1fd72cea01073af91e1f8677c48fa14257230cc505409e0e56f204a79f4ebae4

Analysis

max time kernel
124s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a115c40fcc89b08a1634c6f6433bd3c0.exe
Size

1.4MB
MD5

a115c40fcc89b08a1634c6f6433bd3c0
SHA1

6d4082f93198de467584cb48f6a8f708a1ff13db
SHA256

1fd72cea01073af91e1f8677c48fa14257230cc505409e0e56f204a79f4ebae4
SHA512

72c96484687eca67a5ae9bbb6db4f6e82b7a44a3a6cd240d9d9df69da81d6b0e53c158f47fd22676bd1dd40807ea08b5eeb80fd644df68bd0df791dd81bb3f40
SSDEEP

24576:Ro7r/4p6qO4pDlPJsZtZQk5p8hulbEwfXGpBzjRvdsxlTShiVCF:yf/4Qf4pxPctqG8IlNGnxvdsxZ4U2

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
2368	a115c40fcc89b08a1634c6f6433bd3c0.exe
2368	a115c40fcc89b08a1634c6f6433bd3c0.exe
2368	a115c40fcc89b08a1634c6f6433bd3c0.exe
2368	a115c40fcc89b08a1634c6f6433bd3c0.exe
2368	a115c40fcc89b08a1634c6f6433bd3c0.exe
2368	a115c40fcc89b08a1634c6f6433bd3c0.exe
2368	a115c40fcc89b08a1634c6f6433bd3c0.exe
2368	a115c40fcc89b08a1634c6f6433bd3c0.exe
2368	a115c40fcc89b08a1634c6f6433bd3c0.exe
2368	a115c40fcc89b08a1634c6f6433bd3c0.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\soft121403\a	a115c40fcc89b08a1634c6f6433bd3c0.exe
File created	C:\Program Files (x86)\soft121403\0320110305030321140312030303.txt	a115c40fcc89b08a1634c6f6433bd3c0.exe
File created	C:\Program Files (x86)\soft121403\pipi_dae_382.exe	a115c40fcc89b08a1634c6f6433bd3c0.exe
File created	C:\Program Files (x86)\jishu_121403\FlashIcon.ico	a115c40fcc89b08a1634c6f6433bd3c0.exe
File created	C:\Program Files (x86)\jishu_121403\newnew.exe	a115c40fcc89b08a1634c6f6433bd3c0.exe
File created	C:\Program Files (x86)\jishu_121403\newnew.ini	a115c40fcc89b08a1634c6f6433bd3c0.exe
File created	C:\Program Files (x86)\soft121403\d_1203.exe	a115c40fcc89b08a1634c6f6433bd3c0.exe
File opened for modification	C:\Program Files (x86)\jishu_121403\jishu_121403.ini	a115c40fcc89b08a1634c6f6433bd3c0.exe
File created	C:\Program Files (x86)\jishu_121403\dailytips.ini	a115c40fcc89b08a1634c6f6433bd3c0.exe
File created	C:\Program Files (x86)\soft121403\wl0322276.exe	a115c40fcc89b08a1634c6f6433bd3c0.exe
File created	C:\Program Files (x86)\soft121403\MiniJJ_12319.exe	a115c40fcc89b08a1634c6f6433bd3c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0875868e466da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7A967B61-D2D7-11EE-B2C4-6A55B5C6A64E} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7A6BA2A1-D2D7-11EE-B2C4-6A55B5C6A64E} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000830eacdc7884e11b4c2fba0d9ff6e1a5b5daa81c835524da71a5b27acad99a7f000000000e8000000002000020000000e171b3a0dffb5b076f1d4197d9000b065afd3b43eccf1ad8896b866e6d0a5ebf90000000a22cb6926d052259cb924bf57670da5cdace7809b71efc17e2a19c56b4e591c7ef7918dd2bdc222b629018a7af8f7d0fe67c483435f2e07019b39015e0a019252bb03b4986a965ecec4cad0cfd747730f900ceceaeb71ecede8d7e356ce785c09c2d1da328bb50d7b0519bfb8519a03aa71831b649db1f724de2785456ed9499f3984b235968d30d40cd3bcb282a07244000000085b32e290314fb0e0afa9183e7c4de8436cc2a9e145548709bae285edfe4c50bd81c9a2b530699a7df9fb23360e1844ffa617ab3ad76da61a44dd7d6c8119154	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "414915209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e0000000002000000000010660000000100002000000091a36286b997b4cd021beafacecc584d12c7defa2cbabe44a33d4521d43e3871000000000e800000000200002000000011b8c0513b83d4cb13ac9abf2a96a85f676f9a6ebb43d73e025afafbabee831720000000fc169d76d7548108ac25714d3fad0e4801f40d06829eaa73bc23c9b246f9f41f4000000059bbecdf546c188d159ac9bfa58764fbdd569ded975ca982fd08b4e26effaa887bfad9030be909949b252392b50744314f69755f816f27b0b28d4010f04ce13e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2368	a115c40fcc89b08a1634c6f6433bd3c0.exe
2368	a115c40fcc89b08a1634c6f6433bd3c0.exe
2368	a115c40fcc89b08a1634c6f6433bd3c0.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2604	IEXPLORE.EXE
2776	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2028	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	28
PID 2368 wrote to memory of 2028	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	28
PID 2368 wrote to memory of 2028	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	28
PID 2368 wrote to memory of 2028	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	28
PID 2368 wrote to memory of 2028	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	28
PID 2368 wrote to memory of 2028	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	28
PID 2368 wrote to memory of 2028	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	28
PID 2028 wrote to memory of 2604	2028	IEXPLORE.EXE	29
PID 2028 wrote to memory of 2604	2028	IEXPLORE.EXE	29
PID 2028 wrote to memory of 2604	2028	IEXPLORE.EXE	29
PID 2028 wrote to memory of 2604	2028	IEXPLORE.EXE	29
PID 2368 wrote to memory of 2652	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	30
PID 2368 wrote to memory of 2652	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	30
PID 2368 wrote to memory of 2652	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	30
PID 2368 wrote to memory of 2652	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	30
PID 2368 wrote to memory of 2652	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	30
PID 2368 wrote to memory of 2652	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	30
PID 2368 wrote to memory of 2652	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	30
PID 2368 wrote to memory of 2620	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	31
PID 2368 wrote to memory of 2620	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	31
PID 2368 wrote to memory of 2620	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	31
PID 2368 wrote to memory of 2620	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	31
PID 2368 wrote to memory of 2620	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	31
PID 2368 wrote to memory of 2620	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	31
PID 2368 wrote to memory of 2620	2368	a115c40fcc89b08a1634c6f6433bd3c0.exe	31
PID 2652 wrote to memory of 2776	2652	IEXPLORE.EXE	32
PID 2652 wrote to memory of 2776	2652	IEXPLORE.EXE	32
PID 2652 wrote to memory of 2776	2652	IEXPLORE.EXE	32
PID 2652 wrote to memory of 2776	2652	IEXPLORE.EXE	32
PID 2604 wrote to memory of 2736	2604	IEXPLORE.EXE	33
PID 2604 wrote to memory of 2736	2604	IEXPLORE.EXE	33
PID 2604 wrote to memory of 2736	2604	IEXPLORE.EXE	33
PID 2604 wrote to memory of 2736	2604	IEXPLORE.EXE	33
PID 2604 wrote to memory of 2736	2604	IEXPLORE.EXE	33
PID 2604 wrote to memory of 2736	2604	IEXPLORE.EXE	33
PID 2604 wrote to memory of 2736	2604	IEXPLORE.EXE	33
PID 2776 wrote to memory of 2924	2776	IEXPLORE.EXE	34
PID 2776 wrote to memory of 2924	2776	IEXPLORE.EXE	34
PID 2776 wrote to memory of 2924	2776	IEXPLORE.EXE	34
PID 2776 wrote to memory of 2924	2776	IEXPLORE.EXE	34
PID 2776 wrote to memory of 2924	2776	IEXPLORE.EXE	34
PID 2776 wrote to memory of 2924	2776	IEXPLORE.EXE	34
PID 2776 wrote to memory of 2924	2776	IEXPLORE.EXE	34

C:\Users\Admin\AppData\Local\Temp\a115c40fcc89b08a1634c6f6433bd3c0.exe
"C:\Users\Admin\AppData\Local\Temp\a115c40fcc89b08a1634c6f6433bd3c0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/i0dpw
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/i0dpw
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:275458 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2736
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2924
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft121403\b_1203.vbs"
  2⤵
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\jishu_121403\jishu_121403.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
C:\Program Files (x86)\soft121403\b_1203.vbs

Filesize
226B

MD5
88e390a1ae346a890b0ad5f99b680230

SHA1
a092ac6c24d3d0db4d8a573c46f20cf72c266b55

SHA256
e8e6f4b99b4d86aef27a2b6c276bb6d9a12411b278d9b80c177a1f7e19ec79dc

SHA512
8d53fb2bd82f6dbe188f6b368cb4c7b61ea5b429769fdc3075f0c7c320ae1362caab3432facfe83ad323ebebf3beab1739adfef46c01d2356eb6866f9ded88b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec520faa988747a5da0bb78401e965aa

SHA1
dc567435ca619b0dba41b998611022b2752542c9

SHA256
2513ae8ab841cce65f279da832c3f7186c5309ae37146f6646b70080fbdf3c80

SHA512
431608b91e018f5deac69a990afa5a5a7bf9c86353043edaa61c5046715829977159a141975f13e2713a1f17f3273cc44478224478034b16d97454de75c9f1e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53ede3ee4955f5aaab58fddf3a6401e9

SHA1
9cf1e034fa5d409e238b9846d15c5666ae29af38

SHA256
9f6cf8d9e459ad97e40955f767c6bc4386c85be30f713490f764cb22c07dad76

SHA512
0ed92e1fb83d10d2ae33b420ded5ae50bbf3b7a1aeffc67faf6b054418fe549c9ea5247a0f632c7a4f6bce4198e6186de583e8f83932ba9e38413d9b0036f9a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6eb208a7e2b9cb3ebc4075858812a5b7

SHA1
26adccfc47c74bb373521ba6d05d65b704e654c3

SHA256
77567140499a87468337b553412dc01df82ca0a8128c9205e1a1f1816a0e2052

SHA512
dcb9c9944974d7635e48281ccffc787144f10e711f76b80dea6f4869282562f8c7f9c30616d086145102b5454e439a6198f9d89a1168b322051a69f9956ac0e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92c560e27cc9a585239b84516c40d050

SHA1
854fc6d8f7a3481c1439787b623bbc2786fdb16d

SHA256
3fd7265e17b375d94d5c93cbb83c05c2066449ae311dbe7c6867fff15e3b9e46

SHA512
aee4e9ca5c9c5c19f2b5e9f2d05134cd72ac00480b1346b962e55bc5ac1edad868a6f981c27d1e3da22c68ff4d00bab5dd08aefbf29f135b87d466b4a7bf8ccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ade7def7da046e64da6dc3695066e4a

SHA1
e4f38fda87421e0f3829a71c018262a7947f8aea

SHA256
dfccaa6f3f13e0c97faed4500bafa4027bfde34bacf6453da09f11fb993df92d

SHA512
e1abe700fdad60a0811cf55b7387087baa64012f0bba9adb292155560152cbfa5f050502281f5397b9368269f54dc73f499c3c8228e7a395cfdf223188408d57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
850bd6cee9117f37f03090f84df9165c

SHA1
a72b71c767354fd268c4b03d55aec3d142164db2

SHA256
8053076c1aa89c3e264c6752a314e47a91cff1de6273fca174e6fa19eb8db516

SHA512
1b8cb468b3861713991764bbd24a36a01cfdd647d2ad3cd38ff85866b7b23f887012401317c499d021332e6636cb7822ee82c2d421ab1fb8027935150584ecbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed806b71d5b355dd577e093e63f3136b

SHA1
abc501a683d36ee4f2e880f00bd20741ec3050d9

SHA256
9cf9a1c2a09fe6911c528b7b9c5d4975c0959288b3fb2f6441723ef2505a0b7f

SHA512
239e089a73fd23e5ac1880a0b085f9e18801c3c6f36aa923d1fda2f88747d1eb9cad00d948c5f7acf443f393352d94d89f98fc7def86566011da7d6d3bcc39ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb28c898eb23d837482592424bc9183b

SHA1
c0b5a10767f4647124a886cd7fb2904cddba4926

SHA256
cdb290378fe1a647516618367f5f9cbba16d790ad165f3809adda3495051eeda

SHA512
735e1028f952edd73779df1f615605fa938120e25ec1d01c0987482bd9edd2c12838cb05840343ec8eee5e7a55a3350c2520ae2404972870330b74462d94f142

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ec4cddde489fad23c275f98bab2c707

SHA1
15184c86ce7d4866b54e045db4530ea8a6a386fa

SHA256
428ee591efd53332c2aab93363ca186a9f93716d1862a2c39ebef43a67c42d17

SHA512
7abeca4dda0d5aa3263a0ec9da4a00ecb77e41c0e2c9d7db771182221e9d85954db42e4074165e91c9bee5aa41dcbe2ccb55af13d6178450ec822ace3a5bb9b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e37b1f15ccb58548014aa2674fd2c34b

SHA1
2148ac8b76b606e6deaf5416442bf8e5e0d48960

SHA256
19f25626b037574261cdec8460417ca34a0d563d642818b6a4791ec68da3e162

SHA512
38d6baf16b42d952d35e182dcad539da1f8e649a2fa1801c35836d6d95ce3d32770380c0ca30cce96384d7008bd896ebf32626ba792f37b970e3bf22e7d2c125

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5beee26a33138eddc77a3d0da29c96d6

SHA1
6685ef33042c3af151fd0ab53b0b8ac0b084f51f

SHA256
0438858c012c66f5dae19b3c6aa81a3a935b6c8468fb9c642a78d51872535be9

SHA512
2472d01d895106601b88fa909f3dae70221140f2a7bbd481010fac742b7efc953dd2c9e17d3126eaa4f04b01854713b1a24c87d3ea5ddc74c4d57ba92ba77231

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
161425fad1458b786c2c2de8cae59bcb

SHA1
d9406d60294d88577eaef26873b62598c8dd52da

SHA256
45dfc6105d824940398a6b9ae18f3d03d436d4e94f2f571a8c057d96c824556f

SHA512
270c48aa85f43cf8abe3572834c54540ea8c5ea470d27a741653cd06997ef940019fa277374f8113d957666a2cba02630f287198b504bd35bf0f8f90a53d31e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e4959c5770a003f352ac8493c4f6a06

SHA1
3d2c97910f8c0683faf054ca613097c141f3a5cd

SHA256
14eff3457ce3ad6a49de5ed3c58a721cd656987a246e8078c98c19f716292b36

SHA512
59e60e997394a94ff4ce027190dd365851901d573d4f02283fc85c7e112d426ee208e21ffa2018e6d1575cb12bdc5e18c2a71427cbcb5e2087972c1d95474e57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2ecd6fb7769923a0c0c5f20120178e01

SHA1
edcbe2124e3937eed6a7ebb6c9a5f9ed1e6ed311

SHA256
6aff7f7bc6c31f7826f85c51aa4fc0e92a8f612fe81e945a82cb3097749d16a9

SHA512
dd807c591fcaecd64017621b2d90785aa91223fea565ea4b30e83210f02bdaa0326e42b3d016f14eea542dc9616bd704bfaed289cb47aa714bc1ee3ec3b95d49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb74467c7f37a790623b67cc15b41a99

SHA1
8bc582497e4a05e850c9e6a8d0712a91243cc087

SHA256
b7475433c45b272f749aad0eed2d9eaa7ec96e84632531cb551e8051f013fa92

SHA512
d1ddb6157a7f735d131507471783f90591daba62a9eaae12a735c16895f5011179cc64f40d9ccb13e3ef16bd849a468a5fbbbcc8758f61974993d41c8dbe59f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c14bacb2c1c8cdd6ecfadaea59d7c96

SHA1
77f8b5ecc8e263bdd51cabc31e5c5040d88f66f8

SHA256
b44529b51432f3fe07288ad16348b739a45aa0bfd8ebdbf85e1dda06bdc506b5

SHA512
1a41bb3e19cb02c69665834786524b14af752d926d0b7364907a23149daec990e4b1bdc92b09dfce313245fa30e2ce56ceee41962e4ec71d28c41d2ef95578ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3334f9000d702ab35992d9fe730f1c28

SHA1
99cd89d4c28e5e170eeea8744f1c7ae6f5f203c0

SHA256
5b4896f29b7f570152f379025df1f1db6938bf522670068979c545d8f6689511

SHA512
1c1a5aeaba3e61b4e10b1e95b17796cf3f4fdcdc21a539bedfa3a49c36ab955e0a5450c8be3c4364562f9c051ca181cc28a469b82ac9832e1f2aeaaa004c04c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a1a8c79dd355bcf5222d7acf799ab0c8

SHA1
6fa99555d75025bc4d7b754210b2a54509092060

SHA256
08b723a66824f24cdd9f545def69ace5ba0704d7dfaa14cf8a593dd13cca654a

SHA512
26c25cba2ad38eedde29bb5bd076943cd53ae2c6dd5dd99859dd9a2e07b8d65256e027d7cb8c9c3338d51580d0748a10780cf938a67ab4be5ef11e3db61b69be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7A6BA2A1-D2D7-11EE-B2C4-6A55B5C6A64E}.dat

Filesize
5KB

MD5
e335feca41d7d6bb29aa2d36a28475a6

SHA1
06368c5f71aed24367f8c351f29a1102f69e1b1b

SHA256
46d2091451e92024142cfc2372709e74b728e4a7134155f4d425b9ab94126840

SHA512
e10bd8f3733de0d6ff22e54414350fc6eaee41fc812a5eba503e8cbaf363d1eeaeb2477fa0460b7814d4799df4375dcf61e7f007478cfccbdd190c147fce0db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEA22.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEAB3.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2BD2.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2BD2.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit