356418109b6500ee66960791ea8a5a9dd77ef1b3f4818d15d3684d2f796dab86

Analysis

max time kernel
183s
max time network
229s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

356418109b6500ee66960791ea8a5a9dd77ef1b3f4818d15d3684d2f796dab86.exe
Size

1.1MB
MD5

bf0f22c0a8be55c152da5c8b27a3041b
SHA1

a7454adc9ca7dcd5b5b01d62f00528c4a7684f57
SHA256

356418109b6500ee66960791ea8a5a9dd77ef1b3f4818d15d3684d2f796dab86
SHA512

e4a931d956be9995fb622faaeebd898e3db68de5063b2996b0e6f520d207c42b1e95b7655bd2d1278a3a9eaf8482f7527e5d83297adcb6287c592e05b64f694d
SSDEEP

24576:nNseVg7kAfPSoaLLt/9UrcoC+X3ZR+zU3MxN3/zzeBV2zzx:nNLVg9fq/JOch+X33+zU3MT/zze+zF

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1788	Setup.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1748-55-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1748-62-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1748	356418109b6500ee66960791ea8a5a9dd77ef1b3f4818d15d3684d2f796dab86.exe
1788	Setup.exe
1788	Setup.exe
1788	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "152"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "334"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "1488"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "11706"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "23210"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "32814"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\baidu\URL = "http://www.baidu.com/baidu?tn=flstudios_cb&word={searchTerms}&cl=3&ie=utf-8"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "35098"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "20818"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "28908"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "4878"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "21948"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "25494"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "31177"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{700E1F11-78DB-11ED-8045-767CA9D977BF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "273"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18534"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21973"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "246"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "7162"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "2618"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "16274"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "31168"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "109"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "311"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "7162"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "10576"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "4878"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "23210"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "27778"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "baidu"	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "258"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "17404"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "22027"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "31192"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "31684"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "32814"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "246"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "19688"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet explorer\Main	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "16274"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "2618"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "3748"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "9446"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "24340"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "228"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "334"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "6008"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "7162"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "37382"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "184"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "311"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "334"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "10576"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.9365.info"	Setup.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.9365.info"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\Open(&O)\ = "´ò¿ªÖ÷Ò³(H)"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\Open(&O)\Command	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\Open(&O)\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe % http://www.9365.info"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\ÊôÐÔ(&R)\Command	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ShellFolder\HideAsDeletePerUser	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\InfoTip = "Internet Explorer ä¯ÀÀÆ÷"	Setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ShellFolder\Attributes = "0"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\DefaultIcon	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ShellFolder\HideFolderVerbs	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ShellFolder\ = "C:\\Windows\\SysWow64\\ieframe.dll,-190"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\ÊôÐÔ(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ = "Internet Explorer"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\ÊôÐÔ(&R)	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ShellFolder\HideOnDesktopPerUser	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ShellFolder\WantsParseDisplayName	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\Open(&O)	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ShellFolder	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	Setup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1748	356418109b6500ee66960791ea8a5a9dd77ef1b3f4818d15d3684d2f796dab86.exe
Token: SeBackupPrivilege	1748	356418109b6500ee66960791ea8a5a9dd77ef1b3f4818d15d3684d2f796dab86.exe
Token: SeRestorePrivilege	1788	Setup.exe
Token: SeBackupPrivilege	1788	Setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1464	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1464	iexplore.exe
1464	iexplore.exe
556	IEXPLORE.EXE
556	IEXPLORE.EXE
556	IEXPLORE.EXE
556	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1788	1748	356418109b6500ee66960791ea8a5a9dd77ef1b3f4818d15d3684d2f796dab86.exe	28
PID 1748 wrote to memory of 1788	1748	356418109b6500ee66960791ea8a5a9dd77ef1b3f4818d15d3684d2f796dab86.exe	28
PID 1748 wrote to memory of 1788	1748	356418109b6500ee66960791ea8a5a9dd77ef1b3f4818d15d3684d2f796dab86.exe	28
PID 1748 wrote to memory of 1788	1748	356418109b6500ee66960791ea8a5a9dd77ef1b3f4818d15d3684d2f796dab86.exe	28
PID 1748 wrote to memory of 1788	1748	356418109b6500ee66960791ea8a5a9dd77ef1b3f4818d15d3684d2f796dab86.exe	28
PID 1748 wrote to memory of 1788	1748	356418109b6500ee66960791ea8a5a9dd77ef1b3f4818d15d3684d2f796dab86.exe	28
PID 1748 wrote to memory of 1788	1748	356418109b6500ee66960791ea8a5a9dd77ef1b3f4818d15d3684d2f796dab86.exe	28
PID 1788 wrote to memory of 1464	1788	Setup.exe	29
PID 1788 wrote to memory of 1464	1788	Setup.exe	29
PID 1788 wrote to memory of 1464	1788	Setup.exe	29
PID 1788 wrote to memory of 1464	1788	Setup.exe	29
PID 1788 wrote to memory of 340	1788	Setup.exe	30
PID 1788 wrote to memory of 340	1788	Setup.exe	30
PID 1788 wrote to memory of 340	1788	Setup.exe	30
PID 1788 wrote to memory of 340	1788	Setup.exe	30
PID 1788 wrote to memory of 340	1788	Setup.exe	30
PID 1788 wrote to memory of 340	1788	Setup.exe	30
PID 1788 wrote to memory of 340	1788	Setup.exe	30
PID 1464 wrote to memory of 556	1464	iexplore.exe	33
PID 1464 wrote to memory of 556	1464	iexplore.exe	33
PID 1464 wrote to memory of 556	1464	iexplore.exe	33
PID 1464 wrote to memory of 556	1464	iexplore.exe	33
PID 1464 wrote to memory of 556	1464	iexplore.exe	33
PID 1464 wrote to memory of 556	1464	iexplore.exe	33
PID 1464 wrote to memory of 556	1464	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\356418109b6500ee66960791ea8a5a9dd77ef1b3f4818d15d3684d2f796dab86.exe
"C:\Users\Admin\AppData\Local\Temp\356418109b6500ee66960791ea8a5a9dd77ef1b3f4818d15d3684d2f796dab86.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\temp\Setup.exe
  "C:\Windows\temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.2345.com/?8059
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1464 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\temp\baieksjo.bat
    3⤵
    PID:340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57481b5090cd9913350a195273f1f729

SHA1
aae237c91dd00843c51ad48457fa5508d1a0750e

SHA256
8116d38599f64e6af2ab0d2f0e709394ad85c27287748c0e9b52d8a780c6f95b

SHA512
ba6574bb3e7d3af2d4aefc248a89121edf187ae9b1a34c34461830cc4caeeff108beee80b197f82bb5b33969d31a653427895a805465cae9898faf3e4c9dc8be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

Filesize
562B

MD5
d739ddbda1cbe88ec0d0008a9e358aea

SHA1
d678a6a455ad0b9131520edc2f2a978d6bc71d23

SHA256
945688a12575bb819928ae1923da1418dffc4eb1a04a51786634ce52ceb2314a

SHA512
ca57be2200c1a91e02012342f33d938c4998bfa1ae103bd0c9aa1e180ba96fdfbcf6ee118f870170f8a4e697cec3835d3ac80b3c5ee3f15e5ef712bec2f0ea9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9M92TKNZ.txt

Filesize
608B

MD5
d6c382e02638ed8748f77a2b237412da

SHA1
deddb991025127efe8946b661544a0e974ef4b2f

SHA256
d1fdfafdba510d659ea647347cb33111d80c24be7c031638f1d1b8a83503f86c

SHA512
5ed7ef52fab043fe42cc15777296eac5640cf5237f5591b82c596da80beb2293985be287c301c7126e6c80f69eddfc637d21565af202e40b642693d98f392edf

Download Submit
C:\Windows\Temp\Setup.exe

Filesize
371KB

MD5
86726b83499bfe958ff83918bfb5e57d

SHA1
0fa513a2f7a0a97974b7161e0eb054447064b17d

SHA256
410e85778d9bc4b7f7e7f023913a92c75aceeb6e26769d4f11e33a9aef9998b2

SHA512
d91fb30bfc7d5d21cfce4388f0264ad131bba9e3ef30805364e01051686f5c472e8411dcdc3a564bc63e93bca636207a68212300bd32233f1d391dd4a4006cc5

