1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601

Analysis

max time kernel
92s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 19:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Size

92KB
MD5

f4be08068c4a95969310d0ee27f3ee8c
SHA1

46f2606b6b84ba5f22af7c0eadc809c502144669
SHA256

1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601
SHA512

9db7aa60dfed027b150dde92235892a8e1f77f97c0840e5ad7e8edd340a030e87b3c18702a53b88dfd2d12a68ef632f99367426df1203c5d202e5b42897c6ec0
SSDEEP

768:AiNeDLfC/mwcJhfCL8aC9R1KVboVsCOuS2GsjOStmoJC6KXIwKmpk55a0B8yGgIr:Ai4Jbxb2pk5wW+ZYzu

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe

Deletes itself 1 IoCs

pid	Process
4892	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb5100000000020000000000106600000001000020000000c307876f1a03449df7b5923f3e9937130ecf2a376f127ec8b9bc82f90a879943000000000e8000000002000020000000e048036285b5fd9e718a3331895b0ba3348eb152df4c6c1ebd99ffcdefa31265200000008fb4584c6f208395490a5016726bb72f0af8f26ebc8f13dbff7e94352a314ef040000000df61ba786725ed6712b5540f57f863f55bfb5c68e12e6c724b93bc90df535f036bac14c8b674b57c02915eac33c2b6415ce95d73bdc19c94bab465ac074e04a2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.520921.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "201235716"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0e0930d7f0fdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31133567"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "201860701"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\DOMStorage\520921.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d00c9b0d7f0fdb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\520921.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\520921.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\520921.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3788E19D-7B72-11EF-B1C5-C63D5579F9B2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31133567"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31133567"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31133567"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "201860701"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb5100000000020000000000106600000001000020000000bc68ab0e4363a7f0ce47ba91e82484f2e50a0558514e66c5fd2059d107eb3c73000000000e8000000002000020000000ae5542ff6d1b032da63e579eace1d95180de1650d84ed40b8765adb10325703d200000008934941d26c5648b06014302d756f043d627d2ef8a773fd171d0735f201aadbc40000000376ec81bff7f6750a911243377040fc013c810910bc2bfa1b5fe767f950c2b4e663010477d7b04a93c73378b618006136d894f2417a3a9251334b1ff7926d377	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "201235716"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.520921.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434056570"	iexplore.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&O)"	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "1"	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "1"	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ = "????(&O)"	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&O)"	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ = "????(&O)"	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://www.520921.com/1"	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Explorer"	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://www.520921.com/1"	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\IntroText = "Internet Explorer"	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe

Runs .reg file with regedit 2 IoCs

pid	Process
2516	regedit.exe
2804	regedit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4688	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5084	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
4688	iexplore.exe
4688	iexplore.exe
920	IEXPLORE.EXE
920	IEXPLORE.EXE
920	IEXPLORE.EXE
920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 4792	5084	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe	85
PID 5084 wrote to memory of 4792	5084	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe	85
PID 5084 wrote to memory of 4792	5084	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe	85
PID 4792 wrote to memory of 2516	4792	cmd.exe	87
PID 4792 wrote to memory of 2516	4792	cmd.exe	87
PID 4792 wrote to memory of 2516	4792	cmd.exe	87
PID 5084 wrote to memory of 4688	5084	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe	88
PID 5084 wrote to memory of 4688	5084	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe	88
PID 5084 wrote to memory of 1272	5084	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe	89
PID 5084 wrote to memory of 1272	5084	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe	89
PID 5084 wrote to memory of 1272	5084	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe	89
PID 1272 wrote to memory of 2804	1272	cmd.exe	91
PID 1272 wrote to memory of 2804	1272	cmd.exe	91
PID 1272 wrote to memory of 2804	1272	cmd.exe	91
PID 4688 wrote to memory of 920	4688	iexplore.exe	92
PID 4688 wrote to memory of 920	4688	iexplore.exe	92
PID 4688 wrote to memory of 920	4688	iexplore.exe	92
PID 5084 wrote to memory of 4892	5084	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe	93
PID 5084 wrote to memory of 4892	5084	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe	93
PID 5084 wrote to memory of 4892	5084	1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe	93

C:\Users\Admin\AppData\Local\Temp\1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe
"C:\Users\Admin\AppData\Local\Temp\1b901588f2a677e36241ec021fe2c6f932279f41ebb58856d47ffa393dbef601.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s c:\reg.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s c:\reg.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2516
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.520921.com/?1
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4688 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s c:\reg2.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s c:\reg2.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2804
- \??\c:\windows\SysWOW64\wscript.exe
  c:\windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\Killme.vbs
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
bf94c1f95b86846942364d11a17851b4

SHA1
63700cc94ae31ecd3bb028332dcdf9a0964ed406

SHA256
66481be25e3d5754ba4c58aa4cceab5cf66f4c82b3bb45d82d6980822efb075d

SHA512
e7a4f19100de4abf24c3cc89e913ca1f5d81b64b6bcad8a377a4d540e45f65b805aafc0ab78c5c2ce7b6b02ad51393272d20996c5d188e4ceabc40c4b9a310cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
eb9575ce4c5cb204ec9e57b14e93c309

SHA1
03d98e89420bccadd9c547c50c435e1617e87763

SHA256
7a378fdeb9788f502ad223de6783d1d8bbb751406f4a46fe25c8d3506b5ee1dc

SHA512
b00c7d25315416e762c46d2dd6289f3962f36a5ee31d53ce23df18a1c90e98f9ca984aef661d9924366350caca23f343411c88baeb2ba6473ae2dd8feeef73ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver265F.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HDB1LPD\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Killme.vbs

Filesize
307B

MD5
e1087903f490ee4bf4c7461716325ca7

SHA1
017645220da9abde5a27a5137d7ccde532ccc93b

SHA256
90e4a46befe4f3f233a47d234feeb2cbac8e290ff829cb2e8b49efae0c32e5e4

SHA512
d2be9be0ac4da40bd60319a839c1660ac0bfc72c193fe113653b89741171ad328286f1ae8b55902b00a607b4b4ae4765301ba15fb02844413f530c678eebefc6

Download Submit
\??\c:\reg.reg

Filesize
195B

MD5
d074af1950aed38a9507428f23df9ad2

SHA1
0313b03e880b283cfacf64aea25c54259d388201

SHA256
5f3cd51950de3b9c7f8bb8a14cf5c39f3d480270d89a7c8fabb54900c9c34ca8

SHA512
484029eb461a182a9b088f9912047d455749381eab696d15af719f020f4982b6a331b20f1ab5437a8f9312724770ac26791f83d20c79e0e1b1340e53d1122fbc

Download Submit
\??\c:\reg2.reg

Filesize
450B

MD5
2944837920fafc0892eb196e7d774b23

SHA1
31269a61616a0064576e0e6a93e23722cf5a2057

SHA256
1c2c0c933e0023e7a24cdd4dd5bf363b00449094d3dc9ff3e7188d893e2580dc

SHA512
027b5677254eb8582a672cee88cd5c82dce09170fdc2fd47e9dfaacbd29b691719a5c7ecacbae1fb8c3a5d4a5243e9d3aad64be63e9c788e01f6dfd24f0e003f

Download Submit