16ffc20967f73bd4ff0229972cb7732589f2fd96336505bdb25544cfa0912844

Analysis

max time kernel
135s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
Size

104KB
MD5

cd9e021b58de5ccc6a2fbbe41b0a2bab
SHA1

9db7e920c7cc4eb539b0d1ef97582700d34cd512
SHA256

16ffc20967f73bd4ff0229972cb7732589f2fd96336505bdb25544cfa0912844
SHA512

ef8ce8b51ea8e95aa44730ffd379f51d5cc8065b27d785d2a439244dc1816a4e7465728bd69536481a3323cecffa1acf47c00261c0c85ab0b1a5527e297d341c
SSDEEP

1536:9yVOmTBYa0XkuDkxP4P2g9iB0orjaJLtgb:8dpckuDkxP4Hb+aJLtgb

Score

7^/10

adware evasion persistence stealer trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2268	YS8N7RF8304Z.EXE

Loads dropped DLL 1 IoCs

pid	Process
4816	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72000669-841C-D39B-8178-A1AEC41A9DB3}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\QSNB74R0VO\S1MI1DJ.EXE	YS8N7RF8304Z.EXE
File opened for modification	C:\Program Files\QSNB74R0VO\S1MI1DJ.EXE	YS8N7RF8304Z.EXE
File created	C:\Program Files\QSNB74R0VO\4816QTOV6PM.EXE	YS8N7RF8304Z.EXE
File opened for modification	C:\Program Files\QSNB74R0VO\4816QTOV6PM.EXE	YS8N7RF8304Z.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\FDONSZUYCQS.txt	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
File created	\??\c:\windows\fdonszuycqs.dll	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID\ = "{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT AUTHOR\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\HELPDIR\ = "c:\\windows"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSFILE\SCRIPTHOSTENCODE	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\ = "JScript Language Encoding"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\FLAGS\ = "0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\HTMLFILE\SCRIPTHOSTENCODE	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript Author"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72000669-841C-D39B-8178-A1AEC41A9DB3}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\ = "Thunder 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0\win32\ = "c:\\windows\\fdonszuycqs.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4756	reg.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2024	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
2024	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
2024	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
2024	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
2024	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
2268	YS8N7RF8304Z.EXE
2268	YS8N7RF8304Z.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2268	2024	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	100
PID 2024 wrote to memory of 2268	2024	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	100
PID 2024 wrote to memory of 2268	2024	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	100
PID 2024 wrote to memory of 4816	2024	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	101
PID 2024 wrote to memory of 4816	2024	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	101
PID 2024 wrote to memory of 4816	2024	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	101
PID 2024 wrote to memory of 208	2024	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	102
PID 2024 wrote to memory of 208	2024	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	102
PID 2024 wrote to memory of 208	2024	cd9e021b58de5ccc6a2fbbe41b0a2bab.exe	102
PID 208 wrote to memory of 4868	208	cmd.exe	104
PID 208 wrote to memory of 4868	208	cmd.exe	104
PID 208 wrote to memory of 4868	208	cmd.exe	104
PID 208 wrote to memory of 2204	208	cmd.exe	105
PID 208 wrote to memory of 2204	208	cmd.exe	105
PID 208 wrote to memory of 2204	208	cmd.exe	105
PID 208 wrote to memory of 2008	208	cmd.exe	106
PID 208 wrote to memory of 2008	208	cmd.exe	106
PID 208 wrote to memory of 2008	208	cmd.exe	106
PID 208 wrote to memory of 4136	208	cmd.exe	107
PID 208 wrote to memory of 4136	208	cmd.exe	107
PID 208 wrote to memory of 4136	208	cmd.exe	107
PID 208 wrote to memory of 5060	208	cmd.exe	108
PID 208 wrote to memory of 5060	208	cmd.exe	108
PID 208 wrote to memory of 5060	208	cmd.exe	108
PID 208 wrote to memory of 448	208	cmd.exe	110
PID 208 wrote to memory of 448	208	cmd.exe	110
PID 208 wrote to memory of 448	208	cmd.exe	110
PID 208 wrote to memory of 1448	208	cmd.exe	111
PID 208 wrote to memory of 1448	208	cmd.exe	111
PID 208 wrote to memory of 1448	208	cmd.exe	111
PID 208 wrote to memory of 1760	208	cmd.exe	112
PID 208 wrote to memory of 1760	208	cmd.exe	112
PID 208 wrote to memory of 1760	208	cmd.exe	112
PID 208 wrote to memory of 1828	208	cmd.exe	113
PID 208 wrote to memory of 1828	208	cmd.exe	113
PID 208 wrote to memory of 1828	208	cmd.exe	113
PID 208 wrote to memory of 2228	208	cmd.exe	114
PID 208 wrote to memory of 2228	208	cmd.exe	114
PID 208 wrote to memory of 2228	208	cmd.exe	114
PID 208 wrote to memory of 4756	208	cmd.exe	115
PID 208 wrote to memory of 4756	208	cmd.exe	115
PID 208 wrote to memory of 4756	208	cmd.exe	115
PID 208 wrote to memory of 3176	208	cmd.exe	116
PID 208 wrote to memory of 3176	208	cmd.exe	116
PID 208 wrote to memory of 3176	208	cmd.exe	116
PID 208 wrote to memory of 1068	208	cmd.exe	117
PID 208 wrote to memory of 1068	208	cmd.exe	117
PID 208 wrote to memory of 1068	208	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\cd9e021b58de5ccc6a2fbbe41b0a2bab.exe
"C:\Users\Admin\AppData\Local\Temp\cd9e021b58de5ccc6a2fbbe41b0a2bab.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024
- C:\YS8N7RF8304Z.EXE
  C:\YS8N7RF8304Z.EXE FDONSZUYCQS
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2268
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "c:\windows\fdonszuycqs.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:4816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\F8UKRTWB0S0P.BAT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2204
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:2008
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - Modifies registry class
    PID:4136
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s msvidctl.dll
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:448
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1448
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1760
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1828
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:4756
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:3176
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\F8UKRTWB0S0P.BAT

Filesize
1KB

MD5
91d17ba69c29686ec8929044ff7fcf56

SHA1
db0f273606c7eb9825f57caf9338abf0981d477f

SHA256
2f62c3275b2af56b9801147a9c876bbb9b4cd9ed284f4355d9b66dd557c41eb7

SHA512
171213b4095a7fb299a2ba35da4ed7ac201844b05d5329b08a0f5fc297a1971751f04579a9e7925d5d2c3438696eb8fecf4f27869cda16fca030c1a50cb301dc

Download Submit
C:\Program Files\QSNB74R0VO\4816QTOV6PM.EXE

Filesize
104KB

MD5
cd9e021b58de5ccc6a2fbbe41b0a2bab

SHA1
9db7e920c7cc4eb539b0d1ef97582700d34cd512

SHA256
16ffc20967f73bd4ff0229972cb7732589f2fd96336505bdb25544cfa0912844

SHA512
ef8ce8b51ea8e95aa44730ffd379f51d5cc8065b27d785d2a439244dc1816a4e7465728bd69536481a3323cecffa1acf47c00261c0c85ab0b1a5527e297d341c

Download Submit
C:\Windows\FDONSZUYCQS.txt

Filesize
104KB

MD5
97a9dc422523b7b7106565ee8a4e8ac9

SHA1
6183c83b0bd90bdd9f9504b192f84488d10bf594

SHA256
dd81008218161e65ccab6b6420c9ffe4ae1a7f19f90402adaaef19a20efa8a26

SHA512
18ff0a6d085040c06bd16bcefb2c106142d217ce3431515300dd07baa4dd5756fcb9e4d71f27a71893852a16e25e4695ca3cddf031553a8ef1268a8e36846d0e

Download Submit
C:\YS8N7RF8304Z.EXE

Filesize
10KB

MD5
19595de7fbed86bc29d5d9547073ca63

SHA1
8fa2edaa9e3edefeb672bb3139436fddc5bb3d27

SHA256
e3c841c3b05305890c2496dadf759a8077860f4b1e6a73a12e90bd97cfd95b44

SHA512
740d859c835fd168b6f9951475fd5054515fd83150e655ab6f3d24b320ef235a6af711a08adc615b1186c06c0c2ef5480152c6b53cfcafbd8fa79a5133916747

Download Submit
\??\c:\windows\fdonszuycqs.dll

Filesize
28KB

MD5
ecfee270c2d71fbfe96568bd1e214665

SHA1
c6ebebe2e6313fee775454451fe8cf460733939b

SHA256
fcfba5ab83249f8335eed513d3541833fa612d6e483bc77417c55ac6732b78b8

SHA512
2ef6e08a7fd7915e857877ce5bcc0812fbb18bd69c840fce57d01363b70ea503ecfffde3b03af576655011220dd4f4e730d56be5f9985c240d08303b23564078

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads