0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
Size

88KB
MD5

c5cdf1176286efaa5fc3d7185d0e51c0
SHA1

a7dabf9f070ff73be95a488393d988cd8e6f1ffa
SHA256

0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814
SHA512

d371bdd24c03096d5c67fdfbf0758cf22a1a129fefaaf61e602fb9ab26271e700bdccf31bf0983aeb96608cee1f4f9fc1ca45e5535730bedbacf87bb6b682e9a
SSDEEP

1536:8h7xsCKosi5pzjIcdRiTpqMGxs3lh7xsCKosi5pzjIcdRiTpqMGxs34:8EhWbcpqIlEhWbcpqI4

Score

8^/10

discovery persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "ntsd -d"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\debugger = "ntsd -d"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "ntsd -d"	reg.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe "	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jconsole.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\msotd.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jstat.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\dotnet\dotnet.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jmap.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\pack200.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\serialver.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\xjc.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\javah.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jstatd.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\javaw.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\policytool.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\java.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\klist.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\keytool.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\orbd.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\pack200.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\wsimport.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\jjs.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\javapackager.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jps.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\kinit.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt \ = " exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe "	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe "	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe "	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe "	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 3336	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	82
PID 2792 wrote to memory of 3336	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	82
PID 2792 wrote to memory of 3336	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	82
PID 2792 wrote to memory of 4440	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	84
PID 2792 wrote to memory of 4440	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	84
PID 2792 wrote to memory of 4440	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	84
PID 2792 wrote to memory of 1140	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	85
PID 2792 wrote to memory of 1140	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	85
PID 2792 wrote to memory of 1140	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	85
PID 2792 wrote to memory of 4348	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	86
PID 2792 wrote to memory of 4348	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	86
PID 2792 wrote to memory of 4348	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	86
PID 2792 wrote to memory of 4556	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	87
PID 2792 wrote to memory of 4556	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	87
PID 2792 wrote to memory of 4556	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	87
PID 2792 wrote to memory of 4592	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	88
PID 2792 wrote to memory of 4592	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	88
PID 2792 wrote to memory of 4592	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	88
PID 2792 wrote to memory of 4396	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	89
PID 2792 wrote to memory of 4396	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	89
PID 2792 wrote to memory of 4396	2792	0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe	89
PID 4440 wrote to memory of 940	4440	cmd.exe	96
PID 4440 wrote to memory of 940	4440	cmd.exe	96
PID 4440 wrote to memory of 940	4440	cmd.exe	96
PID 4440 wrote to memory of 2776	4440	cmd.exe	97
PID 4440 wrote to memory of 2776	4440	cmd.exe	97
PID 4440 wrote to memory of 2776	4440	cmd.exe	97
PID 4440 wrote to memory of 4056	4440	cmd.exe	98
PID 4440 wrote to memory of 4056	4440	cmd.exe	98
PID 4440 wrote to memory of 4056	4440	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
"C:\Users\Admin\AppData\Local\Temp\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\123.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:940
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:2776
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:4056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c assoc .txt = exefile
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
  2⤵
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\0589a4577444ad44f26bf0c27d53fbc74b07eeb6cd0db927a85576c06224c814N.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\123.bat

Filesize
443B

MD5
70170ba16a737a438223b88279dc6c85

SHA1
cc066efa0fca9bc9f44013660dea6b28ddfd6a24

SHA256
d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a

SHA512
37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
88KB

MD5
90a9a90e8c1e2e1b95ea9f71eb8c53fc

SHA1
0b82e7a00dde5829cabcaf1efd08112bac9f8b44

SHA256
ad46c59a20d00952a9e3a1769f10cb45ea18e6d59cfdd35f853c3eb6fdbb60c5

SHA512
b7e9b29fe3c3ebde728d29f7f3e050136a5a47cc48371a1a714b9fb57bb3f59e9c6aab569a1a7a39c0221cd373ff80f17e872246eaa51addfa43264a1bcfb421

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads