31f5ad9280ba05df2381aca9b9189751fff733a2973038d3416de3f37648bd2f

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31f5ad9280ba05df2381aca9b9189751fff733a2973038d3416de3f37648bd2f.exe
Size

916KB
MD5

8fcd64e602cd6c95146b5490c0fddd92
SHA1

40dbf670c36428965b8942d8b4880c7b71546d4f
SHA256

31f5ad9280ba05df2381aca9b9189751fff733a2973038d3416de3f37648bd2f
SHA512

4fc1c1fa934b265a0f22634f8f1d21697bd51609dfd0108adaa7b7ea8bbf7cac3ef52e5f5f95e33e1ca99bf4f353dddee4ef47f085be9c2523a914dd58aad928
SSDEEP

24576:YbXiDT8AKoQGbg63Mq/K1W1aoMPcQkdV2zzx:YbXxeg63MqbwVPcbazF

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1956	Setup.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/536-55-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/536-60-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
536	31f5ad9280ba05df2381aca9b9189751fff733a2973038d3416de3f37648bd2f.exe
1956	Setup.exe
1956	Setup.exe
1956	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\baidu	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "82"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "10553"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "20842"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\baidu\URL = "http://www.baidu.com/baidu?tn=flstudios_cb&word={searchTerms}&cl=3&ie=utf-8"	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "82"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "266"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "3701"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "27778"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "32322"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "3689"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "4831"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "2541"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "4831"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "26648"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "30038"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "35736"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "35745"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "249"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "2541"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "24256"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "266"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "12837"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "31192"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "34606"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "228"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "3671"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "17405"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "25494"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "33452"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c26cbac7be74c742a7650a2ca9e081d20000000002000000000010660000000100002000000021e9538bfcfc306fbc6705bf88248fb22b5a6daa7e094598008cc0225a557a2f000000000e800000000200002000000099fe4bed1d8a7091270091b079a6a04ae2bd5e34df789f1e9c63e2b481ccc344500000002b4661d034b014f3d7527691f99d40d2e8055096ffa2db513d1241896da3e7ce4475155ec540307d9e6e3d5d5b5381e3bdaabf6c82b94d2f4863fc9b9b5cfcf28877cf010bb2ae2423e6b5065988f84640000000607b6f0a6f7e30a643705daed8c2d216eae7a8a5869aa12f4cabd9fb0855f453232f475de67b9a09d00cdbe544f908cfb409b14f823fb8fee02d4f2cdc569a2d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c26cbac7be74c742a7650a2ca9e081d200000000020000000000106600000001000020000000a9c65b19b3197eeb63cc3abe33205368de0d8fca290d1aeb2d34510a9b2533ce000000000e8000000002000020000000ccdd1e247732aaf1c2ce64d3c720cf60576e719a8ac2f3b089479cfe0e790ed990000000d39b42cac9f81841ba51124a7a725c6c7223d548d6ad2865d44a691b4a238b982be7640e243c72b76cb9142baaeba37b763bd5a306e939b03ac84879ba1490a6fd019ea0d1734e7357a2bda2b2b38ef219fa32a7397ac22204a1a55344e68b7925930f0d499148c910761d3ad361d705e3222059fb0bb2b8f69f5998ba8bc50ed02ff148c5d6f45c28f364f37c429c7e4000000069dc3df97fc10cf94b466f7b2e6ee015b1a6c174365c017ff46f906ce58ec681259d69cea4027d53c9390bae9b8e21787b9a07333d31083f92a753ccf9f290ef	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "228"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "281"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "12837"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "27778"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "31192"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{97E677B1-7955-11ED-8716-EAF6071D98F9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "281"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "13991"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\2345.com\Total = "32322"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "44"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "180"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "5985"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "19689"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1411"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2345.com\ = "3671"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "3701"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "4831"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "24364"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "baidu"	Setup.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.9365.info"	Setup.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\InfoTip = "Internet Explorer ä¯ÀÀÆ÷"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\ÊôÐÔ(&R)\Command	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\DefaultIcon	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ShellFolder\HideFolderVerbs	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ = "Internet Explorer"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\Open(&O)\Command	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\Open(&O)	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\Open(&O)\ = "´ò¿ªÖ÷Ò³(H)"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\ÊôÐÔ(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ShellFolder\WantsParseDisplayName	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\Open(&O)\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe % http://www.9365.info"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\ÊôÐÔ(&R)	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ShellFolder	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ShellFolder\HideOnDesktopPerUser	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.9365.info"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ShellFolder\ = "C:\\Windows\\SysWow64\\ieframe.dll,-190"	Setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ShellFolder\Attributes = "0"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ShellFolder\HideAsDeletePerUser	Setup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	536	31f5ad9280ba05df2381aca9b9189751fff733a2973038d3416de3f37648bd2f.exe
Token: SeBackupPrivilege	536	31f5ad9280ba05df2381aca9b9189751fff733a2973038d3416de3f37648bd2f.exe
Token: SeRestorePrivilege	1956	Setup.exe
Token: SeBackupPrivilege	1956	Setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
956	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
956	iexplore.exe
956	iexplore.exe
552	IEXPLORE.EXE
552	IEXPLORE.EXE
552	IEXPLORE.EXE
552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1956	536	31f5ad9280ba05df2381aca9b9189751fff733a2973038d3416de3f37648bd2f.exe	28
PID 536 wrote to memory of 1956	536	31f5ad9280ba05df2381aca9b9189751fff733a2973038d3416de3f37648bd2f.exe	28
PID 536 wrote to memory of 1956	536	31f5ad9280ba05df2381aca9b9189751fff733a2973038d3416de3f37648bd2f.exe	28
PID 536 wrote to memory of 1956	536	31f5ad9280ba05df2381aca9b9189751fff733a2973038d3416de3f37648bd2f.exe	28
PID 536 wrote to memory of 1956	536	31f5ad9280ba05df2381aca9b9189751fff733a2973038d3416de3f37648bd2f.exe	28
PID 536 wrote to memory of 1956	536	31f5ad9280ba05df2381aca9b9189751fff733a2973038d3416de3f37648bd2f.exe	28
PID 536 wrote to memory of 1956	536	31f5ad9280ba05df2381aca9b9189751fff733a2973038d3416de3f37648bd2f.exe	28
PID 1956 wrote to memory of 956	1956	Setup.exe	29
PID 1956 wrote to memory of 956	1956	Setup.exe	29
PID 1956 wrote to memory of 956	1956	Setup.exe	29
PID 1956 wrote to memory of 956	1956	Setup.exe	29
PID 1956 wrote to memory of 1452	1956	Setup.exe	30
PID 1956 wrote to memory of 1452	1956	Setup.exe	30
PID 1956 wrote to memory of 1452	1956	Setup.exe	30
PID 1956 wrote to memory of 1452	1956	Setup.exe	30
PID 1956 wrote to memory of 1452	1956	Setup.exe	30
PID 1956 wrote to memory of 1452	1956	Setup.exe	30
PID 1956 wrote to memory of 1452	1956	Setup.exe	30
PID 956 wrote to memory of 552	956	iexplore.exe	33
PID 956 wrote to memory of 552	956	iexplore.exe	33
PID 956 wrote to memory of 552	956	iexplore.exe	33
PID 956 wrote to memory of 552	956	iexplore.exe	33
PID 956 wrote to memory of 552	956	iexplore.exe	33
PID 956 wrote to memory of 552	956	iexplore.exe	33
PID 956 wrote to memory of 552	956	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\31f5ad9280ba05df2381aca9b9189751fff733a2973038d3416de3f37648bd2f.exe
"C:\Users\Admin\AppData\Local\Temp\31f5ad9280ba05df2381aca9b9189751fff733a2973038d3416de3f37648bd2f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\temp\Setup.exe
  "C:\Windows\temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.2345.com/?8059
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:956 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\temp\baieksjo.bat
    3⤵
    PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b895553d057e04960cc524105a709535

SHA1
b74f066959f6c1fc787f568681584649d667bce5

SHA256
6d900cdda793f924c1cc40f1e11cac45101930c9d5a1a6ef33b8a0395bc1d3f3

SHA512
edabf1e1ca290d5a661ef178090e51f93cca7bba5a9c3b0a2b7018a90e625bac24d9e30b0723e854276c9cee19d70e1cc63dfdd953228e79db9425b6cd92b820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
4KB

MD5
2d8992b2b1534cbecc562318589b93cf

SHA1
a5166af18216b5be3e577612eb192b90d549ffbe

SHA256
f41c1725482e79aec2ca0797089e289f3960459d064f2c9a6ed3bde79cd54d48

SHA512
17e3f7c97d6daef94a716b395fffcf46ebef79adc0104be6bf4bcdf59b9edcd079f39d44673f6b02d31c334f5a2eaa16071a05e04bf93e3c81e38d4ffb3e316a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FLIB5AO9.txt

Filesize
608B

MD5
051acda16f6c035e4620030a66c5d72c

SHA1
6d56112691420c4153227d2a1c55c9c86895b080

SHA256
15c0d1d000f7caa8b77644724b954da303808d94ad5bdd51eb46e131e9813f35

SHA512
cc675f4dd7389b9b33a5961b195bf3191edec55381598178bb031487d75b7e0d45553df05f9607df20a707b76152a82d1dd6a472695422d96d5e97bdb631fabe

Download Submit
C:\Windows\Temp\Setup.exe

Filesize
371KB

MD5
86726b83499bfe958ff83918bfb5e57d

SHA1
0fa513a2f7a0a97974b7161e0eb054447064b17d

SHA256
410e85778d9bc4b7f7e7f023913a92c75aceeb6e26769d4f11e33a9aef9998b2

SHA512
d91fb30bfc7d5d21cfce4388f0264ad131bba9e3ef30805364e01051686f5c472e8411dcdc3a564bc63e93bca636207a68212300bd32233f1d391dd4a4006cc5

Download Submit
C:\Windows\temp\Setup.exe

Filesize
371KB

MD5
86726b83499bfe958ff83918bfb5e57d

SHA1
0fa513a2f7a0a97974b7161e0eb054447064b17d

SHA256
410e85778d9bc4b7f7e7f023913a92c75aceeb6e26769d4f11e33a9aef9998b2

SHA512
d91fb30bfc7d5d21cfce4388f0264ad131bba9e3ef30805364e01051686f5c472e8411dcdc3a564bc63e93bca636207a68212300bd32233f1d391dd4a4006cc5

Download Submit
C:\Windows\temp\baieksjo.bat

Filesize
94B

MD5
71d9daa6586985cf41a7fd902c7c8a38

SHA1
fb6d18bebe05d5d2908c2b06b0b8e44f36002b14

SHA256
187e1de762626dde5c1ce86fddb6406f014cb75c4a2b6ebc1c9502145901dd7b

SHA512
619190d93532f50188aa4cccef481cdab2e3674a9a1dc9c68ffb56744d93e36cd508d5c6310b2f8adf96f8c5aebebb63ab345133b82e3ebe725f93a60a0e1481

Download Submit
\Windows\Temp\Setup.exe

Filesize
371KB

MD5
86726b83499bfe958ff83918bfb5e57d

SHA1
0fa513a2f7a0a97974b7161e0eb054447064b17d

SHA256
410e85778d9bc4b7f7e7f023913a92c75aceeb6e26769d4f11e33a9aef9998b2

SHA512
d91fb30bfc7d5d21cfce4388f0264ad131bba9e3ef30805364e01051686f5c472e8411dcdc3a564bc63e93bca636207a68212300bd32233f1d391dd4a4006cc5

Download Submit
\Windows\Temp\Setup.exe

Filesize
371KB

MD5
86726b83499bfe958ff83918bfb5e57d

SHA1
0fa513a2f7a0a97974b7161e0eb054447064b17d

SHA256
410e85778d9bc4b7f7e7f023913a92c75aceeb6e26769d4f11e33a9aef9998b2

SHA512
d91fb30bfc7d5d21cfce4388f0264ad131bba9e3ef30805364e01051686f5c472e8411dcdc3a564bc63e93bca636207a68212300bd32233f1d391dd4a4006cc5

Download Submit
\Windows\Temp\Setup.exe

Filesize
371KB

MD5
86726b83499bfe958ff83918bfb5e57d

SHA1
0fa513a2f7a0a97974b7161e0eb054447064b17d

SHA256
410e85778d9bc4b7f7e7f023913a92c75aceeb6e26769d4f11e33a9aef9998b2

SHA512
d91fb30bfc7d5d21cfce4388f0264ad131bba9e3ef30805364e01051686f5c472e8411dcdc3a564bc63e93bca636207a68212300bd32233f1d391dd4a4006cc5

Download Submit
\Windows\Temp\Setup.exe

Filesize
371KB

MD5
86726b83499bfe958ff83918bfb5e57d

SHA1
0fa513a2f7a0a97974b7161e0eb054447064b17d

SHA256
410e85778d9bc4b7f7e7f023913a92c75aceeb6e26769d4f11e33a9aef9998b2

SHA512
d91fb30bfc7d5d21cfce4388f0264ad131bba9e3ef30805364e01051686f5c472e8411dcdc3a564bc63e93bca636207a68212300bd32233f1d391dd4a4006cc5

Download Submit
memory/536-60-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/536-61-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/536-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/536-56-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/536-55-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads