9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
Size

45KB
MD5

a8b164ab743df1e0b2f497f238382a25
SHA1

4c9f3ee5862dec411c1872c08a83ca430f1b90ad
SHA256

9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a
SHA512

a577bf946985a943670097bd5b3878e9a606df988a2e75a33f36349e7c060062bcf8f9f3cd7ad7d7b1efaca1eb78913c8110276c24eac8b8f45b3aae4f08ce72
SSDEEP

768:8V5hy+7c6OXdfwEQ90NoZCi5TXbRzjEDta8jFqjsZvI2YxrQiP+ZRDd+RYTl/iU3:8h7xsCKosi5pzjIcdRiTpqMGxs33lt

Score

8^/10

persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "ntsd -d"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "ntsd -d"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\debugger = "ntsd -d"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	reg.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe "	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\SysWOW64\regedit.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Mail\wabmig.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Chess\Chess.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\misc.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\keytool.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\java.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\vlc.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\orbd.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\klist.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\sidebar.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\java-rmi.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Media Player\wmpconfig.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\write.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Windows\bfsvc.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Windows\explorer.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Windows\fveupdate.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Windows\twunk_16.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Windows\winhlp32.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Windows\Boot\PCAT\memtest.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Windows\HelpPane.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Windows\hh.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Windows\notepad.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Windows\splwow64.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
File opened for modification	\??\c:\Windows\twunk_32.exe	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe "	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe "	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe "	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe "	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt \ = " exefile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1672	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	28
PID 1676 wrote to memory of 1672	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	28
PID 1676 wrote to memory of 1672	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	28
PID 1676 wrote to memory of 1672	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	28
PID 1676 wrote to memory of 2808	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	30
PID 1676 wrote to memory of 2808	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	30
PID 1676 wrote to memory of 2808	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	30
PID 1676 wrote to memory of 2808	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	30
PID 1676 wrote to memory of 3024	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	31
PID 1676 wrote to memory of 3024	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	31
PID 1676 wrote to memory of 3024	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	31
PID 1676 wrote to memory of 3024	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	31
PID 1676 wrote to memory of 2204	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	33
PID 1676 wrote to memory of 2204	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	33
PID 1676 wrote to memory of 2204	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	33
PID 1676 wrote to memory of 2204	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	33
PID 1676 wrote to memory of 820	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	34
PID 1676 wrote to memory of 820	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	34
PID 1676 wrote to memory of 820	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	34
PID 1676 wrote to memory of 820	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	34
PID 2808 wrote to memory of 1320	2808	cmd.exe	38
PID 2808 wrote to memory of 1320	2808	cmd.exe	38
PID 2808 wrote to memory of 1320	2808	cmd.exe	38
PID 2808 wrote to memory of 1320	2808	cmd.exe	38
PID 1676 wrote to memory of 944	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	39
PID 1676 wrote to memory of 944	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	39
PID 1676 wrote to memory of 944	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	39
PID 1676 wrote to memory of 944	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	39
PID 1676 wrote to memory of 928	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	41
PID 1676 wrote to memory of 928	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	41
PID 1676 wrote to memory of 928	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	41
PID 1676 wrote to memory of 928	1676	9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe	41
PID 2808 wrote to memory of 1556	2808	cmd.exe	43
PID 2808 wrote to memory of 1556	2808	cmd.exe	43
PID 2808 wrote to memory of 1556	2808	cmd.exe	43
PID 2808 wrote to memory of 1556	2808	cmd.exe	43
PID 2808 wrote to memory of 860	2808	cmd.exe	44
PID 2808 wrote to memory of 860	2808	cmd.exe	44
PID 2808 wrote to memory of 860	2808	cmd.exe	44
PID 2808 wrote to memory of 860	2808	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
"C:\Users\Admin\AppData\Local\Temp\9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe
  2⤵
  PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\123.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1320
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1556
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c assoc .txt = exefile
  2⤵
  - Modifies registry class
  PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
  2⤵
  - Modifies system executable filetype association
  - Modifies registry class
  PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
  2⤵
  - Modifies registry class
  PID:820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
  2⤵
  - Modifies registry class
  PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\9fad79f1f9c9eeb65eb8eeb8e03da6d75d210b3115db8fb85335ef61dce9939a.exe
  2⤵
  - Modifies registry class
  PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\123.bat

Filesize
443B

MD5
70170ba16a737a438223b88279dc6c85

SHA1
cc066efa0fca9bc9f44013660dea6b28ddfd6a24

SHA256
d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a

SHA512
37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
45KB

MD5
442df6956f0554e9d613af2b6b9d4aac

SHA1
e0470d18a2146fa57b902d6fa591c1cc60c68542

SHA256
a42aa00b7da81c2ddfc4cc15f7a6bcaaa9eeeb7ac99b6047906d17c0bffeaccc

SHA512
763a35149b074b6a327adfe783fde6986a7d215fc29d48484e7befcd6b35a87ef8b977920bec692e613eb6ae540c05cb7bedd5449c4be6ae7b5b8b1188f720c9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads