b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056

Analysis

max time kernel
194s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Size

104KB
MD5

2c46e758200bdae00d795f06f8f0234a
SHA1

c050af649f70f7284c0da7101abbf77e62032a94
SHA256

b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056
SHA512

121a28a34e77f094f0c978cc2085ca9c882e68400f5e63562d850ade62e5eb0d66fa8953562262b08b3226cb3bc5e7cfd94fe4cc2f864dd40f29c621b4f27fa6
SSDEEP

1536:T/eA8BQWrI0Scqy/IVjiZUPyE5nMqmRTCkc9x+HejfAclG25DmQT:rchsXpy/iWZ85nIRekciwfDmQT

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4544	Program FilesZAG5B1.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023170-135.dat	upx
behavioral2/files/0x0007000000023170-136.dat	upx
behavioral2/memory/4544-139-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2D3EF2F5-7978-11ED-919F-D668443210E4} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c9748000000000200000000001066000000010000200000002b22deec5c2abd502754a87749f71a11f4912cd4621c52a30c2e23256649cde0000000000e8000000002000020000000e86dafabdbf97971c460ea85ca618e3e0af5a5e888a93b3825e42139df3b3f6c20000000712475ad0887bf7dd01cdacc5a35c90385782b63b1ccf62835ad112218ec356940000000b83fa6b23d824fcb8d932d7563c45805bbfc9f878abb72793c06b7ca4db3ee3bd5a6fc8fa3ccdce8aa8d3176ae8863b183a15388f7b099f91e761b8aa3ff8205	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0e35013850dd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "160322010"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "160322010"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377544269"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c9748000000000200000000001066000000010000200000003a129fdddabbaa085686fb75c2a14f85716032fd21b2919ccafce78b15e1a641000000000e80000000020000200000003fa5a497e75e55c4e5b92719226b3af516fb1b6443fdcd5ed3e964b64edd074420000000f025bc7e2c42a0df275e8b7c7e1937ea7e6f3e86966ffcfb19b6d4bc623f09814000000000676b9b2fd300b5c969982b7fadd9e0bbbd2ac99a495ee02df334f1de72ed0d9b7570585dcc38cb5e2fe1da247593c69278f2ee566ca767f8729630a340da72	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001989"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60351209850dd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001989"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1121"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1121"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1121"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1121"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1121"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.35yes.com/?1121"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3772	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
344	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
4544	Program FilesZAG5B1.exe
3772	iexplore.exe
3772	iexplore.exe
3192	IEXPLORE.EXE
3192	IEXPLORE.EXE
3192	IEXPLORE.EXE
3192	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 4544	344	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe	81
PID 344 wrote to memory of 4544	344	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe	81
PID 344 wrote to memory of 4544	344	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe	81
PID 4544 wrote to memory of 3772	4544	Program FilesZAG5B1.exe	83
PID 4544 wrote to memory of 3772	4544	Program FilesZAG5B1.exe	83
PID 3772 wrote to memory of 3192	3772	iexplore.exe	85
PID 3772 wrote to memory of 3192	3772	iexplore.exe	85
PID 3772 wrote to memory of 3192	3772	iexplore.exe	85
PID 344 wrote to memory of 3028	344	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe	87
PID 344 wrote to memory of 3028	344	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe	87
PID 344 wrote to memory of 3028	344	b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe	87

C:\Users\Admin\AppData\Local\Temp\b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
"C:\Users\Admin\AppData\Local\Temp\b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:344
- \??\c:\Program FilesZAG5B1.exe
  "c:\Program FilesZAG5B1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3772 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3192
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  PID:3028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program FilesZAG5B1.exe

Filesize
10KB

MD5
5fb76aacca286e60c0c207ae75683a16

SHA1
df65c7d454704e3c0930aacec5f377a9759aaf36

SHA256
566694fc762386dd3c52bfa31beb3c5dd88a2aa5c55b6c440bd0ad6a013592c0

SHA512
3f5441b352ae696c721a79ea13126e12f07ba90b8e1df52f415513c4acd542b3fef3104c33eed80387cd8e6e763b5517af6b24f2ecbf1767638f5a4587361d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
486B

MD5
e54d1c02c487a883fc9825d3fd8f86d1

SHA1
403e8640d815494766e4fb71a447a330aa10c54b

SHA256
e5f16a7d0aa26df9c87925c43fbfe051f821d6a0a86efa27ba6b25f662579313

SHA512
1873b1e510b6ab557e177b5bc29832286af118fe0b0994a1cc3ab3a275cd6dc1ca77f32772d252a9d58e6573e81b9d8da1c0a045d3fc2c3eb7f9412dfdb7e1bf

Download Submit
\??\c:\Program FilesZAG5B1.exe

Filesize
10KB

MD5
5fb76aacca286e60c0c207ae75683a16

SHA1
df65c7d454704e3c0930aacec5f377a9759aaf36

SHA256
566694fc762386dd3c52bfa31beb3c5dd88a2aa5c55b6c440bd0ad6a013592c0

SHA512
3f5441b352ae696c721a79ea13126e12f07ba90b8e1df52f415513c4acd542b3fef3104c33eed80387cd8e6e763b5517af6b24f2ecbf1767638f5a4587361d15

Download Submit
memory/4544-139-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download