350d511b50f8048b71fc2944f75d2d3ad548e7240ed95bfa580a28fc86a1f566

Analysis

max time kernel
126s
max time network
131s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b7a1a40ebf1002beb45ccc3564cafcc.exe
Size

1.4MB
MD5

9b7a1a40ebf1002beb45ccc3564cafcc
SHA1

262421f83dede45a599f00ab86ec4cbc946c71e8
SHA256

350d511b50f8048b71fc2944f75d2d3ad548e7240ed95bfa580a28fc86a1f566
SHA512

3356e895bfcc805c05a787e62317d592f92cac2d84520ac89768d40c4c603655d7abf14d64c59de2103a6b111dc6b39ca65b185e6aeaeb829bbc41250a5be533
SSDEEP

24576:5Er/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVNUp:2/4Qf4pxPctqG8IllnxvdsxZ4UE

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe
2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe
2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe
2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe
2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe
2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe
2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe
2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe
2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe
2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\jishu_184502\newnew.exe	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\jishu_184502\newnew.ini	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\jishu_184502\ImgCache\www.2144.net_favicon.ico	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\jishu_184502\sc\126ÍøÖ·´óÈ«ÉÏÍø×î·½±ã.url	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\jishu_184502\sc\2144Ð¡ÓÎÏ·--³¬¼¶ºÃÍæ£¬ÀÖºÇºÇ.url	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\jishu_184502\sc\²ÊÆ±¿ª½±²éÑ¯-ÔÚÏßÂò²ÊÆ±.url	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\soft184502\B_0220110205020212450218020202.txt	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\jishu_184502\FlashIcon.ico	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\jishu_184502\sc\GoogleËÑË÷.url	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\jishu_184502\sc\»Æ¹ÏµçÓ°Íø-ÔÚÏßµçÓ°.url	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\jishu_184502\sc\Ã¿ÌìÍÅ¹ºÒ»ÏÂ-¾Û±ãÒË.url	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\jishu_184502\sc\ÍøÉÏ¹ºÎïÍøÖ·´óÈ«-Íø¹ºµÚÒ»Õ¾.url	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\soft184502\0220110205020212450218020202.txt	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\soft184502\wl06079.exe	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\jishu_184502\dailytips.ini	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File opened for modification	C:\Program Files (x86)\jishu_184502\jishu_184502.ini	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\soft184502\a	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\soft184502\MiniJJ_12318.exe	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\soft184502\pipi_dae_381.exe	9b7a1a40ebf1002beb45ccc3564cafcc.exe
File created	C:\Program Files (x86)\soft184502\d_1802.exe	9b7a1a40ebf1002beb45ccc3564cafcc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "414069612"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd76917334189000000000200000000001066000000010000200000004b2bbe45a9b6a08774023ea5c9c840720602e6d754f35620e3854b4fd9fd1025000000000e80000000020000200000006092d922eab28d4fab3f5119a2a72ae15cf79cfed6080c558a52dcacf5e314fb900000007aed5e888d9367a8d325a9fa701a896c52f9829c1a4e1dd6cb906eb5b70043bebd4e355b52788c923d0d97f3984df7e38e238597aed9830ab28a6e278fa7d0f7fd8d0f3a24c5962592ea5704103ece3769e03afe8432aaf2dadcce91327bdeb0a56550d52c7400e74f9a0692ba75f06c3b783e6cb15c146b91b0e5ac6c1e8738f3c792cc4b62aa6e763dc959856549b640000000c4d53fbcfcc57d672990ff6629ecd2244f7efc2cec14a5f3ca3e98d3bc5b06fbc25c1c44f62462f8d2d189fca368f43ff66c9f8e97c2e831b8dc8081ec968aad	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0bb8e99335fda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AB36B8B1-CB26-11EE-BD45-D2016227024C} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd76917334189000000000200000000001066000000010000200000000532d2b6ee06137f5b928619814ac7ff9100c5f6ae7b95f226010ebb66056ad3000000000e8000000002000020000000269c65af79dba8882b202fd5159e891a6263da444dfa80a71aa1d70f8ea00ced20000000d04e31eabf777e4b22d84011349aefb8f15fe8b79fe9502edd44ec9554787e6c40000000a8b7040de02207e384d02c88a1a935192a1b3c8df7d4fa9fa274fe84594ff148f9c21d715edecef5a3e7af50f025eff4fb550c6da1bdfbb8239fc629d15f52af	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AB6B16F1-CB26-11EE-BD45-D2016227024C} = "0"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe
2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe
2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2720	IEXPLORE.EXE
2624	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2308	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	28
PID 2208 wrote to memory of 2308	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	28
PID 2208 wrote to memory of 2308	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	28
PID 2208 wrote to memory of 2308	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	28
PID 2208 wrote to memory of 2308	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	28
PID 2208 wrote to memory of 2308	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	28
PID 2208 wrote to memory of 2308	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	28
PID 2308 wrote to memory of 2720	2308	IEXPLORE.EXE	29
PID 2308 wrote to memory of 2720	2308	IEXPLORE.EXE	29
PID 2308 wrote to memory of 2720	2308	IEXPLORE.EXE	29
PID 2308 wrote to memory of 2720	2308	IEXPLORE.EXE	29
PID 2208 wrote to memory of 2592	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	30
PID 2208 wrote to memory of 2592	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	30
PID 2208 wrote to memory of 2592	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	30
PID 2208 wrote to memory of 2592	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	30
PID 2208 wrote to memory of 2592	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	30
PID 2208 wrote to memory of 2592	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	30
PID 2208 wrote to memory of 2592	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	30
PID 2208 wrote to memory of 2736	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	31
PID 2208 wrote to memory of 2736	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	31
PID 2208 wrote to memory of 2736	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	31
PID 2208 wrote to memory of 2736	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	31
PID 2208 wrote to memory of 2736	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	31
PID 2208 wrote to memory of 2736	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	31
PID 2208 wrote to memory of 2736	2208	9b7a1a40ebf1002beb45ccc3564cafcc.exe	31
PID 2592 wrote to memory of 2624	2592	IEXPLORE.EXE	32
PID 2592 wrote to memory of 2624	2592	IEXPLORE.EXE	32
PID 2592 wrote to memory of 2624	2592	IEXPLORE.EXE	32
PID 2592 wrote to memory of 2624	2592	IEXPLORE.EXE	32
PID 2720 wrote to memory of 2572	2720	IEXPLORE.EXE	33
PID 2720 wrote to memory of 2572	2720	IEXPLORE.EXE	33
PID 2720 wrote to memory of 2572	2720	IEXPLORE.EXE	33
PID 2720 wrote to memory of 2572	2720	IEXPLORE.EXE	33
PID 2720 wrote to memory of 2572	2720	IEXPLORE.EXE	33
PID 2720 wrote to memory of 2572	2720	IEXPLORE.EXE	33
PID 2720 wrote to memory of 2572	2720	IEXPLORE.EXE	33
PID 2736 wrote to memory of 880	2736	Wscript.exe	34
PID 2736 wrote to memory of 880	2736	Wscript.exe	34
PID 2736 wrote to memory of 880	2736	Wscript.exe	34
PID 2736 wrote to memory of 880	2736	Wscript.exe	34
PID 2736 wrote to memory of 880	2736	Wscript.exe	34
PID 2736 wrote to memory of 880	2736	Wscript.exe	34
PID 2736 wrote to memory of 880	2736	Wscript.exe	34
PID 2624 wrote to memory of 2964	2624	IEXPLORE.EXE	36
PID 2624 wrote to memory of 2964	2624	IEXPLORE.EXE	36
PID 2624 wrote to memory of 2964	2624	IEXPLORE.EXE	36
PID 2624 wrote to memory of 2964	2624	IEXPLORE.EXE	36
PID 2624 wrote to memory of 2964	2624	IEXPLORE.EXE	36
PID 2624 wrote to memory of 2964	2624	IEXPLORE.EXE	36
PID 2624 wrote to memory of 2964	2624	IEXPLORE.EXE	36

C:\Users\Admin\AppData\Local\Temp\9b7a1a40ebf1002beb45ccc3564cafcc.exe
"C:\Users\Admin\AppData\Local\Temp\9b7a1a40ebf1002beb45ccc3564cafcc.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2572
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2624 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2964
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft184502\b_1802.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\soft184502\300.bat" "
    3⤵
    PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft184502\300.bat

Filesize
3KB

MD5
e7f41352589d529050d99eea4613a2ac

SHA1
36d554b352075abbde4163e8d31e06b6f3061e18

SHA256
3408a803b235c259ada802b24e1b3ed48f0f32573421e6922139d5c46667f12e

SHA512
f94a3436d925954cd2d5efef6d3031022e480615f210573823598b1fc314377bf987eb4d274ef6f6ca1a31d9b681cb1727437af10896c0ed433cea814bd05faf

Download Submit
C:\Program Files (x86)\soft184502\b_1802.vbs

Filesize
247B

MD5
e0aaf4b30f58ff3b506394a32da7970c

SHA1
ed58899af2710184d64f2f87addb8e163e814fbd

SHA256
3c3b4b4b37a6ab8896b437b9b2e208ad900bf4aa53dc6aeccaecacac44f015ca

SHA512
38cf00d70b0d9282593778be937864261c4e6e704c3817f51963c63526c3ff469fb6610638ab39a979139ad7434c739dd863646ccda597635fb1956dff4531d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
524180fa9cd43683336781c9ae8aa3ef

SHA1
81075e605333af26367ff8eeefad40b073c440bf

SHA256
e12b36c62fd17ea78afb69990f5894af0dba5de18cd05ccd93a63ec03f36411e

SHA512
494800b73ad6dbce89345e6c9fb1b1a3a80e3e625182723e63f71e15cc03b22f05040926735407794036e0da0e56568fcd95d8d9272ca085cf057ea49415477a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a48b09611481f2351aef7bb0bfd1fe5a

SHA1
3000eac1c2c55bf889ed73179c4863b1c6ccc8de

SHA256
5d19b6cc11f776e58ed0de38fcb3a8223ef46165597a82737b6f487d4c5f849e

SHA512
44f6a3db38d7e2f817f418e6ebefc58784ffb074ec8558411c59040603e548498aab857f8b6ae77032bbe1a346f63fe4b30721caf417b380c16aa68b1e0993d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2350bb609f9b9768028e675c888a0a47

SHA1
ab104a28cf62766ad71c5062d36f4c745794db83

SHA256
ccb95a1e433e0c093512988a54789f72b8686b25ee807203ca7a73f78584b53c

SHA512
cbee1da9c294b5ea46bb07305ae4043f2d45aaf3bc0db2eb9f7c4db2d2a56d759bf9a9b172a5685b12d07e905da2de9fc9271578d8acc6a0acf52a59a98dd0a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef52463130d68735e0650e496f0dfba7

SHA1
1b3c99a2390acf635ab70b5e68484f7d7df36d9a

SHA256
abc3f3d8db6e05be07bdd87ae50ab8cf9352d7ed83686d3303fa43def18af35a

SHA512
3b16af1b89de5504fd30184f11ab60415fa926a7003024dbeee0bd95b125b48c95e088b99ac57bd8a59fba5278d9a7a8f5ec3b9cd3745bc83bbc065cdf5653d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e1af9d607e51e2a2428cc8513e9d2cd

SHA1
31e50bd5a91cbeae3b90c309534369038db558ae

SHA256
5a94c65d53e4e4c5b740bdd1e955d53a2b9e8acf9da6a0fbecc7c5065e30b2d5

SHA512
f1e52b02855132e1aa34349122d860a3248a4e2d2c7ec1e3b3a27ebd5376269ba93b554215a1c5da76ac55b200030d167e073feb00714ed6b39fbe7a1f1390cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
361db88b485ae6ad36069c87ce331a3b

SHA1
671e4c88614e8fab03342fad0a0594683af8d713

SHA256
d52bdbc2aa0b3e3cf3ba81a1bbd9a7a8cd80c54e5e0c57c09c7f0481c2c273d3

SHA512
9784a26057bc6bda0f381bcd0f9f6c65f2bd57ed806a2055968082de4ea31592ded7ca2ee5f818913211b5f96119d424ea493d254e4b56b5288961bbcec73ea0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f58502511abb54909243e142aeb2edc

SHA1
4af12386fd0fcc7befba34ebdfe2ef546fccd117

SHA256
09cbe6bb50dde3063c04f9acdf151979d06d72c581702503a3388617b780232d

SHA512
dff3fee6dc3788e46c4741967e6040992cdb8d6af4d11a2e68e3248508b063cb91a4a9da6aa881b120560890a691701acdea182cfefb02897541f49ab80347b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afe9b357f83af558ee7e7872d09ea308

SHA1
22c1a0421479d6612b7ac7f331176676d6d3de5d

SHA256
3eefeaee6e14fc75230256dce5cdda66ac92291e6b937ca57f1382bd60018be2

SHA512
f14b26a1bc4535df9f149fe04b8f56cf42f793752bfe77676509c0f3545bb1482770998c614d36b321273daf8457cae5ba181257ba69da1e72e101295ead244a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7e54736642c11525355adccc95717b2

SHA1
721d34f939b0cfd49cb90f6cc90ca59b533963c2

SHA256
e64b72bb394064bfe4da1a231a3e2800a41da04a21bc41baccf8c5a1d7e1b150

SHA512
da640a19c783be21976fb38e5668482944be461e9354be0cc91d362401d4c703619a75e691f73438c276b610d3b79ee2e1c6e6dfa903a8b0eb90ac6e7a18af3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
325f6c1fc5772f9fafd78debc654b9bd

SHA1
e7ce69713ead069c943e2b684e9b5304f4b212cc

SHA256
08d7799a33339635d615d5b2816c1b3730a3420239aca1cdb14b88941824117f

SHA512
37e2a43767ce783bc289b4ad79f6487eb68dc3cf5d6b7e190609bb849f792f7beb16916d4736b4befc49253b0bffc562ef181f778fd9b321ac82ceafb3612b1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d5589206101c01d16287394d6f235d3

SHA1
0ef72177433474042364ed4c5fab861018506764

SHA256
f01a95ece39c6b6198a7d2ca422c2c857ba8674450af8c0eed44b9ad6f2d2d73

SHA512
354723814a65828bac3cfb6835d791094245bc6b93931e8275c3737fce938c00ebd0f21dd15aa202e01a2a4d182c463b78f2164b559c78211b2c32709b5f357c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b63c7a5badf6091276a12b7ae0b99731

SHA1
8ed33dfd2f43ff48c1e89cd4d9b55984d5cf7a9b

SHA256
324029900df644e98f2647c02258347fa46399abeb2d0f7ca9a7ce5faf66f12b

SHA512
0f0c3c275daab31da1d2b9a71010103b7ed59121a35457f6e52c6eb53453e3eef28fc6ac87652ca6ed20bfe1b123ee2f0d2e5fc47903f86c8d6b2cec769a5c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e180b2b2a1fa839e0bdf974dfcbdff30

SHA1
73561d2ba03d94317cda47c5f9913006a012f048

SHA256
5fb3239689f27112840037afd50bf6c17a608d5bc296ad969b6aeb626451698e

SHA512
70ec624b9526580479bbb4de51016bc883f5746b00d8a9e03cf5864a15f1f1bcade94d8e6aeb32c03c58e6ce7b306c6d2efa235ce0435a12518b1f543480e86d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0859ab61d0d6053d9dee5245ba24b99f

SHA1
e190e89fecf875c2f8ff2896ddbb0647f184a706

SHA256
b2ad2f5be48010aec3e73a1c230db110db27648a61cde6e87df37fae3623605a

SHA512
cb78cab53432e57c5d73040ea45672a9bc96a1265e0a2e7737c2d5d7758a17d10fc21ea98ed31714ed7f54e339b753f029499f89dfc48ef9c7fa4882f6ca273e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
522eb351754baa7d1e6ca64c67698435

SHA1
67b8072d89a13c417ef9393f77dcadbf91f2f9b0

SHA256
80ea80e1413b29fb5ca8cb75e1cc796a6e4f3bb344e83832c8c4f0daf271cd32

SHA512
ff9b9144c44d515632237a8a829c0d4b416ff0fda77dae94d4da5533cf12e2bc408a8f3bb26f1e05cf9d26c373df4ef446bdab536a9f99ab8a541e01d2e2d777

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54f73ec1cc69e671af0334cfc14c3ca6

SHA1
0df842f029bcc7d7d66e14f2c3f4d6fb368ad069

SHA256
f185150ca909e6a8921c2735a04a303a8580f39f4ddcf953019717b603c535ed

SHA512
40fb12fe0f62a77abf7595b5dbafe80df2c5b88c34c1ac15f61fdd424037647e36dbe9018827bdbd32a8d0e5902f91723a8206a7d45a64508d183f715223dd97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b95004277aa9ba1733025b933a9b627d

SHA1
9d39fcb45170df2cc4a74388ad3293ba9a1ed797

SHA256
62a739fa51726ae5a733f3147290cbb0633cd5dbfb33469e864d940a03e1fd73

SHA512
bb476ea4101a04f7b8eecf4bca82774ad38f04b820bdf3f47a7ca701d63965fe3da01919b1f4ffcd89a843d703b65f6117b5d599e32ccd2cd223594bf122dbc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c493cd90a4fa0c7d641a8710517f8932

SHA1
f87a754bd65fbe4bbbcfc3d2b2577b907451320d

SHA256
17a8a1471429d5367c304bbb019ff3ac82c772e505975475a0953b2d1d66eb49

SHA512
d7cdfae2ba62dce4d4f5d8cab30d3265951946df536329fc02e538dd4fb43d7f60073ce7871161310065df88b3504172e8910819073f8533508cb457db0bad58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55dcf450b020cb7f3349060ec00e6c9d

SHA1
5285ab89574222c380e5b02506a807f4693614f9

SHA256
02905d04d55a11d636f2e6b57a888fbd487031e10c326a6dd10e66b2ebb2b0bb

SHA512
967424fbc44f30428f2814bc008df88788b2404f8654163d2a285b7019cca2ad45e566b8e874ff6e83acb79876fc5c3bad6e18dcd0a407f14e3731b4d3d2684b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ba44d59674edb7e95faa10276cf9cd8

SHA1
bd14e5a61a0165b1362e29b5a86623426078045f

SHA256
9beddcc68516f9e4fb076518525e1852cc9a5fc7b6dc3632c58333a654af55e3

SHA512
94b344b09840041a281454efb13012a1df4b69bb2721bacf696a126e1ab4e8e21d08b898cf28fbd55e5add3e19408c6a1d5139a4518d1c64024f513cbffb4d0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AB36B8B1-CB26-11EE-BD45-D2016227024C}.dat

Filesize
5KB

MD5
57a59b45a84fe981502bdcfea52f4a23

SHA1
bdc5aff92afc906200b6f5b4c316befc83654873

SHA256
db80fddada9fb2870c7c223f227a70b7c3967c0999e0c7e7b76ad3ba88f94d11

SHA512
5380326d24197ad1ac2addd7b5ca20a4fbf6cfd5c7bc4ee7df7cc06e93eb9926ffa3fc1b82b8e7c743f35be17f572512546dabc2446627969bc08b5e0592fa32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab233B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar23BC.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\ Intornot Exploror .lnk

Filesize
1KB

MD5
f475143a5b5ccfdb17ec31d429ef3e45

SHA1
8c50e7086eee9fb1786dfd4e24159eda08bd7856

SHA256
a7173a4ad613c2083e6032ae8faec2649d7d179d634d460ce0cb778a39453fa7

SHA512
affd2a49bd93ecd09f0a4fa1bbc3e240abe149cccfcdcb1b6c2eeb87b23a27ad3b615d2298ae3de85fc85e846b9741533c8ed02edb5a09ac7b31f2f8765b3898

Download Submit
\Program Files (x86)\jishu_184502\jishu_184502.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
\Users\Admin\AppData\Local\Temp\nso624D.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nso624D.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit