7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2

Analysis

max time kernel
146s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 23:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe
Size

137KB
MD5

65d64ee3cf2ade19767c7b4a43002b28
SHA1

788a134efcef34397677caee41d5980733699195
SHA256

7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2
SHA512

0aac95a3b29771b721f173e4009d03eb4fec20946f2ad80ea7a9b5dd7bfe3874545ee5b82d1bd4ea1371978a74e1da797e60d18c388dd9b0620890f4040cc9d9
SSDEEP

3072:b1i/NU8bOMYcYYcmy5d048g3nan3vx9kGSYng7+s5YmMOMYcYY51i/NU81:5i/NjO5x0Xg+UGSYnuy3Oai/Nd

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	sys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "file:\\\\C:\\sys.exe"	sys.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	sys.exe

Executes dropped EXE 1 IoCs

pid	Process
4456	sys.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ie.bat	sys.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	sys.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\WINDOWS\sys.exe	sys.exe
File opened for modification	C:\WINDOWS\sys.exe	sys.exe
File opened for modification	C:\WINDOWS\sys.exe	attrib.exe
File created	C:\WINDOWS\sys.exe	7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe
File opened for modification	C:\WINDOWS\sys.exe	7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2844	taskkill.exe
3900	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00177df30974da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	sys.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3944442191"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3944442191"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d09a92f30974da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31093769"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416963849"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{15F58498-DFFD-11EE-B9F7-628714877227} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e15d6e14f38454ea63b5f1bfd95170200000000020000000000106600000001000020000000b87b4b489c2e575c7bc99f7a06b83bdfd79afef8351db3d7fd29cd5dea5808bd000000000e80000000020000200000001579cb6ab93fc69d95248e50b19d8bcff8d4965fc108989c15d73f1843b9b3902000000026ab7217c6f1649be59302888328aa4b55648b0000dbbd09ff546be6f87aab6e40000000a4343d73e340a84cc286e26fdb0b6ede2f3b909b75ae5ddb929de4cdc2d9bbfbbe65cc8ab1d6c99576497e82608ec29b730c01fae45fe202f20d48877f038ffe	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31093769"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4007410807"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31093769"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e15d6e14f38454ea63b5f1bfd95170200000000020000000000106600000001000020000000f5483a6cf5c13e87ea2742d30474e052ebcb85a6aaf4a3ae7e27d3e22e916f8f000000000e8000000002000020000000e708d3d5b687e3c1823c1ee2d044db798845191b3c6d52714a21abbc28dd39652000000006440c2134554ed14b56466930e82af1c5276b1e24d680ad83b7451aa10bdc8340000000c8bcc14250b4280c0f11d266fe8003f52d283940c7353153cf0c14c15986add2618385b7c90630f496c22bffb5116e980732ba3a6e3d1e6197edbf6396e04071	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	sys.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4456	sys.exe
4456	sys.exe
4456	sys.exe
4456	sys.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4484	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3228	7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe
4456	sys.exe
4484	iexplore.exe
4484	iexplore.exe
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 3900	3228	7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe	95
PID 3228 wrote to memory of 3900	3228	7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe	95
PID 3228 wrote to memory of 3900	3228	7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe	95
PID 3228 wrote to memory of 4456	3228	7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe	99
PID 3228 wrote to memory of 4456	3228	7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe	99
PID 3228 wrote to memory of 4456	3228	7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe	99
PID 3228 wrote to memory of 2512	3228	7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe	100
PID 3228 wrote to memory of 2512	3228	7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe	100
PID 3228 wrote to memory of 2512	3228	7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe	100
PID 4456 wrote to memory of 2844	4456	sys.exe	102
PID 4456 wrote to memory of 2844	4456	sys.exe	102
PID 4456 wrote to memory of 2844	4456	sys.exe	102
PID 4456 wrote to memory of 4484	4456	sys.exe	104
PID 4456 wrote to memory of 4484	4456	sys.exe	104
PID 4484 wrote to memory of 1956	4484	iexplore.exe	105
PID 4484 wrote to memory of 1956	4484	iexplore.exe	105
PID 4484 wrote to memory of 1956	4484	iexplore.exe	105
PID 4456 wrote to memory of 540	4456	sys.exe	106
PID 4456 wrote to memory of 540	4456	sys.exe	106
PID 4456 wrote to memory of 540	4456	sys.exe	106
PID 540 wrote to memory of 3724	540	cmd.exe	108
PID 540 wrote to memory of 3724	540	cmd.exe	108
PID 540 wrote to memory of 3724	540	cmd.exe	108
PID 4456 wrote to memory of 4860	4456	sys.exe	109
PID 4456 wrote to memory of 4860	4456	sys.exe	109
PID 4456 wrote to memory of 4860	4456	sys.exe	109
PID 4860 wrote to memory of 664	4860	cmd.exe	111
PID 4860 wrote to memory of 664	4860	cmd.exe	111
PID 4860 wrote to memory of 664	4860	cmd.exe	111
PID 4456 wrote to memory of 1324	4456	sys.exe	112
PID 4456 wrote to memory of 1324	4456	sys.exe	112
PID 4456 wrote to memory of 1324	4456	sys.exe	112
PID 1324 wrote to memory of 4008	1324	cmd.exe	114
PID 1324 wrote to memory of 4008	1324	cmd.exe	114
PID 1324 wrote to memory of 4008	1324	cmd.exe	114
PID 4456 wrote to memory of 4336	4456	sys.exe	115
PID 4456 wrote to memory of 4336	4456	sys.exe	115
PID 4456 wrote to memory of 4336	4456	sys.exe	115
PID 4336 wrote to memory of 3300	4336	cmd.exe	117
PID 4336 wrote to memory of 3300	4336	cmd.exe	117
PID 4336 wrote to memory of 3300	4336	cmd.exe	117
PID 4456 wrote to memory of 2204	4456	sys.exe	118
PID 4456 wrote to memory of 2204	4456	sys.exe	118
PID 4456 wrote to memory of 2204	4456	sys.exe	118
PID 2204 wrote to memory of 1368	2204	cmd.exe	120
PID 2204 wrote to memory of 1368	2204	cmd.exe	120
PID 2204 wrote to memory of 1368	2204	cmd.exe	120
PID 4456 wrote to memory of 4332	4456	sys.exe	121
PID 4456 wrote to memory of 4332	4456	sys.exe	121
PID 4456 wrote to memory of 4332	4456	sys.exe	121
PID 4332 wrote to memory of 3440	4332	cmd.exe	123
PID 4332 wrote to memory of 3440	4332	cmd.exe	123
PID 4332 wrote to memory of 3440	4332	cmd.exe	123
PID 4456 wrote to memory of 4024	4456	sys.exe	124
PID 4456 wrote to memory of 4024	4456	sys.exe	124
PID 4456 wrote to memory of 4024	4456	sys.exe	124
PID 4024 wrote to memory of 2984	4024	cmd.exe	126
PID 4024 wrote to memory of 2984	4024	cmd.exe	126
PID 4024 wrote to memory of 2984	4024	cmd.exe	126

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3724	attrib.exe
664	attrib.exe
4008	attrib.exe
3300	attrib.exe
1368	attrib.exe
3440	attrib.exe
2984	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe
"C:\Users\Admin\AppData\Local\Temp\7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /im KSafeTray.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3900
- C:\WINDOWS\sys.exe
  "C:\WINDOWS\sys.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /im KSafeTray.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4484 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      4⤵
      Views/modifies file attributes
      PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      4⤵
      Views/modifies file attributes
      PID:664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      4⤵
      Views/modifies file attributes
      PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      4⤵
      Views/modifies file attributes
      PID:3300
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      4⤵
      Views/modifies file attributes
      PID:1368
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\sys.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\WINDOWS\sys.exe"
      4⤵
      Drops file in Windows directory
      Views/modifies file attributes
      PID:3440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +h "c:\sys.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "c:\sys.exe"
      4⤵
      Views/modifies file attributes
      PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del 7bd5aa00c27eba37e63df475c367e5c066f81cbdaf77b78e8925d848471d17b2.exe
  2⤵
  PID:2512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\sys.exe

Filesize
137KB

MD5
168a2d595201fc53fbfc882fe4beb624

SHA1
8c4e82ca3cced6d8d04f06ba305dbefa603c0a1a

SHA256
220f6e98c219f4d24b0e628e147a3d90563e7ec7344395d5e464d6f65d5e326c

SHA512
9ac98ffa45129d062aefddb5229b2492316ced9199c23f05d891e2ce88261f5f430a3ee835b78c78df46821268c418391253e008432c804988bd6e9dc7606ba0

Download Submit
\??\c:\sys.exe

Filesize
137KB

MD5
b01347f66ab9b41bf16518226a12e903

SHA1
b0e5627163cd04fbb20f4f641521aec4785ff12e

SHA256
30c65b0b946e9aac50ac78ffb1faa46ccd5212b7337e5602363e5a1ae3fdf5f9

SHA512
d888b2a6df76dc86430acb6c8ad519bf325fb4354d9a4a92ba0da4fcb4baf78ec2e637c97f69feb70029a6742aa966afd9a80fbfc47fc9dae583314f1ddaf2ad

Download Submit