8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602

General

Target

8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
Size

2.6MB
MD5

3969d66217dd5e9294e3bc12238ec015
SHA1

8b11c927db8cadd7f110f5bfbc484da0a24d30b0
SHA256

8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602
SHA512

20e457477c83b989fefa85408b0a5d297f9c1a88269ef14de501196cbada0ab3894ba1ba35a77667773ea933b4f2e2832265eb5dd631fc6f39b9b2c314ca87a5
SSDEEP

24576:6hEONbTbDIUKq07ftBbjS30BOVCl24NyGz4AdME9jP4OZ1EOjOOtEP5Q1iZK/8q7:6hXwBjjEOqqQWPbdY6HMEb

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2128-143-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-145-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-146-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-147-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-148-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-150-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-152-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-154-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-156-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-158-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-160-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-162-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-164-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-166-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-168-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-170-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-172-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-174-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-176-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-178-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-180-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-182-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-184-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-186-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx
behavioral2/memory/2128-188-0x00000000024A0000-0x00000000024DE000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DOMStorage\51pc114.cn	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\51pc114.cn\NumberOfSubdomains = "1"	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\51pc114.cn\Total = "63"	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\51pc114.cn	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DOMStorage\ad.51pc114.cn	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ad.51pc114.cn\ = "63"	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com\NumberOfSubdomains = "1"	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
2128	8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe

C:\Users\Admin\AppData\Local\Temp\8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe
"C:\Users\Admin\AppData\Local\Temp\8b5ae71879cf11664bf2e4e5d40c0d6b207925d1bf26d726c8f5042daf7e8602.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\IO3YU2P7\t.captcha.qq[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\c_login_2[1].js

Filesize
204KB

MD5
5c56c7e2ce8b0c51b12fcac5a0ad69ef

SHA1
0ef50cd1d00728be4f7ada4f6d8495e3996e7a3f

SHA256
a884159d750c77a6c2edd5f904277c81def28b0d24c5ddee9e9d18bf6c8cdc83

SHA512
22f1f1828102c00c4a94643818b0011acb6bfc8c98b8656272c1d1152fca1ab64cdf62b20680eb0381c465b9cc5adde20ee526efb36ed8a8a1f79b6a2c33a0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N30005\WebBrowser2.fne

Filesize
256KB

MD5
3a3d1dceb97ed5d5910bafa045792079

SHA1
e165fe1cad177b536899926bb4d7a87b9ad8e750

SHA256
10d234ec2a647149e418af38ab0ddc93f263847400b3cb8ebd54417cf75850e4

SHA512
ef49cbe023b298f1e0bfc1e79f64b53d121b5a546a892f5b04550550890d045ecc29d34461ca1e222707c0428714e48a7b4459a38c066478be3dc64b72190776

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N30005\WebBrowser2.fne

Filesize
256KB

MD5
3a3d1dceb97ed5d5910bafa045792079

SHA1
e165fe1cad177b536899926bb4d7a87b9ad8e750

SHA256
10d234ec2a647149e418af38ab0ddc93f263847400b3cb8ebd54417cf75850e4

SHA512
ef49cbe023b298f1e0bfc1e79f64b53d121b5a546a892f5b04550550890d045ecc29d34461ca1e222707c0428714e48a7b4459a38c066478be3dc64b72190776

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N30005\iext.fnr

Filesize
204KB

MD5
856495a1605bfc7f62086d482b502c6f

SHA1
86ecc67a784bc69157d664850d489aab64f5f912

SHA256
8c8254cb49f7287b97c7f952c81edabc9f11f3fa3f02f265e67d5741998cf0bf

SHA512
35a6e580cd362c64f1e1f9c3439660bd980ec437bd8cabbdc49479ceb833cd8cb6c82d2fb747516d5cfcf2af0ba540bc01640171fbe3b4d0e0a3eeeaa69dd1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N30005\iext.fnr

Filesize
204KB

MD5
856495a1605bfc7f62086d482b502c6f

SHA1
86ecc67a784bc69157d664850d489aab64f5f912

SHA256
8c8254cb49f7287b97c7f952c81edabc9f11f3fa3f02f265e67d5741998cf0bf

SHA512
35a6e580cd362c64f1e1f9c3439660bd980ec437bd8cabbdc49479ceb833cd8cb6c82d2fb747516d5cfcf2af0ba540bc01640171fbe3b4d0e0a3eeeaa69dd1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N30005\krnln.fnr

Filesize
1.2MB

MD5
ce8ca9c229b592c80748d9fb6b2665c3

SHA1
c6b51efc54890ea1c000b62f6802fb1d52cddfe4

SHA256
7407075cd36939f1afdf9e4b15e6b2339367c80ce2affe63028833e47dbc4e13

SHA512
f09268a626ff955e2660047d9cae8ee13917baf0626534e157d334cd37985e1db22c46702e666496c77aa7227432a2182e151a7d342853ef1a375b87806c5f8b

Download Submit
memory/2128-154-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-180-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-133-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2128-156-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-158-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-160-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-162-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-164-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-166-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-168-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-170-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-172-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-174-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-176-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-178-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-152-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-182-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-184-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-186-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-188-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-150-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-148-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-192-0x0000000004950000-0x0000000004994000-memory.dmp

Filesize
272KB

Download
memory/2128-147-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-199-0x0000000004B30000-0x0000000004B71000-memory.dmp

Filesize
260KB

Download
memory/2128-146-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-217-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2128-280-0x000000000BC00000-0x000000000BD00000-memory.dmp

Filesize
1024KB

Download
memory/2128-282-0x000000000BC00000-0x000000000BD00000-memory.dmp

Filesize
1024KB

Download
memory/2128-145-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download
memory/2128-143-0x00000000024A0000-0x00000000024DE000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing