2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5a

Analysis

max time kernel
103s
max time network
67s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 08:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe
Size

232KB
MD5

e2b911be24eeeedb2024a8ee9dfabe90
SHA1

c58de4d5c0ebb0b831aef9999079505a72e74bd4
SHA256

2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5a
SHA512

61986dcdee5a449b894366303f7c112a5e09717486b5e7a0de82b3f76087ebf832fdf90d9566868f683684d26578afd738ce5a607f14279fd3b91bf46d579e5f
SSDEEP

3072:61i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1VOz1i/NU82OMYcYU:ki/NjO5xbg/CSUFLTwMjs6oi/N+O7

Score

8^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2376-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0008000000015ed2-10.dat	upx
behavioral1/files/0x0008000000015f96-11.dat	upx
behavioral1/memory/2376-16-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ie.bat	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2660	cmd.exe
824	cmd.exe
2864	cmd.exe
2296	cmd.exe
2196	cmd.exe
2752	cmd.exe
2584	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\windows.exe	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe
File opened for modification	C:\WINDOWS\windows.exe	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{305D9EA1-77F7-11EF-8287-5EE01BAFE073} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433070769"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30252809040cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000001b12d0b3f759a1583a43207eabec69d6c9a81d4d5bea61638252dce8fa49aca8000000000e8000000002000020000000d7eb34a92dbc1d926fbc1f5a32c7ec549dc78dc12523c5d78e08a3c4db189d5c900000007040465dc9973329b06112005dded1028cc80db15441e7a820a927e64865dbc671e1ccf2827a095592a4c6ed40b78559a48b309cc1a87b1e2d1bc602881024f86a8f41d80b02a64a069f489ff49c24f11e217339a527b0b10e5bf41ecaf8341e0c9de36752c5aee62794668f1961150bc33b88be746e1b8c719ecc60de9cc4ce6c54c1f3204d9e80a45e375efa60f0cc4000000052725fdcb5b5464029146752c150eef0721d0aeb9e41ab899e51712aacd9aeef05ac6c03c6a16ac560bc7dd38ae15f528e60f4bc7537c9cf541740af7425452d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000007d3894d99bcb59da9bde1f3f17f2b88201e419056200826366287c4eabb46c3d000000000e80000000020000200000004e5d9f695d7070ee2115433df8a4f4d0212a053e74970dd9f4aeb5c72d6a3ea2200000007f9f29b3cd08f8a75182d910687f091b9d043203294e030e5263eb2142f7f8ad400000005d6f5a0773583810e8c8a9a99e70fe38c6d6bc1ca84dde4241fba2b30785d4cc107554f3436dbb32a3c102c62428730759a4eca84903ed161abca418b6a9b379	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe
2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe
2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe
2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe
2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2328	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe
2328	iexplore.exe
2328	iexplore.exe
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2328	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	31
PID 2376 wrote to memory of 2328	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	31
PID 2376 wrote to memory of 2328	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	31
PID 2376 wrote to memory of 2328	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	31
PID 2328 wrote to memory of 2424	2328	iexplore.exe	32
PID 2328 wrote to memory of 2424	2328	iexplore.exe	32
PID 2328 wrote to memory of 2424	2328	iexplore.exe	32
PID 2328 wrote to memory of 2424	2328	iexplore.exe	32
PID 2376 wrote to memory of 2864	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	33
PID 2376 wrote to memory of 2864	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	33
PID 2376 wrote to memory of 2864	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	33
PID 2376 wrote to memory of 2864	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	33
PID 2864 wrote to memory of 2432	2864	cmd.exe	35
PID 2864 wrote to memory of 2432	2864	cmd.exe	35
PID 2864 wrote to memory of 2432	2864	cmd.exe	35
PID 2864 wrote to memory of 2432	2864	cmd.exe	35
PID 2376 wrote to memory of 2296	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	36
PID 2376 wrote to memory of 2296	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	36
PID 2376 wrote to memory of 2296	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	36
PID 2376 wrote to memory of 2296	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	36
PID 2296 wrote to memory of 2748	2296	cmd.exe	38
PID 2296 wrote to memory of 2748	2296	cmd.exe	38
PID 2296 wrote to memory of 2748	2296	cmd.exe	38
PID 2296 wrote to memory of 2748	2296	cmd.exe	38
PID 2376 wrote to memory of 2196	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	39
PID 2376 wrote to memory of 2196	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	39
PID 2376 wrote to memory of 2196	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	39
PID 2376 wrote to memory of 2196	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	39
PID 2196 wrote to memory of 2624	2196	cmd.exe	41
PID 2196 wrote to memory of 2624	2196	cmd.exe	41
PID 2196 wrote to memory of 2624	2196	cmd.exe	41
PID 2196 wrote to memory of 2624	2196	cmd.exe	41
PID 2376 wrote to memory of 2752	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	42
PID 2376 wrote to memory of 2752	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	42
PID 2376 wrote to memory of 2752	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	42
PID 2376 wrote to memory of 2752	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	42
PID 2752 wrote to memory of 2700	2752	cmd.exe	44
PID 2752 wrote to memory of 2700	2752	cmd.exe	44
PID 2752 wrote to memory of 2700	2752	cmd.exe	44
PID 2752 wrote to memory of 2700	2752	cmd.exe	44
PID 2376 wrote to memory of 2584	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	45
PID 2376 wrote to memory of 2584	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	45
PID 2376 wrote to memory of 2584	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	45
PID 2376 wrote to memory of 2584	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	45
PID 2584 wrote to memory of 2012	2584	cmd.exe	47
PID 2584 wrote to memory of 2012	2584	cmd.exe	47
PID 2584 wrote to memory of 2012	2584	cmd.exe	47
PID 2584 wrote to memory of 2012	2584	cmd.exe	47
PID 2376 wrote to memory of 2660	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	48
PID 2376 wrote to memory of 2660	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	48
PID 2376 wrote to memory of 2660	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	48
PID 2376 wrote to memory of 2660	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	48
PID 2660 wrote to memory of 2108	2660	cmd.exe	50
PID 2660 wrote to memory of 2108	2660	cmd.exe	50
PID 2660 wrote to memory of 2108	2660	cmd.exe	50
PID 2660 wrote to memory of 2108	2660	cmd.exe	50
PID 2376 wrote to memory of 824	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	51
PID 2376 wrote to memory of 824	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	51
PID 2376 wrote to memory of 824	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	51
PID 2376 wrote to memory of 824	2376	2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe	51
PID 824 wrote to memory of 1744	824	cmd.exe	53
PID 824 wrote to memory of 1744	824	cmd.exe	53
PID 824 wrote to memory of 1744	824	cmd.exe	53
PID 824 wrote to memory of 1744	824	cmd.exe	53

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2432	attrib.exe
2748	attrib.exe
2624	attrib.exe
2700	attrib.exe
2012	attrib.exe
2108	attrib.exe
1744	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe
"C:\Users\Admin\AppData\Local\Temp\2aa0325ff08421ac6e5644d98ae20f90862910cfcea899c5d009e5fe72bffe5aN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2328 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2432
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\WINDOWS\windows.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "c:\system.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbd87b45e2613df3642736cf6e157f41

SHA1
4c7bc0d14a1a58381ad5069af7ef024b30207260

SHA256
36765c92fe12fbc6335ad954f4056af17d7262b5f01a34943085b876e26943fe

SHA512
f31b8a04c18ff3a613b5ba33c7b167f5442dd25703ef17df31e93e39b3ea0a090f15a61bf28cbdd18c7c0c820176cdb303a7ee1cf9ea8421966867931507b5e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4209cd19c428ae92d4aad1c8f352d241

SHA1
9744a1febea4f96268c239a3d6ba7f939cf2c5a4

SHA256
45fa8531cf006a7648395ab4508c4dbe39b30367c64b0a9fa4a5846d800c3fdc

SHA512
3371f29594d55091b8534fb834f4d44af1cc80a75698282835acb5a274265d8c6f508e474ee47b4a497e2f447c46f2bba7c2c1a58031ca3e63e04453a1bec4e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51cf44a2ada5c054050ba3069c624a96

SHA1
c0b1b7b387af8960c0be7ea020194137f8b48286

SHA256
214c56b86ffb03749b164cfecc340c862d999308bc0b21ec69e4e7a1013a8b28

SHA512
1d9fa6f7dae7f4b888ec9670eb072f10c541f3d12a8a7dc6674198cdfa460162642996b881f172f97178d950fd609197fefba0539d5e4310275856b3e51fdb71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c28fac0047975c3d5b3ada3d238678e9

SHA1
34f4257b6b96ed69bb3eb8a412670c1d13f20046

SHA256
acf39a9e98610cd82d5b293f7ec64fc6154cbb1d2e791fdbad8bb81a7518de50

SHA512
7215e3ec3e49bb3a489533844cde71f0b2189aa51c6ac54077340307e1d5bbe6ef26153cc8cc02cf7b2e11045f932ae996237d84c7c8990e246ee927fbc49a4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71426256754e56c39cf6484c170b7318

SHA1
490f86dc4c5621d451534b1a346bf327675ba5b0

SHA256
55bbd32bc766cb4eb4cb8f81104b842aaf3560f1de9286d82a1e0d26c16c01d2

SHA512
e65a5e6b10e696fc9504b0a0a2e774318a0ca93a2ef0bcc7789f0bb8d1feaf997b879955090f3aeff8ae811f82e1f36520e0cce2e6a9917499b170c898852fa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c182e02857a421f0b51afc66fffe74d0

SHA1
d61a40ca8f63d3e1c859d8c02d80ed6729d9d2df

SHA256
7868522e179dd3d72e3d13d1f965d8c75f3d645268f2ba0e29ae4f32ef284ce7

SHA512
897907190543dafed5234bb4d5b215ac160a668f1feaf80a5bf4b2a33d60eae87e194d58c279e68a5ba6d49a4a4335a11ad4c523a717a045088329446af2c7de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
002d3ebf4ed586cea38e106cb90c86a6

SHA1
26ef48ecc5b1f6f3604b7f68b7e717cd6188ff55

SHA256
47f5cdf1735cd9452d67729479da2e9597adf53b6b44fc31b48d6a0c12deeb39

SHA512
0cdb74c6cad934635ba3bc24423a2d1d1774ff1b7ccfbeb4d6bba62804ea0b2a791cf56d3b24695e5eb8f7d534a9df47d9181cd70257babf332adee5cafb620f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45973d25d9872488dffba272af69dfb4

SHA1
451a03dd5551a72979909aed4bdcedb557bb91e4

SHA256
251df989cb236bead17dcca1518f78101f4d441f1d90a88901c39e24c6696437

SHA512
72cc4098a992d1e0b587ed90012f8051dbd0d84561dcc2f05053c0c0915ed16f69d84ba5541c0c5a13dff00d44ba48d109848bf1aeaa875c0abe943fdc63f2e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78bfa7e068f81ef1908bf3fcd59aa843

SHA1
90caef3945b0ab356740be8fa9f808fa34049f06

SHA256
5be46b15eda9e88c4a40aae4b741e11e0a2bcdb14bbdf237cbd8ca95b23fcf6f

SHA512
b67b786774f8e2b5b8ef5d70b0847f1f1981e8ac9af15c7090e5a94c483eab5ae06f9fb3b6f41027388d91b63f9d11bbbd637e160b391ba7b057c5b9321c214f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
449493a2217c926577bb30bd56fc7918

SHA1
c67bcb8be47753c31c9e13b5e1744082228b89df

SHA256
ccc23500c9e417ba1937fb110ca2c3ae758249a2cd22f5ee38b4bd91d600833a

SHA512
d3715bf760dae5b7677c5f8fe12d2f480619d458ba474b07ac694c209685d5aa54e75e99821363e7b8139c28947c54204b066fbecfad36158b7baee989fc0a8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef235486f680352deb72669789d6ad7b

SHA1
625e1dfa079856dbbe62583277d320553b686343

SHA256
f47bbb30018fb6a943dc5ce8e9350cd6f6658baecd4d509e4517c4d400cb2b7c

SHA512
88817f531a68c2ffb72b3a1dda569f6c27d2ee28028cbfc63803de635ac6b3b3c6ca391c4323442267d8ed63bdf2b8eaecbffb104a60bd0d9e77fcfb62fb2070

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b8a28357bc9a82df3f48e81c358b5ac

SHA1
5c2b687722c9d62bcd9778d72c50043334df2146

SHA256
ecbf833bf0f374f2d251de8c0243b7f0137f7fb49f8258c2b365cff63cfda5e5

SHA512
9378d1fa7dac9ff88b56af93ecdbd6df4686869b51ce4c8c0018e0cd647cfd4c2ff6ae149f7f1b7176c4162018f93f34bea5898c1f346cb33305544225b07188

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b21642a9a55722d9b9742976ca36263d

SHA1
d149f66736113a6a9a65dadf4435416783829b30

SHA256
4b7eac3a28c4d226e1b02cad48ffae4e035d0ba89a7e7922a02aab21dad2890e

SHA512
32c2890998b0bb78814557ab3d385f1a488c03d3e33b270e73b45685309cca59923ab6dbd5af5810f6e90734cf8f06e9f6c3eada3ab07ff237de661ca37a287a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3E8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar46A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\WINDOWS\windows.exe

Filesize
232KB

MD5
a46cbda5947262eab38e7fc2a9b3d443

SHA1
924e5906c5745478f5e7e94e0b333ea9def8b144

SHA256
d782c992a18bbea5ec31f1470ff5c22c9481941172a8cf6a07cd8afc159ba986

SHA512
05ab7f4c6ab31b67386d1c5e62f6f4549ecc1f1ffb82019ee32c76ecb1d4f6f3a1b233c144bcc4feeb10fc8ddc0fd1b36dd47257a9e5a1a9cf446b4495937222

Download Submit
C:\system.exe

Filesize
232KB

MD5
8eca6c15068b3300c0104e243a16b83a

SHA1
453daca4c9c1c867da905f5f2e65161593db994a

SHA256
595aab730c1350d9f0c321f20819e9fe155b4b7d1209a73f4d99ec690c6936ba

SHA512
a4854f5198805c65918e8684796fce74fa7b6ed9edd063f90b97e84dd20e70e7ae8dbced35a6f4c33f13055260f0a922c527ef3a62983b2a0fc5632be3645e44

Download Submit
memory/2376-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2376-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download