2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df

Analysis

max time kernel
126s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-04-2023 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
Size

539KB
MD5

b6a7b3fc99d71c87afc3856856cb4602
SHA1

997c27f1efa078dcd3c7c17424979ac8607d38c1
SHA256

2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df
SHA512

310465f12490ca1a91dd93d3a77bc68654ad33bdd168a9cc5e73e7f2cbcaac3778e40557d621b07d997bd40332359ea29aa012009d245053651f32244e3e060a
SSDEEP

12288:qSBNOlXxDWKz7K8mNuwBwDhwd261vF14YrcbEnq5JujEC+aW9L:zY01ObwS0jEC+aW9L

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe

pid process

2040 2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1063

Processes:

2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Launcher	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Launcher	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe

description ioc process

File opened for modification \??\PhysicalDrive0 2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe

pid	process
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fba6cfbdd4578d48a4e75475bed73c6a0000000002000000000010660000000100002000000018d22c769365dabbe01f8fbd333881a665d9623cc9928ae2f5c98dd2ff4cf6bf000000000e8000000002000020000000573de0539af1f113cca46e1ab70b7bc1275add1fbd5a19a27b33e7f8dc584c819000000071d73fb812f8609f3768d646224b28cfbeecbb166171ab24948469eb83740804f999bd46523b0e477067f0ee216d864c15248c4afbfde6aedf2735d0286793160d97b9baeab40505519d1dc0d71636c387f7f410ab22b8356a0d17f67aa64bf60d0f56ed9ddb673f7e30f2a9f74a972409f8a3aea593ba94b98f75150d8eb21ae0ac8fcc4b025667c4cb8a545f72d8dc40000000352ed27981b5f777f0e3e63dac7d00f6e05b725e6813e15b2f7b5f893bc5bb153154dae54ac4e2a0d1d9d05a3269bda1a81b185d0cd596a9154bf664390fb9a1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fba6cfbdd4578d48a4e75475bed73c6a0000000002000000000010660000000100002000000088de432df8424f57459f641c1e3c08fb7d555110d684d890429fd369447b6bcd000000000e800000000200002000000002a57a96163d01a3c6f2fb24c63f88c72998516f9be928c4afa2859c3bf0b8872000000085cf3418bc81aca932807d23e0efa00248fc5c150673e54183d1f9f8509e5f4740000000d792717f7b94103dde2517b4dbc63f67c24a564070dcff30177afd5301060d6a5d4fac1ca805d7f676241cce7908dd5b01c010ba0f29e5d3a87aa16314124b18	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8094aa5de568d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "387591162"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{81716471-D4D8-11ED-B5F0-D28FF4BEF639} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe

pid	process
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1664 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1664 iexplore.exe
1664 iexplore.exe
700 IEXPLORE.EXE
700 IEXPLORE.EXE
700 IEXPLORE.EXE
700 IEXPLORE.EXE

pid	process
1664	iexplore.exe

pid	process
1664	iexplore.exe
1664	iexplore.exe
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exeiexplore.exe

description	pid	process	target process
PID 2040 wrote to memory of 1664	2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe	iexplore.exe
PID 2040 wrote to memory of 1664	2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe	iexplore.exe
PID 2040 wrote to memory of 1664	2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe	iexplore.exe
PID 2040 wrote to memory of 1664	2040	2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe	iexplore.exe
PID 1664 wrote to memory of 700	1664	iexplore.exe	IEXPLORE.EXE
PID 1664 wrote to memory of 700	1664	iexplore.exe	IEXPLORE.EXE
PID 1664 wrote to memory of 700	1664	iexplore.exe	IEXPLORE.EXE
PID 1664 wrote to memory of 700	1664	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe
"C:\Users\Admin\AppData\Local\Temp\2730f3fde032339327806f31b491fb4254718f4ce607d6d18f17f14259b107df.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://baoku.360.cn/
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Security Software Discovery

T1063

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8
Filesize
2KB

MD5
b89d0790998ffce54f3492dd57a8f515

SHA1
8db7ddc3275e99279703e7d22c0525515fdeb64a

SHA256
8b95a9134a8139b7d225cc16379acb33dd12ddcd6937386f83b3a448455458e6

SHA512
b434ae0ad7842b5a7bcc23de326fc2e4aa09d46814b10f49a19a7b6d6a09a0c27718d1bf8b91f4dcee29de9cbd95abf3dcb84774b596e3af009dbc5bbf5155c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
c97719e1ef3b8a984fefecd795e00952

SHA1
840ddea4fb5b5bd686561ca3773e41ec0bb6eebc

SHA256
b2e05305cab46dd563531bf03b63104237845b7279f7b986d8659bf63f3de3a0

SHA512
bb24c4e897b044615c19d1d8496d73c8ed2a058d44167099616c9f02707409ca3a50d39ff4a1d644586fbda3bf797f2b62251a631b7379c39f9a912d446c54b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8
Filesize
488B

MD5
1f33d1d68de3ef136d447dfb3098eea2

SHA1
f32cfe9130f5fe6bbb75a6586b1569a876d12ca8

SHA256
829b7cbc771aa0fce79cf127d7084287936fe44777b3286fe902701ff5314b3d

SHA512
73ae35a2ae56ac034f9ee558ca4e9300b67782451441320212d5bf6d0c5998dbdc9898142d40d810ca52de196d6340100bc650f955f800115c1104134f92d55d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
2ce28f616ac68f12c4b6261abc3cd9fd

SHA1
0af2b459ea1dd87f67ef5afd1e875a14bed34f27

SHA256
ae93c873cfd6b52bcf411e22f784d7888656f1394bdcbbadc39bc1bfed6b59f9

SHA512
a01db1da0f9add0e075c3d8c7d9e7eb374533112a3372dd0ed7869f4a2e906ab3aec68a212340f9e9a8b0cfbadf09132c8d56ca3ef4be143564e0eea70b1b72b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
784346848e8cc76d43f29a7fb87d7a68

SHA1
fec08b35ce1a15a728e13dece58b07bade8bef65

SHA256
955f5230f6fa19ee5c3821bdbfcf744128d7698c027a62e49d80ebb0bd084803

SHA512
fc747e4743df026e98c3df6c6d4b7aff5127b5a775f61b31eb4fd5a93bb8c7713abdcd169cb76a530d0efc4669d6ac05919d0877f3e503d8ad3b694a07f072a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
a67fe312246758ff5bb961d90e3843e6

SHA1
3134f832bbb77ca1a3733c746aefb3523073fca0

SHA256
bfbf1ce90cde0542fd5bb25c9972b67b81033f8bb1016b43405744175ace5d1e

SHA512
bf91fe57292303ba51dd1772d16c6787f01c5d4f7ce10cb32ee38ad46ad082ce58c1bc8aba2a6c361dc20e4e5456b54cf16a6d463c7469ca8c71d426b40ff517

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
57cb4b63acd44b8f2c4c6fda389f27b9

SHA1
0d8bb3e8b6d8b6ca3f09e66bdda1b19cf60ef519

SHA256
5c1e5a7f730d6772e1eb61fb6d51f9e9cfe86f887b7371e65b4bdc29eea6904d

SHA512
f0d645cc1b3cc05ba4d7778883affc33c7ecc93a16a7601e5acc981068d9c5089db9e6a92a2ad8610dbeb35c20aec4d7bfa8027cd450dcf512b9ec81d3aa2cec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
4e06e2f4cb63263d6d94ad7aef4fce9a

SHA1
5fcabb2f519cb68aca36af9904e1d805e492fbbe

SHA256
e83a7057b24bb972a2971a72735a23a4df0395518037acc8c0353ee99d57cf0f

SHA512
f4be8afd0b006cf3df1097a2a721b8509a28ff7e488c40d93207e4387f0151fdee750c67f6b5e227fa8e2f4627237ae8b0b93c8ecb98e0b0ccfacd2aa9f36953

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
2bb428b3db68b7dc7180f9a2c0b89cf1

SHA1
b1ad4833142cd70a0f9efcbfa70b175a799334e4

SHA256
3a2a76ae4294e3c0e74ec16b21427dd66075f10249e6d35d302d6e28de4d12d7

SHA512
e49cba435933e55546ad8cd991e50d1d22c566b8a0a1c5267bfcf4d80d35c2be6e0ec3f309fed3a1bd7d4df14caa8721f40e8586a6e6ddca7078ff549bac5e46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
d24cd9fc018e21a67af9856b2bc44e67

SHA1
da9d008f41d637faed03c98e35bc8b524fad4e1f

SHA256
0e40e564e9d4608dae37c728d73beeaabfd6d7bf2a72ca58c67597b601e89abf

SHA512
efb36fce3b832b92f4d5478b39ed80c245359968b3b5593d9db6bd52d121dbed7624f1e12d83936236153a616423288656e531fbafb92f89e860e85729b9199d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
d81caf6cb3b5b503b9e3cf0c3e8eaf7c

SHA1
809fb1b9cbcd995868a0d9f8e1c046fc3ac974c2

SHA256
cb91c0e48b1198c8a660e5e8dcf12c1ce88e56419019b22bbcd9ea358c6e9b4a

SHA512
302f8f974d269519acc55ba120a89d2b6030f29dbd7da414aa0517f5c9d4ed33c69007ab7f6989c0def3d3d7d488d4b18a975a485ace6b0e5d4ed61438648f78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
d8cc13ac7ac9b2eb234f25d0276ca69a

SHA1
c6d63e26e16e3287c496f6dda895994177684122

SHA256
b34147d788af34b69cf44e0b3be79c9fd181d275fd2ab316e54c6ee358788467

SHA512
fa3f1b17463e3caedc60902a85e4003e2d3d2c3c16d613925351468f0f41b71b4e0bcbfc1fd7ac95219f8ab6f0459ba367419093033c50a15881668936b63703

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
ad091c0fa568d7ba04a518fe4a1e8b52

SHA1
bb5ac9d7ad58c82e4400f4b09f2ec36ba4d1422d

SHA256
f4a2b41f1bd0ffa7edb4dc3ec8d7cac3dda1fffe7318a5613d0e94d876717ea8

SHA512
4f3c8de25ad3f65359e10cbf1e0ced284eebbd55e66a60669ce575eac29e06055192a84f42a5121d26b298f0021b14b43e460e62563866941cdf51a23535c76f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
17485994d9b71e0d8708f37f51859361

SHA1
bfebb1b9841b7cecf879b41a9d10fabb51b33580

SHA256
91562a37069142622787cc61afe83504750550a0679a14dc334717b8fab5933d

SHA512
d6fff68de0922262cef89b254e58ac33fc997c1de86347252753ae15c94901038ca053ec001e832b2ac4699400ce65489aea9eab7aeabcd6f3821f9b8cee77c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
97e337573723da2aec9c5b1147d62d4e

SHA1
82b6051e2a4fc21f4e077af27285889b304bc115

SHA256
58e48e7a1504e469c8fd170e58532aba2549872a0c2e68d330d421b6fe289a04

SHA512
c7e8dcbc1854f29a5e7fdf9002ee0aac9b38bda344d1ef26ddb00f9202d28d91da74a3afb2cf6692854268180afec092fbfa896ece9a892bb0321b85bfa2f890

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
8440249e2104b3945b9cea95c78ae9f2

SHA1
6295ef3c2c3baaba261ec6f4a9e53323ede6a24e

SHA256
bcf737536db69534b108b3974e8c218589aa718113af7d77e66779c7ae013371

SHA512
1c2493597e31f64d2feab0275a4c0da20545b7451dfde7c962d932ed9f92d44dda072e08963f99493698800bec07244f584372111730353bb5b89a75a1ae97e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
f8ba4727da0f2206aea196cba4b213bf

SHA1
a79a0fafa44181cdfe502243fe5fd2a8a13c5225

SHA256
1677620b5cc2ccd64a4886e6f46da686b0562a76be0c7297c2e860d3f8e6a486

SHA512
4de59859babec772528a49093d7ee269c50afa6706b30d234861cee85d4f3ff76da8b7ee0d0d96ac1c236d5f98ef2d3d60561e7bbde42a63f9cf01d149f3fada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\idyde9r\imagestore.dat
Filesize
8KB

MD5
49926368aaf7a93e00bba03618e6a867

SHA1
7c0437780fb025e921fcc42056e363e54621c937

SHA256
fa436d0ba5b88164a999f014d4ffbca2dc3eb08236a9688465607fb119c7606d

SHA512
1335e9fbfd2c8887af21d67368c1cc69f36c8e517bef1432da3d3426b46df051d1335815552affb534d581d5fd731254ed5cbec8f54c0de8f3487c3918d8123a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACT9UUKV\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIMPJA9E\favicon[2].ico
Filesize
4KB

MD5
0594c8476c1957012bbc496cc29da604

SHA1
4bc600a1cfe87d89ce3cd94179534493ccb03676

SHA256
2306f37c1ddc67dde8d831c24d9e5db7ce391047736a7921f8935d3774a59b64

SHA512
bc0f041f3f51bc1cfb7a63e81833358d4baf660ba81cb74e2220a2f07d775ab6cc34032cb9f0728f7489974df15608c4e40a7b221879e7bb7e813ecfce61c49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab28C7.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2B50.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8Y2Q4H68.txt
Filesize
600B

MD5
f4f01cd5534a668f1f1726049e5bfa40

SHA1
565ac40d2e6532341a7366b5e8d0e058f2f345f2

SHA256
e2eb70f25050ac6cb782b8edcc9f2304789880c56ce502b09e6858f2854a8518

SHA512
b11a94429254bd28f553ca1de7620fe1bc98be1809187c94b7ceef382c9e1aeb78f24629fdad7db6847b14d65a7e53f9c3f983c80e2af5a539add98f789e8bfb

Download Submit
\Users\Admin\AppData\Local\Temp\cUfTsMjLkUeGoHyV\360ini.dll
Filesize
4.2MB

MD5
11f2c5eb90ee5bfb92ca6d83f699dd58

SHA1
b3b83df9bb699e69280ccf13fc46473f2c82ef51

SHA256
6a1045a9947b3d401c027360af042b16f642be10426ccda65a9e705314c483f9

SHA512
0eeb2363e013e8f3b9ee75c8e190a8d992791d174f9035f5aec7ba25a18e73e1c0076c5f7946597f9644fda6bdd28a5ea5a730aed1b067ac4269abb5f71017db

Download Submit
memory/2040-54-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download