Download Submit
C:\Windows\temp\Setup.exe

Filesize
371KB

MD5
86726b83499bfe958ff83918bfb5e57d

SHA1
0fa513a2f7a0a97974b7161e0eb054447064b17d

SHA256
410e85778d9bc4b7f7e7f023913a92c75aceeb6e26769d4f11e33a9aef9998b2

SHA512
d91fb30bfc7d5d21cfce4388f0264ad131bba9e3ef30805364e01051686f5c472e8411dcdc3a564bc63e93bca636207a68212300bd32233f1d391dd4a4006cc5

Download Submit
C:\Windows\temp\baieksjo.bat

Filesize
94B

MD5
71d9daa6586985cf41a7fd902c7c8a38

SHA1
fb6d18bebe05d5d2908c2b06b0b8e44f36002b14

SHA256
187e1de762626dde5c1ce86fddb6406f014cb75c4a2b6ebc1c9502145901dd7b

SHA512
619190d93532f50188aa4cccef481cdab2e3674a9a1dc9c68ffb56744d93e36cd508d5c6310b2f8adf96f8c5aebebb63ab345133b82e3ebe725f93a60a0e1481

Download Submit
\Windows\Temp\Setup.exe

Filesize
371KB

MD5
86726b83499bfe958ff83918bfb5e57d

SHA1
0fa513a2f7a0a97974b7161e0eb054447064b17d

SHA256
410e85778d9bc4b7f7e7f023913a92c75aceeb6e26769d4f11e33a9aef9998b2

SHA512
d91fb30bfc7d5d21cfce4388f0264ad131bba9e3ef30805364e01051686f5c472e8411dcdc3a564bc63e93bca636207a68212300bd32233f1d391dd4a4006cc5

Download Submit
\Windows\Temp\Setup.exe

Filesize
371KB

MD5
86726b83499bfe958ff83918bfb5e57d

SHA1
0fa513a2f7a0a97974b7161e0eb054447064b17d

SHA256
410e85778d9bc4b7f7e7f023913a92c75aceeb6e26769d4f11e33a9aef9998b2

SHA512
d91fb30bfc7d5d21cfce4388f0264ad131bba9e3ef30805364e01051686f5c472e8411dcdc3a564bc63e93bca636207a68212300bd32233f1d391dd4a4006cc5

Download Submit
\Windows\Temp\Setup.exe

Filesize
371KB

MD5
86726b83499bfe958ff83918bfb5e57d

SHA1
0fa513a2f7a0a97974b7161e0eb054447064b17d

SHA256
410e85778d9bc4b7f7e7f023913a92c75aceeb6e26769d4f11e33a9aef9998b2

SHA512
d91fb30bfc7d5d21cfce4388f0264ad131bba9e3ef30805364e01051686f5c472e8411dcdc3a564bc63e93bca636207a68212300bd32233f1d391dd4a4006cc5

Download Submit
\Windows\Temp\Setup.exe

Filesize
371KB

MD5
86726b83499bfe958ff83918bfb5e57d

SHA1
0fa513a2f7a0a97974b7161e0eb054447064b17d

SHA256
410e85778d9bc4b7f7e7f023913a92c75aceeb6e26769d4f11e33a9aef9998b2

SHA512
d91fb30bfc7d5d21cfce4388f0264ad131bba9e3ef30805364e01051686f5c472e8411dcdc3a564bc63e93bca636207a68212300bd32233f1d391dd4a4006cc5

Download Submit
memory/1748-58-0x0000000000820000-0x0000000000843000-memory.dmp

Filesize
140KB

Download
memory/1748-62-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1748-54-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1748-57-0x0000000000820000-0x0000000000843000-memory.dmp

Filesize
140KB

Download
memory/1748-56-0x0000000000820000-0x0000000000843000-memory.dmp

Filesize
140KB

Download
memory/1748-55-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads