Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 23-10-2024 15:50
Static task: static1
Behavioral task: behavioral1
- Sample: 0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe
- Resource: win10v2004-20241007-en
General
- Target: 0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe
- Size: 137KB
- MD5: 52aca881f673c6addcd9b9ddb989fba0
- SHA1: 0a8dd50f4a5c3bd7e5b67ec83f15d45ba86f39de
- SHA256: 0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4e
- SHA512: f7e27b4a091f05b14c2d0af02a40b305290dfaff2136dd3d06407eeaca153996529a2bf69d202445b4c49652fa754811783d1afc4f1ee3fb3bc35a04efb6fc67
- SSDEEP: 3072:51i/NU8bOMYcYYcmy5d048g3nan3vx9kGSYng7+s5YmMOMYcYY51i/NU8T:7i/NjO5x0Xg+UGSYnuy3Oai/Nr
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: sys.exe
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} (sys.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "file:\\\\C:\\sys.exe" (sys.exe)
Deletes itself (1 IoCs)
Processes: cmd.exe
- PID 2372 cmd.exe
Executes dropped EXE (1 IoCs)
Processes: sys.exe
- PID 1984 sys.exe
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory (2 IoCs)
Processes: sys.exe
- File created: C:\WINDOWS\SysWOW64\ie.bat (sys.exe)
- File created: C:\WINDOWS\SysWOW64\qx.bat (sys.exe)
Hide Artifacts: Hidden Files and Directories (1 TTPs, 7 IoCs)
Processes: cmd.exe (7 instances)
- PID 1720 cmd.exe
- PID 3024 cmd.exe
- PID 2060 cmd.exe
- PID 1756 cmd.exe
- PID 1804 cmd.exe
- PID 2640 cmd.exe
- PID 3036 cmd.exe
Drops file in Windows directory (5 IoCs)
Processes: 0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe, sys.exe, attrib.exe
- File created: C:\WINDOWS\sys.exe (0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe)
- File opened for modification: C:\WINDOWS\sys.exe (0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe)
- File created: C:\WINDOWS\sys.exe (sys.exe)
- File opened for modification: C:\WINDOWS\sys.exe (sys.exe)
- File opened for modification: C:\WINDOWS\sys.exe (attrib.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 20 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: attrib.exe, taskkill.exe, cmd.exe, IEXPLORE.EXE, 0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe, sys.exe
All 20 IoCs are the same event, "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", recorded for these processes in order: attrib.exe, taskkill.exe, cmd.exe, attrib.exe, cmd.exe, taskkill.exe, IEXPLORE.EXE, attrib.exe, cmd.exe, cmd.exe, attrib.exe, cmd.exe, 0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe, sys.exe, cmd.exe, cmd.exe, attrib.exe, attrib.exe, cmd.exe, attrib.exe (attrib.exe 7, cmd.exe 8, taskkill.exe 2, IEXPLORE.EXE 1, the sample 1, sys.exe 1).
