d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587

Analysis

max time kernel
131s
max time network
157s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Size

25KB
MD5

ac7849de3120a3ddb72af08bd426a8bd
SHA1

904eb51be8d1bf8e4b7df4bcb623676fe9fa113e
SHA256

d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587
SHA512

301ffd3a4b2696df8ca9b43929438e5b74c73fcce52122046b5fe693c71ad8332d379f294a0075254ca68d144cd64bf4cffcd2ec2e26fd75345fa6ba6f70f291
SSDEEP

384:tlT/W+52Y+nyDGJp7oFtwcp/mDpQjlp0huQSNyPVbkTtnJWAEJc3ziJ:tlTf8Y+yiJp7oQkK28VghJWAEC38

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1932	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\setup.ad	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
File opened for modification	C:\Windows\SysWOW64\setup.ad	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
File opened for modification	C:\Windows\SysWOW64\tarpurd32.dll	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\nTimes = "66"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af000000000200000000001066000000010000200000009fd29c79fbeb750d95c86ceafb47685cca870be81ff93f811fa6e1a47eb8d861000000000e800000000200002000000018f413928e8eeb1f720f2235278042b18c362d19260c3054428bb4d3a0760ee82000000099fcd3c8543fade6d0c1b412e0ff259c509af5c6a701420ba5c4d97b09c13e774000000044889747f685c65a6d1c8c8e12bbd12c03222aecd4aed6cb4f1093560d581feb633074c1526c9fc22ff5f7dbba796fad08ea7bd98d122f3057a0795b7ab7f0c3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377249362"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000a5810f6e65aa2da77710d2cd2e87b4a963caae841ccc95be77bb6490277184af000000000e8000000002000020000000dd0ce9aec68fda16d9a7050e267b1d0931c1e802bee2ca3fae37b0b10822442d90000000de993bbb7f47d4e8fbefc80d12da152af6f6bfd88236af4cb5fa45be07def3baef23bc239bdf2732476382b1026ec6989e45f76f44007133540276a5c51ade71bcdd2c37609b36ec342afb8cb425cb7796b35d6d939b48237762230167ad8bbba3337429896df5e0d3c54a76f04030baf2b4d10bf0113649ca20802aafd761394fac66016573ea5f5d7abdd25061cfea40000000552e0a504b14a0220dfe0baf669b16524c5098f9f793241a9553428b598a745444996159e6ae84821ec123ef2f75f2cc4942c2366119d96d83511ae491c686a5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d008cf96d60ad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9C7A9241-76C9-11ED-96D2-EEBA1A0FFCD1} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A4E4D670-76C9-11ED-96D2-EEBA1A0FFCD1} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE

Modifies registry class 49 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\Version = "1.0"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\ = "{9B3FD067-74E7-4809-B908-DF358CF1A511}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt\Clsid	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\VERSION	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\VERSION\ = "1.0"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt\ = "pIContextMenu.ShellExt"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ = "_ShellExt"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\ProgID\ = "pIContextMenu.ShellExt"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\TypeLib\ = "{9B3FD067-74E7-4809-B908-DF358CF1A511}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\Implemented Categories	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt\Clsid\ = "{6DCB487C-0DFA-48C2-ABDC-296BBD892262}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\ = "IContextMenu Shell Extension.."	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\0	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\tarpurd32.dll"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\HELPDIR\ = "C:\\Windows\\system32"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\InprocServer32\ = "C:\\Windows\\SysWow64\\tarpurd32.dll"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\Programmable	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\FLAGS\ = "0"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\HELPDIR	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\InprocServer32	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\InprocServer32\ThreadingModel = "Apartment"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\TypeLib	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}\ = "{6DCB487C-0DFA-48C2-ABDC-296BBD892262}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ = "_ShellExt"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\ = "pIContextMenu.ShellExt"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ = "ShellExt"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}\ = "{6DCB487C-0DFA-48C2-ABDC-296BBD892262}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\FLAGS	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\0\win32	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\ = "{9B3FD067-74E7-4809-B908-DF358CF1A511}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\Version = "1.0"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\ProgID	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
576	IEXPLORE.EXE
1476	IEXPLORE.EXE
576	IEXPLORE.EXE
576	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
576	IEXPLORE.EXE
576	IEXPLORE.EXE
576	IEXPLORE.EXE
576	IEXPLORE.EXE
576	IEXPLORE.EXE
576	IEXPLORE.EXE
1476	IEXPLORE.EXE
1476	IEXPLORE.EXE
640	IEXPLORE.EXE
640	IEXPLORE.EXE
1960	IEXPLORE.EXE
1960	IEXPLORE.EXE
640	IEXPLORE.EXE
640	IEXPLORE.EXE
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE
1960	IEXPLORE.EXE
1960	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 1472	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	28
PID 968 wrote to memory of 1472	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	28
PID 968 wrote to memory of 1472	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	28
PID 968 wrote to memory of 1472	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	28
PID 1472 wrote to memory of 576	1472	iexplore.exe	29
PID 1472 wrote to memory of 576	1472	iexplore.exe	29
PID 1472 wrote to memory of 576	1472	iexplore.exe	29
PID 1472 wrote to memory of 576	1472	iexplore.exe	29
PID 576 wrote to memory of 640	576	IEXPLORE.EXE	31
PID 576 wrote to memory of 640	576	IEXPLORE.EXE	31
PID 576 wrote to memory of 640	576	IEXPLORE.EXE	31
PID 576 wrote to memory of 640	576	IEXPLORE.EXE	31
PID 968 wrote to memory of 1360	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	32
PID 968 wrote to memory of 1360	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	32
PID 968 wrote to memory of 1360	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	32
PID 968 wrote to memory of 1360	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	32
PID 1360 wrote to memory of 1476	1360	iexplore.exe	33
PID 1360 wrote to memory of 1476	1360	iexplore.exe	33
PID 1360 wrote to memory of 1476	1360	iexplore.exe	33
PID 1360 wrote to memory of 1476	1360	iexplore.exe	33
PID 968 wrote to memory of 568	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	34
PID 968 wrote to memory of 568	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	34
PID 968 wrote to memory of 568	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	34
PID 968 wrote to memory of 568	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	34
PID 568 wrote to memory of 1128	568	iexplore.exe	35
PID 568 wrote to memory of 1128	568	iexplore.exe	35
PID 568 wrote to memory of 1128	568	iexplore.exe	35
PID 568 wrote to memory of 1128	568	iexplore.exe	35
PID 968 wrote to memory of 540	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	36
PID 968 wrote to memory of 540	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	36
PID 968 wrote to memory of 540	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	36
PID 968 wrote to memory of 540	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	36
PID 576 wrote to memory of 1960	576	IEXPLORE.EXE	37
PID 576 wrote to memory of 1960	576	IEXPLORE.EXE	37
PID 576 wrote to memory of 1960	576	IEXPLORE.EXE	37
PID 576 wrote to memory of 1960	576	IEXPLORE.EXE	37
PID 540 wrote to memory of 912	540	iexplore.exe	38
PID 540 wrote to memory of 912	540	iexplore.exe	38
PID 540 wrote to memory of 912	540	iexplore.exe	38
PID 540 wrote to memory of 912	540	iexplore.exe	38
PID 1476 wrote to memory of 1872	1476	IEXPLORE.EXE	39
PID 1476 wrote to memory of 1872	1476	IEXPLORE.EXE	39
PID 1476 wrote to memory of 1872	1476	IEXPLORE.EXE	39
PID 1476 wrote to memory of 1872	1476	IEXPLORE.EXE	39
PID 968 wrote to memory of 1932	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	40
PID 968 wrote to memory of 1932	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	40
PID 968 wrote to memory of 1932	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	40
PID 968 wrote to memory of 1932	968	d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe	40

C:\Users\Admin\AppData\Local\Temp\d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe
"C:\Users\Admin\AppData\Local\Temp\d83d1ec3f265f18e9b144cecc68657c2c5f667bd99ed1ec34f2a3b2989fb0587.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:968
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://u.9lwan.com/cj/direct/628546.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://u.9lwan.com/cj/direct/628546.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:640
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:537603 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1960
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://u.9lwan.com/cj/direct/628546.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://u.9lwan.com/cj/direct/628546.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1476 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1872
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://u.9lwan.com/cj/direct/628635.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://u.9lwan.com/cj/direct/628635.html
    3⤵
    PID:1128
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://u.9lwan.com/cj/direct/628635.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://u.9lwan.com/cj/direct/628635.html
    3⤵
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\_zh.bat
  2⤵
  - Deletes itself
  PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9C7A9241-76C9-11ED-96D2-EEBA1A0FFCD1}.dat

Filesize
6KB

MD5
1e08b676e9ab9ff02153fcaca78b18da

SHA1
94705ca0d26f2dc8618a5cb91f101e455f54f973

SHA256
fa32cc14a46141b1e1d3a83ef768b47714d934eaca068d1d7776e451e1c2c00a

SHA512
fc31a4c7488bee4075863bdb82ef339ebc159d971758777260001ea1d02ee345b69d8cd66427ae419734ffc036add8798ae09544d20976c9017ac68692b81b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_zh.bat

Filesize
248B

MD5
f4550899a106e7b10b4365ac6231308f

SHA1
c6a1482896918945e43f11eb29fc7a26649dd3b5

SHA256
03c2e0514b45d4e7cb5d18b32e8e2e14072c37d2074e3d6f6dbd766c1ebffdf7

SHA512
622cdf7732b8288fecff0128669bc090a7b6695a4e2a18aa4b69a23c4c47a8675c29710c9fc6eb373140a86e131e6d77413deac887f3a3e8b390ee566ac121f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VQBEVZB7.txt

Filesize
608B

MD5
bc3897b870433e299070576eeb120674

SHA1
147cb9e54512b506cdd7d4236107fec566d56719

SHA256
0586c300a9641c5a6f47a0afbb46dd617b34bdcafdfd7b3bcf3f3c81de0c9237

SHA512
63bc12f55e1a526ef2cb773885c644d402f54235f77ff6f2b0dcddaca77a99cc5dcfb1ad704605d94b39adb8356e396ca178e6c189416af699cd8d5cf0bee49e

Download Submit
\Windows\SysWOW64\tarpurd32.dll

Filesize
44KB

MD5
29781a89e8c108097f39a040b5ef982b

SHA1
60f4ebf39e90c9cc1476fe5b63ba5b2b7c13b81d

SHA256
50c6fd913b670d05bfe5a473ba6bd7413b5826506ad76c8bca739d73501cb77a

SHA512
a6a8256931b1abef63424085a65af349f946e75088c59ef163e3f3376b1579908f7ed3f1c42af2e342794f5d86c3447f8ac5422853718b58a8c38d430a7f524d

Download Submit
memory/968-56-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/968-60-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download