8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc

Analysis

max time kernel
69s
max time network
135s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe
Size

232KB
MD5

b24254e3e87672aab635de2b145aa100
SHA1

47d032142348eb41de9e64245e5a7ebb6a165ee3
SHA256

8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc
SHA512

9f14b31d955e057577040c240d7f751a01ad4b75edc5f20cd078b9f941edb853f091ced0fcebb898eddd68b74398db6c9d83e5c1dff4ddf27579c575c59bf82c
SSDEEP

3072:G1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1VOz1i/NU82OMYcYU:gi/NjO5xbg/CSUFLTwMjs6oi/N+O7

Score

8^/10

defense_evasion persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2904-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x001f00000001722f-10.dat	upx
behavioral1/files/0x00070000000186b7-11.dat	upx
behavioral1/memory/2904-444-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ie.bat	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2112	cmd.exe
1632	cmd.exe
2572	cmd.exe
2752	cmd.exe
2876	cmd.exe
2756	cmd.exe
2696	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\windows.exe	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe
File opened for modification	C:\WINDOWS\windows.exe	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70bad38a35d3da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B2BE4B41-3F28-11EF-B39C-C278C12D1CB0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000c75dc93064612318b4ac85630bedc6cbbc8a44a1182057fc15285c8d33cf552f000000000e8000000002000020000000b2efdcf1a4a02061deb1d95052163035f7fc0c1153b2fa94618f9911c5967784200000000d6c8149f6d4c683b178f0b146463a9241f9c4aca4ee904c1d4680ccd14e3380400000001690cf34e930f268f772be49adbc91a84ad71a6665f90f0826037025b35ab0cdeceff1cd8661073b0debf82356bebc1c586679122336e47314528a676a48e443	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b70000000000200000000001066000000010000200000002cbb5b94e371bd4cfba88fb052d7965996bb62ad50583dab05060c73b3dff1b4000000000e800000000200002000000043387702b8c87910d26033410167c1ac48e95860e428cbe0bd458dbd1d0cb3fc9000000082134fd754016928d642739606e6eaa14fc06a94df0ba893ca3e007e63e04039927efeb49325baee0550c5d35fe5bd97a5e87b969e1e1f7afd042c8b77ac178bf45c68f8d62a011a37da3abd9f4546b07e6af22cb34a2670e50bfbaf87cfa7676fdae96c387e17260034736694baff901296ff56bc2e6bd09e3b67ffbe0f8d2314dc8a1a1beaf6c8ec09108e7399d6bd40000000af5493241ea9eeeae1e4d970abb92d96808af7db973f6e1dbb850204abcce03610934d5217bc2b60bfcc8aff33b8bbc97ae6926dd4641b0af07228e569618ed2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426824819"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe
2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe
2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe
2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe
2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2372	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe
2372	iexplore.exe
2372	iexplore.exe
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2372	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	29
PID 2904 wrote to memory of 2372	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	29
PID 2904 wrote to memory of 2372	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	29
PID 2904 wrote to memory of 2372	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	29
PID 2372 wrote to memory of 2768	2372	iexplore.exe	30
PID 2372 wrote to memory of 2768	2372	iexplore.exe	30
PID 2372 wrote to memory of 2768	2372	iexplore.exe	30
PID 2372 wrote to memory of 2768	2372	iexplore.exe	30
PID 2904 wrote to memory of 2752	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	31
PID 2904 wrote to memory of 2752	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	31
PID 2904 wrote to memory of 2752	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	31
PID 2904 wrote to memory of 2752	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	31
PID 2752 wrote to memory of 2812	2752	cmd.exe	33
PID 2752 wrote to memory of 2812	2752	cmd.exe	33
PID 2752 wrote to memory of 2812	2752	cmd.exe	33
PID 2752 wrote to memory of 2812	2752	cmd.exe	33
PID 2904 wrote to memory of 2876	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	34
PID 2904 wrote to memory of 2876	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	34
PID 2904 wrote to memory of 2876	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	34
PID 2904 wrote to memory of 2876	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	34
PID 2876 wrote to memory of 2644	2876	cmd.exe	36
PID 2876 wrote to memory of 2644	2876	cmd.exe	36
PID 2876 wrote to memory of 2644	2876	cmd.exe	36
PID 2876 wrote to memory of 2644	2876	cmd.exe	36
PID 2904 wrote to memory of 2756	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	37
PID 2904 wrote to memory of 2756	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	37
PID 2904 wrote to memory of 2756	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	37
PID 2904 wrote to memory of 2756	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	37
PID 2756 wrote to memory of 2676	2756	cmd.exe	39
PID 2756 wrote to memory of 2676	2756	cmd.exe	39
PID 2756 wrote to memory of 2676	2756	cmd.exe	39
PID 2756 wrote to memory of 2676	2756	cmd.exe	39
PID 2904 wrote to memory of 2696	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	40
PID 2904 wrote to memory of 2696	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	40
PID 2904 wrote to memory of 2696	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	40
PID 2904 wrote to memory of 2696	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	40
PID 2696 wrote to memory of 1748	2696	cmd.exe	42
PID 2696 wrote to memory of 1748	2696	cmd.exe	42
PID 2696 wrote to memory of 1748	2696	cmd.exe	42
PID 2696 wrote to memory of 1748	2696	cmd.exe	42
PID 2904 wrote to memory of 2112	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	43
PID 2904 wrote to memory of 2112	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	43
PID 2904 wrote to memory of 2112	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	43
PID 2904 wrote to memory of 2112	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	43
PID 2112 wrote to memory of 2328	2112	cmd.exe	45
PID 2112 wrote to memory of 2328	2112	cmd.exe	45
PID 2112 wrote to memory of 2328	2112	cmd.exe	45
PID 2112 wrote to memory of 2328	2112	cmd.exe	45
PID 2904 wrote to memory of 1632	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	46
PID 2904 wrote to memory of 1632	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	46
PID 2904 wrote to memory of 1632	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	46
PID 2904 wrote to memory of 1632	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	46
PID 1632 wrote to memory of 2436	1632	cmd.exe	48
PID 1632 wrote to memory of 2436	1632	cmd.exe	48
PID 1632 wrote to memory of 2436	1632	cmd.exe	48
PID 1632 wrote to memory of 2436	1632	cmd.exe	48
PID 2904 wrote to memory of 2572	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	49
PID 2904 wrote to memory of 2572	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	49
PID 2904 wrote to memory of 2572	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	49
PID 2904 wrote to memory of 2572	2904	8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe	49
PID 2572 wrote to memory of 924	2572	cmd.exe	51
PID 2572 wrote to memory of 924	2572	cmd.exe	51
PID 2572 wrote to memory of 924	2572	cmd.exe	51
PID 2572 wrote to memory of 924	2572	cmd.exe	51

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2676	attrib.exe
1748	attrib.exe
2328	attrib.exe
2436	attrib.exe
924	attrib.exe
2812	attrib.exe
2644	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe
"C:\Users\Admin\AppData\Local\Temp\8fc6b2e6d05e053e7b528727e6b562f275731828691cc9205a42d1d1fcc216bc.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - Views/modifies file attributes
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:2328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\WINDOWS\windows.exe"
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "c:\system.exe"
    3⤵
    - Views/modifies file attributes
    PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fca055ff5ef6465e8e277fd5ff5954bb

SHA1
449ca13b0ff3e54b8a805b9e912b4f9024afa8de

SHA256
6a23a73fe8651030b35bdefb4bcd72774c4e4d5e09a59423338929c2536b8d7f

SHA512
e58b083db0343f5e9fbac6b99ab5a6237045bac60d41b5940268f0258e65ac85cd9fdd3ecc81cdf48bbcc2e02f15460eb03e41b425fcd1f393fa54b5921df14b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61bd3ffd9d0079e0f73e94ee1d1f8270

SHA1
ffd1a60620fd552419ab76e8fa068d1fc6422775

SHA256
c1de14a57104849db9694820c88177c9700ca2709d4dbbe6cfca2779f87e9930

SHA512
a0376d715474747e93cbd9072e11b20ae090bfb68c0523acd12a707d117a81773f466ad1e13d504f5d283d4516a9ca4b01c26038bd637aeb76956496ebcbae0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0deecc73adc1f6e08f2448a2c744955a

SHA1
8b3c569d6c646ab35c15539ed64c1583c9199812

SHA256
e8fbc0b9d13932092b0908bee749d5a36e0947f2df4863af6cddfc2d0675c054

SHA512
ed20869e594f7d738a10589aefc02e0ecd44b9d51a8f79e696e589af52e8633048987af414e9c6148da8b2c86212f983761bf1574875e0b0e015587e519faade

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfde8212bdc806f05ffd2163fe144227

SHA1
d3250835cf6543510acd3871f7d4c8b5ce6220ef

SHA256
a6d90896a7e460a2215a2077acafdd1e9434dc8427a31fc1053cc0fc35314f3d

SHA512
47398c7a0b4607ebd618779e86ddd722ed78aac591d03514b82ccc5b357b46c85af5f98ea767dd2d90c0cceec0361a5eabeb3e3af5b629ce03764840bf9e7f44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c25b3d968701f183cecbe16b9d8e051

SHA1
1d93653d645f13e92c0e612f56b3949d25ecdf22

SHA256
1158c0e91a1138bd0352205146b9a6003e827b53491480198e6441a5d240b364

SHA512
4babad94455867845478db82f535a05a90c95a03af05b65b693ee1b3499bf28e91e53618de3d8d0574a96deb955e9e373957620dfa16852e64945cc6dbb31406

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21163d695cdf02bae3fe68e3ca173ae9

SHA1
c2b197d62971d4c0a022511905c92f3803df7ff2

SHA256
41df90397004957942adcc34e7e5801760ae69db59ea689ebf281f9508be635d

SHA512
b0f3b82f3ee58b5a013ccd722f06f8b2e8e1d2590d01cea4120d914116744ee6eeb188c6ed56b237128039c93d68cb768346da3b93ec8efb6e357e8bc9084c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb0383f37fb3fc7f23d1c19e00de01ad

SHA1
1549ca1b6cd2be39d5713b01d9ed706450927f7a

SHA256
172ae4c9a268eaa3ddb31190686221b157b354a038b2712a673a624bd56846ad

SHA512
2de39b9b931e23f32ee5bfd27b3213044cd490afca2c20d8f548152d7a0d457a1fdc84933b2bbcc0df29ec23072bcd73a7d21f810e0111b070a7f7c2cca3d4fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9eaae2f399075e7e350ff13ae9dc9948

SHA1
379ceaa93a2d950ffa2ddbcaf10ca83113d0bfa7

SHA256
a955da6de70133d536c32929ebc301f54870728fd6dbdb176766218c10b331f2

SHA512
c4dce8839761d8d7873164d276ab53ee81512a86958ce64cfa6a63470f5cbf48ae8600c77c90adb46a1fe6fd6746a0f142b7cc55bb0b56257453b7b76f768138

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fee7f353784a225fbd773cc2e95bd830

SHA1
fe82122631bad9646e23c4fce2f927c464d13080

SHA256
ed6754eaeffbf2bf7b540b2decc645d71532688328485e3192cb285c616b85a9

SHA512
1f6ff41e01dfa0d24dbf34477bbf79d3a459134e22e75c4ca819024b37cc4ac59ac42043417526707ce316aa9784667058ed308abbffb2d6f7a85f027146b8e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5fe44532e9e61972f975f1d37017f7e

SHA1
f453429b4582946eb632ebe9ede128f37d8c5241

SHA256
75ef6a748b0e1660bedbf9bc5de95096c6db9683befb3933d3c9521ed85e472a

SHA512
bb2d72c7bd69cac9065a5436b63ffe6d97c69a89554066874868576fe31481737bc91440fd1b391abc1230cfd01e10430254df2b470fd685e70dc5abb9409c99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2383fc5774a949ad2538fb5550e60749

SHA1
1eed4e289d7b8050f6d1de3e72affef88a9b1f6b

SHA256
84ea5d730b31bb4449c9abebc413677094891985b5d097919cb35026bac7f85a

SHA512
535927fb20a718d77cd052e5f3484d1b06a0d5029dc179484a894c19dfcf227c3d83c9d2e056b57c3ffa52c6be3d5d21c0290235967f8833bbea26dd2d24fc95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1e3293ad0f237f80e48ae0e9cd783a2

SHA1
33cd70405805e71be44cc2c27c7a24c83177ce04

SHA256
529daf665263afba6e4ffdf8ff4990c21a703c4e441fc33403445f6ed3795445

SHA512
fb74e62fec983efc949cb18fb3efac5078e82aca419b10971d25cf2317c1bfa74e01cdc2df6e1d4e918c1782f66d9c3cd09346db12724e324cb7737c4adcc3d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52f79700d48379c3efc4a97964af75c1

SHA1
19f07ba25308601732dda945e4159baa771d479c

SHA256
cf6258b0df4021a86a451a06762d3398b73a67ac6df86add527e34a85e1edeb1

SHA512
06eef05b43db702440564b8c0477663cf8a2bc990dda20d29ebddc1b6a97e02e926e2af4550079b823b701be22667fe53eabda39f44a70ac55359b2d498a02ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
632acaf8b27fc422267f3191177a523c

SHA1
1d78f93c6e9e0a309c7e2e701f317bfa8ff62ec7

SHA256
704ce092c6bc619b26ba48c752415faf1ed51f5fd256c2c9c1bc114febbefb69

SHA512
453172a87e7c765cca78fd1b1494a7901aa46bba060ee59c7bf77418eaf822f2f7f5bdbccb1566d2adaa3c69a4f0d0dfd5f91742c7923e8e00d29635ce66445b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c48baf7505c60971038435731f1fa95

SHA1
c2ed1928eab86e1b9f2de1908171102d323bd01e

SHA256
1c4c64ff8e9c7ca69dbf64b1aefb34b050df4fbdefc00e936af53dd7bab8e407

SHA512
8e3351253a7ed9bf7403fb84af416831d8721bf90e0c07311a6853e6073faa16fafdf7cbe714ead939aa2b71f4fe001a894ce692e8adcb6abd336e5e925b8438

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c814fc2c616d6b3c220d8aea6a5d8a76

SHA1
44952347b706e69fc9ceb18f2de2c8268526b136

SHA256
ef3f192ef84b198410af7f903b03d2e891133f9ddbb9dd6a06a262871d0ecaba

SHA512
d28f9696926305cdbeb3cba141ce8d39e39deed7f82316cbd866539f78e5c76738bdb5cade2a159b75531514b0de032862a54ca27fcb7f6e97c1a2f850b3d73f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c369434f47f7adabc185bdde156d91d

SHA1
083ecfe88fd5368ff1209b2ed90ab5af3df4f74f

SHA256
96edd7ab08a6b742b749d3ad3f5c5250eae4a469a99da7802611e4fc43385a0e

SHA512
a2ebbd48f74781c106581094e8a5c9bcbe60080f086082e711a3cd0eea16f44bb915210282e0ac3c3d95cc98b5b7288a3eb76c82d30201174bbb4b404bc1a98a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e52bc59a5f3af09308fc952848a2f3dd

SHA1
3d5f0bab7a4c30c2b37d6faa80dcd8d4b869cee8

SHA256
6f15edd219031f9e8898040ef013d43afa3c29a149feeed39d5d3822fda0a1df

SHA512
014c34edc560f58a502eeb1133d71fb3d37093fafa905315d14e455c56ca349c230b4a48e22fb880450fd8197cda240723496e25353868b2445fcbc4d1f68be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab234A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar23FB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\WINDOWS\windows.exe

Filesize
232KB

MD5
6faa21b1b1ad57b666b9ef4e6e53b401

SHA1
2d0728435addd3d85a85b4f13b2bcacaa86bd9ae

SHA256
4abb97bf28bd19093f9f4164c0935afd84b1ab1401a1dcdca7007eba103ad266

SHA512
22d8daf8c2c962fc87353a5cdb4ce82ec7e78fdca8e2ee6da3cbfbca4c174ef8721aef30c2381d3a6629a344533fab9125429f4283cd5e0790c37cbc2f19490b

Download Submit
C:\system.exe

Filesize
232KB

MD5
21ddabc3d4a06742e41fd2a681086395

SHA1
dd7fafad3214b247e7cc0e17e0902dbf8a9dae2b

SHA256
7d6f26c6428b2b924eb5d51940669f176a9ac0560ff8f61f964538f59cf90f0d

SHA512
b94767800bbd6407d87397cf213f815c84f7ce0c6778fa1fac86e9676c955fda3f7a671c14ab6130afc3df165a68bb80b1d52cb46a865e05c315b9e5acc56ab9

Download Submit
memory/2904-444-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2904-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download