7863a4154372312d41464306d46a517cee9176d00d8a6d3cc2e2acef4959a7c7

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c5a58103eb09a66b161577a6ee903fe.exe
Size

16KB
MD5

3c5a58103eb09a66b161577a6ee903fe
SHA1

8c662f1c0bfe855c62fe51887365973a328ae2c2
SHA256

7863a4154372312d41464306d46a517cee9176d00d8a6d3cc2e2acef4959a7c7
SHA512

9e4d6e55f67e84912c80cfc87bdf8529af898ba77f75b0c3d727ff6ec0e3cafe131cafdd73a99ae7390841dc2934088876b17930ab215816cd3bb0b305d3c5a6
SSDEEP

384:ab0NOI+ZxLx2t7O0FYMKyS46UydIcMbCvoNEkj:m02Zx05fKyS46UuIcn0

Score

7^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3c5a58103eb09a66b161577a6ee903fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3c5a58103eb09a66b161577a6ee903fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "????(&0)"	3c5a58103eb09a66b161577a6ee903fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3c5a58103eb09a66b161577a6ee903fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://hao.meiyingie.com/59156.html"	3c5a58103eb09a66b161577a6ee903fe.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Internat Explorer.url	3c5a58103eb09a66b161577a6ee903fe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3c5a58103eb09a66b161577a6ee903fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "????(&0)"	3c5a58103eb09a66b161577a6ee903fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\ = "??(&D)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ = "Internet Explorer"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3c5a58103eb09a66b161577a6ee903fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder\Attributes = "10"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ = "Internet Explorer"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder\Attributes = "10"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	3c5a58103eb09a66b161577a6ee903fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\\\IEXPLORE.EXE\" %1 http://hao.meiyingie.com/59156.html"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command\ = "Rundll32.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command\ = "Rundll32.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3c5a58103eb09a66b161577a6ee903fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://hao.meiyingie.com/59156.html"	3c5a58103eb09a66b161577a6ee903fe.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\\\IEXPLORE.EXE\" %1 http://hao.meiyingie.com/59156.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\ = "??(&D)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\ = "????(&H)"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\ = "????(&H)"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2692	regedit.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	3004	3c5a58103eb09a66b161577a6ee903fe.exe
Token: SeBackupPrivilege	3004	3c5a58103eb09a66b161577a6ee903fe.exe
Token: SeRestorePrivilege	3004	3c5a58103eb09a66b161577a6ee903fe.exe
Token: SeBackupPrivilege	3004	3c5a58103eb09a66b161577a6ee903fe.exe
Token: SeDebugPrivilege	3004	3c5a58103eb09a66b161577a6ee903fe.exe
Token: SeRestorePrivilege	3004	3c5a58103eb09a66b161577a6ee903fe.exe
Token: SeBackupPrivilege	3004	3c5a58103eb09a66b161577a6ee903fe.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3004	3c5a58103eb09a66b161577a6ee903fe.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2968	3004	3c5a58103eb09a66b161577a6ee903fe.exe	28
PID 3004 wrote to memory of 2968	3004	3c5a58103eb09a66b161577a6ee903fe.exe	28
PID 3004 wrote to memory of 2968	3004	3c5a58103eb09a66b161577a6ee903fe.exe	28
PID 3004 wrote to memory of 2968	3004	3c5a58103eb09a66b161577a6ee903fe.exe	28
PID 3004 wrote to memory of 2968	3004	3c5a58103eb09a66b161577a6ee903fe.exe	28
PID 3004 wrote to memory of 2968	3004	3c5a58103eb09a66b161577a6ee903fe.exe	28
PID 3004 wrote to memory of 2968	3004	3c5a58103eb09a66b161577a6ee903fe.exe	28
PID 3004 wrote to memory of 2716	3004	3c5a58103eb09a66b161577a6ee903fe.exe	32
PID 3004 wrote to memory of 2716	3004	3c5a58103eb09a66b161577a6ee903fe.exe	32
PID 3004 wrote to memory of 2716	3004	3c5a58103eb09a66b161577a6ee903fe.exe	32
PID 3004 wrote to memory of 2716	3004	3c5a58103eb09a66b161577a6ee903fe.exe	32
PID 2716 wrote to memory of 2692	2716	cmd.exe	29
PID 2716 wrote to memory of 2692	2716	cmd.exe	29
PID 2716 wrote to memory of 2692	2716	cmd.exe	29
PID 2716 wrote to memory of 2692	2716	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\3c5a58103eb09a66b161577a6ee903fe.exe
"C:\Users\Admin\AppData\Local\Temp\3c5a58103eb09a66b161577a6ee903fe.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe advpack.dll,DelNodeRunDLL32 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
  2⤵
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716

C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
1⤵
- Modifies registry class
- Runs .reg file with regedit
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TempIE.reg

Filesize
2KB

MD5
fef68b590b43b11a9e385210ba8b8939

SHA1
f8f157861ec1e10a243ace736a1aa3288ef55946

SHA256
1afcb3e0000a97d2d9933645184898c7dd618ac6f0d90db10e48f49c36bc19a9

SHA512
727344490ff3cb45d9aeac034a0947081edd94d8f981aea1e8bd496402ef26a896003ad30290d65f3c04e691b00016ff0eb0042b2b7d1e777802f2acabe96967

Download Submit
memory/3004-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3004-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3004-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads