600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47

Analysis

max time kernel
93s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
Size

1.4MB
MD5

f582e72d5896581b7ecbf6e2ba92a6b0
SHA1

c9ad5b724685bcd3f726371cb3bdda33460973a3
SHA256

600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47
SHA512

5c043b2d327e837a0cbfaa7afdbcc5bf0f0d9d1e11410c414ee2ae1657284df47c65fac460eb2d9e06918c95fedf31abf0b5217dffbe8828b04d2e3ce3315989
SSDEEP

24576:5jr/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVCs5s:t/4Qf4pxPctqG8IllnxvdsxZ4UW

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Wscript.exe

Loads dropped DLL 8 IoCs

pid	Process
3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\soft143222\wl0322276.exe	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
File created	C:\Program Files (x86)\soft143222\MiniJJ_12319.exe	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
File created	C:\Program Files (x86)\soft143222\pipi_dae_382.exe	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
File created	C:\Program Files (x86)\jishu_143222\newnew.exe	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
File created	C:\Program Files (x86)\jishu_143222\dailytips.ini	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
File created	C:\Program Files (x86)\jishu_143222\newnew.ini	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
File opened for modification	C:\Program Files (x86)\jishu_143222\jishu_143222.ini	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
File created	C:\Program Files (x86)\soft143222\a	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
File created	C:\Program Files (x86)\soft143222\B_2220112205222215322214222222.txt	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
File created	C:\Program Files (x86)\soft143222\2220112205222215322214222222.txt	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
File created	C:\Program Files (x86)\soft143222\d_1422.exe	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
File created	C:\Program Files (x86)\jishu_143222\FlashIcon.ico	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135670"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "213136134"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "212042514"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135670"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434959803"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb5100000000020000000000106600000001000020000000a28c451c7da7208279250f26651aa5da44f7201dcb9e02670e45e10d0548e7da000000000e80000000020000200000001eea108c3c96616fcc3c4d50bc80b12a52ce5a07218f978412966a939811812b20000000c841b901eeba895b4598efd9c4874b596980e943e8d37ad1e24165fd8129a15640000000084508438801cddcc8f53cb13a43ce62fce235169e29f454644af7eed423af76ba0061d0b8a54c131b893582eef0a69f6bbf859359ecab1471589f6829a74e0b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 706a8815b617db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "212042514"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "212042514"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135670"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb5100000000020000000000106600000001000020000000b7da26e359fd32433d7106480e0ea7657c393083d22ed1e2f74fb26e040c90e1000000000e8000000002000020000000628c0e3854a29f299d4b673bbcebf7a83fcf1e78b730cc55cb29aff98e655c8e20000000c3efe6ef606db0bd3fbdecae95c54ee75ada7ccc5178d46f794f44b9b36fe31340000000860c2a50313cc54fa4ffea861880b728f1472b1b4d069f77f3d1ba78ecea194a11511153e9df44dd6e8e6d299e7d48d6a95a6e24148b0a8ad252b0e71f64e9e3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135670"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135670"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "212042514"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "213136134"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135670"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3826E5B2-83A9-11EF-B1C5-D20DFB866B4D} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60258d15b617db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{382BA990-83A9-11EF-B1C5-D20DFB866B4D} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1668	IEXPLORE.EXE
2816	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4376	3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe	84
PID 3192 wrote to memory of 4376	3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe	84
PID 3192 wrote to memory of 4376	3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe	84
PID 4376 wrote to memory of 2816	4376	IEXPLORE.EXE	85
PID 4376 wrote to memory of 2816	4376	IEXPLORE.EXE	85
PID 3192 wrote to memory of 5056	3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe	86
PID 3192 wrote to memory of 5056	3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe	86
PID 3192 wrote to memory of 5056	3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe	86
PID 3192 wrote to memory of 5088	3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe	87
PID 3192 wrote to memory of 5088	3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe	87
PID 3192 wrote to memory of 5088	3192	600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe	87
PID 5056 wrote to memory of 1668	5056	IEXPLORE.EXE	88
PID 5056 wrote to memory of 1668	5056	IEXPLORE.EXE	88
PID 2816 wrote to memory of 2024	2816	IEXPLORE.EXE	89
PID 2816 wrote to memory of 2024	2816	IEXPLORE.EXE	89
PID 2816 wrote to memory of 2024	2816	IEXPLORE.EXE	89
PID 1668 wrote to memory of 1936	1668	IEXPLORE.EXE	90
PID 1668 wrote to memory of 1936	1668	IEXPLORE.EXE	90
PID 1668 wrote to memory of 1936	1668	IEXPLORE.EXE	90
PID 5088 wrote to memory of 2876	5088	Wscript.exe	91
PID 5088 wrote to memory of 2876	5088	Wscript.exe	91
PID 5088 wrote to memory of 2876	5088	Wscript.exe	91

C:\Users\Admin\AppData\Local\Temp\600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe
"C:\Users\Admin\AppData\Local\Temp\600b397d705320abbff5a32a2549f81fece1b1aed8eb363050ede54b15838b47N.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/i0dpw
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/i0dpw
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2024
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1668 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1936
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft143222\b_1422.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\soft143222\300.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\jishu_143222\jishu_143222.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
C:\Program Files (x86)\soft143222\300.bat

Filesize
3KB

MD5
e4ea0a3b1b78e58a28669f4de4b54d4a

SHA1
fc55a2ef186936aa5b2453a43dbf22f0f6c9df5e

SHA256
71765e7489014cfd7984fab1973914ae6901c2bd3689ef7308e05fb065bbec28

SHA512
910f38fd135816f36c9743342fd630b40940aad8e70ec90a5b6fe92609aee2b360acf8a7b898f14f4a2694de1b9724b7cea671aed19bce0dd76a8eb8ac397e68

Download Submit
C:\Program Files (x86)\soft143222\b_1422.vbs

Filesize
247B

MD5
80bf931504253f8d6d72c1312d909c91

SHA1
88b48d045b09cf9c1e1125003a1429011b78725e

SHA256
c9b08cba663e22965d9ba37c5994696d45f2edafc281ad6c1ddd3117c0939879

SHA512
70b101f67022108f2906b7b7bedfe398d3bd89c286f67f7e78965e1a3eb41985555decb77290563bd629672fdda413e7f8ededa8bdc3615e84d239ecf0f4e70d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
ff3165e7b476444aab676dccec6a01aa

SHA1
f2530f7393c832de9e9c707b5bea8b9d250bad37

SHA256
1ad25ca9276220fad43036ca091782b8f4d243cabe72d152f698eaf71cdd5271

SHA512
e32bbf9ec1c3677a78777b8221f1157386092fa37670cd1973db22fb37d5ca079b2d7d91f28d6e491f4c53e5bb6acb3c05f368e79a41ce971f1540e8b17541d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
80903f072f7151a490068ff67b203b39

SHA1
cfbe73040cb2f6dfe2eee01764c771271f7e80bd

SHA256
3a23de801059b7f735faf3c2ac6299c5655c05bcc0e0c1f802d017938aec790d

SHA512
524adc240097654b52e9469a66d941429770f567dd3724dfe89d893fe2970210ad2c07c719b2ddf7bf0fb11dd8ec3704161a8d69b4637160fc55b5374ad0a1e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3826E5B2-83A9-11EF-B1C5-D20DFB866B4D}.dat

Filesize
3KB

MD5
2fa9d57529918ce95ca73f77ebd23e47

SHA1
53e2d6e34694604a0e03d8f123f1eaccf153d6ef

SHA256
0c57c5bf8144782239eb22bcb16d1f961c54df7d6381e4b81a02fbf58cf55fc6

SHA512
bf57ca9602e20a38c52e1a02849fbda5e1c172f5a3d3fe047fda44503b91a1521ea2048ac022e6e71e20a7c30b8af273dca07b7d65ac0e72ed0827ab04f422aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{382BA990-83A9-11EF-B1C5-D20DFB866B4D}.dat

Filesize
5KB

MD5
8fd50b808a23f90856079e050a70c17d

SHA1
2fcfce61a0b7f66f64073e9e2fc3c5bd9094b2f2

SHA256
a3f74c13ef6fbb0553acb612a8b395f8747c76aafa14a46a08223ba97eca6005

SHA512
832b5b931768ed1c59c09fbc0dc5331105df378baeef62d0c011593fa4f56e90092cbb0c5355512f287afadcff6cf1ef8afa8740da9768db6a84c17e577db837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verFE94.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IFM58U6K\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa86C5.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa86C5.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\ Intornot Exploror .lnk

Filesize
2KB

MD5
17a8f7284f946e7d58d59e1fc419134b

SHA1
d3a4d6952ea995a6cdc25daa0d5bde9d9e5823e2

SHA256
f06a895803daec2acb100fe8b040da74d3852df83ec28e760dc706408422afa4

SHA512
fc013754b39253abd0d7ce84e6a61010b25212d2862e521978d73aa925ad4251124cb686b5d9b13ac07a129a6a380d4134f9c5ad9a05b047d3037e7394ffbc1e

Download Submit