866ee1d09dd6ccdf816a26161b15d3b17917be57785961548d5b6177537fe405

Analysis

max time kernel
71s
max time network
73s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 23:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe
Size

232KB
MD5

9814f5b6ddba2aa1a9d8ed3ea72525b0
SHA1

4cf4f6469b9081448d0aaea382956f19f78373f7
SHA256

866ee1d09dd6ccdf816a26161b15d3b17917be57785961548d5b6177537fe405
SHA512

224acd9d10630439ef451002dbe1551ef4b3b10381d978ab34b5ebaf35da995e3d73be8f36a277b27dcd01dd687820e300efd39708b1d74336865bbb5d5a7c21
SSDEEP

3072:J1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1Vne1i/NU82OMYcYU:Li/NjO5xbg/CSUFLTwMjs6wi/N+O7

Score

8^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2604-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x00080000000174a8-10.dat	upx
behavioral1/files/0x0015000000018655-11.dat	upx
behavioral1/memory/2604-16-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ie.bat	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2740	cmd.exe
2532	cmd.exe
2788	cmd.exe
2852	cmd.exe
2576	cmd.exe
2540	cmd.exe
2572	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\windows.exe	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe
File opened for modification	C:\WINDOWS\windows.exe	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{83969C91-60DF-11EF-AD79-76B5B9884319} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c000000000200000000001066000000010000200000005116656061f0b1ed2e855d2fb8ba16dd436a5b78b273509eeb29ead3b6a530db000000000e8000000002000020000000bc2b7b9010dd99cbacd7402252eb97e138c8797336f15dc649330db8fb8c6ae2900000000fad76f556cf7ad5a63a5198c6c556ae7c5e5632ebf480430db4219b87610a6f2f7a649994fda2e526977a81ea9e9ad4a5ea3f63ddcecf5b0b7be2653559ff20a3fde91e4e49cd91340c2607db77cf6f26944989c752d9995453236c71c35e5eb4e405840a8ec1680882b4330a7c53b520a0f8362f9b3551d6f63bf6365928b6678c96cdb15b2d8e22fa98fd1b60941b40000000a4a2ed6cfa5d7770ec0086be4f381d4731fd7f944ff44861403b7000a0a02a9a99b2393520d845eb15c327afd536691bb9258458c00b3047dfa1991aee884522	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 108b5e5cecf4da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c00000000020000000000106600000001000020000000f428bf144895131cf1ffa8d6bfd01d8e41069f3d7f67feaa4e1e236cf8216b01000000000e80000000020000200000001128ba10eca01fe7ce9a4dcba34b72326329b8db38d374aeeb4edfa55bfdaacf2000000087b545043724fadd2e858650bdce6a659f050b221d6d8bd9b32421b7d5ccbb7d40000000895555bd66985c3e1595d57ce4b79a718cfa70806fe1d9ac77f44e71a3643fe3431afa82c6b09683dcdc056bd14785252bd66de43617217c81619a37960ef72b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430531730"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe
2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe
2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe
2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe
2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1224	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe
1224	iexplore.exe
1224	iexplore.exe
2976	IEXPLORE.EXE
2976	IEXPLORE.EXE
2976	IEXPLORE.EXE
2976	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 1224	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	31
PID 2604 wrote to memory of 1224	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	31
PID 2604 wrote to memory of 1224	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	31
PID 2604 wrote to memory of 1224	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	31
PID 1224 wrote to memory of 2976	1224	iexplore.exe	32
PID 1224 wrote to memory of 2976	1224	iexplore.exe	32
PID 1224 wrote to memory of 2976	1224	iexplore.exe	32
PID 1224 wrote to memory of 2976	1224	iexplore.exe	32
PID 2604 wrote to memory of 2740	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	33
PID 2604 wrote to memory of 2740	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	33
PID 2604 wrote to memory of 2740	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	33
PID 2604 wrote to memory of 2740	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	33
PID 2740 wrote to memory of 2668	2740	cmd.exe	35
PID 2740 wrote to memory of 2668	2740	cmd.exe	35
PID 2740 wrote to memory of 2668	2740	cmd.exe	35
PID 2740 wrote to memory of 2668	2740	cmd.exe	35
PID 2604 wrote to memory of 2532	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	36
PID 2604 wrote to memory of 2532	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	36
PID 2604 wrote to memory of 2532	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	36
PID 2604 wrote to memory of 2532	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	36
PID 2532 wrote to memory of 2480	2532	cmd.exe	38
PID 2532 wrote to memory of 2480	2532	cmd.exe	38
PID 2532 wrote to memory of 2480	2532	cmd.exe	38
PID 2532 wrote to memory of 2480	2532	cmd.exe	38
PID 2604 wrote to memory of 2788	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	39
PID 2604 wrote to memory of 2788	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	39
PID 2604 wrote to memory of 2788	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	39
PID 2604 wrote to memory of 2788	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	39
PID 2788 wrote to memory of 2836	2788	cmd.exe	41
PID 2788 wrote to memory of 2836	2788	cmd.exe	41
PID 2788 wrote to memory of 2836	2788	cmd.exe	41
PID 2788 wrote to memory of 2836	2788	cmd.exe	41
PID 2604 wrote to memory of 2852	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	42
PID 2604 wrote to memory of 2852	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	42
PID 2604 wrote to memory of 2852	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	42
PID 2604 wrote to memory of 2852	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	42
PID 2852 wrote to memory of 2724	2852	cmd.exe	44
PID 2852 wrote to memory of 2724	2852	cmd.exe	44
PID 2852 wrote to memory of 2724	2852	cmd.exe	44
PID 2852 wrote to memory of 2724	2852	cmd.exe	44
PID 2604 wrote to memory of 2576	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	45
PID 2604 wrote to memory of 2576	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	45
PID 2604 wrote to memory of 2576	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	45
PID 2604 wrote to memory of 2576	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	45
PID 2576 wrote to memory of 2524	2576	cmd.exe	47
PID 2576 wrote to memory of 2524	2576	cmd.exe	47
PID 2576 wrote to memory of 2524	2576	cmd.exe	47
PID 2576 wrote to memory of 2524	2576	cmd.exe	47
PID 2604 wrote to memory of 2540	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	48
PID 2604 wrote to memory of 2540	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	48
PID 2604 wrote to memory of 2540	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	48
PID 2604 wrote to memory of 2540	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	48
PID 2540 wrote to memory of 2596	2540	cmd.exe	50
PID 2540 wrote to memory of 2596	2540	cmd.exe	50
PID 2540 wrote to memory of 2596	2540	cmd.exe	50
PID 2540 wrote to memory of 2596	2540	cmd.exe	50
PID 2604 wrote to memory of 2572	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	51
PID 2604 wrote to memory of 2572	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	51
PID 2604 wrote to memory of 2572	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	51
PID 2604 wrote to memory of 2572	2604	9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe	51
PID 2572 wrote to memory of 3032	2572	cmd.exe	53
PID 2572 wrote to memory of 3032	2572	cmd.exe	53
PID 2572 wrote to memory of 3032	2572	cmd.exe	53
PID 2572 wrote to memory of 3032	2572	cmd.exe	53

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2668	attrib.exe
2480	attrib.exe
2836	attrib.exe
2724	attrib.exe
2524	attrib.exe
2596	attrib.exe
3032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe
"C:\Users\Admin\AppData\Local\Temp\9814f5b6ddba2aa1a9d8ed3ea72525b0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\WINDOWS\windows.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "c:\system.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
66e6a65e84134787fce64fc3429bd94f

SHA1
6c9afa96efeff7b65001d7e679d244a647d020d8

SHA256
3ef64c610309b1eacd32fb6fe6b33dad9a3b825fc4f5522cff8fdc4cfaca0ddb

SHA512
55cfbecd36411bbee6f8179deb22bc05ba19b0347f4d15c470479e805470844a442f31b6c5bf0585b230c8b4181857f15a2a916c484401495074524010f3d836

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a68b562c9047a6c99e8c0e9b189b7b7e

SHA1
8b84153e8335e0d83e58aac3c3631c0fc9ca5ef2

SHA256
99256620f051980d36e1ce35dbae3f36eda1eb32a3fc82116bca0cfe12240d96

SHA512
c14c83676bce0ef824186f5ae38d4bd835d5070be9835633fd7cfdf39131a7760f6a375809c39e897667f91c1c96d10c0963ba577f3fa71890bb44db153c05ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b6864967fa3d40ae8e807a9ce98811d6

SHA1
e8dc800f2b90b283bf004c53533c06a1a185bdb2

SHA256
5e165e8a740c03c49087371aabf21a48a4ab5432837cb956672c1db2ff587003

SHA512
e4ef5b480e28673dd4e7508dd2a1cca8911c73b1ec2d12589ed81dc80306a0459b2314e7fe806fcc6ea155d185a3ba1be68920855600786ca5708be06da34fbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d92d4bca2ff7c161bb6d0347b4a40e4d

SHA1
7f7dfe80fdbae96cbf73fa43c3f4db7d5654f40c

SHA256
3d459743945c08465c371c54d6bd8de6e37e21f4a31359e2cf8c553b017043c5

SHA512
c6f98b964f90282c78a69907505be39fa182e7c85e62802832b712f0cf9a4d686b7b3f78cbd92d41ff253faf01252067d44646c0ca3eee03bd82bfe2d71b7d80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2c0e8363a79836d80331fb30debed84c

SHA1
20ebd932dbbfeea14d9d5c26a9624145091220fb

SHA256
53d8e07e0b05466aa3790258c5d61a51bab505b71a81e2fe6ebe7ded87459561

SHA512
cb00607c97915c296e90ad3cb93ddd9bebd8a67d7b6acefcc765b141b0aa1c213f0770628bf649cde323408dd1397fc1eae34cf2833f7a26bee1ce0a10fee3cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2bd09624f4cc799115195655317dff95

SHA1
3ca2904987fdda4e213d56e153c218362f30ec10

SHA256
6ca5ce114395bf102579b4b3aa98426a4ef8f4cb504c4f74d23df111034aa4fd

SHA512
df1e15f28d86e89766eb8104ab2a2799ec3476dfd77dd452ca553652bed1439f41fa720fe590181cd7b9cda5d339dec7ce74b4032a97a3d5c600026663270477

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d87b6b913d1053279d635664894b52b5

SHA1
47b11e79917ecf7a7f64f1d8cc805c766ec4f9de

SHA256
340a99b518e1fce529a0e46c9ea054cd9b305ddecc11d347a9d3b3a6f4871d86

SHA512
06df842599e01dbf927733e9f7e6d3987707a0ca31d2b3d2eb92ced16f93f6541b21cdd64dfa680918edfd908ac65b43b58cefd2751f2b3920f40539604fa1b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b3223339620b048e2da5b607fd8fba60

SHA1
aa0126628d20ed80126772da241f39b5554bd5b0

SHA256
ea05bc071cad5e50d7bdbfa291339396eaa6659b279e703a3f31bc9e0dc3a028

SHA512
10f9a807baa73a6f9a3396fdfb21f7f9946c46651fb0a2764d7fcb9eed64d237a4cdf8e07d020b489ee97c2ddbff97f5fd3d8771189ee8db90e4a4437481bf0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f35b789ffb3eb39a56b85218c898ac99

SHA1
5a64f5d6b648b42c0e463ebb04d0c3ec757cf35d

SHA256
588b086aab9f36ee366d320b9d40f18c70cc7512f8382e44065a5f2e7faadbf1

SHA512
8f635a5ed916da0ac817291e9741893a66f140e3c6b671c71c22c095b00788aca430655cab7a4e4e05efb2d8a4b22029bfd852946a0f0fdcde0a479576097fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab53F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar600.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\WINDOWS\windows.exe

Filesize
232KB

MD5
d37584fdd5959d934254535ec27b28b5

SHA1
0285e946805a651afb8c41fafc83857bca82e9ea

SHA256
d73d902399cffe2944e5e10b10f772342d82587b8b64cf80d74a79b9a871c2d0

SHA512
0261f54ba298ef2219b48a1058043e90d38d6fd04f77eb76c205e547c7ab8e501fd7337355bbca0149af522be64b3bd3a1c27ed6cd4f3bc3daf036900fefa677

Download Submit
C:\system.exe

Filesize
232KB

MD5
2f83cea8a9e5660f7c0dddadfc04177d

SHA1
3a3a02b7ba1709d1717c261d7684747782db93cb

SHA256
767f7e5b9684d3b5ad31c5cc897d42d6c0b4adaeb5a95e183d259898e8119829

SHA512
3087724d23db43864eb0a17a069492cbac504e57350a6f511154bbec8b6454157d6dc31086dd60962128998211839db3f3d1ba26788379ea23c5e89c928e6afb

Download Submit
memory/2604-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2604-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download