Analysis
Max time kernel: 6s
Max time network: 116s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 30-12-2023 09:25
Static task
static1
1 signatures

Behavioral task
behavioral1
Sample: 146e70b1687cbb1945a16ed3a67d2f00.exe
Resource: win7-20231129-en (windows7-x64)
6 signatures
150 seconds

Behavioral task
behavioral2
Sample: 146e70b1687cbb1945a16ed3a67d2f00.exe
Resource: win10v2004-20231215-en (windows10-2004-x64)
7 signatures
150 seconds
General
Target: 146e70b1687cbb1945a16ed3a67d2f00.exe
Size: 212KB
MD5: 146e70b1687cbb1945a16ed3a67d2f00
SHA1: d7e4154bf745127a2398670ce2cc61dc5aff5de9
SHA256: 15bba9991785867a584da328baccd762dacdc3ba94c596b3c6da1311b2b9ef43
SHA512: 409228fe917f98b7647f35c02384947816b800a19fddb9ad2cc47b1e2898b60b16a1d511bfc9048f4a6fcb1eedde7fe43869f98d68d397cfaa47e690ddcdf220
SSDEEP: 6144:YmyioqJ+gokVoxaoroaHoAkUjoPvNyGzlscMwZwVta1zu+Dms:YvioRLAyGzlN
Score: 7/10
Malware Config
Signatures

Executes dropped EXE 1 IoCs
pid | Process
- 212 | Program Files2257HL.exe

Drops file in Program Files directory 2 IoCs
description | ioc | Process
- File opened for modification | \??\c:\Program Files\Common Files\t.ico | 146e70b1687cbb1945a16ed3a67d2f00.exe
- File opened for modification | \??\c:\Program Files\Common Files\d.ico | 146e70b1687cbb1945a16ed3a67d2f00.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.exe
Modifies registry class 60 IoCs
All 60 entries are by process 146e70b1687cbb1945a16ed3a67d2f00.exe (description | ioc):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?2012"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.hdh
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?2012"
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?2012"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\h35
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.h35
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hdh
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htb\
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?2012"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htb
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hli\
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?2012"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.hyx
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htb
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.5ijunshi.com/?2012"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hli
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.hli
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hdh\
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hyx
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hyx\
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hpf\
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.hpf
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hpf
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\h35\
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
- 816 | 146e70b1687cbb1945a16ed3a67d2f00.exe
- 212 | Program Files2257HL.exe

Suspicious use of WriteProcessMemory 5 IoCs
description | pid | Process | procid_target
- PID 816 wrote to memory of 212 | 816 | 146e70b1687cbb1945a16ed3a67d2f00.exe | 28
- PID 816 wrote to memory of 212 | 816 | 146e70b1687cbb1945a16ed3a67d2f00.exe | 28
- PID 816 wrote to memory of 212 | 816 | 146e70b1687cbb1945a16ed3a67d2f00.exe | 28
- PID 212 wrote to memory of 4284 | 212 | Program Files2257HL.exe | 92
- PID 212 wrote to memory of 4284 | 212 | Program Files2257HL.exe | 92
Processes (depth shown by indentation; each entry is image path, command line, PID)

1. C:\Users\Admin\AppData\Local\Temp\146e70b1687cbb1945a16ed3a67d2f00.exe
   "C:\Users\Admin\AppData\Local\Temp\146e70b1687cbb1945a16ed3a67d2f00.exe"
   PID: 816
   - Drops file in Program Files directory
   - Modifies registry class
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. \??\c:\Program Files2257HL.exe
      "c:\Program Files2257HL.exe"
      PID: 212
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files\Internet Explorer\IEXPLORE.exe
         "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
         PID: 4284
         - Modifies Internet Explorer settings

         4. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4284 CREDAT:17410 /prefetch:2
            PID: 2528

      3. C:\Program Files\Internet Explorer\IEXPLORE.exe
         "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
         PID: 3224

   2. C:\Windows\SysWOW64\WScript.Exe
      WScript.Exe jies.bak.vbs
      PID: 2736