902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7

Analysis

max time kernel
42s
max time network
62s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 20:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Size

806KB
MD5

3f9dbdad249935651eb0026d138c906b
SHA1

69b0fe8ae2e1d97838dfeb6ab09008c83b22d6f4
SHA256

902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7
SHA512

c223388456b265ea6a488ebf31febc0690d35e06be87991ae7dfbbd44b52c89e18ef4b4b66e3f353a51ae81f1e2345c96bcd9a3633034f4e3fc6c0f544bcbd3d
SSDEEP

12288:xEncCP0UpnIIxU8H3Ek9aL4cLdWmcAMSWxxLdTT/unEIZUlxOnY7a+S:scaAIxL3EkyrLdsLldIKxQX/

Score

10^/10

evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\system32\drivers\etc\hosts	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
File created	C:\WINDOWS\system32\drivers\etc\hosts	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msscp.reg	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
File opened for modification	C:\Windows\SysWOW64\msscp.reg	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\taobao.ico	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
File opened for modification	C:\Program Files\Common Files\System\taobao.ico	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\web\Index.htm	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
File created	C:\Windows\web\Index.html	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
File opened for modification	C:\Windows\web\Index.htm	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
File opened for modification	C:\Windows\web\Index.html	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
File created	C:\Windows\web\Inde.html	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TYPEDURLS	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.a585.com"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.a585.com"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe

Modifies registry class 53 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\É¾³ý(&D)\Command\ = "Rundll32.exe"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÖØÃüÃû(&M)\Command	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÊôÐÔ(&R)	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\Attributes = "0"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\1 = "20221207"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\É¾³ý(&D)\Command\ = "Rundll32.exe"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\WantsParseDisplayName	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\É¾³ý(&D)	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÊôÐÔ(&R)	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\DefaultIcon	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\É¾³ý(&D)	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)\Command	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\9 = "0"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ = "Internet Explorer"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\WantsParseDisplayName	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)\Command	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÖØÃüÃû(&M)\Command	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\HideFolderVerbs	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\DefaultIcon\ = "C:\\Program Files (x86)\\Common Files\\System\\taobao.ico"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÖØÃüÃû(&M)\Command\ = "Rundll32.exe"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\É¾³ý(&D)\Command	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\É¾³ý(&D)\Command	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)\ = "´ò¿ªÖ÷Ò³(&H)"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)\ = "´ò¿ªÌÔ±¦Íø(&T)"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÖØÃüÃû(&M)	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÊôÐÔ(&R)\Command	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÖØÃüÃû(&M)	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)\Command\ = "iexplore.exe C:\\WINDOWS\\Web\\index.htm"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\Attributes = "0"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\HideFolderVerbs	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÖØÃüÃû(&M)\Command\ = "Rundll32.exe"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ = "ÌÔ±¦Íø£¡"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)\Command\ = "iexplore.exe C:\\WINDOWS\\Web\\index.html"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\DefaultIcon	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\HideOnDesktopPerUser	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\5 = "201450"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\9 = "1"	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÊôÐÔ(&R)\Command	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\HideOnDesktopPerUser	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1396	regedit.exe
2040	regedit.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1396	824	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	27
PID 824 wrote to memory of 1396	824	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	27
PID 824 wrote to memory of 1396	824	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	27
PID 824 wrote to memory of 1396	824	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	27
PID 824 wrote to memory of 1756	824	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	28
PID 824 wrote to memory of 1756	824	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	28
PID 824 wrote to memory of 1756	824	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	28
PID 824 wrote to memory of 1756	824	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	28
PID 1756 wrote to memory of 2040	1756	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	29
PID 1756 wrote to memory of 2040	1756	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	29
PID 1756 wrote to memory of 2040	1756	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	29
PID 1756 wrote to memory of 2040	1756	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	29
PID 1756 wrote to memory of 1448	1756	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	30
PID 1756 wrote to memory of 1448	1756	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	30
PID 1756 wrote to memory of 1448	1756	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	30
PID 1756 wrote to memory of 1448	1756	902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe	30
PID 1448 wrote to memory of 1608	1448	IEXPLORE.EXE	31
PID 1448 wrote to memory of 1608	1448	IEXPLORE.EXE	31
PID 1448 wrote to memory of 1608	1448	IEXPLORE.EXE	31
PID 1448 wrote to memory of 1608	1448	IEXPLORE.EXE	31

C:\Users\Admin\AppData\Local\Temp\902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
"C:\Users\Admin\AppData\Local\Temp\902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Drivers directory
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\regedit.exe
  C:\Windows\regedit.exe /S C:\Windows\system32\msscp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1396
- C:\Users\Admin\AppData\Local\Temp\902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
  C:\Users\Admin\AppData\Local\Temp\902bbb765ee439b7e745253a564e1e120da66baaa6444f5ec011ef627e97c8f7.exe
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\regedit.exe
    C:\Windows\regedit.exe /S C:\Windows\system32\msscp.reg
    3⤵
    - Runs .reg file with regedit
    PID:2040
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" C:\Windows\web\Inde.html
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows\web\Inde.html
      4⤵
      Modifies Internet Explorer settings
      PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\taobao.ico

Filesize
14KB

MD5
468fada123f5548ac87e57bae81f6782

SHA1
edb8f012c25906e6afd8bf335b495e16c440243d

SHA256
091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d

SHA512
635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa

Download Submit
C:\WINDOWS\system32\drivers\etc\hosts

Filesize
3KB

MD5
f64f5b6c44ea0aea08df27e259d8c718

SHA1
d1545148a21ca5b005d60205b9002c0cbe0c9b24

SHA256
ce0045305ae86126c24b063bf225df9c8eecc69395b239097daffe7dd9d8d5ec

SHA512
0dfaf8a2670284e0922c1164444533b4d8eab2fe12c494a3bd353638555dab9d07007e89f263a5ba83d78bfa5c39a5b7c63c776e642d9bc4d508a21db02ae831

Download Submit
C:\Windows\SysWOW64\msscp.reg

Filesize
228B

MD5
2d06a424ad1c7611ea9caad93892ea26

SHA1
a901e15c2ecea498f1ca8ffc5d5c32bd3f0169d8

SHA256
8c19027357bcb3170b6844aec44cd4c143c7b795d5df52ff89426615010f715c

SHA512
3199dffce9d7625d9e01d7a06c912d3629e5f3d98d3935763df6b323807d46f24a40876d78d5ae7f7ac83c90e498e7c4810d88993904dbca1036e8c06833ccdf

Download Submit
C:\Windows\SysWOW64\msscp.reg

Filesize
228B

MD5
2d06a424ad1c7611ea9caad93892ea26

SHA1
a901e15c2ecea498f1ca8ffc5d5c32bd3f0169d8

SHA256
8c19027357bcb3170b6844aec44cd4c143c7b795d5df52ff89426615010f715c

SHA512
3199dffce9d7625d9e01d7a06c912d3629e5f3d98d3935763df6b323807d46f24a40876d78d5ae7f7ac83c90e498e7c4810d88993904dbca1036e8c06833ccdf

Download Submit
memory/824-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/824-64-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/824-65-0x0000000002010000-0x00000000020ED000-memory.dmp

Filesize
884KB

Download
memory/824-69-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1756-66-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1756-68-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads