005c1bafc1f15abfe83bae9d250248a75d33d0b043ded9188e8598ef89b75bd5

Analysis

max time kernel
142s
max time network
143s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 00:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

476f64a4b3a159a63d1066e63f0ff1c6_JaffaCakes118.exe
Size

222KB
MD5

476f64a4b3a159a63d1066e63f0ff1c6
SHA1

8371f27ed97c9b0d7bc8da5c013c689a2f378021
SHA256

005c1bafc1f15abfe83bae9d250248a75d33d0b043ded9188e8598ef89b75bd5
SHA512

2b37f483d097a816be63151e44d571729b4dab548c5f0f8a798aa202b5879d16f881f5902ec491f0f93acf4d9e475567efe94cabb555fef56368338172593464
SSDEEP

6144:TwTc//////MS9Yd2fRYVe0e68y++fxxZu4YpHmAaGJDlAvTCi1K:yc//////2duRUe1SHvZu4YT9JIhK

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000187c0-18.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2100	QQ×ÔÓÉ.exe
2076	¼òµ¥°Ù±¦Ïä.exe

Loads dropped DLL 5 IoCs

pid	Process
2112	cmd.exe
2112	cmd.exe
2100	QQ×ÔÓÉ.exe
2076	¼òµ¥°Ù±¦Ïä.exe
2076	¼òµ¥°Ù±¦Ïä.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000187a7-5.dat	upx
behavioral1/memory/2100-10-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2076-14-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral1/files/0x000a00000001202b-4.dat	upx
behavioral1/memory/2100-20-0x0000000010000000-0x0000000010010000-memory.dmp	upx
behavioral1/files/0x00070000000187c0-18.dat	upx
behavioral1/memory/2076-57-0x0000000010000000-0x0000000010010000-memory.dmp	upx
behavioral1/memory/2100-61-0x0000000010000000-0x0000000010010000-memory.dmp	upx
behavioral1/memory/2076-81-0x0000000000400000-0x000000000056C000-memory.dmp	upx
behavioral1/memory/2076-83-0x0000000000400000-0x000000000056C000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ACg9ycsarj8y.dll	QQ×ÔÓÉ.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fOnts\CTwZYd7mY2XCUkn5.Ttf	QQ×ÔÓÉ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	¼òµ¥°Ù±¦Ïä.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E59A94E1-4240-11EF-A207-6A2ECC9B5790} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb0000000000020000000000106600000001000020000000c32e8f1423e4daf51d8d0f4a0394041f96d75a399983324b75938ef6ce5c358c000000000e800000000200002000000073fa691898681a842c1edc2613fe27355941cd8988353d7d54807c741cf2fa8a20000000f890b8e218f509ee367d27dde01d568ce31f9d40d302a97506c8309afc7d607040000000fff2d855bffc9837b504acfafd5232792b3a4c5ff4efffae0d7d8bfa78d2cab92b150477c84f6eda6cf552948a4fd67da88c911bd6a9a35dfe40d5e669ba4e62	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427165064"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb00000000000200000000001066000000010000200000008d36d0a742b6ab8ee477cd1ac6774062d91f91023400b1b73906e983456adfa2000000000e80000000020000200000006ea341cd2abb9db05858206eb523a556ebe73c645ad252605a39c7050f1285c490000000ccbf23ed1748dde8a809104d3c8dfcad56c2f80eacde4b2b59a1d62de9b7e448836b296e766e6a1fe009758c73569709ec3fcb93505f35669c640b57ecb41a4d595cb7e45ac274f5e7b2202172dc1dbf60dfa16d30b9ce7c60fe08822b881acc5529fe1f0aa1d826e403a9a30076dd3efe2931e9560f8d91ef36cf83f567782d03556e65b5dd735d917834e4d4ae569e40000000cc4fc81f8873103891767d3ab9d7a58d3d0b6914747c9b85fdab9b64a5bb2de2f6c5447d17ddab6e8b740c3f9fef547f8619ae2263e0aa8a7db80580bec3df9d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0a5f1bc4dd6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B74576A-BB20-47B3-AE0A-046B062897D0}	QQ×ÔÓÉ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B74576A-BB20-47B3-AE0A-046B062897D0}\InprocServer32	QQ×ÔÓÉ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B74576A-BB20-47B3-AE0A-046B062897D0}\InprocServer32\ = "C:\\Windows\\SysWow64\\ACg9ycsarj8y.dll"	QQ×ÔÓÉ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B74576A-BB20-47B3-AE0A-046B062897D0}\InprocServer32\ThreadingModel = "Apartment"	QQ×ÔÓÉ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{6B74576A-BB20-47B3-AE0A-046B062897D0}\InprocServer32	QQ×ÔÓÉ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	QQ×ÔÓÉ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID	QQ×ÔÓÉ.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2100	QQ×ÔÓÉ.exe
2100	QQ×ÔÓÉ.exe
2100	QQ×ÔÓÉ.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe
Token: SeDebugPrivilege	2100	QQ×ÔÓÉ.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2076	¼òµ¥°Ù±¦Ïä.exe
2168	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2076	¼òµ¥°Ù±¦Ïä.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2100	QQ×ÔÓÉ.exe
2100	QQ×ÔÓÉ.exe
2076	¼òµ¥°Ù±¦Ïä.exe
2076	¼òµ¥°Ù±¦Ïä.exe
2076	¼òµ¥°Ù±¦Ïä.exe
2076	¼òµ¥°Ù±¦Ïä.exe
2168	iexplore.exe
2168	iexplore.exe
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2160	2384	476f64a4b3a159a63d1066e63f0ff1c6_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2160	2384	476f64a4b3a159a63d1066e63f0ff1c6_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2160	2384	476f64a4b3a159a63d1066e63f0ff1c6_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2160	2384	476f64a4b3a159a63d1066e63f0ff1c6_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2112	2384	476f64a4b3a159a63d1066e63f0ff1c6_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2112	2384	476f64a4b3a159a63d1066e63f0ff1c6_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2112	2384	476f64a4b3a159a63d1066e63f0ff1c6_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2112	2384	476f64a4b3a159a63d1066e63f0ff1c6_JaffaCakes118.exe	32
PID 2160 wrote to memory of 2100	2160	cmd.exe	34
PID 2160 wrote to memory of 2100	2160	cmd.exe	34
PID 2160 wrote to memory of 2100	2160	cmd.exe	34
PID 2160 wrote to memory of 2100	2160	cmd.exe	34
PID 2112 wrote to memory of 2076	2112	cmd.exe	35
PID 2112 wrote to memory of 2076	2112	cmd.exe	35
PID 2112 wrote to memory of 2076	2112	cmd.exe	35
PID 2112 wrote to memory of 2076	2112	cmd.exe	35
PID 2100 wrote to memory of 2504	2100	QQ×ÔÓÉ.exe	36
PID 2100 wrote to memory of 2504	2100	QQ×ÔÓÉ.exe	36
PID 2100 wrote to memory of 2504	2100	QQ×ÔÓÉ.exe	36
PID 2100 wrote to memory of 2504	2100	QQ×ÔÓÉ.exe	36
PID 2076 wrote to memory of 2168	2076	¼òµ¥°Ù±¦Ïä.exe	40
PID 2076 wrote to memory of 2168	2076	¼òµ¥°Ù±¦Ïä.exe	40
PID 2076 wrote to memory of 2168	2076	¼òµ¥°Ù±¦Ïä.exe	40
PID 2076 wrote to memory of 2168	2076	¼òµ¥°Ù±¦Ïä.exe	40
PID 2168 wrote to memory of 1784	2168	iexplore.exe	41
PID 2168 wrote to memory of 1784	2168	iexplore.exe	41
PID 2168 wrote to memory of 1784	2168	iexplore.exe	41
PID 2168 wrote to memory of 1784	2168	iexplore.exe	41

C:\Users\Admin\AppData\Local\Temp\476f64a4b3a159a63d1066e63f0ff1c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\476f64a4b3a159a63d1066e63f0ff1c6_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\QQ×ÔÓÉ.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\QQ×ÔÓÉ.exe
    C:\QQ×ÔÓÉ.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\QQ1166~1.EXE >> NUL
      4⤵
      PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\¼òµ¥°Ù±¦Ïä.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\¼òµ¥°Ù±¦Ïä.exe
    C:\Users\Admin\AppData\Local\Temp\\¼òµ¥°Ù±¦Ïä.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://bbx.jdyou.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\QQ×ÔÓÉ.exe

Filesize
23KB

MD5
c1fe85d419a39d72b17169d78bccf86e

SHA1
b87fdbaa328630910252f504eaae0f51c40a7405

SHA256
44029d096beabfda50745c9c85ff76777759ef80ba03cc4186b8d50f59f6402b

SHA512
39c7b135bad1333c2c3f6999e6ff977b4256e4398eeee4d544b60b028b765191b2a7189a0fcdb5bed7fe3846c1ddff12dee40f48f322862c6d8fee8a21af76f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce77adfe390d767e58341f7f3ab97105

SHA1
38b38e68ba22ec50187ebabdaec5d05a688dbf67

SHA256
c7f629a3ab69eecc3a3127b58113afa0cdc9dfea4ae7bbe80064efece8ba139f

SHA512
e2a591285fa6f1c90931788cb18816f76f6c117e5ec202dfa285f485163eb6de57f11705c027201728800711727e47bd0ec122f9d508d0871806efb28fd2deb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7a33afb55a334539af5f55dbba2e5bd

SHA1
eb5f80b5fd9b62ef54c0e2f86099a0b56baaf9f2

SHA256
0bd5a28951d3e8ebb805abfa56da815ae44eb5dd4039164193772d9146d67c4c

SHA512
30f646b922541d7ed2b6cfb97af0949682978f3148ec16ec43dd6027a0737d6de070e986fc1201e69f6ea74076da0dbcf0728f54b2493e7813ac8baccb55f4ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d530c80bd016730e58fbcf0ec9a5b69d

SHA1
ab742a5b37869f7e99398ce77c8774d17d9e90b4

SHA256
f0b3821a0c7cfc0f55c1672e8fc5df80078fdb02298d15a96a9932f7ca06106c

SHA512
6022a0dff17d742116a884745a73937534c61490a27286c376d89508acd6d53711aa20dfe6e46b630d68d8771c775a6710dd94908823074568ba2347f778c95c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d20c5bd5d81d75c34d74a5fde113c9c

SHA1
11eeb7cd8315b1c8893420b8fdfc91b792ced390

SHA256
8328910f86211f34153dfbb6b9822327e485562995315d0b0a35da98688678a7

SHA512
6c253747625d11907aad036118ebe4aa862184e8c5ed9fc99b59fadddd43947a92c4a5276f909994fb305f692c067708b6fdfdaddc25d4e409c48560dfcd1420

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d37c945d8e94f591f0478dd466ba34a

SHA1
d8833678b180d2254549e796d9eb0a13fe184e36

SHA256
e0d01a25ee2fcd9d609488a6ed0aca75e1871d62bd7376762b8a01f8d4ab68c5

SHA512
525745b6e4008e5f893030369a128a9e34631ea5523e3fdcd0d3b578a1e853c3d2de063f7881c51ad05ac1047e03b6b2462d795ee23d757577f0bbd100ad095e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
134c23375e4410001f6efc3600a0a454

SHA1
d3eb3b1c5bb47a0303dbd91e582b7e58eaa7c3b4

SHA256
a5c785311fa51c63f9e35486bfa6769793154a0fc432cc61f3dd8b1f935331f8

SHA512
a7754f7b748b69cd386d683e5a4113228d7360fc42f0bca3d0fcf11a9af57bbdc415112ecbc7ad7d8ee33771611c0584cb5d8bc0ea661aca0415163ff1832119

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
621e6ad777591a27816a35ab5e490c3d

SHA1
7b0d9a0767f0da978f1620b6023da76524ea1899

SHA256
057c2b9f3023841de0c134322cbcc07d7ac63876987f8c47dd8602a2ebe590a7

SHA512
5b451a6c90ae6a1cb420c3e30bd52f6960a14480d756e6003a414f9d70cb6bdaa2e77e7b9d77675d01968c737ceb53b094c680811dc1deb793905ae810c88ef5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15bf574bb937e6977917e60f9185f9f8

SHA1
5ba159452d89d83aaedfc111ab908bc5e4e87f2f

SHA256
23a04b4d6a68b75e41bafcf29d3d88d700556a0cf682b838459a9ede12fdde3c

SHA512
80e5d2e031034b16455c0a4dcf95323c91fca810caf778dbcbf61e22124db9e82a915eb95a6f6b1aa049f3ddedebd40eb7713a4b92f50f75a717867bae622c69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6f3945ce0ad8b9128903e154ac84ae0

SHA1
be5ffbd31c761de76b121b7fd4ea79cee5b467b0

SHA256
515be320f45f5a0c89e11ccd9f9c3cb3265dfb3a17a729a0b06365d1e72a89a5

SHA512
e53629a402bec14f0c3af6ae76516421d1cc7f76f1a1e773651c1d906787d4ab6fe490f6ed9319100db87b0d79f82213eeb0dc0a82a623403bce585da1dbc459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a5844d1e126c6ab6070a1dd52f4bdd0

SHA1
30b96ca6b025812e2864ca8ba32c7a71679d5b6e

SHA256
bb4a30c247910b96125e433f0898f227918cf694075a3f8985e4b33801fcc3bc

SHA512
c7a727ec8e960ed577e9c6d70f2806ede7c0b360beaee83ff0be235df889337de1a0719346ff8cf9296ff3ebe163f0e42345e747bd1ab127143ac5d3a8d56983

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
711a448913ed2518148dd719baebf81c

SHA1
527f7dafdada08394c9d6680ffb0edcfe14b08aa

SHA256
b54fa1ef8d8b25e085b9f699489d9ff212734245c191fb41c329ee86aac36a3d

SHA512
8947ccf718354571c17466a8783555536eb286fdc2ecd7e80e133e8f7cd8f3a378ab1e18bd70aa8be1ceeca9a1e1b2cbbc57a6b9d184cd9ce0e2357410044720

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c09e884b494740dbbe72f0e6c6cfec0

SHA1
eb0d62abe2c7f0972f3c9a3bb561d1a4b89f41da

SHA256
dc2172e3c52692ba7f41d62b08d6d0aaa1a3b68d0d777de31625b8e6f5efc0b9

SHA512
90f2a362ee9c641d50e60b4452390ff557f7b7f8ab1fb426009e1ac559f5dd4c082efd99ca5dc9971507b894907bbe7cb1d5085535c3af35bfb56347205d485a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49d632f67033ed654fcfa678e6c0df50

SHA1
e6af6d37fb5491a97b639da4089242300dc95c0a

SHA256
a6977f98cb8725e0df835b658789f54cdfa2d0edb52fcd253f543236cff32061

SHA512
ee4ce3f342c4fc3ae3524b355ebc7867f4dc402cb67c56e2138532a2fcfc2b1ea24726d96799bc575223529aed884e806329465bf1286bf8aba5ff08fe400011

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b68175034165b9b545f6e5ce4e7796f7

SHA1
689fafda3350bee1cccc2771c4c02020ba0547c0

SHA256
6be4d71b943b4b14196d3eac041282df540fe84be9a7ab3853361b50da5ac25c

SHA512
7bc4dd6e3f4de745e7fc15ea4c1ede1b29546d9cc9b6cdaccc3f8b34fbbe2d800842595f07b32ff140650d60fb1bc4759b80007c6aab15d8e7aea7bdf0329879

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9067ee981f252a8f51f4f56c8a2bd474

SHA1
daa41fa6a3f1ce7e0373644c4ef70a5d1ec387a2

SHA256
4708ef2c4b36a3d800ced681ade49c815cf784e80b7b47be31683311f8c6a0f4

SHA512
938c512242b8c0ae32a8963ef345decdcc6427ce4473ac5c0736c7fdf15cccda904cfc8f72033a6738507bf46279708844d55cb5f305b371e9e258827f0b9a2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02560077b13f5de46644e7951170905b

SHA1
953be41354ddb719c85ec1e669eebaec856a2c4f

SHA256
a08a6c9a48d2263a174da9a6579e96a2bde3600661f43a805e66d0c4770bc610

SHA512
25026954aa0455ac78c22a081d69b95771dd944f502cffcc15033d895e628204a37011bc140874457ab4a1d35ee207bc418127710a486dc60a145f10718c21a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f18e910630a96a8db88230e89c8ac22

SHA1
91e5cd0190474f3ca815f61fe189c493e66551b1

SHA256
9a6b813f30354099dda2b55a7a05c9e3154ecdfca588c5bd0e03d7342755e434

SHA512
5f36ab4758a9806bb1b1cf54050f2b7458905cd38b606e9f1ec6de282e08e9440c260dcd47b64844efd8dff49419dcc8e184d0765ed8ea5d50996152f4581ed0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1677188ddd2684400a98a4eef389de9

SHA1
2941a6218320f71be6561113fddfb2e159d7ac93

SHA256
d402155e4788c114e326c309f2a0de1ae9b6bc89874a041c0c189b44fb09b529

SHA512
53399365cb7889a5fe1d3c5ee150336faee757d8645930307556502b07cd744692d9dc976e5fdfe8d436aab997505d519b56f0f513c791706b79040a90ae81ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab190E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar19BE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbx.ini

Filesize
26B

MD5
47cd87bfe3bdf0a12bcaa80a6c5fabd8

SHA1
c7c99708f0d7f26a9b3ebea907f51d0f438853d5

SHA256
576476f8633bb3cda7ddc9cc20bf5aa34a68313270bc828ec5b623338109d786

SHA512
b078d58502b759d25acd52218bce6d89333d0df99af64d60b4232c0f4469da90e108a511287936c81beddc80ce80cbf3531751965206c12e4336c83ec3b940f6

Download Submit
\Users\Admin\AppData\Local\Temp\¼òµ¥°Ù±¦Ïä.exe

Filesize
163KB

MD5
c12eb4929834678ddc010cdd43c4e949

SHA1
8b4dd490057d87347fa0dd3469ef11ad5b9d5046

SHA256
5bb9ad66b2f99af7d8c71aa71842f0da103d78d63627133255eb7a1c5788f84e

SHA512
62c01a6f2efd25cf2d4eace26d299e288e3ebefba31cb0a30b7d4da14baa4a03bfdd1ecf4c0e4eecbfc55e118687add34b8956aed248366cb0cc22b25149fb6a

Download Submit
\Windows\SysWOW64\ACg9ycsarj8y.dll

Filesize
16KB

MD5
d0b4240e54c55db5957f8f5fccd04f99

SHA1
252956aa1276af9c61e075480be81677a9754b9d

SHA256
270992c8afee89f43c4c73189731119a04e24ad6c5337d5e585b91b0b1f827dc

SHA512
ac6058dcc8cfb9693bcb9eb7ab0158fea2369a5d96a63652ceece46540d1ab921d1f3b6db88eed32574d9d4ddef8dc5749f40a6da5cc913fc7e83847c8d6406f

Download Submit
memory/2076-81-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2076-57-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2076-43-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/2076-83-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2076-89-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/2076-14-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2100-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2100-20-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2100-61-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2112-13-0x0000000002430000-0x000000000259C000-memory.dmp

Filesize
1.4MB

Download
memory/2112-11-0x0000000002430000-0x000000000259C000-memory.dmp

Filesize
1.4MB

Download
memory/2160-8-0x0000000000120000-0x0000000000129000-memory.dmp

Filesize
36KB

Download
memory/2160-9-0x0000000000120000-0x0000000000129000-memory.dmp

Filesize
36KB

Download
memory/2384-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download