2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
Size

45KB
MD5

20daa3beea9d39ed8d3ce80fe9af9e30
SHA1

b4a03d323c3c79b3bf4c1f8f00d46e93017e4d2e
SHA256

2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4
SHA512

1d49787764cc27a182e10604e72455898d0375705c9159d23fddacf56295c85ba2c318e5b58b566d66f1c542564855ea3df9571d74c207643ea4544a7668e699
SSDEEP

768:8V5hy+7c6OXdfwEQ90NoZCi5TXbRzjEDta8jFqjsZvI2YxrQiP+ZRDd+RYTl/iUh:8h7xsCKosi5pzjIcdRiTpqMGxs3EI

Score

8^/10

persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\debugger = "ntsd -d"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "ntsd -d"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "ntsd -d"	reg.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe "	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Client\AppVLP.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\msoasb.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\ktab.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\misc.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\javaw.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\javacpl.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\msoia.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jmap.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\pack200.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\dotnet\dotnet.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\orbd.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\javaws.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\orbd.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\IEContentService.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\xjc.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jhat.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt \ = " exefile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe "	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe "	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe "	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe "	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 4188	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	82
PID 2036 wrote to memory of 4188	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	82
PID 2036 wrote to memory of 4188	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	82
PID 2036 wrote to memory of 3600	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	86
PID 2036 wrote to memory of 3600	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	86
PID 2036 wrote to memory of 3600	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	86
PID 2036 wrote to memory of 4536	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	87
PID 2036 wrote to memory of 4536	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	87
PID 2036 wrote to memory of 4536	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	87
PID 2036 wrote to memory of 2412	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	88
PID 2036 wrote to memory of 2412	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	88
PID 2036 wrote to memory of 2412	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	88
PID 2036 wrote to memory of 776	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	89
PID 2036 wrote to memory of 776	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	89
PID 2036 wrote to memory of 776	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	89
PID 2036 wrote to memory of 2076	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	90
PID 2036 wrote to memory of 2076	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	90
PID 2036 wrote to memory of 2076	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	90
PID 2036 wrote to memory of 3772	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	91
PID 2036 wrote to memory of 3772	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	91
PID 2036 wrote to memory of 3772	2036	2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe	91
PID 3600 wrote to memory of 4400	3600	cmd.exe	98
PID 3600 wrote to memory of 4400	3600	cmd.exe	98
PID 3600 wrote to memory of 4400	3600	cmd.exe	98
PID 3600 wrote to memory of 2068	3600	cmd.exe	99
PID 3600 wrote to memory of 2068	3600	cmd.exe	99
PID 3600 wrote to memory of 2068	3600	cmd.exe	99
PID 3600 wrote to memory of 3208	3600	cmd.exe	100
PID 3600 wrote to memory of 3208	3600	cmd.exe	100
PID 3600 wrote to memory of 3208	3600	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
"C:\Users\Admin\AppData\Local\Temp\2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe
  2⤵
  PID:4188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\123.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4400
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2068
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c assoc .txt = exefile
  2⤵
  - Modifies registry class
  PID:4536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
  2⤵
  - Modifies system executable filetype association
  - Modifies registry class
  PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
  2⤵
  - Modifies registry class
  PID:776
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
  2⤵
  - Modifies registry class
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\2271d66694f2b404390003838cf34fa8cf0b9290f8e2447b6530090c8f92e7e4.exe
  2⤵
  - Modifies registry class
  PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\123.bat

Filesize
443B

MD5
70170ba16a737a438223b88279dc6c85

SHA1
cc066efa0fca9bc9f44013660dea6b28ddfd6a24

SHA256
d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a

SHA512
37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
45KB

MD5
4a2c75c051f6353150b5faef46adbd3a

SHA1
4c8aa1cc7bab526036dd9ed7baa6b9ebed371c78

SHA256
a69b8a474b5bed878ca8fcbbac1ec3ef3f6ef6c00d07f666872ef7ed26a134bf

SHA512
a60d74d7ad67df169711196e56113386b069c623fed4c3b38f91f72e933a50fed8d35d55ad4d6b9b51768cfb881e3113c610584cc4fdeccb59f6323864a08434

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads