045d20186d88cde21b54821d0aa3d9a6bef7ed633cdb946150dc2007ec562839

Analysis

max time kernel
137s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c279f06866979cd85e07c7edf5bb29d2.exe
Size

1.4MB
MD5

c279f06866979cd85e07c7edf5bb29d2
SHA1

6b8dee6d18fa9ad980dc5d7f07f2e3a6648479f9
SHA256

045d20186d88cde21b54821d0aa3d9a6bef7ed633cdb946150dc2007ec562839
SHA512

095577233e0d90bacdb0421085ab2b791c00f529633380885f0331698ab501c38674669bf6c9f51d0060d540f48589b4a6a04555ec66e9a594c265076e568299
SSDEEP

24576:nd2r/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVNa:A/4Qf4pxPctqG8IllnxvdsxZ4UU

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
1152	c279f06866979cd85e07c7edf5bb29d2.exe
1152	c279f06866979cd85e07c7edf5bb29d2.exe
1152	c279f06866979cd85e07c7edf5bb29d2.exe
1152	c279f06866979cd85e07c7edf5bb29d2.exe
1152	c279f06866979cd85e07c7edf5bb29d2.exe
1152	c279f06866979cd85e07c7edf5bb29d2.exe
1152	c279f06866979cd85e07c7edf5bb29d2.exe
1152	c279f06866979cd85e07c7edf5bb29d2.exe
1152	c279f06866979cd85e07c7edf5bb29d2.exe
1152	c279f06866979cd85e07c7edf5bb29d2.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\jishu_162309\sc\»Æ¹ÏµçÓ°Íø-ÔÚÏßµçÓ°.url	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\jishu_162309\sc\ÍøÉÏ¹ºÎïÍøÖ·´óÈ«-Íø¹ºµÚÒ»Õ¾.url	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\soft162309\pipi_dae_381.exe	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\jishu_162309\newnew.exe	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\jishu_162309\newnew.ini	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\jishu_162309\sc\126ÍøÖ·´óÈ«ÉÏÍø×î·½±ã.url	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\jishu_162309\sc\2144Ð¡ÓÎÏ·--³¬¼¶ºÃÍæ£¬ÀÖºÇºÇ.url	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\jishu_162309\sc\²ÊÆ±¿ª½±²éÑ¯-ÔÚÏßÂò²ÊÆ±.url	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\soft162309\a	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\soft162309\d_1609.exe	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\jishu_162309\dailytips.ini	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\jishu_162309\sc\Ã¿ÌìÍÅ¹ºÒ»ÏÂ-¾Û±ãÒË.url	c279f06866979cd85e07c7edf5bb29d2.exe
File opened for modification	C:\Program Files (x86)\jishu_162309\jishu_162309.ini	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\soft162309\B_0920110905090909230916090909.txt	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\soft162309\0920110905090909230916090909.txt	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\soft162309\MiniJJ_12318.exe	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\jishu_162309\FlashIcon.ico	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\jishu_162309\sc\GoogleËÑË÷.url	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\soft162309\wl06079.exe	c279f06866979cd85e07c7edf5bb29d2.exe
File created	C:\Program Files (x86)\jishu_162309\ImgCache\www.2144.net_favicon.ico	c279f06866979cd85e07c7edf5bb29d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{24C15691-E02B-11EE-9511-66DD11CD6629} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{24EE90B1-E02B-11EE-9511-66DD11CD6629} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b03596143874da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000ee5290cbc82922883eeb32b357b49a0f061462a17fb9d7a25915268943c2331e000000000e800000000200002000000021c66fc6d3d3e38340d394a59f608e95c99ee8b2dd46a2530c92462a70fab690200000003cc023b2ce15c7a700eaea9698bc6ca8129778e644f9d078db68e275b656945b40000000bcfcdd9730585ef57acb72fd674348be8fc5814a623938125f3b0c85cc4faf448ba35ad75ec63305c5b49568dea58fcceed608bc9c90c395225946a861e601b4	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000ba0e618ec0241a1fd18fd65ad1a432af6a41e139b2eb78d8539c976f3a9488a5000000000e800000000200002000000066fbef1c952b519f9eeab4642ffc7d71eb39a998906346dc969730aa2cdd912a900000000abc335b7fe2794f215762e1e12b052ed0b14fa0eb2d5c689b03b21e5f285e892e8f840a8a3fd498b6113f13e385c8a00f2b57d22bbc280f223098e928b00bc60fd3dad779f10dacbec23a685534ba2e6ccc855264750892621f758f704dcc2f233342f1a1b134e2bf5fe5291b0a8517633370d55ccc3ac8beacb94aa1e5ac8e48e266dd91550f788c55e3d163ee36b540000000075605a570676920cbbb58674ee1286dba98f473da080862f5641d006e82fd4ab6a4cc9f86d8e52c625667a35d39c01c1b934cd5aa2ff8879d06eccbdfae828f	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416380509"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1152	c279f06866979cd85e07c7edf5bb29d2.exe
1152	c279f06866979cd85e07c7edf5bb29d2.exe
1152	c279f06866979cd85e07c7edf5bb29d2.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1988	IEXPLORE.EXE
2908	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
2444	IEXPLORE.EXE
2444	IEXPLORE.EXE
2444	IEXPLORE.EXE
2444	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2232	1152	c279f06866979cd85e07c7edf5bb29d2.exe	28
PID 1152 wrote to memory of 2232	1152	c279f06866979cd85e07c7edf5bb29d2.exe	28
PID 1152 wrote to memory of 2232	1152	c279f06866979cd85e07c7edf5bb29d2.exe	28
PID 1152 wrote to memory of 2232	1152	c279f06866979cd85e07c7edf5bb29d2.exe	28
PID 1152 wrote to memory of 2232	1152	c279f06866979cd85e07c7edf5bb29d2.exe	28
PID 1152 wrote to memory of 2232	1152	c279f06866979cd85e07c7edf5bb29d2.exe	28
PID 1152 wrote to memory of 2232	1152	c279f06866979cd85e07c7edf5bb29d2.exe	28
PID 2232 wrote to memory of 1988	2232	IEXPLORE.EXE	29
PID 2232 wrote to memory of 1988	2232	IEXPLORE.EXE	29
PID 2232 wrote to memory of 1988	2232	IEXPLORE.EXE	29
PID 2232 wrote to memory of 1988	2232	IEXPLORE.EXE	29
PID 1152 wrote to memory of 3040	1152	c279f06866979cd85e07c7edf5bb29d2.exe	30
PID 1152 wrote to memory of 3040	1152	c279f06866979cd85e07c7edf5bb29d2.exe	30
PID 1152 wrote to memory of 3040	1152	c279f06866979cd85e07c7edf5bb29d2.exe	30
PID 1152 wrote to memory of 3040	1152	c279f06866979cd85e07c7edf5bb29d2.exe	30
PID 1152 wrote to memory of 3040	1152	c279f06866979cd85e07c7edf5bb29d2.exe	30
PID 1152 wrote to memory of 3040	1152	c279f06866979cd85e07c7edf5bb29d2.exe	30
PID 1152 wrote to memory of 3040	1152	c279f06866979cd85e07c7edf5bb29d2.exe	30
PID 3040 wrote to memory of 2908	3040	IEXPLORE.EXE	31
PID 3040 wrote to memory of 2908	3040	IEXPLORE.EXE	31
PID 3040 wrote to memory of 2908	3040	IEXPLORE.EXE	31
PID 3040 wrote to memory of 2908	3040	IEXPLORE.EXE	31
PID 1152 wrote to memory of 2488	1152	c279f06866979cd85e07c7edf5bb29d2.exe	32
PID 1152 wrote to memory of 2488	1152	c279f06866979cd85e07c7edf5bb29d2.exe	32
PID 1152 wrote to memory of 2488	1152	c279f06866979cd85e07c7edf5bb29d2.exe	32
PID 1152 wrote to memory of 2488	1152	c279f06866979cd85e07c7edf5bb29d2.exe	32
PID 1152 wrote to memory of 2488	1152	c279f06866979cd85e07c7edf5bb29d2.exe	32
PID 1152 wrote to memory of 2488	1152	c279f06866979cd85e07c7edf5bb29d2.exe	32
PID 1152 wrote to memory of 2488	1152	c279f06866979cd85e07c7edf5bb29d2.exe	32
PID 1988 wrote to memory of 2508	1988	IEXPLORE.EXE	33
PID 1988 wrote to memory of 2508	1988	IEXPLORE.EXE	33
PID 1988 wrote to memory of 2508	1988	IEXPLORE.EXE	33
PID 1988 wrote to memory of 2508	1988	IEXPLORE.EXE	33
PID 1988 wrote to memory of 2508	1988	IEXPLORE.EXE	33
PID 1988 wrote to memory of 2508	1988	IEXPLORE.EXE	33
PID 1988 wrote to memory of 2508	1988	IEXPLORE.EXE	33
PID 2488 wrote to memory of 2496	2488	Wscript.exe	34
PID 2488 wrote to memory of 2496	2488	Wscript.exe	34
PID 2488 wrote to memory of 2496	2488	Wscript.exe	34
PID 2488 wrote to memory of 2496	2488	Wscript.exe	34
PID 2488 wrote to memory of 2496	2488	Wscript.exe	34
PID 2488 wrote to memory of 2496	2488	Wscript.exe	34
PID 2488 wrote to memory of 2496	2488	Wscript.exe	34
PID 2908 wrote to memory of 2444	2908	IEXPLORE.EXE	36
PID 2908 wrote to memory of 2444	2908	IEXPLORE.EXE	36
PID 2908 wrote to memory of 2444	2908	IEXPLORE.EXE	36
PID 2908 wrote to memory of 2444	2908	IEXPLORE.EXE	36
PID 2908 wrote to memory of 2444	2908	IEXPLORE.EXE	36
PID 2908 wrote to memory of 2444	2908	IEXPLORE.EXE	36
PID 2908 wrote to memory of 2444	2908	IEXPLORE.EXE	36

