fd5d266804443af0603bde2579991b662604575985be1543c30c9000c0332c6b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5056dbbeb3d8b87beaa23d5f8761b686.exe
Size

192KB
MD5

5056dbbeb3d8b87beaa23d5f8761b686
SHA1

a989943ce6984ef47dcc1c87c2734f36ec754252
SHA256

fd5d266804443af0603bde2579991b662604575985be1543c30c9000c0332c6b
SHA512

0701698a734730c7e5254e817b6ff9f05c92e7717f27d890ab0b99deda81c227418a435669d1721a67538e0d0384086f1a2827fb9c91453eed00d80bd2795384
SSDEEP

3072:8/Foc0Cbqss/3ssA3rHqRlS3YDdAN1SVaNZTFLl5Vbt8V7Wdfwn1nbmuBXrDmQI:Bc/sA3rKfSoDdA/BlFLD78V7Wdfwn1nm

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3944	WScript.Exe

Executes dropped EXE 1 IoCs

pid	Process
2580	Program FilesZZG5A1.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	5056dbbeb3d8b87beaa23d5f8761b686.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	5056dbbeb3d8b87beaa23d5f8761b686.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B6D5BAAB-AFA4-11EE-9ECD-C6E29C351F1E} = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31081393"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2338835594"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31081393"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2337898231"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2338835594"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31081393"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31081393"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2337898231"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00abb18bb143da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cfa71eb1212ca24fab6a788c17de622100000000020000000000106600000001000020000000db1ad707392bb9b978dbff09eb344865af6233cb9953107e2b102b210dbe0320000000000e8000000002000020000000db0fbd698ca638984b6064e992e39b552351e8000fa3625e308b3fbbb3b4a29e20000000aeef3687cbd99483abc97c01d6621bed6effadd7ee7b2cbe9caf946ff8b2adaf4000000042d92f4fb6190829eca733e36ebc784e77bd6abcf761db7865f2c58de141222c0c00f8f4f7b97fb2044ab42e7f2d969485376c6f759066294fe3ee63a76ad2c6	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10f0ac8bb143da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cfa71eb1212ca24fab6a788c17de622100000000020000000000106600000001000020000000d1dc92cee6d4e708588e449ca247ff87c6772f48a064eab5c3c7eb3f99e60821000000000e800000000200002000000069f2de4866341ae7a776714f6b7f245ecd0ed72e9f4203b7cf8e8f45424c3350200000000064dec68f20e88954d8a38f2cabb90976960f426ceeb032cdd50597dadbd54540000000018528332d2f8ad000442b7aee71d6d41b8bb9919ec456fc182216f46ab2d87ac3281ce67336437e7a646471768085324892b8b55b43b54a5160569c86efed80	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411648222"	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.t17t.com/?1193"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1193"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1193"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1193"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1193"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1193"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	5056dbbeb3d8b87beaa23d5f8761b686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	5056dbbeb3d8b87beaa23d5f8761b686.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1460	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2044	5056dbbeb3d8b87beaa23d5f8761b686.exe
2580	Program FilesZZG5A1.exe
1460	IEXPLORE.exe
1460	IEXPLORE.exe
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2580	2044	5056dbbeb3d8b87beaa23d5f8761b686.exe	92
PID 2044 wrote to memory of 2580	2044	5056dbbeb3d8b87beaa23d5f8761b686.exe	92
PID 2044 wrote to memory of 2580	2044	5056dbbeb3d8b87beaa23d5f8761b686.exe	92
PID 2580 wrote to memory of 1460	2580	Program FilesZZG5A1.exe	95
PID 2580 wrote to memory of 1460	2580	Program FilesZZG5A1.exe	95
PID 1460 wrote to memory of 2040	1460	IEXPLORE.exe	96
PID 1460 wrote to memory of 2040	1460	IEXPLORE.exe	96
PID 1460 wrote to memory of 2040	1460	IEXPLORE.exe	96
PID 2580 wrote to memory of 1948	2580	Program FilesZZG5A1.exe	97
PID 2580 wrote to memory of 1948	2580	Program FilesZZG5A1.exe	97
PID 2044 wrote to memory of 3944	2044	5056dbbeb3d8b87beaa23d5f8761b686.exe	99
PID 2044 wrote to memory of 3944	2044	5056dbbeb3d8b87beaa23d5f8761b686.exe	99
PID 2044 wrote to memory of 3944	2044	5056dbbeb3d8b87beaa23d5f8761b686.exe	99

C:\Users\Admin\AppData\Local\Temp\5056dbbeb3d8b87beaa23d5f8761b686.exe
"C:\Users\Admin\AppData\Local\Temp\5056dbbeb3d8b87beaa23d5f8761b686.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044
- \??\c:\Program FilesZZG5A1.exe
  "c:\Program FilesZZG5A1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1460 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2040
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
    3⤵
    - Modifies Internet Explorer settings
    PID:1948
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program FilesZZG5A1.exe

Filesize
36KB

MD5
9a441a4ba162c2389848db6e4eb0cc50

SHA1
72a4dde027589d86076daf741edbed706ed8bc16

SHA256
65836965541217a8eee21fc0454e9aa7e034e9ef514818dbed8b21f2298bd66e

SHA512
4e5771882300acf9128a3b00c2fa50efa8bd125fd6e024fbdbc2a58716b39975e1cdc084824f8d8c310f6d7ccfbae563e35cceb06f9a7938d644a6dca7f931a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD1A8.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0SGFK56Z\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
422B

MD5
45c63a0dec71086d754931b3aca289cc

SHA1
78527ce5aeef3f6d6b94d8f826f0ef4c06281e40

SHA256
d00061907a8963b63e5abfff07a51108c05308dd2d0faa03775d1f751d11b2ed

SHA512
2377d0d044a438f577005942cf952b993320231297123a96ef3c514fbe95ec24582daf3b44f5b7622a0ac19164834073f4dd4da606528c95dafa5a732bfef39f

Download Submit