Analysis Overview
SHA256
80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a
Threat Level: Likely malicious
The file 80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Executes dropped EXE
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Modifies file permissions
UPX packed file
Enumerates connected drives
AutoIT Executable
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Kills process with taskkill
Modifies File Icons
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Runs ping.exe
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 15:36
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 15:36
Reported
2024-03-02 15:39
Platform
win7-20240221-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\web\sms.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Web\sms.exe | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| File opened for modification | C:\Windows\Web\sms.exe | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
Enumerates physical storage devices
Modifies File Icons
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "2" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\Codepage = "65001" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\URL = "http://www.456020.com/s.htm?wd={searchTerms}&ie=utf-8" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{A481937F-4D99-4B11-86E6-5B0F1007C557}" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Windows\SysWOW64\regini.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{A481937F-4D99-4B11-86E6-5B0F1007C557}" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\ | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\URL = "http://www.456020.com/s.htm?wd={searchTerms}&ie=utf-8" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SortIndex = "1" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\Codepage = "65001" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadUpdates = "1" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ShowSearchSuggestions = "1" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie=utf-8&from=ie8" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://bj1.api.bing.com/qsml.aspx?query={searchTerms}&src={referrer:source}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | C:\Windows\SysWOW64\regini.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} | C:\Windows\SysWOW64\regini.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "@ieframe.dll,-12512" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ShowSearchSuggestions = "1" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = da4b9550aecdcb01 | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Program Files\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ = "Bing" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie=utf-8&from=ie8" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SortIndex = "1" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "0" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconPath = "C:\\Program Files\\Internet Explorer\\Services\\search_{A481937F-4D99-4B11-86E6-5B0F1007C557}.ico" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "1" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe
"C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @echo off
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} [2 8 19] >regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c regini regset.ini
C:\Windows\SysWOW64\regini.exe
regini regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @echo off
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} [2 8 19] >regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c regini regset.ini
C:\Windows\SysWOW64\regini.exe
regini regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @echo off
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes [2 8 19] >regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c regini regset.ini
C:\Windows\SysWOW64\regini.exe
regini regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
C:\Windows\web\sms.exe
C:\Windows\web\sms.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping 127.0.0.1 -n 2&del /q "C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
Network
Files
memory/1284-0-0x0000000000E00000-0x0000000000F59000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\regset.ini
| MD5 | 06697bf2f4f5395a9af659f50df00e3b |
| SHA1 | 01925ffbeed3e54e134e1fafaef8ff640dda9107 |
| SHA256 | 8868e97e8dfbc08e681ab68b6b5b1a756cd352354d8ed6c5ce1cb6dee07e55f1 |
| SHA512 | 9c32faff9e7d4b0c82b92ea87c03cff3bd1548ea07728bb7c1fda828db6be857f4101c94e6cffd70f16e2d4fef93c641f4a7edb8cc62c1edda23b54218affd73 |
C:\Users\Admin\AppData\Local\Temp\regset.ini
| MD5 | b141c6974c48fadca812a060e03f8200 |
| SHA1 | bfc010eeda61bd2bd6d3b7963570cbc7d7539037 |
| SHA256 | 68a17dd52a94c7807e46ec191f4481f330eba25303daba341316ac389c17282e |
| SHA512 | 353288737aca756f1e78b7143711a87917509a3290bf62c789e4de03275b4684eff9027d5d668996b7bc47e3ae7d4f2fc85c523a16795b90a94a9f5d6ed8f138 |
C:\Users\Admin\AppData\Local\Temp\regset.ini
| MD5 | 2c545704057f619fa7fb3f994862f181 |
| SHA1 | b820cf6d3e8cbc30ef87632370ed60ef4a5f0bbd |
| SHA256 | 0a31ed19b74d461d0819477eb328af5f8ef3508974df347cf4304fa62977d1a0 |
| SHA512 | 5875c2626b6172d6059faa391efb4bfcd9c6c35ec15aa002becff0cef7f05b928f9690ed8edd19f790e056d8d19a3f5c7a5402213ae649577202a7f025388a84 |
\Windows\Web\sms.exe
| MD5 | 628ca25523c98eb00cee7503787f78ee |
| SHA1 | 7b1c2393002e35ea36f4e20c5d6dd87d14542408 |
| SHA256 | 6f01b51d56b152362ad864e5c4e3f8979aa60c565021e0eff2b34fba422d4870 |
| SHA512 | 07eca622f5d10b2d5892417dc872ecce2d1b0b8e6a1c6916186770c685038e8cdf4ebc01c50fd6ad47e981f8b7a7c9bdc05e1e71fbba54cab1d5b34cb8edc639 |
memory/1284-18-0x0000000000E00000-0x0000000000F59000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 15:36
Reported
2024-03-02 15:39
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\web\sms.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Web\sms.exe | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| File opened for modification | C:\Windows\Web\sms.exe | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies File Icons
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "1" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Windows\SysWOW64\regini.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\URL = "http://www.456020.com/s.htm?wd={searchTerms}&ie=utf-8" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ShowSearchSuggestions = "1" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SortIndex = "1" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\URL = "http://www.456020.com/s.htm?wd={searchTerms}&ie=utf-8" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadUpdates = "1" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://bj1.api.bing.com/qsml.aspx?query={searchTerms}&src={referrer:source}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IE8SSC&market={Language}" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{A481937F-4D99-4B11-86E6-5B0F1007C557}" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = da4b9550aecdcb01 | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconPath = "C:\\Program Files\\Internet Explorer\\Services\\search_{A481937F-4D99-4B11-86E6-5B0F1007C557}.ico" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{A481937F-4D99-4B11-86E6-5B0F1007C557}" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ = "Bing" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "0" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} | C:\Windows\SysWOW64\regini.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\DisplayName = "百度搜索" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\Codepage = "65001" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\FaviconURL = "http://www.baidu.com/favicon.ico" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "@ieframe.dll,-12512" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\Codepage = "65001" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} | C:\Windows\SysWOW64\regini.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "2" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie=utf-8&from=ie8" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ShowSearchSuggestions = "1" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SortIndex = "1" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Program Files\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\ | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie=utf-8&from=ie8" | C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe
"C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @echo off
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} [2 8 19] >regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c regini regset.ini
C:\Windows\SysWOW64\regini.exe
regini regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @echo off
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} [2 8 19] >regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c regini regset.ini
C:\Windows\SysWOW64\regini.exe
regini regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @echo off
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes [2 8 19] >regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c regini regset.ini
C:\Windows\SysWOW64\regini.exe
regini regset.ini
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
C:\Windows\web\sms.exe
C:\Windows\web\sms.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping 127.0.0.1 -n 2&del /q "C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C taskkill /f /im msedge.exe
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im msedge.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| GB | 172.217.169.74:443 | tcp | |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
memory/2568-0-0x0000000000B40000-0x0000000000C99000-memory.dmp
memory/2568-1-0x0000000000B40000-0x0000000000C99000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\regset.ini
| MD5 | 06697bf2f4f5395a9af659f50df00e3b |
| SHA1 | 01925ffbeed3e54e134e1fafaef8ff640dda9107 |
| SHA256 | 8868e97e8dfbc08e681ab68b6b5b1a756cd352354d8ed6c5ce1cb6dee07e55f1 |
| SHA512 | 9c32faff9e7d4b0c82b92ea87c03cff3bd1548ea07728bb7c1fda828db6be857f4101c94e6cffd70f16e2d4fef93c641f4a7edb8cc62c1edda23b54218affd73 |
C:\Users\Admin\AppData\Local\Temp\regset.ini
| MD5 | b141c6974c48fadca812a060e03f8200 |
| SHA1 | bfc010eeda61bd2bd6d3b7963570cbc7d7539037 |
| SHA256 | 68a17dd52a94c7807e46ec191f4481f330eba25303daba341316ac389c17282e |
| SHA512 | 353288737aca756f1e78b7143711a87917509a3290bf62c789e4de03275b4684eff9027d5d668996b7bc47e3ae7d4f2fc85c523a16795b90a94a9f5d6ed8f138 |
C:\Users\Admin\AppData\Local\Temp\regset.ini
| MD5 | 2c545704057f619fa7fb3f994862f181 |
| SHA1 | b820cf6d3e8cbc30ef87632370ed60ef4a5f0bbd |
| SHA256 | 0a31ed19b74d461d0819477eb328af5f8ef3508974df347cf4304fa62977d1a0 |
| SHA512 | 5875c2626b6172d6059faa391efb4bfcd9c6c35ec15aa002becff0cef7f05b928f9690ed8edd19f790e056d8d19a3f5c7a5402213ae649577202a7f025388a84 |
C:\Windows\web\sms.exe
| MD5 | 628ca25523c98eb00cee7503787f78ee |
| SHA1 | 7b1c2393002e35ea36f4e20c5d6dd87d14542408 |
| SHA256 | 6f01b51d56b152362ad864e5c4e3f8979aa60c565021e0eff2b34fba422d4870 |
| SHA512 | 07eca622f5d10b2d5892417dc872ecce2d1b0b8e6a1c6916186770c685038e8cdf4ebc01c50fd6ad47e981f8b7a7c9bdc05e1e71fbba54cab1d5b34cb8edc639 |
memory/2568-31-0x0000000000B40000-0x0000000000C99000-memory.dmp