C:\Users\Admin\AppData\Local\Temp\c279f06866979cd85e07c7edf5bb29d2.exe
"C:\Users\Admin\AppData\Local\Temp\c279f06866979cd85e07c7edf5bb29d2.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:340993 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2508
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2444
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft162309\b_1609.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\soft162309\300.bat" "
    3⤵
    PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft162309\300.bat

Filesize
3KB

MD5
800fdd954e9194ac252f5b8bafcebd37

SHA1
93599e031a30cec4c6a8052ff6595a2db45e4cd1

SHA256
554902376610895ec100b9eed251f9c114ca93e03a7a300f2926ec473b46f3a9

SHA512
23fa22ac22f2ac9fa6a21cc0419c3a17a47918ec9456173240b5292070db695525f5af18484c353d8e63215ea2b04ea20f4f7f26a80c1a3c471a3126af8041cc

Download Submit
C:\Program Files (x86)\soft162309\b_1609.vbs

Filesize
247B

MD5
412d1ae5d11ce9d78e87ca64e9852c15

SHA1
88d21752191ff06db90a3b0df5a23618fd4e04cc

SHA256
4191ac3694d2ed52b7f245858a2529f2dbc6db223049499705c50204ca859641

SHA512
c1cf0eb397f577ac2e845d0a6618d3a198e7443492a3348dfd3cafe7c1df01364afc43e101483977209bd1748c894d1593179de3cab8b4d85144ca8fb9e83ce2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d2508721528b6ab7e08076acb9c1c9e

SHA1
a3e8db684a105dbc7d62637abd98d4d3d25a9b69

SHA256
70370fb6a0c118fdae3cfbc74e5d20b8d823b947b215839839d6a8accf561fb7

SHA512
ad3121ca1e6e9e58466f897dd4a45d13ae84fe282fe8d6e496bb413eeccffcd05d1afcac128dedea586c44985ccab1d6f09894c91d6e5624548811e0d714ab80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad8201ed083ee9ee5ea4a8e912fcd132

SHA1
15cf1e225d422bbddcd561a97ce72535264fd769

SHA256
ec1e96a5a88385eee2382fd7fdb3265e7425b704498863af36e0431d1fd38045

SHA512
a79642cc3642f5a4b2b1a48f984a18efd56ab09313235a9c4866a790ddfb63c6bf51c724dccf3e9b5cb3c4c1b8dce448c07a77e77b67b48a414780e9075ec682

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f0b4c22ee77e6853c3558e32955aa71

SHA1
844e13b16ff5d4d352a562acc34a3ca4fede766d

SHA256
497012b72ca6747c8404909c690d74fcef778c188d96cb9c88b508f2dae51a12

SHA512
a0f65af47f815957a0f9a85591f01eaa47143e805b62bbb4519657b0e06306a0dd261dfa7769a126991e0ea0b09b28aa2cd2382d09877da770d5add1a3c182fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff200e0892efe8c242574d702419ec23

SHA1
1677f29ebf4082c03a1f6db7de97898b12a4a93c

SHA256
9c1e2242608fff029bde066d88049459733838fcb7f23b6373075436a8d39162

SHA512
0b6bd5a5f642c6e1ed3a9f543592e64fa3a9e9044c22f285839763db0750ec3116fc57ce9b007b7d784da4456fdadcf7201a121d88a3f6770ae0aa44719dd7f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
130e4c71f19c8dc66d0322e6b459a1e2

SHA1
6e2609ca5748f02dd42d21b09045f360a6fcf4a0

SHA256
b07a166b468d8cf1726ccd58b8e244b2655a8f6fe2e9c97a9647090f9003c9a8

SHA512
270d06a7bb4e3664c2a84f57c90f8d06107a01f039ccffece3b8421cac38d40faa7c3582c8dbe7fb4862264d6798025a19c23c83e4c38abe03a602e9f4e5c5b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21079232867a5e6e2db32563dd3c24c4

SHA1
e73280eebe879ba8f3b3bf932f2a39655d188ce4

SHA256
a846d662e6a1ae3f193ab85873369517307f6d6445a82105be1388f1f6ca5835

SHA512
5d768f56e870363ba0d36aa8ada86b5ad87314747e81344b8ec8f9d1483091fc5b24e263fa49c0232ff32ddc0fff71baa9fa7695bc7cf805b4505f13d0b841b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b2adaec88861d5cb22702e56bc60e98

SHA1
149680af988997d7df0b184f87308268122ce332

SHA256
3d7e3490deddc157e5d053013fc60ecbe3b1288055863f6b452e7589dc0b0f46

SHA512
1c5081d13dda4a78e07fae108bcb82354f60b993fef0f4777186812a29f7e9fcaadbc39e547a2e8cf39aa8308a9721cfabb367532cd2db34f1d76806c0788c38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49fe5f8614a805da2de1bdcb4ed0cb32

SHA1
4a78e32f9c7c9da34f76457a34c0de7f948ff060

SHA256
8009dfa19cdf6a00d3fcc01b2de978b879c1772fe3ca5e36bf4ed835887a00a3

SHA512
004d2581e9b60ed7a7b2b630d18aaf38e608183d3c76b416753b8cb47225868ce944a27d3d2ed343b03f54419233c1be61883c9acd880770f14cd9590dd86304

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4ce3232565ddc80aa87cb53c995e7c4

SHA1
503d320c8a9c5fb4d801dd113e4a34f3861e54fd

SHA256
ec86dba60efa50e49424c596b65cfaaf58b787d8f30c0ed41ac377a06ce8940b

SHA512
65db9a8373bcac2b18c55d4dd2f31141859adae92599a7b57994c320958900ef0d68aaf01354343c9dc15ee1ffe6457c378fc0b1422ac60ef59364df5157f779

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
479bcd4d9bb75e85f39706b673d1aae0

SHA1
12da2e19c4f72ad8fedaa59c69ca19318866013b

SHA256
638d856d576282cedb255cd6079d90575155392050c70393ca31ae63e02bdc19

SHA512
bf983358205d989e7086f17c738387fc31381ad862a72d0cca20374cc94f84b63fc3ee0fa420370fad469306be1b39720b51b347a905a82fb5de87ec7b36d75e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afed32e687aef5291fef5f7edff04ccc

SHA1
098422e3b8a13b814a8a20c01f906a003de2406b

SHA256
5840841049b2e3e87359acfdf0cdfcb480fd4d3da2deccde07f6e1dba3cf81b9

SHA512
7bf1aa0dbc7b111dfcc8b1a7f219a279ce313458ac218115b55f2130e5a94fd9dcd71c64bb4df7471c69f9833bcb1ae820605e9dfa9e8a4c7836a687c5f1028b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90376d47f65abb7b73f73d8211a5bb3e

SHA1
367cfb42bdbf193861ec25cdaa77e03b49c4e805

SHA256
af6f09fa7f9149d83aad8bc33187eb963999c89e80d4f50e170e6e3b29eb142c

SHA512
dff1a7c0e2fa3e741d6e5dc074c9fbafb048c0a1135a371d62205415b0f6e662470952c990e12518f83f3ec70c47fcc87db3c0835bb7b4c1560dd399e7a34e88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bec5ad638268bf029ff17c9d6480840a

SHA1
95a044fde2d52b5d62870d3c39dffd094abd0fac

SHA256
c3fe96f9a1aed3cc71578f93c32d5d8fa2335e607e7d81b09f6fa13db31f7d55

SHA512
f029825f7ef12ce1da56844675143f2cec620f11ef46249b2a256445cc3627c0b732dec5a60e41a8a964ab4bf91f33aaeae3753f221d19c241fa75729e521e3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ba2341f52a336459a39f3607e87bd3e

SHA1
b6662f19d30d725bad692870a4346e2213316ca9

SHA256
05c515689ec5641afd14da3dcaaee121afc0d5e0f6eb9440b22ef0b649510b1a

SHA512
3074aba2bc17b6a866c3573cbdee61ff7232f9437b81f63db77828a34ef3424784ee494b0795918214f01f09f579d2db133aefbebdee7cfb6020ae0a41fb534c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14de41801b987ca1e633e9db1d47c0cb

SHA1
3768c2fef09f8918c2987707e2170fe142129daa

SHA256
2a87a777ff32cd843a1deaf7ea9f2a4d3a244b43de64d66390ef078b574a2c8d

SHA512
fa4a8087c7d00358737970775da0c48f1796fc33ffd33fe670f9095dc931ade45f8aa1bd85c82f547c8ac2b743beb2e6038ac5100b76e537ece2673b51c30918

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
25c18f9bc0f11551c6a359b35720a99a

SHA1
093596bb9c3d19ecf84697c7e4e9bac1a83d0541

SHA256
515e791960f02d290e1bfe1934a4604bb7087d6cd155758d01fa447bd2484ee6

SHA512
1f115a034652fbfdddea953f1030f57d1d147c83825ead3fc63db1b530eb3daa41f9b07e1225a7afda5a5e777899cdd88f35f5314fbd4340a7ecd55c97c71a85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c75887b147017d41da4e665317e2c7ad

SHA1
428e35e5bd66b8d0ab6f532a8b781ce9f3f18e06

SHA256
112b9da7275b7ac3ca7806fe9e60e3ca064edb0b468a4554a6b64b0db6b5c9f7

SHA512
4658d1215902c2456f747294bea86ca4971223c30f2535691f7bc18688b5d3c96527006b0cd4492722731519462a6892a3ecca5f63920a967b28028d48814e08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb5209e353cf1bdc1eed9c84b1bed8c3

SHA1
d86c5ec83a52691cf89ccddf8f6b6c851cc6cc06

SHA256
e39d87a6771a473a6c1b557d085f070e9cd6461aff006029d2dc1bb43c35a085

SHA512
ff71ea13c91b4e923a9f62d1c253a7e48e5e6a368e8099de95e5d37c255f51ef8f0141318d559a402c09b6eb1ba3114e5fb9532142b7d39cbcdffc9d114fff6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5cc0bc51de45c9b1cdbd543c4d3a0e22

SHA1
6fd4bf4d14ca6e44175c4f0313b30618eb7859ab

SHA256
ab80224b29ee774975d07f2a5582b5657f7d1c484dc49b927793e94a5cd7c53a

SHA512
6a9221dd1ddaaed9aa85c44637b647b56d718e9277f14b268df043a7c94797c79e575e13815683fae332060147764da07af57755b58d60107f29961c6b1ef58e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b3b9532616583204856593e8ade2598

SHA1
4118556f6eb4cece4f960867571b1d60ecf317e8

SHA256
04384df9d19d2170a57b6342ec20a3a426c2686273cfbeab4fc7b1ef56bfdf92

SHA512
e86605f171880c4a4f2f19f01450d41c3765a95d703a205b3c481e9991e1c9faaba29de3197ff52306cb7a46fad339e0145e1d576b128446d719164ebf05f124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{24C15691-E02B-11EE-9511-66DD11CD6629}.dat

Filesize
5KB

MD5
da73f80ea476aa53f533d123cc1a5176

SHA1
d0b214689a04aea815b8f6ddc2f5799027f0d5ee

SHA256
4b7b61cb70a54e3ac39160e555a3e9070fc94909784d915ea0fd5a13d08d91ba

SHA512
37393a457f34d79861b3db12fa743e97095d9459741a210ed6006400aab3e221ccadc13333fce89fffef4f57d629cc6ee242db5efa11d0777080d56b0b63f575

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6F1A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7125.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\ Intornot Exploror .lnk

Filesize
1KB

MD5
36e22823106377b964afc529b27d23a7

SHA1
7ed148119629682a1902451c972a0f8ca9f19ac3

SHA256
d0e184f8a6d4f970e898caffbcbae2accd0f9f1ac7b679114686d3556f9db50a

SHA512
d15ef8adf39c65cbb55aefc9c65083fb4565852853f76ed0adcb7c4d6c9b42c09c9867497a0c7d0f2d6800b0774ee68eebf4139df32bf3986ea0781a676d1998

Download Submit
\Program Files (x86)\jishu_162309\jishu_162309.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
\Users\Admin\AppData\Local\Temp\nstA304.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nstA304.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit