79eba95155306bb40322960e71813d3e073f56dd427857ef2bd0985b6b15f733

Analysis

max time kernel
146s
max time network
171s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 21:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3e228a6ae12748e92fad02d2f32b41da.exe
Size

108KB
MD5

3e228a6ae12748e92fad02d2f32b41da
SHA1

c908a9b3f11a09931883d7725aaf6ee0764696c2
SHA256

79eba95155306bb40322960e71813d3e073f56dd427857ef2bd0985b6b15f733
SHA512

88088c7f8279d0a05e898e5aff9f369a563c08c6ed36c56af1581cac4da8a79be405e6829015f789795bf124ec487ac3904646aea6aafb6cf106e0db296df69b
SSDEEP

1536:cXoahnLiXUnpncVZRoOvnpKZb+1dG4ZsfLKBFbfcOOT8bTnNhsnXRQ:xUQwnc/RoOxKN+1dG6sLCF4OmmTNhi

Score

7^/10

adware evasion persistence stealer trojan

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BDB24A.pif	3e228a6ae12748e92fad02d2f32b41da.exe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BDB24A.pif	3e228a6ae12748e92fad02d2f32b41da.exe.exe

Executes dropped EXE 2 IoCs

pid	Process
2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe
2100	KCYFRIE8.EXE

Loads dropped DLL 4 IoCs

pid	Process
1708	3e228a6ae12748e92fad02d2f32b41da.exe
1708	3e228a6ae12748e92fad02d2f32b41da.exe
1708	3e228a6ae12748e92fad02d2f32b41da.exe
2100	KCYFRIE8.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3e228a6ae12748e92fad02d2f32b41da.exe.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\ZMCYJZ\2EKRHPLT4I4.exe	3e228a6ae12748e92fad02d2f32b41da.exe
File opened for modification	C:\Program Files\ZMCYJZ\2EKRHPLT4I4.exe	3e228a6ae12748e92fad02d2f32b41da.exe
File created	C:\Program Files\ZMCYJZ\KZFM7O.exe	3e228a6ae12748e92fad02d2f32b41da.exe
File opened for modification	C:\Program Files\ZMCYJZ\KZFM7O.exe	3e228a6ae12748e92fad02d2f32b41da.exe
File created	C:\Program Files\AU1WQ83GGV\D509ZWF.exe	KCYFRIE8.EXE
File opened for modification	C:\Program Files\AU1WQ83GGV\D509ZWF.exe	KCYFRIE8.EXE
File created	C:\Program Files\AU1WQ83GGV\0HZUT1TGJ1P.exe	KCYFRIE8.EXE
File opened for modification	C:\Program Files\AU1WQ83GGV\0HZUT1TGJ1P.exe	KCYFRIE8.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\wlotcfsdjaxnjhy.dll	3e228a6ae12748e92fad02d2f32b41da.exe.exe
File created	C:\Windows\WLOTCFSDJAXNJHY.txt	3e228a6ae12748e92fad02d2f32b41da.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language Encoding"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}\ProgID\ = "Thunder.xunlei.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}\ = "xunlei Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\PROGID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8EC3AF15-5E74-204A-92F4-DEB03A62AF6F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0\win32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0\win32\ = "c:\\windows\\wlotcfsdjaxnjhy.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\SCRIPTHOSTENCODE	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\ = "JScript Language Encoding"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2604	reg.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1708	3e228a6ae12748e92fad02d2f32b41da.exe
1708	3e228a6ae12748e92fad02d2f32b41da.exe
2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe
2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe
2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe
2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe
2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe
2100	KCYFRIE8.EXE
2100	KCYFRIE8.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2492	1708	3e228a6ae12748e92fad02d2f32b41da.exe	28
PID 1708 wrote to memory of 2492	1708	3e228a6ae12748e92fad02d2f32b41da.exe	28
PID 1708 wrote to memory of 2492	1708	3e228a6ae12748e92fad02d2f32b41da.exe	28
PID 1708 wrote to memory of 2492	1708	3e228a6ae12748e92fad02d2f32b41da.exe	28
PID 2492 wrote to memory of 2100	2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe	29
PID 2492 wrote to memory of 2100	2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe	29
PID 2492 wrote to memory of 2100	2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe	29
PID 2492 wrote to memory of 2100	2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe	29
PID 2492 wrote to memory of 2556	2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe	30
PID 2492 wrote to memory of 2556	2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe	30
PID 2492 wrote to memory of 2556	2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe	30
PID 2492 wrote to memory of 2556	2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe	30
PID 2492 wrote to memory of 2556	2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe	30
PID 2492 wrote to memory of 2556	2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe	30
PID 2492 wrote to memory of 2556	2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe	30
PID 2492 wrote to memory of 2640	2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe	31
PID 2492 wrote to memory of 2640	2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe	31
PID 2492 wrote to memory of 2640	2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe	31
PID 2492 wrote to memory of 2640	2492	3e228a6ae12748e92fad02d2f32b41da.exe.exe	31
PID 2640 wrote to memory of 2604	2640	cmd.exe	33
PID 2640 wrote to memory of 2604	2640	cmd.exe	33
PID 2640 wrote to memory of 2604	2640	cmd.exe	33
PID 2640 wrote to memory of 2604	2640	cmd.exe	33
PID 2640 wrote to memory of 2628	2640	cmd.exe	34
PID 2640 wrote to memory of 2628	2640	cmd.exe	34
PID 2640 wrote to memory of 2628	2640	cmd.exe	34
PID 2640 wrote to memory of 2628	2640	cmd.exe	34
PID 2640 wrote to memory of 2648	2640	cmd.exe	35
PID 2640 wrote to memory of 2648	2640	cmd.exe	35
PID 2640 wrote to memory of 2648	2640	cmd.exe	35
PID 2640 wrote to memory of 2648	2640	cmd.exe	35
PID 2640 wrote to memory of 2648	2640	cmd.exe	35
PID 2640 wrote to memory of 2648	2640	cmd.exe	35
PID 2640 wrote to memory of 2648	2640	cmd.exe	35
PID 2640 wrote to memory of 2660	2640	cmd.exe	36
PID 2640 wrote to memory of 2660	2640	cmd.exe	36
PID 2640 wrote to memory of 2660	2640	cmd.exe	36
PID 2640 wrote to memory of 2660	2640	cmd.exe	36
PID 2640 wrote to memory of 2660	2640	cmd.exe	36
PID 2640 wrote to memory of 2660	2640	cmd.exe	36
PID 2640 wrote to memory of 2660	2640	cmd.exe	36
PID 2640 wrote to memory of 1100	2640	cmd.exe	37
PID 2640 wrote to memory of 1100	2640	cmd.exe	37
PID 2640 wrote to memory of 1100	2640	cmd.exe	37
PID 2640 wrote to memory of 1100	2640	cmd.exe	37
PID 2640 wrote to memory of 1100	2640	cmd.exe	37
PID 2640 wrote to memory of 1100	2640	cmd.exe	37
PID 2640 wrote to memory of 1100	2640	cmd.exe	37
PID 2640 wrote to memory of 1384	2640	cmd.exe	38
PID 2640 wrote to memory of 1384	2640	cmd.exe	38
PID 2640 wrote to memory of 1384	2640	cmd.exe	38
PID 2640 wrote to memory of 1384	2640	cmd.exe	38
PID 2640 wrote to memory of 2148	2640	cmd.exe	39
PID 2640 wrote to memory of 2148	2640	cmd.exe	39
PID 2640 wrote to memory of 2148	2640	cmd.exe	39
PID 2640 wrote to memory of 2148	2640	cmd.exe	39
PID 2640 wrote to memory of 1192	2640	cmd.exe	40
PID 2640 wrote to memory of 1192	2640	cmd.exe	40
PID 2640 wrote to memory of 1192	2640	cmd.exe	40
PID 2640 wrote to memory of 1192	2640	cmd.exe	40
PID 2640 wrote to memory of 2412	2640	cmd.exe	41
PID 2640 wrote to memory of 2412	2640	cmd.exe	41
PID 2640 wrote to memory of 2412	2640	cmd.exe	41
PID 2640 wrote to memory of 2412	2640	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\3e228a6ae12748e92fad02d2f32b41da.exe
"C:\Users\Admin\AppData\Local\Temp\3e228a6ae12748e92fad02d2f32b41da.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\3e228a6ae12748e92fad02d2f32b41da.exe.exe
  C:\Users\Admin\AppData\Local\Temp\3e228a6ae12748e92fad02d2f32b41da.exe.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\KCYFRIE8.EXE
    "C:\KCYFRIE8.EXE" WLOTCFSDJAXNJHY
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:2100
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "c:\windows\wlotcfsdjaxnjhy.dll"
    3⤵
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\78PCYQ230UWM.BAT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:2604
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
      4⤵
      Modifies Internet Explorer settings
      PID:2628
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s scrrun.dll
      4⤵
      Modifies registry class
      PID:2648
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s msvidctl.dll
      4⤵
      PID:2660
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s jscript.dll
      4⤵
      Modifies registry class
      PID:1100
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
      4⤵
      Modifies Internet Explorer settings
      PID:1384
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
      4⤵
      Modifies Internet Explorer settings
      PID:2148
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
      4⤵
      Modifies Internet Explorer settings
      PID:1192
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
      4⤵
      Modifies Internet Explorer settings
      PID:2412
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s vbscript.dll
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s itss.dll
      4⤵
      PID:2084
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
      4⤵
      Modifies Internet Explorer settings
      PID:1968
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
      4⤵
      Modifies Internet Explorer settings
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\78PCYQ230UWM.BAT

Filesize
1KB

MD5
52c972f9deb8192ccde1c648220271fa

SHA1
e4839843fc6c8d950e17c64ae31cce74e36733a3

SHA256
f44f8df295aa00d2c7668940de1c3b4eb29f8f40b4bb72a4948d2bcb5c8e5d80

SHA512
e3098da4852421126281bd93dabf13cb2e25897b8bbb71fbcc0aae41bf6cace92cbd71c78c74a77c39ab4de4cc2227e2ba53d71533333ce98cba1106d67f2075

Download Submit
C:\KCYFRIE8.EXE

Filesize
18KB

MD5
284ce4bcdb46ee5f52db9f03b92322ce

SHA1
326d2a3b84f7be7f67a3002afe2d6dfd615be0cb

SHA256
339f3b265a4d49461e2151bffd1c23bb520eb0f62d4be6e34b2a10bfead141c0

SHA512
976d08b4249cf1e6cd9931a02efc3c3afbb76d14c4d3e4b4e35f1768a3372d13c07fe32922a0af1f7c4055317821ab6acdfe6646ede827958f8d401035811f05

Download Submit
\??\c:\windows\wlotcfsdjaxnjhy.dll

Filesize
28KB

MD5
63bb6a005523fdcbd61837ce779c7fe4

SHA1
1d5bb3e4ab9b51f5a57a55aa8158df674c4d5f5b

SHA256
0de62e885ab33cf593834da32fb53bf75b241b450189f652825b847b63e3dba8

SHA512
08975d3254f1e11bbc0f8c9425b494afe254ad07177ef22b203638f9942c4321a6cd7fdd12e345063b068c87e9fce9b1994368317e4b57608bf8ba1b2fdcea5e

Download Submit
\??\c:\windows\wlotcfsdjaxnjhy.txt

Filesize
64KB

MD5
38ae321054766975a9253d515db3cec4

SHA1
29e2687378650a854f6876fe152a53191cf0a70e

SHA256
880ca4ac7921c6161222f6e137626567c8951835d02be627dc72917a04d4dde0

SHA512
8f7243a98cd9b71564a982465740ffde09de680c218577f0c37779b2ded3e3a4595cfd21eb811703201b34970bc1a5e2244c02ba623d483eaf8083b9f52515b6

Download Submit
\Users\Admin\AppData\Local\Temp\3e228a6ae12748e92fad02d2f32b41da.exe.exe

Filesize
64KB

MD5
eab9f568147acf44e89576978244ec32

SHA1
985586346cb0a61e3f94ded925316f091c643066

SHA256
7f95048f6d8cb41289f53f49dc609d5bc78d10d4a5ef815a72caa89b69f4cc46

SHA512
b996fe81d661eea29b6c3eb64f8b4096ebc2d35d7d2f8265af2f0ce1d0305fafc45842dae5084e977a23bcdba63320aeea87321bcc9a59e565835ec9efaaf2c5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads