583b51287187df514ef222f1aee18d48424a64a9f50909dd27a47ad245f863c2

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

theworld.exe
Size

614KB
MD5

86304066455028632cb42c34a2b42b21
SHA1

3b00e902ce09a241024330b122ba10a354af2b93
SHA256

52b304f491abd2f4f2b364371b632eb31a99af2b9da5a63a82a00b091bac6289
SHA512

b59048f1c007f33053faa776643811a34da7882243de672c3c6692a2b08af30f84949f747237d7a5ab08e34c7205f0ad340fe8c33012f0c37497c2ac4e6698b8
SSDEEP

12288:kaWz2Mg7v3qnCi8ErQohh0F4CCJ8lnyLQYn:7adMv6CYrjqnyLQ+

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	theworld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	WScript.exe

Modifies system executable filetype association 2 TTPs 12 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Program Files (x86)\\Winrar\\Monitor.jse\" \"%1\" %*"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\SysWOW64\\WScript.exe\" \"C:\\Program Files\\Tencent\\Obfuscated.n\" \"%1\" %*"	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LNKFILE\CLSID	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LNKFILE\SHELLEX\CONTEXTMENUHANDLERS\{00021401-0000-0000-C000-000000000046}	WScript.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\lnkfile\shellex\ContextMenuHandlers	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "´ò¿ª(&O)"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LNKFILE\SHELLEX\DROPHANDLER	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "678078609"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "678078609"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116754"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10a6b017d2cdda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116754"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31116754"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fb7b7aaa19eb84499a1cb94a069837d1000000000200000000001066000000010000200000001c896d92c3ff876f11543da570aae9b8b5f907a0a85ab36104bb0d9c7f58961f000000000e80000000020000200000006fe0a5417a59ba7f9f2bb5dc3df40839842da536741ca00d0ef4d7b69bfb0bc820000000a0810bdd2efebb70976af08039c154d87b93faf7f2b8788068a84aca4f3205a54000000044107d092873de27921c86be958cec26c170954dacf9d76015efc61f2092213b168a79edfd87482ae5e3fa6fb8dd1b4ce281ff03dbab791a2c3ba63369ea09aa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{536AE943-39C5-11EF-B1BC-6A4A723AFC37} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "671047743"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426835489"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "671047743"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31116754"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print\Command	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\PropertySheetHandlers	theworld.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open\ = "打开(&O)"	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print\Command\ = "%SystemRoot%\\SysWow64\\Notepad.exe /p %1"	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ScriptEngine\ = "JScript.Encode"	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.LNK\SHELLEX\{000214EE-0000-0000-C000-000000000046}	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LNKFILE\SHELLEX\CONTEXTMENUHANDLERS\{00021401-0000-0000-C000-000000000046}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ = "JScript 已编码的 Script 文件"	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open\Command\ = "%SystemRoot%\\SysWow64\\WScript.exe \"%1\" %*"	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit\Command\ = "%SystemRoot%\\SysWow64\\Notepad.exe %1"	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\PropertySheetHandlers\WSHProps\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\FriendlyTypeName = "@%SystemRoot%\\System32\\wshext.dll,-4805"	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2\Command\ = "%SystemRoot%\\SysWow64\\CScript.exe \"%1\" %*"	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\DropHandler	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2\ = "在命令提示符中打开(&W)"	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\SysWOW64\\WScript.exe\" \"C:\\Program Files\\Tencent\\Obfuscated.n\" \"%1\" %*"	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LNKFILE\CLSID	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\PropertySheetHandlers\WSHProps	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Program Files (x86)\\Winrar\\Monitor.jse\" \"%1\" %*"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit\ = "编辑(&E)"	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.LNK\SHELLEX\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2\Command	theworld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LNKFILE\SHELLEX\DROPHANDLER	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.n	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "´ò¿ª(&O)"	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.LNK\SHELLEX\{000214F9-0000-0000-C000-000000000046}	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.LNK\SHELLEX\{00021500-0000-0000-C000-000000000046}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\WScript.exe,3"	theworld.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\lnkfile\shellex\ContextMenuHandlers	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ScriptEngine	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open\Command	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.n\ = "Nfile"	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit\Command	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print\ = "打印(&P)"	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx	theworld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\DropHandler\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\DefaultIcon	theworld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1548	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe
4064	theworld.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4064	theworld.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3284	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3284	iexplore.exe
3284	iexplore.exe
5084	IEXPLORE.EXE
5084	IEXPLORE.EXE
5084	IEXPLORE.EXE
5084	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 4548	4064	theworld.exe	83
PID 4064 wrote to memory of 4548	4064	theworld.exe	83
PID 4064 wrote to memory of 4548	4064	theworld.exe	83
PID 4548 wrote to memory of 3284	4548	WScript.exe	85
PID 4548 wrote to memory of 3284	4548	WScript.exe	85
PID 4064 wrote to memory of 3988	4064	theworld.exe	87
PID 4064 wrote to memory of 3988	4064	theworld.exe	87
PID 4064 wrote to memory of 3988	4064	theworld.exe	87
PID 3988 wrote to memory of 1548	3988	cmd.exe	89
PID 3988 wrote to memory of 1548	3988	cmd.exe	89
PID 3988 wrote to memory of 1548	3988	cmd.exe	89
PID 3284 wrote to memory of 5084	3284	iexplore.exe	90
PID 3284 wrote to memory of 5084	3284	iexplore.exe	90
PID 3284 wrote to memory of 5084	3284	iexplore.exe	90

C:\Users\Admin\AppData\Local\Temp\theworld.exe
"C:\Users\Admin\AppData\Local\Temp\theworld.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitor.n"
  2⤵
  - Checks computer location settings
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.com/?g9
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3284 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 4 127.1>nul &del /q "C:\Users\Admin\AppData\Local\Temp\theworld.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 4 127.1
    3⤵
    - Runs ping.exe
    PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
63a2d2b4cdc269762fe4bdb8cdfde7f8

SHA1
5cce14e5285ce9844b164d37de9f4ad0acc7880f

SHA256
8e323e0354939fd301d8db011a0b007476c93e0e048100922e3e59e34b04f716

SHA512
db3b35b23c3088fdf8f5215d8f9149e717d871be0c7b69541aba232e6f829e18d9d074b53f173387985a3ba4df1c016ec5b75f4387d6123c6c1ba3113c43dec9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
24efc4ae9b31a1a5d7f0b4fc54d9989d

SHA1
cb2f597d7f10277a91f9b4bc91040e6f65aba888

SHA256
fcae1e63aa2adfbf4e88227c68fb84925033419eaddf567a9113d2fef8373630

SHA512
caaac7e4314676d0588a671d280f96552b867beddc95ee098f5fc5f3c4f076fd2e52ca15cf10cc65ae371eb5980aadbf7eee150a84b8556d4336bee07de3a5f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verA96F.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitor.n

Filesize
7KB

MD5
a4bf7f9ba9b3e741c3054dfa0b5325ee

SHA1
2d5810b2d46596b4bbd04b565806ea7ec99d9116

SHA256
72f10825026c2f8fa14aaaae7a3919f96c56e6e4d2fe650b0268efe3a9b0469f

SHA512
b7853a9e9f451ad96f4421cb8c5dd8847813a568dc056c309a4296cbf4de05eeead66236001eea0125cb7a6fa7c1baf5555221fa5d0b76e13e4698504e592eef

Download Submit
C:\Users\Public\Desktop\Internet Explorer.lnk

Filesize
1KB

MD5
4cd8a4d53ed1939fe0b7765d40eb68d4

SHA1
19d3f59ded3c6e7b505af834dce89a7693685381

SHA256
1ecfdb203fb4186d862974c976a3001d54cd47c45cef9ee3a931ac7df3e978d8

SHA512
ac09263481661e543a565b779472bf1841d07ba07b182081a63419e64642706d1ce51353eb8f86e9ad525b58caa84178c45193d8ec64b7084c92a739218cba2e

Download Submit