817fce3b8327909353f4d87a9a26f006ab1127a1b5d0f097efb592d60dd18cef

Analysis

max time kernel
170s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 10:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5058a7dfa092d5bcfd69d23177f864bd.exe
Size

189KB
MD5

5058a7dfa092d5bcfd69d23177f864bd
SHA1

3fc5dbbcbe1d6b40f8f3ae09692b6433aec9f4e7
SHA256

817fce3b8327909353f4d87a9a26f006ab1127a1b5d0f097efb592d60dd18cef
SHA512

319e0512c6071dfa557d67603dcc2269cbfb38395a6cee899e932f3c79a994ce86c011b497bf759a4c06f96abcf878961bbf7b26c16a639244ae76922e20ff21
SSDEEP

3072:bHTToV3KASmEPzTToL548HnFmsP+TTocQTToe:ih5HHFl

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	5058a7dfa092d5bcfd69d23177f864bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iesearch.vbe	5058a7dfa092d5bcfd69d23177f864bd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iecollection.vbe	5058a7dfa092d5bcfd69d23177f864bd.exe

Executes dropped EXE 1 IoCs

pid	Process
5016	smss.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4332-0-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/4332-3-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Maxthon2\SharedAccount\Config\MxSpeedDial\SpeedDial.ini	WScript.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\host\smss.exe	5058a7dfa092d5bcfd69d23177f864bd.exe
File created	C:\Windows\search.reg	WScript.exe
File created	C:\Windows\ShowIeLinkIe6.reg	WScript.exe
File created	C:\Windows\ShowIeLinkIe7.reg	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\SearchScopes\{CEF59996-ACD3-43B5-80AA-FAAA6CDD98DE}	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Toolbar\Explorer	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\FaviconPath = "C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}.ico"	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f000000560000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f0000030000002003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\DisplayName = "°Ù¶ÈÒ»ÏÂ£¬Äã¾ÍÖªµÀ"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CEF59996-ACD3-43B5-80AA-FAAA6CDD98DE}\SortIndex = "5"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	5058a7dfa092d5bcfd69d23177f864bd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{F2CF5485-4E02-4F68-819C-B92DE9277049} = 8554cff2024e684f819cb92de927704922001c000800000006000000010000000000000000000000000000004c0000000114020000000000c000000000000046810000001000000010a155c0ffe9ca0118bf0ffd11edca0118bf0ffd11edca010000000000000000010000000000000000000000000000005b0114001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c000000000000000000000000000000000000005c003100000000008e3ab9151000444f43554d457e310000440003000400efbe8c3ada21a23c2c701400000044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e0067007300000018004a00310000000000a53c0586100041444d494e497e310000320003000400efbe8c3acb23a53c058614000000410064006d0069006e006900730074007200610074006f007200000018005600310000000000a23c809611004641564f52497e3100003e0003000400efbea23c0070a23c8096140028004600610076006f00720069007400650073000000407368656c6c33322e646c6c2c2d31323639330018003000350000000000a63ce45d1000fe94a56300001c0003000400efbea23c0070a63ce45d14000000fe94a56300001400000060000000030000a058000000000000007063323031303035303232317663620008fff6b72738414d8df317a72f9d101c92a9ac9dce58df11a8ce001e65ca824608fff6b72738414d8df317a72f9d101c92a9ac9dce58df11a8ce001e65ca824600000000	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CEF59996-ACD3-43B5-80AA-FAAA6CDD98DE}\OSDFileURL = "http://www.mylovewbs.com/api/sogou/open.xml"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CEF59996-ACD3-43B5-80AA-FAAA6CDD98DE}\FaviconURL = "http://www.sogou.com/favicon.ico"	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f0000006200000001000000a0060000a00f000005000000220400002600000002000000a10600006001000004000000a1000000c600000003000000a1020000d4040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CEF59996-ACD3-43B5-80AA-FAAA6CDD98DE}\URL = "http://www.mylovewebs.com/api/sogou/so.htm?word={searchTerms}"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\DisplayName = "ÌÔ±¦ÉÁµçËÑË÷"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\FaviconURL = "http://www.taobao.com/favicon.ico"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\SearchScopes\{F8032AB1-9479-4E5E-8417-9A4207FE9F7F}	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F8032AB1-9479-4E5E-8417-9A4207FE9F7F}\DisplayName = "Google"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F8032AB1-9479-4E5E-8417-9A4207FE9F7F}\FaviconURL = "http://www.google.cn/favicon.ico"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = 65cf80b551e1c349b73f70b13fca8e86	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	5058a7dfa092d5bcfd69d23177f864bd.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\IESettingSync	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383} = 21bf5c0e5fd1d011830100aa005b438322001c000800000006000000010000000000000000000000000000004c0000000114020000000000c00000000000004681000000100000009ed10ec233ecca01e61abf65c5edca019ed10ec233ecca010000000000000000010000000000000000000000000000005b0114001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c000000000000000000000000000000000000005c00310000000000a53c284a1000444f43554d457e310000440003000400efbea53c1249a73cf1481400000044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e0067007300000018004a00310000000000a63c8e0c100041444d494e497e310000320003000400efbea53c284aa73cf14814000000410064006d0069006e006900730074007200610074006f007200000018005600310000000000a63c760f11004641564f52497e3100003e0003000400efbea53c284aa73c3344140028004600610076006f00720069007400650073000000407368656c6c33322e646c6c2c2d31323639330018003000350000000000a53c294a1000fe94a56300001c0003000400efbea53c294aa73c334414000000fe94a56300001400000060000000030000a0580000000000000068792d3636796c7032363264663675000ed24080beba3a40a5d7359938b74ca04778a6832a58df11b1e00026180888870ed24080beba3a40a5d7359938b74ca04778a6832a58df11b1e000261808888700000000	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\FaviconPath = "C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{E140FB5B-2A9D-4FA4-A20F-089B92412200}.ico"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\URL = "http://www.mylovewebs.com/api/baidu/so.htm?word={searchTerms}"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\SortIndex = "2"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CEF59996-ACD3-43B5-80AA-FAAA6CDD98DE}\FaviconPath = "C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{CEF59996-ACD3-43B5-80AA-FAAA6CDD98DE}.ico"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	smss.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\FaviconURL = "http://www.baidu.com/favicon.ico"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F8032AB1-9479-4E5E-8417-9A4207FE9F7F}\URL = "http://www.mylovewebs.com/api/google/so.htm?word={searchTerms}"	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBarLayout = 110000005c00000000000000240000001b0000004a0000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F8032AB1-9479-4E5E-8417-9A4207FE9F7F}\OSDFileURL = "http://www.mylovewbs.com/api/google/open.xml"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F8032AB1-9479-4E5E-8417-9A4207FE9F7F}\SortIndex = "1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\IESettingSync	5058a7dfa092d5bcfd69d23177f864bd.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	5058a7dfa092d5bcfd69d23177f864bd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBarLayout = 110000005c00000000000000340000001b000000560000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383} = 21bf5c0e5fd1d011830100aa005b438322001c000800000006000000010000000000000000000000000000004c0000000114020000000000c0000000000000468100000010000000feb8496527bbc90112c0b16e27bbc9015aac066827bbc9010000000000000000010000000000000000000000000000005b0114001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c000000000000000000000000000000000000005c003100000000008c3acb231000444f43554d457e310000440003000400efbe8c3ada218c3acb231400000044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e0067007300000018004a003100000000008c3acc23100041444d494e497e310000320003000400efbe8c3acb238c3acc2314000000410064006d0069006e006900730074007200610074006f0072000000180056003100000000008c3ace2311004641564f52497e3100003e0003000400efbe8c3acb238c3ace23140028004600610076006f00720069007400650073000000407368656c6c33322e646c6c2c2d313236393300180030003500000000008c3acf231000fe94a56300001c0003000400efbe8c3acc238c3acf2314000000fe94a56300001400000060000000030000a0580000000000000067686f73747870332d3436373638300008fff6b72738414d8df317a72f9d101cdd0c5a861a27de11b28a8662afbb9fa208fff6b72738414d8df317a72f9d101cdd0c5a861a27de11b28a8662afbb9fa200000000	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000030000000140000002a000000010000008006000080010000030000008102000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\SortIndex = "6"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F8032AB1-9479-4E5E-8417-9A4207FE9F7F}\FaviconPath = "C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{F8032AB1-9479-4E5E-8417-9A4207FE9F7F}.ico"	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Explorer\ITBarLayout = 110000005c00000000000000240000001b0000004a0000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CEF59996-ACD3-43B5-80AA-FAAA6CDD98DE}\DisplayName = "ËÑ¹·"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\URL = "http://www.mylovewebs.com/api/taobao/so.htm?word={searchTerms}"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\SearchScopes	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\OSDFileURL = "http://www.mylovewbs.com/api/baidu/open.xml"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\OSDFileURL = "http://www.mylovewbs.com/api/taobao/open.xml"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Toolbar	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\LinksFolderName = "Á´½Ó"	regedit.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	5058a7dfa092d5bcfd69d23177f864bd.exe

Runs .reg file with regedit 3 IoCs

pid	Process
1420	regedit.exe
3108	regedit.exe
880	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4332	5058a7dfa092d5bcfd69d23177f864bd.exe
4332	5058a7dfa092d5bcfd69d23177f864bd.exe
4332	5058a7dfa092d5bcfd69d23177f864bd.exe
5016	smss.exe
5016	smss.exe
5016	smss.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 5016	4332	5058a7dfa092d5bcfd69d23177f864bd.exe	98
PID 4332 wrote to memory of 5016	4332	5058a7dfa092d5bcfd69d23177f864bd.exe	98
PID 4332 wrote to memory of 5016	4332	5058a7dfa092d5bcfd69d23177f864bd.exe	98
PID 4332 wrote to memory of 4472	4332	5058a7dfa092d5bcfd69d23177f864bd.exe	100
PID 4332 wrote to memory of 4472	4332	5058a7dfa092d5bcfd69d23177f864bd.exe	100
PID 4332 wrote to memory of 4472	4332	5058a7dfa092d5bcfd69d23177f864bd.exe	100
PID 4472 wrote to memory of 880	4472	WScript.exe	101
PID 4472 wrote to memory of 880	4472	WScript.exe	101
PID 4472 wrote to memory of 880	4472	WScript.exe	101
PID 4332 wrote to memory of 4820	4332	5058a7dfa092d5bcfd69d23177f864bd.exe	102
PID 4332 wrote to memory of 4820	4332	5058a7dfa092d5bcfd69d23177f864bd.exe	102
PID 4332 wrote to memory of 4820	4332	5058a7dfa092d5bcfd69d23177f864bd.exe	102
PID 4820 wrote to memory of 1420	4820	WScript.exe	105
PID 4820 wrote to memory of 1420	4820	WScript.exe	105
PID 4820 wrote to memory of 1420	4820	WScript.exe	105
PID 4820 wrote to memory of 3108	4820	WScript.exe	106
PID 4820 wrote to memory of 3108	4820	WScript.exe	106
PID 4820 wrote to memory of 3108	4820	WScript.exe	106

C:\Users\Admin\AppData\Local\Temp\5058a7dfa092d5bcfd69d23177f864bd.exe
"C:\Users\Admin\AppData\Local\Temp\5058a7dfa092d5bcfd69d23177f864bd.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\host\smss.exe
  C:\Windows\host\smss.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iesearch.vbe" 0
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\search.reg
    3⤵
    - Modifies Internet Explorer settings
    - Runs .reg file with regedit
    PID:880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iecollection.vbe" 0
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\ShowIeLinkIe6.reg
    3⤵
    - Modifies Internet Explorer settings
    - Runs .reg file with regedit
    PID:1420
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\ShowIeLinkIe7.reg
    3⤵
    - Modifies Internet Explorer settings
    - Runs .reg file with regedit
    PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
80d39ab1331d7d791003ee0853667e55

SHA1
8d0c4d67d65248497254bd7d3d7ec149d60fba71

SHA256
337e8ea948abc0cbeb3de9cde3c9ed74cde8771f755ccc1623f33c2abd0d83bf

SHA512
ba68493a25951f1b969c8f9b82a88a65fe94d02a56e56ba06607e9fc6788dd1abce77c4ae2778c0dd38962c96428d0f823b3ebc4552581acff57f65b3f1442ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173

Filesize
1KB

MD5
8aab303ca3faee96334265ccca02962a

SHA1
b1231052b6a663c19e1f448a092b1d450be0a820

SHA256
2e246d9c6d38d9fa34b3de9243322010348e76b5d7528e10499360236eae3942

SHA512
f5e97a5cdab61f16854cbcebb426ebfcc65723c29999915deadea15aad2507e6c2d6e598dbc060cb3d8775daa44e3b673e96551e1aff41b81623d85b68e9e6f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
cbf584f3796bffe2bbdbbd8a71e59a73

SHA1
bffa75120c813653d5c6923d9061e259d14d7ea7

SHA256
1c2264cf891a810c4d18f4334f066fbd5ab1ae5ac2965a4904ff2085431ae2af

SHA512
f9d7b26f22bc54d908af279100ee0e0ede998598b612d89848ee29673855b9ad632bda6799a80ea589e0500cbed6d267ed602f0792334c6655db32dc73b3a854

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
cccfd4ec22deb99f32f4250a6e73f5f9

SHA1
0425849b16de51239a3597e3b1f657998aa73b28

SHA256
2c7130ed4ba9f3e9b7c3d34530cb5766f57d40f2ce38447d24eb5b6d53559eda

SHA512
6b32c409f792434e500490ebfe8640f127dd65403c3740e9c550fa92f15260b0c18febcb3ab879a0a3a34bab437a909c8d2215766a79a6c259b59671fdba3628

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173

Filesize
540B

MD5
9d1143f394e3d0c97be398bf6732431e

SHA1
e9231fc1623b2884b349b8e737e4adf0f4bb1305

SHA256
2c8538dd966aa908185ae303231e944921267fff35160d22d7bb1198962a157e

SHA512
7ca62e28ba4d0e9b3e060ed2858c0aca797d700078f688f9577c0093c5e556a08f929cd10a603d1e5f7b612e8d691e8cea8d403fc4a47d030c4d51088fd49cb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
bf2c0f07c60738fad1d41124cad9ea7e

SHA1
526daa88324aa8d0b9acf2206c2bdb4e4a06fccb

SHA256
dc1cc8b0baf778730bc9d1174836cb71f9befa3c7e82299d5b4d9a5429ce4611

SHA512
912faaa87a804f7e8fb0f12e6f718943c381fb65893eb29d113a9186ed51c2118c63824ba1dea4f253b096db63b56c72bafb309def3045c3b3fd046d0ac12d35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GUTCV3OF\common[1].js

Filesize
1KB

MD5
b690880795e45b164174d2feb9323d5a

SHA1
db96cd277de1643709d3c087736a40bd4b24f97e

SHA256
b61f2cf2b08e089040aa61c22b22e68607ce9c3e12d7f46369be86677c539afe

SHA512
c0338aeb2bf388986e235e08a4428d9cead843320cdea750f9a4ab71b83d65a0b21d67476641c8927c0ff2fd7c440b0c5ca4f6478fcd55a2fb4b09ff324f9657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GUTCV3OF\tj[1].js

Filesize
520B

MD5
c4b88d54af032addcec1bbe9ebee54c1

SHA1
49d93fb8768fa8c16e001d1e6593f2ffea2a6c1a

SHA256
483ef39f6bab18919c0d40fcd16fcd6d82c0b3492b40d5426a39edcd95cd951c

SHA512
817096a8cbb97ddec9b6e373c5fbb07124d223efcad0f7eb74756906343f3d359541047d36bbd7938bd100ff5b6f0c30c9a2e45d0e1b6cb11e4e3c2eef7ada79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OO2Q27PV\push[1].js

Filesize
281B

MD5
1bb5a3267c9865ad4abe8d937734b62b

SHA1
b5478dd2edb3e64242eced1db2dbd945ef81f592

SHA256
674bc0c70f98d627b8a7e1d278a1f21ffe33815565f7d5371bf0275da57571b2

SHA512
33318ed944a49a8fa334983408d68853b1fbe4f80b19adef6235f23d7708b616cd4f8dd28c8b8ebfbb5776aab8088229f3060cd789af34fe1db5038a98bd0d39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iecollection.vbe

Filesize
27KB

MD5
3ae90f518da50357ec9d532b028b2645

SHA1
36fb5d06b835c1cd5f553f60015d12c92953b87b

SHA256
b9a4385b6e5da607d9ce7fb14f9b238dceb75181a2d2fc6309b1444db647380b

SHA512
3ef58f26b75d1bfb7bbded23518359c6bd1ea62b05e40d4fff6282fb9415fcb94f717e0a4f9af505fc2c7f466d783ae5be33bfe99be70c85c2282605ebb3414e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iesearch.vbe

Filesize
3KB

MD5
9dc634e695b638e999db0a37ef69e82c

SHA1
63f050122a86811cb20680e15f06533c0fe1012e

SHA256
6bb5457580d753e27e7b6362d937475159d22e2ceedf37510e8c8a2141955ead

SHA512
10d74ee78c2fa69d8ea464223cac9e20bb8bd57e6b19d6d99f556749cd27f62b0086a501c86f3c77209fde0f79902ae52b0db10a048f1bb45cddc1feec62ea25

Download Submit
C:\Users\Public\Desktop\ÍøÂç´´ÒµÃØ¼®.url

Filesize
1KB

MD5
1543831c7abd65c408fdf52958148189

SHA1
65e4039c1b9baefe3e06563fac5eebd9cadb6ea7

SHA256
ef3430387d59b2ebfbef2e1ba5a4d46c2eb0d24ecfe935c4119d33c7d2ece8a8

SHA512
c37ea8772f91c5873d20b12bd14df2a15d5fd36ff3df3c2d04e80a69d36c98bb3a081935bd3e799d5554bb5508a4d8c2f4b8cbb13c31d3d86a7dff6724e13e06

Download Submit
C:\Windows\ShowIeLinkIe6.reg

Filesize
7KB

MD5
4f69fa82c34c91514da21a5933644af8

SHA1
e131f57f41ce95b46195d460852718b83517579a

SHA256
7cd8b741bfaee5cd14779b69d71b362aac4c928097c6b4af8ce0ce16bde52a46

SHA512
276588f960d28023febd87873c7852f401ab6ebfb3d90bf8b21b1998949d8ab00badb42d1a05934587aa6b4ad0ab06a3d649dcdb70f384ca70339049243463c4

Download Submit
C:\Windows\ShowIeLinkIe7.reg

Filesize
9KB

MD5
dbd46bf2e72f6dfbb21295f4e3066d47

SHA1
cdd6ca2f6455c1e528c40a520bcdb8669df8f548

SHA256
71927f4f034db038385346e34209ad069139f54d73bae34bfaf4f29b7010fc6b

SHA512
ad013387a0c7608375b7a3c5fdb27f0d9e79b051d84b1ee9221346499f386d30473b5e2727f6a4e8a8122cf8ac2d473a5ce5e368e62da09441ed48e5c088bd11

Download Submit
C:\Windows\host\smss.exe

Filesize
64KB

MD5
a8c5fbe94bb1bed1aa94ba774e52fc1d

SHA1
ed84f48e8d0bcc5392029ac855bc90c195e3f653

SHA256
4aa4895ae60481c04133707b5419a771158bcc8715448eca5cc9e925067a7797

SHA512
1ade3d66a5d23d5955004063cedc76e55cde9eb1761992b1d2b097096356ee13820686ee89f4cdd045b07bb7391c697102d4e47e6a13ed7fa94efaca79475551

Download Submit
C:\Windows\search.reg

Filesize
2KB

MD5
9f7a5352afaf0645b065f911216054a0

SHA1
47912402dd059d3e66f7881919e1d1135304c044

SHA256
0c8759fb30915b0d639556813fa6495a01e563417104e855e028f4e2b84bb7be

SHA512
4cb6d762b5c43df711bdb2fa650dc47ca36ccb6be7a63685be30d68e60365cafbbd1e3171f933e49135585520ee8f62033f917c93ebbfad9c77b2d7e9f91c173

Download Submit
memory/4332-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4332-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download