fd40489a7af2193c7b0790dd85e2d71c640ad699f259d163b74788d92383db8f

Analysis

max time kernel
124s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7144a6bd257b2a36e3d69ee48376bdac.exe
Size

1.4MB
MD5

7144a6bd257b2a36e3d69ee48376bdac
SHA1

0f186be86e7f6b0693239ce1247f98c9fb72f23d
SHA256

fd40489a7af2193c7b0790dd85e2d71c640ad699f259d163b74788d92383db8f
SHA512

8ed6bc0f9a907d82c28fd61ebc31000835710bf977c02af8079181a37184f8a5fc9ed58e78ec437c32ef926457336d4a23c0e508027e945fcddd4efd1ed89ffd
SSDEEP

24576:Twss/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiV7DFf:I/4Qf4pxPctqG8IllnxvdsxZ4U7DFf

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
1716	7144a6bd257b2a36e3d69ee48376bdac.exe
1716	7144a6bd257b2a36e3d69ee48376bdac.exe
1716	7144a6bd257b2a36e3d69ee48376bdac.exe
1716	7144a6bd257b2a36e3d69ee48376bdac.exe
1716	7144a6bd257b2a36e3d69ee48376bdac.exe
1716	7144a6bd257b2a36e3d69ee48376bdac.exe
1716	7144a6bd257b2a36e3d69ee48376bdac.exe
1716	7144a6bd257b2a36e3d69ee48376bdac.exe
1716	7144a6bd257b2a36e3d69ee48376bdac.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\jishu_102246\sc\GoogleËÑË÷.url	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\jishu_102246\sc\»Æ¹ÏµçÓ°Íø-ÔÚÏßµçÓ°.url	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\jishu_102246\sc\Ã¿ÌìÍÅ¹ºÒ»ÏÂ-¾Û±ãÒË.url	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\jishu_102246\ImgCache\www.2144.net_favicon.ico	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\soft102246\B_4620114606464612224610464646.txt	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\soft102246\4620114606464612224610464646.txt	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\jishu_102246\sc\2144Ð¡ÓÎÏ·--³¬¼¶ºÃÍæ£¬ÀÖºÇºÇ.url	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\jishu_102246\4620114606464612224610464646_ini.txt	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\soft102246\CoralExplorer_200403.exe	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\soft102246\pipi_dae_382.exe	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\jishu_102246\sc\126ÍøÖ·´óÈ«ÉÏÍø×î·½±ã.url	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\jishu_102246\sc\²ÊÆ±¿ª½±²éÑ¯-ÔÚÏßÂò²ÊÆ±.url	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\jishu_102246\sc\ÍøÉÏ¹ºÎïÍøÖ·´óÈ«-Íø¹ºµÚÒ»Õ¾.url	7144a6bd257b2a36e3d69ee48376bdac.exe
File opened for modification	C:\Program Files (x86)\jishu_102246\jishu_102246.ini	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\soft102246\seemaos_setup_BC21.exe	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\soft102246\KuaiwanSetup_2144.exe	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\jishu_102246\dailytips.ini	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\jishu_102246\FlashIcon.ico	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\jishu_102246\newnew.exe	7144a6bd257b2a36e3d69ee48376bdac.exe
File created	C:\Program Files (x86)\soft102246\a	7144a6bd257b2a36e3d69ee48376bdac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF514191-BA64-11EE-AB70-EED0D7A1BF98} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF4C7ED1-BA64-11EE-AB70-EED0D7A1BF98} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a00000000020000000000106600000001000020000000b71592f8fbd28302f1aa15811f0a94b45e203e71db55a85565f2358b8014ad10000000000e8000000002000020000000b942ed8ea4665ba107aa101f5d486c6534d5f769d83f0dcb47b554be1840938e20000000e6cbd77b26b7abaa9c247edfeefa7464a181d1b4c289ad322f977daad9574575400000001b9b97e618a494ecb14348ab16bcb7486da36674ffc9b5de08735b3ea309f4535fdca2f87f031c631d62445cf2fd2878349d3edbab7fecec7cd50cb5f464c533	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a00000000020000000000106600000001000020000000505839064491e2fae0dead8e377937437e4f02ff5d9d0ba3494efab237688a70000000000e80000000020000200000000d93e51999745ccfaf3005a70ea9486638f1ad6418b296f6f308ecda569dfb9f90000000462622b255ce89c00ece12f1477ed57c19df3ef188902ff4791ed18d563f65760ac0ce9571791a8f3903f645ba7fa9728cb6688e5a5365d705387d75245dd43ed7eb45995a7c6775b2536ea43adf6330cec577fedc282afc3e198d1f78fcbfdf7bb332ef77f168f756bec247c82a9e51140fc5b08a9cc0f6ba7ff65f005192aefb2eee4f0458ab385a012f043e265fc940000000839571353da379e2e129d39e1be9c2f7797f471cc65500020d8dbc4b7115553b07185aa6ad712e72f45ecf8b5bf08a1041150f491d2f8a0d5f53492d8ad044ae	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0588986714eda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412227077"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1716	7144a6bd257b2a36e3d69ee48376bdac.exe
1716	7144a6bd257b2a36e3d69ee48376bdac.exe
1716	7144a6bd257b2a36e3d69ee48376bdac.exe
1716	7144a6bd257b2a36e3d69ee48376bdac.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2388	IEXPLORE.EXE
2808	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2388	IEXPLORE.EXE
2388	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2160	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	28
PID 1716 wrote to memory of 2160	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	28
PID 1716 wrote to memory of 2160	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	28
PID 1716 wrote to memory of 2160	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	28
PID 1716 wrote to memory of 2160	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	28
PID 1716 wrote to memory of 2160	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	28
PID 1716 wrote to memory of 2160	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	28
PID 2160 wrote to memory of 2388	2160	IEXPLORE.EXE	29
PID 2160 wrote to memory of 2388	2160	IEXPLORE.EXE	29
PID 2160 wrote to memory of 2388	2160	IEXPLORE.EXE	29
PID 2160 wrote to memory of 2388	2160	IEXPLORE.EXE	29
PID 1716 wrote to memory of 1748	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	30
PID 1716 wrote to memory of 1748	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	30
PID 1716 wrote to memory of 1748	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	30
PID 1716 wrote to memory of 1748	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	30
PID 1716 wrote to memory of 1748	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	30
PID 1716 wrote to memory of 1748	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	30
PID 1716 wrote to memory of 1748	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	30
PID 1748 wrote to memory of 2808	1748	IEXPLORE.EXE	31
PID 1748 wrote to memory of 2808	1748	IEXPLORE.EXE	31
PID 1748 wrote to memory of 2808	1748	IEXPLORE.EXE	31
PID 1748 wrote to memory of 2808	1748	IEXPLORE.EXE	31
PID 1716 wrote to memory of 2620	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	32
PID 1716 wrote to memory of 2620	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	32
PID 1716 wrote to memory of 2620	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	32
PID 1716 wrote to memory of 2620	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	32
PID 1716 wrote to memory of 2620	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	32
PID 1716 wrote to memory of 2620	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	32
PID 1716 wrote to memory of 2620	1716	7144a6bd257b2a36e3d69ee48376bdac.exe	32
PID 2388 wrote to memory of 2856	2388	IEXPLORE.EXE	33
PID 2388 wrote to memory of 2856	2388	IEXPLORE.EXE	33
PID 2388 wrote to memory of 2856	2388	IEXPLORE.EXE	33
PID 2388 wrote to memory of 2856	2388	IEXPLORE.EXE	33
PID 2388 wrote to memory of 2856	2388	IEXPLORE.EXE	33
PID 2388 wrote to memory of 2856	2388	IEXPLORE.EXE	33
PID 2388 wrote to memory of 2856	2388	IEXPLORE.EXE	33
PID 2620 wrote to memory of 2480	2620	Wscript.exe	35
PID 2620 wrote to memory of 2480	2620	Wscript.exe	35
PID 2620 wrote to memory of 2480	2620	Wscript.exe	35
PID 2620 wrote to memory of 2480	2620	Wscript.exe	35
PID 2620 wrote to memory of 2480	2620	Wscript.exe	35
PID 2620 wrote to memory of 2480	2620	Wscript.exe	35
PID 2620 wrote to memory of 2480	2620	Wscript.exe	35
PID 2808 wrote to memory of 2780	2808	IEXPLORE.EXE	36
PID 2808 wrote to memory of 2780	2808	IEXPLORE.EXE	36
PID 2808 wrote to memory of 2780	2808	IEXPLORE.EXE	36
PID 2808 wrote to memory of 2780	2808	IEXPLORE.EXE	36
PID 2808 wrote to memory of 2780	2808	IEXPLORE.EXE	36
PID 2808 wrote to memory of 2780	2808	IEXPLORE.EXE	36
PID 2808 wrote to memory of 2780	2808	IEXPLORE.EXE	36

C:\Users\Admin\AppData\Local\Temp\7144a6bd257b2a36e3d69ee48376bdac.exe
"C:\Users\Admin\AppData\Local\Temp\7144a6bd257b2a36e3d69ee48376bdac.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.yftk.cc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.yftk.cc
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:340993 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2856
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://sadfsdafsadf.zaiqu.net:81/wangdaqing/none.htm?w02
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://sadfsdafsadf.zaiqu.net:81/wangdaqing/none.htm?w02
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2808 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2780
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft102246\b_1046.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\soft102246\300.bat" "
    3⤵
    PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft102246\300.bat

Filesize
3KB

MD5
5ba982c3b0178327c961128c51223717

SHA1
61034d3d88fd5888b7cbd6aa25ab850181a69cc9

SHA256
0813f9da8cc671c8f29cf75bb865959e888bc67b6bfa29295816cd9c7efab0e5

SHA512
022fe864f8ffcda68b60660dfb1b7d6cb962243d66133416c044754a77f84a6f92555f8db912c8bb5a15ad205920765f9e6360e7a8882f51e95c89e2bfd236c8

Download Submit
C:\Program Files (x86)\soft102246\b_1046.vbs

Filesize
348B

MD5
9ed58e224f44bde43ba1bc45757c3772

SHA1
4c7ce0eeaf516ffe5e259af9d99fe1fce14eca49

SHA256
de888c2a524118a776cce3507b39a84188fede5feb2e23b1c2844c3cf5abb943

SHA512
96f68d7a4114fd015063a7b72ab704f152ccdd8680b9cbc8a4eaeb3c7ba9848c0df1c86da11a871fbe8dee183a1c4e19b751aa7e4bf390a09bfe6db60a242187

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45a4edc3c364620990f56152b3c441ca

SHA1
493220ac976ffef78483ccdd77be19e486ca2d85

SHA256
bc644a98cec413d4b7dd2471bd514c62f88dd44d570f5802e6b6c3f523f5dfe0

SHA512
8c72cacd2b000cc31d9e400a9b786c653dc7cd3c4ed0f3229e9d70df3a2df623b8aff5fb1781ae689defdd858b4ff8b824b1a2f6feeb8660d3c8011fec99e12d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1968ec0597b9393e67a36e48d8cf8ae9

SHA1
ffcb92b4d719c5f70ab3aa4e3d179d61643bdb19

SHA256
6a459834638a02645a35ddb97678e2e6ff68056e5d43eea7944e7a35f6ddc656

SHA512
b488dfea52f32bd5e8bbd432063bec247786237fd72192c03d90d8eec0b12059be2f1951264440bb46f1f0fddcdd1c7a3b4ab32b69ce81c7194d183a698cf4ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97c1ada75c95020fd63c1a963e204b88

SHA1
850f4044cefeb2851f138e64c8cc239b220f3334

SHA256
fcad43438b3bf4b6a7016184292f30b84bf59436213d4bd7164f27252dcc59ad

SHA512
32eef91060f499a7085944b5d42b6d015c8b00291b1b704e71926a1a376202cd84bd4d7c32bf9e7002ec533d767ebc49bc68c7f4ba3d833ea05a2ba5b010930e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32f86f934cf4fffb9d452c8026e22946

SHA1
916e8f4a82439d0040d9e3dc96a10869c5fe3ca1

SHA256
e07f4adfb00cf64bc120d501aafdfbbcb5afcf98b857c24ae4268e6f4c1bc61e

SHA512
b08f2683f333ce70efba49ccb766ca8859bfe9b05c88bf44ecb770ec9912c729820bb4a25f3dc4c197265c127070562672e3f17c358c4afdf0e67aeb553b96b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a1d37aee95b8bc239b07767e926380ca

SHA1
799e9e752cd786754bbc00553184f4bb016047ce

SHA256
7036f31af6b2b0c98db1c46b1b31be2ecdd0b2c5810459b09549c0cdaf2a0716

SHA512
6de6b148521f79628b39bcfd1de27b49441cb3fe620f9016eccc403ef9f3a4b998ff0cf96cfb0700594fa13266236e54fac47f49fb79d2e2b2a0d195644fa936

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93f8c890227cad19f65b8f6bb7d01acb

SHA1
37392e63b1f5b0f37121df2afab196c1b826f2d6

SHA256
e8bd213c7b2d3475869a5e95b2f8fbf76be631da6f648b88b386881fe51b8d7e

SHA512
05546a4f40afb16463388684ddf68a6295ce8dcdfc313059971567c465e41b8d94f55f1a121555ca461267aa12f049ed9da77aad76bbd71e05c87a5e21c4c945

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
804cbeb6c7002d7a4fad98159cf34f5f

SHA1
53cae1ea4f8e772d356c4b749a799b5f4f75fc03

SHA256
90b84d2a26b651139ffa97e51bcd863ffb2722cf9d0179255083995920c19d59

SHA512
d9aa0b72b6c09db2ee63fb144c69b5e1dcd3c0079e4f95e1ccc769051b5a07cdb81307fb4edb0d074498ba1e872aab13f34321caea9e2f7ddfbfdc08407d6941

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9dba729a50e229642d0fa830026177d3

SHA1
d0a79300a3bbe1ce4615eda5143164e23c8cba5f

SHA256
f1e4748f30da43d4f0ba88e7fe95f22a03ac9eeaff137fe41dcf873a818f27c6

SHA512
f474e1a57180f04d4695833df029be4f8bdab492263540672f545db306a36e11fd2868f3de255c1a82ed0a0dd332f56fac1836b5552893d4f733bda13e64bab9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0aa450a97d136fe68bccbc937ca4f4c3

SHA1
fd89ba60565e490478787e750aacb170bdaa4d5e

SHA256
360a4432d8d684c904cbc495e27ec89e51c33d9ca9428ae8362a807596e89eec

SHA512
4512bab0c9df3c95ea227dff2b9a4182c108d374e25f81c2e9bdf063f9ee794e659426881de8d4d49ac8257701f802e5ef6bd4b1261db7f14aa57ef7be5945d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb4c0692c2f90206d62f351846b3cade

SHA1
356d57cd7130f7e37aced1ef5210eac299d6cd9a

SHA256
c173c482fffd6561ac9a4668b2c3d22c851ef2d8f761ebc84a19576eaff877c1

SHA512
3ffff7da8f33f100529bbc814c888fad6799c146b91a6c84596c64e8a651b6ea65d1e1e85a7c752c0a61b67a555972c23e7d6349581936d596654580f069add3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dfb80987cdf37f21bb38a2ff25d7a6c1

SHA1
4362e0c58d6a98948fe2c1836c6e2accaa32c5bc

SHA256
afd2e1168c35b2bf7ac78cfb47062ad7003f3068997f185b057323eb5417b327

SHA512
7b328f2bdadc28693324cc26926259bc6e78ebd70ee07f3521949e32f96a571f7d2e616df192b887f980a62251f662c0665bcc5ec1862a71d7a8c9c816de04e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
04bcc25ab1011c4f5408a54c53dda013

SHA1
61d6bb66e4e7343d29c41358871941ee8725f39c

SHA256
f2464f217adab92b7625f651d2a05eb11a028915d308983d742e379238c7beac

SHA512
dd29337eca3b0d5c809f3fd99a22354414b22a70ac2bba5c7bc9bf110ac5ea7c83d70aaf1b5014939a13b02c84783c8a1e89107310dbeac59a7d48843ba74ea8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
118924bbb484b90b4ee80de007a12369

SHA1
505856b3ae9ea58cb2a5c7cb8872fd7c52930e0d

SHA256
93e6b9f9b2420275b8ee32314f6c2a58bfb6765ef049bf94a813c83c94364fea

SHA512
4522a044c58b4a2e75349f51f0ddd673685ebd51fe96cb3bda71787bacfe42ea41163005252cd03e90f844d54d6f2513366d1f30b5323d99a04102adb0caea4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9b29d116b47b940f12d131a25ae1a63

SHA1
af48d235200d8b7d7cb78599a813957b7a97322a

SHA256
350ec413e493486e5f440025f45aff395a3dbe8207dc04e2043bf28faf2a9a52

SHA512
3c2099461c4da2cfe219b8e9a28794881e0522443519e826b368eedfc01319377986d375c0f8f28442753b6999fc0f30b26c6f603fa74adebe5326e797f09cc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f939ce44a9c59a02f01ee4968e347e7f

SHA1
c2cd95e741645348b9425361bf336739152bfbbd

SHA256
7186840056663d40d9523f749636c48e2d9431705a6a72819d074e3b0a8fdaa6

SHA512
142009a68099aa3d5ac8468cca4f12865ade60247960fdd8a0f62218e12c8b0293475ccc7e8e7edc5035a90eeee1736ad91bb90abc11d0f2fcd8c63ce65edeae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d41f4cb4d2980d029f2e74f4058c057

SHA1
201667ec00f97aa6e423ec5b25a7f4231a805660

SHA256
515542fde89b7791d5d0659df177082a2a70b75f7e57ffc05654bb216043de95

SHA512
c85fcc41c5f321af81130783a83996afa877c748bcbed3567e9dc8855b77ab2cf8dbef3d67fa0ceaa7cdc705b23648add935438561a025412ea2f618b5710f52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4570b97fa645651cf24ba3f87e983aff

SHA1
e961e0b3ed6e85c49437f8d8c7d7ff91ef4e7304

SHA256
433aaae2cf806f42121d3033bbaf564706fbd110e24876f7fb0ede56b98af02e

SHA512
eef76f9586c6586508b1799ec58ccc231bbfb2a12a6785c02b5e1224fe7a3927c8ff5c8768fb036888530076c17a444680b9648b4a4b3042e7d5d5a82732fcaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f6dd1fdf8eefa31af7d7534b5051c52

SHA1
6e783437ebc6b231e138256a1c87ebe7182116d3

SHA256
6040d11178f5a1d0b80f5b2da2eee69fb9c619be24a3e93a2957d4f3d69024c0

SHA512
b1cbeb5e61e8053f202f7f22f8b754be3e82c11b9576d61cb7ca25c343ac220162c5fa656a1309249988ca7648f2bf4523b2caa702a48fcad6e7da16db14c318

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72ef94d5d26a0aaa77f05baa910a3d55

SHA1
f8782a4780328483306ecbe7a9917a93a1a7a38b

SHA256
456a34f697f33a270c180ac7c7208cc8e178783fc8e4d3c6a8c873002bcba145

SHA512
630060f736a9da66a7534a2e2de5080a877f56ed7f50c9d05f2622543ab0068116546e6160f3cfcf4871c600d1944fe9d7055d9d0bc942c679604116852aed04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AF4C7ED1-BA64-11EE-AB70-EED0D7A1BF98}.dat

Filesize
5KB

MD5
6891ec4d68d09822f72f5d047d48b398

SHA1
dfcbb10bd9c33efd4391d7bd31b4174817c2700d

SHA256
8e76a986bfe532e2823a725104861d08dc2931333005454e571e4a2eea9a15a4

SHA512
12b411ba66dde7c1095d93e991861c467a8c49f9c8390c8cf786a8eb533cc2be3c1d7f362ca506e2d9c5d6f3d379a0e8631cf1947741c5762262983c0609e429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3814.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar38A3.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Program Files (x86)\jishu_102246\jishu_102246.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF5D.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF5D.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit