hxxp://d8[.]baidupcs[.]com/issue/netdisk/p2p-pc/kernel/kernel[.]300244[.]gz

Analysis

max time kernel
137s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://d8.baidupcs.com/issue/netdisk/p2p-pc/kernel/kernel.300244.gz

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{16A923F1-BB99-11EE-B0BF-4A7F2EE8F0A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0720b1d8642c344adb870a2e917866400000000020000000000106600000001000020000000144c083e708e3b58f31f6e47d80d3f8f2f3b112181fd30003e66633ae4d6d227000000000e80000000020000200000009dd287e7ccf8b27ec321e75a97bb6ab2fe7609ca1a40c65bbb6d8cd5a52c2d41200000008e4f30c6323ee0d3746b97c8bc694795b532d1cb051bafd3d105168d6ccf41254000000033aef21beb49e5dfd6d42bf5e1518cb5ae836431509a75386967b6c0f4283682363058ff270070bf25464e41c8ac4524c5055dd048ba57ee56a4226c14f18c7a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0a59b2aa64fda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412359536"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0720b1d8642c344adb870a2e917866400000000020000000000106600000001000020000000af9dbff2d38913de34cf14dde6d8c765533089da31461c71736c54a423b6e326000000000e800000000200002000000095821d93a0b152c007f648338d13d5d8083006db3e64d32901a57b21164df31890000000c3cf56d0d34d98f195554737d5cde1f77fc9833266c8c80bce40668f78c32e34fee4688f44d63a88f65eab68483f9bfc853c9db2444a42f1a2c6f18aff19fd2a55514d8c202220e5e2357b55bbf73815620bd9a1dcf088384c153ae5841234a1ca7973e18bcab0a5fccb499ef508c4df82e76cb84666831bd098f55e46723796011212ff668782cd5b304d2c6bdf6eff40000000c1642fa28fc63a80c9f740847af46a462dfbfeb0a3fa258485605da9d63b20cb566cbef51fd5b04d5263610e88f7aae9ec041c8a120f4f8b70953ce3cfc416f7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2296 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2296 iexplore.exe
2296 iexplore.exe
2692 IEXPLORE.EXE
2692 IEXPLORE.EXE
2692 IEXPLORE.EXE
2692 IEXPLORE.EXE

pid	process
2296	iexplore.exe

pid	process
2296	iexplore.exe
2296	iexplore.exe
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2296 wrote to memory of 2692	2296	iexplore.exe	IEXPLORE.EXE
PID 2296 wrote to memory of 2692	2296	iexplore.exe	IEXPLORE.EXE
PID 2296 wrote to memory of 2692	2296	iexplore.exe	IEXPLORE.EXE
PID 2296 wrote to memory of 2692	2296	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://d8.baidupcs.com/issue/netdisk/p2p-pc/kernel/kernel.300244.gz
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9d4a1d874e5faa0ff0dba0094415329a

SHA1
6dad5960a8471cc34fabcf560e9aec9ae21362e5

SHA256
c350c9d2b6bb4c641b96646ad8dfa863fe5a29ebd05f9dfea88017d3dbc5ef26

SHA512
df1c188649c54cdb8aa44c4d1b81454d622336b1860dc196ea41201e5cdd2f136a894613fb9140c4a4eb87b3b743ce0b58320657acca4fd7fcc6c94141b23fa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
591051c6fc5023946b987c729690bb24

SHA1
250a20f9b428aebb096214fe53febb751a7d1b84

SHA256
94945c71a320bee49fc757783d770d076743353cc266c65499d3a11e7e48f015

SHA512
8da7eeef9008da19c3a0272541fa04ef0404316e61c75214f6c6e9944ab269801ad4c1519ef7b9507060148fffe2daffd8fd1bbc7c1a7cbad44edc43c1775faa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
64392940f3fdb4feb53a0b25d673deb8

SHA1
11b293212a19d8606d89ae4eb8985e38148b6db2

SHA256
5447661f892f80a53f8ef7b91f55c887adb1f02c7f122e5666c141935cfcaf59

SHA512
89f16b1979c4104fb9cf483adb15d8e9cd0f51d50bd9d9f749ba96b4ecc16c787cec50b9caf6330f3a5053f7c8036e95431b8ab48a4e7a0fca219d283350dc73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a2d89bfb9012a30e780024a082133a92

SHA1
66c8652168782d212ca7f391915a0476b6b3ee80

SHA256
b287c9bcdad128ad7370b445aa29dc2b9d242191fb61844e0d7b3cfd1a3d5833

SHA512
c61b74537091d9bcab2753171de14e0577ef4cbb23b3ca7e3db1eda2482ab64c9d5a9382d67c05aacde5e772d1e3a65086b9b45b8b907ca7da09fa3f3bfa8726

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
86914b28686c47ca8a32e38870780413

SHA1
380290bdcab047ab6f97898f62114ce37d19a682

SHA256
c8ffa56e6439e676737a5cafb546d175b0391751493a87ef9ca995663e50918c

SHA512
969d3309606777aae3b30fdcea37ca7da055fc529cbee68d364b6b30bf545ea4dc39222b4668be0e8e510b7ab744ea342d17afc0370fa2d80815680d0762b54a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
de1bc8d776e356cc24c03ed76d5324de

SHA1
73d704b4bbd208669a9f2301843fa418abf9abdf

SHA256
5b745c08cdd31156c741e7fdc5230fade6e64885d729dead82c54e60d22a2115

SHA512
1c25f51a3ce74a752798550d3693effb6cbde6467157aa68db25efc874c8b24530874ab148f39a64cf6130f0635d7c8bc2d2dcc504e6b1bb1b11b2dd7b540be7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8934b1e1044d664cd1df0e8c32975619

SHA1
3a411051229bfba6538c314ddf93d8ec0af61398

SHA256
2d481a4c8266a67a648d768bd57ac96435361b644c4763a0c1a419006c8ee678

SHA512
9ae8153ae455156bf12316840aa143f966f113ed9168d46b2d1331f7557204060450710894c765db1c71589cd63778e6a7f05fbf982c1de0ae43f4edc00e31ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b479053507047ef73adfa4d3bea0f87b

SHA1
3ce0bd6cb94ce29f252690b93f7336dcf4e34ee1

SHA256
89fa7b4c7d97e984ec84a3f5adc3cc903c6f7a6d91e31330d4a9e0665d50514a

SHA512
ac0f159bbe0d5ff054f7db03e2b6e7b27bb56aed757d3afe33cb1d9119591ee26678a6324913e4a056c9c6c2ce91646f295cdabbf3f63cb4db8390af7c86ba42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e47dd978928ec5a16af301aa7ea0121c

SHA1
b993459761df6194b567c7c2f77441755ba8353e

SHA256
98430ccbd8b357a50264226ca02fb6fab6e8b30c280996d1c386ae652eb88262

SHA512
b360c360972e306265201a15add0c458aa585e30cb6496ed44cc5714fd6cdc9d546d3c18d76fd96b8b8e31a95ee34b50cb823d8fab9ccc16a4857c0d095c6e33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d42e6996bf7b07ba8f5c22b2731dc99f

SHA1
6ac8db2c2f1cb64ce641b92cdee0b2ecfca82e8f

SHA256
5bb4adf6a7a475b4f182af0f00f33c943f44347ebaf3d07b43048da6b513c2d9

SHA512
b94e21b39fd086f21c14ea89e2f4d072e0e4c98dd230e9b70a859867c0f49403bf6a5f558b5fe1fe75a1bdaa4e6b1b995402fe2719aefc9971153fc3385c12ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
96b3c61e533d3f8d22299f0c2438398b

SHA1
4156f7cfbdbad2b229b021821fc1cab6af51324c

SHA256
27f599807b9f0e4971493de901b85263436f92163844de2a11f18c61fa34309a

SHA512
450289ea1402faf60a2635340f866b77b666ef30aba9afc57703403006fade0dc13e283475354dab8dca12e475266924ca54428a8f349b2e964ed45d93f683a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e7cf42793ad4aa234aa521239d393c13

SHA1
3d0ea0a9c572d388fd78e9d15c8644fd43dbcccc

SHA256
c70ef05281925a071570e0d521d87543cfacacd4fe51b2c66f3b184d1d650f1c

SHA512
149947555f1cf01a563e27ffeb945f94294f448a621797989efb24b9c61bffa33b5cf6ad30ea932c8782c2e69f30577c1112f0766a163f9aad20e1e581d8c61e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
51e9557140821dcd092a30ec670fff1e

SHA1
b77b32213bbef2f25e0af2065d40021100ddac98

SHA256
6f135b2182d69d2b805bfa609a5b25ac6561fe780ae7c3acc1455e0e3f9f8e3d

SHA512
22f9cdf3cb4d5b8eed4f5b39c16b0e1d38863f13522c6b645226783564ae4f0072f6ead825917db3051c1cf881bd5264053d0ceb5280c933b4b02a606af2c1be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6300a7bd16566c2f9fe190c6fefff9bc

SHA1
c50b5a1063f077bb550375cf19f3d01e70cf10cd

SHA256
f28639070a0724dcfbcb139d48da9bb3ba6638c76676d38dceaf65e39acfc0c9

SHA512
d808b2a0b0e2dc7417b05cfa6e0d793a37fd80575f2ae840238c33e6e189ef03587d8d0830cc9d4c41f6a6bbf6d926bc57663f6dd875ad592ced4ae981e06b61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c0555a67450de69ecf86b7188ac9ee89

SHA1
11db8bf3cbacf931ff05ade3c74c3e77be326562

SHA256
8f5829c25dc982c373a84ec581968952058cd300b55dd181f2542291339cfb64

SHA512
815cdb3a828c58e50c4550286dccca21e429272cca1d96ffede22d3cf6ac5c0aefba6d2dc74519f4373904cce873aec17e8d65959e0f3d2535bb60305fbf0a40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9791cf4fab44a649eec8cd2aa5faf835

SHA1
6362089c6bbe0a051e389755c3af03f9cc081844

SHA256
a0a08a1ab4e2584ea7543bbcb0cb8b32c0a9f6c8e4db3946bc75577c47fdd7d7

SHA512
01cad023876d8f49cc43bad188ee9af60625d70b553dc5ea6bc2f06603e26fd2a352337f6a6abf93aefb25f63e0d31e0b38baf1723bedf73c2bf44b145dc62f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4f7592be2a8d2ae1d6bea9cfc3f33c6a

SHA1
b82c159f3ebc285470ea2025068490c64669a051

SHA256
f1dbacf11b726b4fa4b0d12616a6ca91ba0688987d89aca880ba9306baff857b

SHA512
5be07b8bcbdd823d75f3a33a402afca78be867bed9c437efabb264de1f9178b02e44e6838b5e2d2f13cc72f2e10fb3bc84b2b3c7197eb6f7d56bfd246da487fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f4cc787ed619e53a3c4f4d1d1a2a1151

SHA1
9e753509104d56ca60cafeed21b1de6a344e770d

SHA256
9912a42c4fcbba926c3099eb4cc50c0532b923a6e3009eafbdeaf7cd69c89e90

SHA512
9ae34a74c843fdf2e071e25f123189bc519a8ddfedc409aef5e5b03b9b083e310dba75c9f41d7d0930526bbade6a091e7a19eafe1ad655607e695c4cb0f66e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3333.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar33C2.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit