	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÊôÐÔ(&R)	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÖØÃüÃû(&M)\Command	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\9 = "0"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE"	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÊôÐÔ(&R)\Command	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1408	regedit.exe
432	regedit.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1408	1748	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	28
PID 1748 wrote to memory of 1408	1748	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	28
PID 1748 wrote to memory of 1408	1748	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	28
PID 1748 wrote to memory of 1408	1748	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	28
PID 1748 wrote to memory of 892	1748	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	29
PID 1748 wrote to memory of 892	1748	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	29
PID 1748 wrote to memory of 892	1748	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	29
PID 1748 wrote to memory of 892	1748	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	29
PID 892 wrote to memory of 432	892	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	30
PID 892 wrote to memory of 432	892	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	30
PID 892 wrote to memory of 432	892	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	30
PID 892 wrote to memory of 432	892	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	30
PID 892 wrote to memory of 748	892	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	31
PID 892 wrote to memory of 748	892	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	31
PID 892 wrote to memory of 748	892	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	31
PID 892 wrote to memory of 748	892	d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe	31
PID 748 wrote to memory of 1088	748	IEXPLORE.EXE	32
PID 748 wrote to memory of 1088	748	IEXPLORE.EXE	32
PID 748 wrote to memory of 1088	748	IEXPLORE.EXE	32
PID 748 wrote to memory of 1088	748	IEXPLORE.EXE	32

C:\Users\Admin\AppData\Local\Temp\d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
"C:\Users\Admin\AppData\Local\Temp\d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Drivers directory
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\regedit.exe
  C:\Windows\regedit.exe /S C:\Windows\system32\msscp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1408
- C:\Users\Admin\AppData\Local\Temp\d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
  C:\Users\Admin\AppData\Local\Temp\d64c2735353f152f8ccc948f991e6ddf1faa6b87da201ab28dc2c3bac7891894.exe
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\regedit.exe
    C:\Windows\regedit.exe /S C:\Windows\system32\msscp.reg
    3⤵
    - Runs .reg file with regedit
    PID:432
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" C:\Windows\web\Inde.html
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows\web\Inde.html
      4⤵
      Modifies Internet Explorer settings
      PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\taobao.ico

Filesize
14KB

MD5
468fada123f5548ac87e57bae81f6782

SHA1
edb8f012c25906e6afd8bf335b495e16c440243d

SHA256
091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d

SHA512
635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa

Download Submit
C:\WINDOWS\system32\drivers\etc\hosts

Filesize
3KB

MD5
03fb23367b5dea12d340109e2fb399c4

SHA1
2835b4de8e0a69f556c19aa1215a9a91b30489ee

SHA256
c1c4255cca3acb213b6e51c2bbf52ab047fd73884b2c666c815633317ad5a057

SHA512
0dd2998b54bee3303a0ed723814ef73f04fc4da8fa567a3d9e6be431ddfb4e62639e6ba0f3d6aa062771f5d49722ca732e4a14c1313f68ad6f0ae7cda218c1b1

Download Submit
C:\Windows\SysWOW64\msscp.reg

Filesize
228B

MD5
2d06a424ad1c7611ea9caad93892ea26

SHA1
a901e15c2ecea498f1ca8ffc5d5c32bd3f0169d8

SHA256
8c19027357bcb3170b6844aec44cd4c143c7b795d5df52ff89426615010f715c

SHA512
3199dffce9d7625d9e01d7a06c912d3629e5f3d98d3935763df6b323807d46f24a40876d78d5ae7f7ac83c90e498e7c4810d88993904dbca1036e8c06833ccdf

Download Submit
C:\Windows\SysWOW64\msscp.reg

Filesize
228B

MD5
2d06a424ad1c7611ea9caad93892ea26

SHA1
a901e15c2ecea498f1ca8ffc5d5c32bd3f0169d8

SHA256
8c19027357bcb3170b6844aec44cd4c143c7b795d5df52ff89426615010f715c

SHA512
3199dffce9d7625d9e01d7a06c912d3629e5f3d98d3935763df6b323807d46f24a40876d78d5ae7f7ac83c90e498e7c4810d88993904dbca1036e8c06833ccdf

Download Submit
memory/892-64-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/892-68-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1748-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1748-59-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1748-61-0x0000000002D80000-0x0000000002E5D000-memory.dmp

Filesize
884KB

Download
memory/1748-69-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads