6a4e8525cfcecb6f890ded675d5efc9cc5c4a5445714e80f9d2ff9871fa1e05f

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c03c7f9588341061e002b066c28aeae.exe
Size

37KB
MD5

4c03c7f9588341061e002b066c28aeae
SHA1

aa283c132ed7f9aefd030529e711aa00f40c5e25
SHA256

6a4e8525cfcecb6f890ded675d5efc9cc5c4a5445714e80f9d2ff9871fa1e05f
SHA512

f88feef44b97553654edc35c3eae2adcd9366e7ed61deaa94ccfa85b9fcd7e18f18ed4d8b071391ee6c64b78ca7d8a1be93cddfb010e47658f81b8d8816616aa
SSDEEP

768:jrZymAZ/BdL/iC2Uf0kFwzcweZbhfPE1kZpIQTP03tDK0mxFc9EvGxEF+:HZ5AZ/b/n2Uf03pe/E1kZnsdDzAlvGx5

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Mousie = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UFO.exe	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TNT.Exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cross.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TNT.Exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\servet.exe	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logogo.exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cross.exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDGames.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe\Debugger = "C:\\Windows\\system32\\Mousie.exe"	4c03c7f9588341061e002b066c28aeae.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mousie.exe	4c03c7f9588341061e002b066c28aeae.exe
File opened for modification	C:\Windows\SysWOW64\Mousie.exe	4c03c7f9588341061e002b066c28aeae.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9A1AFE51-AE49-11EE-8427-464D43A133DD} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe
1984	4c03c7f9588341061e002b066c28aeae.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	4c03c7f9588341061e002b066c28aeae.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2852	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2852	1984	4c03c7f9588341061e002b066c28aeae.exe	28
PID 1984 wrote to memory of 2852	1984	4c03c7f9588341061e002b066c28aeae.exe	28
PID 1984 wrote to memory of 2852	1984	4c03c7f9588341061e002b066c28aeae.exe	28
PID 1984 wrote to memory of 2852	1984	4c03c7f9588341061e002b066c28aeae.exe	28
PID 2852 wrote to memory of 2784	2852	IEXPLORE.EXE	29
PID 2852 wrote to memory of 2784	2852	IEXPLORE.EXE	29
PID 2852 wrote to memory of 2784	2852	IEXPLORE.EXE	29
PID 2852 wrote to memory of 2784	2852	IEXPLORE.EXE	29

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer	4c03c7f9588341061e002b066c28aeae.exe

C:\Users\Admin\AppData\Local\Temp\4c03c7f9588341061e002b066c28aeae.exe
"C:\Users\Admin\AppData\Local\Temp\4c03c7f9588341061e002b066c28aeae.exe"
1⤵
- Adds policy Run key to start application
- Sets file execution options in registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1984
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  Open http://www.xx.com/tj.htm(°üº¬51ÀµÈÕßÍ³¼Æ´úÂë)
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54edd31484c3cc0531c59bab63002d4d

SHA1
b885154168c2be53762932074048643746072473

SHA256
4144bf3197dd7b46d5a40be67c52ace035b7b1ab5caeae2a28f08ea6a65ac087

SHA512
49d843f7b621d81ebaa0ddd5862ae7e07e759ae96af8813c5c3210cac97800dd70ebe118992767af05902bcd36c5f26877acdeeea2f52b1693d8440d52adc770

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4910184e16afdc01112597e6a91399fb

SHA1
9e48a296c477a30bc9b09657d025a2941fc76ece

SHA256
8c26856418a4664f635b17a8814c21bc7b4b23365473ff477f1eabc9975f3a49

SHA512
e56b574b4d8dc3db719d8dbc3ef46186d9844812dfcd711b091fe62cd100f737de58b4215f5c30b6a0511a461a0f3f7877de5877e9538d6f28cc75ecf75efddc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f1a7c460d2aebac3fd03d5d45885682

SHA1
d5c05dce7a9b0bc63f28362ce99005d8c2d6d71f

SHA256
705b46614cc4c324d537b57667cf0075944a4c1c8c094174b875e02b95af43fc

SHA512
0c50eb8234cc89aec263b3de158352a6f6c9d6763f291c6262cd7c6cb76fb92696cd12f01c2d6ef719b0da534d91e13c24b28ae294356067f0a5a7e1e99bf147

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98544b9e76014b12fd57f7bc66ed32d9

SHA1
5b56ce54c20f327cf65ad511bef9a52cfbfabeae

SHA256
519842491f40e5aa6ddcbf91e5c47f90eb8aafd2b6e917a9144d019401df1c95

SHA512
3d5488e787a3105e7e3eabf35225e7aecff82e60cf9d5e9cbb97d701e64ea16d879cd568b62a2e6c90f46f5cc102e583969a4e8ae4f6557e5f0fca95034514bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f26311a9cd7e592ee333e200b4f35527

SHA1
d07b67231530070320fd3ebed05a6d9b46c048c6

SHA256
d530fa5d29a074142b6a1ba1ae2bf35e3017ae63ccd89a91f5802baccdfcdcb3

SHA512
3190f9b6133d42efaa2d6d530d61937dc12f006fc5bb720a40224abe7b5464cd21a9a25b7c8f8011b59c0cfc8f6b99e8caa33d7c6165b498d4c0803e9d2cd1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3CD4.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3DC2.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1984-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1984-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1984-2-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/1984-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download