fd5d266804443af0603bde2579991b662604575985be1543c30c9000c0332c6b

Analysis

max time kernel
141s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10-01-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5056dbbeb3d8b87beaa23d5f8761b686.exe
Size

192KB
MD5

5056dbbeb3d8b87beaa23d5f8761b686
SHA1

a989943ce6984ef47dcc1c87c2734f36ec754252
SHA256

fd5d266804443af0603bde2579991b662604575985be1543c30c9000c0332c6b
SHA512

0701698a734730c7e5254e817b6ff9f05c92e7717f27d890ab0b99deda81c227418a435669d1721a67538e0d0384086f1a2827fb9c91453eed00d80bd2795384
SSDEEP

3072:8/Foc0Cbqss/3ssA3rHqRlS3YDdAN1SVaNZTFLl5Vbt8V7Wdfwn1nbmuBXrDmQI:Bc/sA3rKfSoDdA/BlFLD78V7Wdfwn1nm

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2328	WScript.Exe

Executes dropped EXE 1 IoCs

pid	Process
2332	Program Files881J8A.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\d.ico	5056dbbeb3d8b87beaa23d5f8761b686.exe
File opened for modification	\??\c:\Program Files\Common Files\t.ico	5056dbbeb3d8b87beaa23d5f8761b686.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d6000000000200000000001066000000010000200000005a56cddc19a35c5baabc606e12c767c2a20deec40801f4ed0cea68313537d296000000000e80000000020000200000007b7005172ab4a34a598140a9aef9111c838443b718199fc6ed4169a1c08688e59000000010363eb646410d4b8d0d4ef7c5ca4674729c1626caa8ee63d44f331b70897a614789cdbe1d932be552c3109c1f16dee1868fafd3adca02fad21d935975bb424c03a875bb33e351436d5c0e4d6e643210fce8215a20c59bba38f2643b3157ac43d57eb64f808d90181529b4f00cf6d617cfa11652e8df8046c045bed27b4ad6fca044229dc5aa54698457f24975dd5bb3400000008a20027507508c28a56b1e6039b713dd7d2abf1b605ce5982162385077010766a71c1b10a18ec859ca12cae67a4954c8da172cc5db26900242527ee206cb0d73	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B9A1BCD1-AFA4-11EE-9FFF-CEEF1DCBEAFA} = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411045136"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d60000000002000000000010660000000100002000000005c0a3dde627c777edb367e367f8aedc03af7e1a3309d4682e8af4b919c69189000000000e80000000020000200000001f9a90e4563381b8d7638b607787696840db48dfe1cac531004cd28f4c5ef6272000000029c2d8912c8df5d02b39540444af5712419100ae70366c49d8a563585cf1099f40000000783ea7cc3adb917fe9f4381bb81c04dd994865f78027ac07f450b8021e30feee3ce1421b6f8635519827c2bd6bc21255d193adbc0484d1e96abae70becde79a8	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0afd290b143da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B9A8E0F1-AFA4-11EE-9FFF-CEEF1DCBEAFA} = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1193"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1193"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1193"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1193"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.t17t.com/?1193"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1193"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	5056dbbeb3d8b87beaa23d5f8761b686.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3008	IEXPLORE.exe
2620	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2552	5056dbbeb3d8b87beaa23d5f8761b686.exe
2332	Program Files881J8A.exe
3008	IEXPLORE.exe
3008	IEXPLORE.exe
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2620	IEXPLORE.exe
2620	IEXPLORE.exe
1432	IEXPLORE.EXE
1432	IEXPLORE.EXE
1432	IEXPLORE.EXE
1432	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2332	2552	5056dbbeb3d8b87beaa23d5f8761b686.exe	28
PID 2552 wrote to memory of 2332	2552	5056dbbeb3d8b87beaa23d5f8761b686.exe	28
PID 2552 wrote to memory of 2332	2552	5056dbbeb3d8b87beaa23d5f8761b686.exe	28
PID 2552 wrote to memory of 2332	2552	5056dbbeb3d8b87beaa23d5f8761b686.exe	28
PID 2332 wrote to memory of 3008	2332	Program Files881J8A.exe	30
PID 2332 wrote to memory of 3008	2332	Program Files881J8A.exe	30
PID 2332 wrote to memory of 3008	2332	Program Files881J8A.exe	30
PID 2332 wrote to memory of 3008	2332	Program Files881J8A.exe	30
PID 3008 wrote to memory of 2796	3008	IEXPLORE.exe	32
PID 3008 wrote to memory of 2796	3008	IEXPLORE.exe	32
PID 3008 wrote to memory of 2796	3008	IEXPLORE.exe	32
PID 3008 wrote to memory of 2796	3008	IEXPLORE.exe	32
PID 2332 wrote to memory of 2620	2332	Program Files881J8A.exe	33
PID 2332 wrote to memory of 2620	2332	Program Files881J8A.exe	33
PID 2332 wrote to memory of 2620	2332	Program Files881J8A.exe	33
PID 2332 wrote to memory of 2620	2332	Program Files881J8A.exe	33
PID 2552 wrote to memory of 2328	2552	5056dbbeb3d8b87beaa23d5f8761b686.exe	35
PID 2552 wrote to memory of 2328	2552	5056dbbeb3d8b87beaa23d5f8761b686.exe	35
PID 2552 wrote to memory of 2328	2552	5056dbbeb3d8b87beaa23d5f8761b686.exe	35
PID 2552 wrote to memory of 2328	2552	5056dbbeb3d8b87beaa23d5f8761b686.exe	35
PID 2620 wrote to memory of 1432	2620	IEXPLORE.exe	36
PID 2620 wrote to memory of 1432	2620	IEXPLORE.exe	36
PID 2620 wrote to memory of 1432	2620	IEXPLORE.exe	36
PID 2620 wrote to memory of 1432	2620	IEXPLORE.exe	36

C:\Users\Admin\AppData\Local\Temp\5056dbbeb3d8b87beaa23d5f8761b686.exe
"C:\Users\Admin\AppData\Local\Temp\5056dbbeb3d8b87beaa23d5f8761b686.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552
- \??\c:\Program Files881J8A.exe
  "c:\Program Files881J8A.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2796
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1432
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files881J8A.exe

Filesize
36KB

MD5
bc46b82e948aeda24f4a620325f27572

SHA1
c1d9869217f969cbfbda806289e7285e56b8ef94

SHA256
119907945b0ace3e829ea20a215f2dabc72d9d4d09d7d6a0f6a823674d7e80a9

SHA512
f2e445b0c3710f7e21a989dee366f11c1ee76311bd24e8eeeab0693745b58b3f68749f994e565b9c260d9859b2bc4bca64ebf29efcdca3a7fd5624dcf840ed5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a506a3876e8a594d2f7955f80af2a29

SHA1
a9ae4f0e33c355be1c6a9f83aab6c3920631af40

SHA256
f8d680bd060359e558e35aee4bd6ef8d079d55a5dc0e2bb0b7f8cf632898c400

SHA512
5dddf673acc5b67cd9aced59ec0be0ef9e537ec7dba7c796c837492afc1f750e8edf0dc9cd5b1a45d27f296c54a530b13c0492c11eb2659b5ed5719cc7f8e3de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e73da3f217be76d44970bbff84f2556

SHA1
5e1d52841c6acd5e24604ae203a4567337e0c089

SHA256
cab3513b9450158eee81c0f3ba5cd898a318a2c603f5cf2beb99beb73605427e

SHA512
ab36d445e1fb77fa32eb907c669ba51892c15eb0fa54462fcf7cc0c55012ee6a02f52975639aadb107bed278febc78174726255ea8db5e50d04b810be6af9a2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
efadb643f74b9272c8711e5b86a72a9b

SHA1
ecf26fed080f0bd3ff0778138893ccb0f01f9cd8

SHA256
04339f00cb4564fe7595916688fc7527ae4bb6b7c2a0e5e365dd66159b7dd410

SHA512
b762921804501220782d1438dc68fd3f57ea7a64daeadc81c037e827a69985c4c3630fe09d27ca72babe1861ca120d2eb378d28358ab89b10081c0389002a3f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d28e4dc292c453bd773206f775d87597

SHA1
a69172b2c9ceb059c5b06012667fd5a690b64f03

SHA256
d2d44a91a828357aaa69e9d0833c1e1d4d1e4c96afef1f0cd7032cb6188efd3e

SHA512
80d274b292ec5ad6b3970385030669ab828f799ef080a8e6f1dc308d6efd7d867472cdafe58c225413507de76ad897377527cd16c41d0f51d394b005fbb77559

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
776cf4e8903ab28d394f1afab885e725

SHA1
5e6723475dfaaa8bba19fe3815485ec022783eaa

SHA256
439f631b7c793a5eac263984951b3942b0b16cef42daff17a6dfe3d2d74ea3ee

SHA512
7aa3bd833142cf2413737c96f8938fd12c87ee6181e40074857e6281a78211ffbecdf9f53e5de7ecf6bd118fe337666fe7131856d0b005dcce2ceed008e29cb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65b1eced21db697f30b443969ce1c96e

SHA1
c2dcb64d98b2a496a139a18aba469fdc4692f01a

SHA256
0a9ebb7da5d907440f15a9fef9e30e0b6f3dc16c4dca249cb5201ebcf583e749

SHA512
d986aaa0901955a1ac81d524eb63d707b433e8b23766c895eeaefbd79413f7fa32af96fe0b884792bbab9fb6c9b9c3d4a948804f81047c47445f3990d49af98f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
13db57fa857037177ec6017e1981abca

SHA1
df1a03090719890bf7ccb3aa2d32107c3681d3af

SHA256
755b8cc6c12046924136e099895db1ac56983f42230a35f735138efd8ed65b0a

SHA512
fd12e30effebf996d0a6cb0d8339c96f8898a805c00922557add584099664f127fc350d9fae4fc1c8d802f7d90bc43057f5480bb337eb6c5e2623f1ca0fce22a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de1b95d2b2ade608f40afd73f2b37ec3

SHA1
3e17645495767c21d0918006f5a750d2d2c4eb88

SHA256
6116efeefd335d202835eda4ef00e5c164470f02446ff7135885d41e9315efb1

SHA512
22772db67cf67304e86dbf5507eb53e27efec94ad0b6d10d7162336961497ce655f59a2846987c1221053f9ba2ac08f9b6ed69e5b20d3fa58f1092f07147e938

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3759761764c2946386502b7078df1856

SHA1
0c5501cc18ec394f76945895100eb55fea897c86

SHA256
a92a124c68c25c2f7ce75ad345ec8d83a26ce5e0d2e4aae33364ed2508530e2d

SHA512
5e9379e83ea619ad4d61f0dc49a8f0c41adc19ed466b6aa80d3585bba574a744e3d542c7571b0b9ee3567e8d736a78a9cb108224fb6e5ebfb4ad7ce923d6dc81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B9A1BCD1-AFA4-11EE-9FFF-CEEF1DCBEAFA}.dat

Filesize
5KB

MD5
d5ae75d36f446a2b6d0d6d62702a4ec3

SHA1
239cbd60d6028c352aeff068033421d58f5da132

SHA256
2f8dafed7fe13628b8d3f806ec5bf8f7ee8f99717cc8be8c8fa39b16226ea2f9

SHA512
79ca131403c1b9a78f987fa0f380e8f294b618c441cbe363a616b622605de9b1fe3e58af21201cfd0beb923315b194fb0041c9241a543a73c894eb30d3a4a98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5841.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5A18.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
422B

MD5
45c63a0dec71086d754931b3aca289cc

SHA1
78527ce5aeef3f6d6b94d8f826f0ef4c06281e40

SHA256
d00061907a8963b63e5abfff07a51108c05308dd2d0faa03775d1f751d11b2ed

SHA512
2377d0d044a438f577005942cf952b993320231297123a96ef3c514fbe95ec24582daf3b44f5b7622a0ac19164834073f4dd4da606528c95dafa5a732bfef39f

Download Submit