Kills process with taskkill (2 IoCs)
Processes: taskkill.exe
- PID 1992 taskkill.exe
- PID 2140 taskkill.exe
Modifies Internet Explorer settings
Processes: iexplore.exe, sys.exe, IEXPLORE.EXE
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main (sys.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000009a38f8e9f694f09e5872beb41868d60aa0a53f986adc18e33f3e7c440202b973000000000e80000000020000200000007bd8394c06683c404d3230129fe3375978317c1141d1a7c1f3b2832898e3501e20000000062a0637fc99c81362e01923addbd3ccd6b60cb61726cae1ced76796dea30d25400000008a6157a8195ab42e82f3c085bfef699b4d476f12d5874dd5707592cada123080bcd33ba7caf8be544f682d97b1ca116cb3e2edbcfc487dc873ad36f2e5c4e481 (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000946c78110f06d2a80a42d1000d179025c5900e89c6c14f276e7901531c2ff7c1000000000e8000000002000020000000cc80d5a93e2e20f4a34cbbd69ec3193017bdd5ff936150876d6627060c1b9a4090000000fba392f96339f7075f025681bcecd8ff42b7c5248de879a8328ee736a9b4d5fd8f696915f0c5e9a75ac9df8036d9a39614aa73fa1b744302108935e3872ca60c8b98468febb6be2da158d26800dec45936da61137671acbc4fc65ef5ef8370b9f1d75a2ae7c70124937f8f02819a6a1924f9d427bd0c1694d55a2d58e37dfc80510f4dd7f949d19b7db6ccc11a9bf85640000000d1ee49e68b51331bbc3fbd6f3c85f2b07a468a7b1bfef754ba2cd4631bc6e95c085fd12f5baed24dd90b714e9a781635557998d81c49316278e2f43f4c38a084 (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20df2c696325db01 (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{90542F91-9156-11EF-809B-F2DF7204BD4F} = "0" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435860512" (iexplore.exe)
Modifies Internet Explorer start page (1 TTPs, 1 IoCs)
Processes: sys.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" (sys.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: sys.exe
- PID 1984 sys.exe
- PID 1984 sys.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: taskkill.exe
- Token: SeDebugPrivilege, PID 1992 taskkill.exe
- Token: SeDebugPrivilege, PID 2140 taskkill.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: iexplore.exe
- PID 1272 iexplore.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes: 0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe, sys.exe, iexplore.exe, IEXPLORE.EXE
- PID 3008 0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe
- PID 1984 sys.exe
- PID 1272 iexplore.exe (2 entries)
- PID 2432 IEXPLORE.EXE (4 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe, sys.exe, iexplore.exe, cmd.exe
Each source/target pair below is recorded 4 times in the report (16 pairs, 64 entries):
- PID 3008 (0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe) wrote to memory of PID 1992 (taskkill.exe)
- PID 3008 (0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe) wrote to memory of PID 1984 (sys.exe)
- PID 3008 (0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe) wrote to memory of PID 2372 (cmd.exe)
- PID 1984 (sys.exe) wrote to memory of PID 2140 (taskkill.exe)
- PID 1984 (sys.exe) wrote to memory of PID 1272 (iexplore.exe)
- PID 1272 (iexplore.exe) wrote to memory of PID 2432 (IEXPLORE.EXE)
- PID 1984 (sys.exe) wrote to memory of PID 1804 (cmd.exe)
- PID 1804 (cmd.exe) wrote to memory of PID 2708 (attrib.exe)
- PID 1984 (sys.exe) wrote to memory of PID 2640 (cmd.exe)
- PID 2640 (cmd.exe) wrote to memory of PID 2000 (attrib.exe)
- PID 1984 (sys.exe) wrote to memory of PID 3036 (cmd.exe)
- PID 3036 (cmd.exe) wrote to memory of PID 3048 (attrib.exe)
- PID 1984 (sys.exe) wrote to memory of PID 1720 (cmd.exe)
- PID 1720 (cmd.exe) wrote to memory of PID 2464 (attrib.exe)
- PID 1984 (sys.exe) wrote to memory of PID 3024 (cmd.exe)
- PID 3024 (cmd.exe) wrote to memory of PID 1864 (attrib.exe)
Views/modifies file attributes (1 TTPs, 7 IoCs)
Processes: attrib.exe (7 instances)
- PID 2464 attrib.exe
- PID 1864 attrib.exe
- PID 2312 attrib.exe
- PID 2776 attrib.exe
- PID 2708 attrib.exe
- PID 2000 attrib.exe
- PID 3048 attrib.exe
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3008
Process (depth 2): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill.exe /im KSafeTray.exe /f
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1992
Process (depth 2): C:\WINDOWS\sys.exe
Command line: "C:\WINDOWS\sys.exe"
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1984
Process (depth 3): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill.exe /im KSafeTray.exe /f
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 2140
Process (depth 3): C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1272
Process (depth 4): C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:275457 /prefetch:2
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID: 2432
Process (depth 3): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1804
Process (depth 4): C:\Windows\SysWOW64\attrib.exe
Command line: attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 2708
Process (depth 3): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2640
Process (depth 4): C:\Windows\SysWOW64\attrib.exe
Command line: attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 2000
Process (depth 3): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3036
Process (depth 4): C:\Windows\SysWOW64\attrib.exe
Command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 3048
Process (depth 3): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1720
Process (depth 4): C:\Windows\SysWOW64\attrib.exe
Command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 2464
Process (depth 3): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3024
Process (depth 4): C:\Windows\SysWOW64\attrib.exe
Command line: attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 1864
Process (depth 3): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\sys.exe"
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
PID: 2060
Process (depth 4): C:\Windows\SysWOW64\attrib.exe
Command line: attrib +h "C:\WINDOWS\sys.exe"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 2312
Process (depth 3): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "c:\sys.exe"
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
PID: 1756
Process (depth 4): C:\Windows\SysWOW64\attrib.exe
Command line: attrib +h "c:\sys.exe"
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID: 2776
Process (depth 2): C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c del 0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe
- Deletes itself
- System Location Discovery: System Language Discovery
PID: 2372
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2e5dbe34cbf815232f3ace4b002d8ce5
  SHA1: 006b11640901373cd4a059228395e4f2b60fa09e
  SHA256: 60fb3b0cb4481f1fd813c87ef3128c6aef01f821014eb64c648ecaf38b203fe0
  SHA512: a2f0a9d66fa639648b9ed005b7040eaaf5ad7bddd6d61542ec64fe5595ce629948698d47db48a413e0167998daf244ce5188420dce9dd4e839d1ff691e87f05d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 74fd4017cf598d45d3c8c42b3dc6edd7
  SHA1: 429965460bbd1f2a2c2d7067c87731d04f4ac519
  SHA256: 7bb86aa4025aedd14315789b7b06b32b78bca63e5933fc23cccdcb1795e37f24
  SHA512: 201ebf7e92d212f80df2e814e4f3e9273ea0cd059ea034450c3adf56cb207e28939b44dbb864254a87fb4b3780b0eaae510cf9bdb2b9a305fe0d7d49b4696fba
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2f75e7acfcdd6cf1b48a84615e179c17
  SHA1: a657162f54a54c64d2f761c09e6122c68444e4a0
  SHA256: 839250c39e3683cd115fe633009f16a34e4464188ea0243cf1731fa298d97aba
  SHA512: dafa22cce27939ceb51a64ef55a2194276db07b8f9fca4a7ec6d1269e9a8d71494a282e6297ac251364d2a28744f51b855382969495a0f9d6c9755df6397b1f4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c739df82dd9729a7039af0c3f7acd938
  SHA1: 6178514145e82c87a584b604af099af16340fc84
  SHA256: 62c268c588002d7084913965af409d6b21f422dbfd1f3b0fe3fbd8ccb8f10517
  SHA512: e4324ef92197fd9670cf2ebbc65b11292f07b9c939445c90137140ee6a695c728483f8a5f4b1059d9497766e142489dab3ef0072d95717399839c7871a37d538
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 88bb39ab1587583b06de7ef87c3ef8ee
  SHA1: 3e8d9c31c7098fd92728c7265e9d374bd12b7e0a
  SHA256: ea9e0528e2eb212d18b79806fde168fd97659c6a2d8079c57bfa314d512b4688
  SHA512: 83382d5a2298022aaec1b8c2808888cc12697fdf1e2222fe8ff7596e5dec5e253205f70670e1a79be98443de8e4b4edd441a910b1030d0a08e2bf8629ecf3f9d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0c25172ea600b52592c42e67f421db6e
  SHA1: f1e60a3c90c6d531af6f9ffd4affe0ee7b19f643
  SHA256: 6385e5289f0b389aa16c1a7158cbbf91ad5780e0df393788138f212f7d8e3a2f
  SHA512: 82181f9584bfe32e2fb1fc05414626f9bca6aae04f0d30c3e5404cb8b9c3753cf187806f5e3b2848f9ba7afd324e57478b694a40f630019ceacca4e4e75c561a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 71eb704a57ba3d1c2b08abc6fd54eb55
  SHA1: 30621c20d5b98c080860ade2c27b49a4680ac83d
  SHA256: 82d334fc12de8cae030680e84e0c02b90ba05f3a79e661a5f463830af6ef53c2
  SHA512: 2d50214714752bd3456c03acc981048452edb6688e9853c49a3ea042d92a6e0d3b923a7cc494467d0456ef1843fffc7fe0926a1844cbe88532b190823ddf7e22
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 58176c5e96de99656c3978acb8fde6e6
  SHA1: eb0ddd434fa0e4330e926e133a05a7a1f8ffafbf
  SHA256: 51986240f0b317ecf31c1d143be98a5a5278448637adad2f0f029e13fda28651
  SHA512: 297c25357dddc3f8c31ba37357317e41866814c6d23c31611cf116d11974ae28f1cdb28521a2140c0b5b2c1d1d3a4742b5d22b9c6f41c72e1005145f64596bba
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e2db2678af4e71726654bd118182bccb
  SHA1: 5eee915318584fff5d49ec5dd6573d5f838e671e
  SHA256: 1b2236a096a097064b76053d6a03fc51c9b931cc4fa4955d83cfc8c7a3ab27f9
  SHA512: 68e9fed0bd77b870611c26b1cd20ec2dee410b062bc837763c48decbf6bbe5b24c2a89e905889e0f1aabe1b3b55a3b8751cb0d8f948360a9e70d438dc48284a9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: edc15bc4f5c682a0fdffa9e15ae5ed42
  SHA1: 13b9f0dc45d183083c1d4f7cd6e63ee1780c4c67
  SHA256: 51fb588939dc6dc4e6a5303236c35141f4ffca9f92b9892ade8bc7e3f88b04c8
  SHA512: dc91f4bc1b6c6b4548eae9861ae4433238a2692c679e17d85748a475a3db35519b9e38b7014fb4cefb3148d9cf37f99f750aa92c77f363e945e4efe925d51581
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 1ca89e4f60f303a4bdbd88b17665a978
  SHA1: 99c3653b064aee57469553e9483f8357edca728f
  SHA256: c38845cc99edd4ce8241f658becd203483fb376fffba3f1d6edb63696031bcc7
  SHA512: 8989ffd1c9072e89163ab2095cbcdee724a6a3386a20c3191f985adaf6a1333d7102f3082f06550dce8a2c22fc948335ed543352568707536f2850af904a2d5a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 994a2bb27090148e6d6bd5b9195508a8
  SHA1: 60ea61dd392e3ddf25a0c3f7a446fe5f71e708e0
  SHA256: 22f43678a950a04eecd6f7121c962b508f398065fa296c35c3999cc9cbde2731
  SHA512: 056252a76911132d88c66033475dc511949bf17246609b2b8546eaf92c127e2d010b88fc1c3bf14359e39acff48609435315bbc3597fbf63fb8b20342ff4bc09
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 5fdf8535bb3a28f6631da0de5a6131ad
  SHA1: bf58f539570a090f5edc948759180fc8ad27eef7
  SHA256: a3133770c409c70791dea096b8a115aa0c929e9466dd8c6fc7b39845e8931fc6
  SHA512: 9dec5cb070d29c9c59cf47126882f1f589dd1c945dad902b66de8e8bd59a9f51282ec98127b33321d87c41cb0401541fb103b54dbbbb61b85935968b98b26a3a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f59d04acee6fd8f86f079f2ed32f8c05
  SHA1: 4e50ce0575b791fc33831b00c0e5c03887832d0e
  SHA256: 99d72bcad37afb5ce7b739d478ad25cc22272c0e29f674ce94ac53f2faaa404a
  SHA512: 7efc3b774c56ea45124d596a7b1a697d75485dbee7387654f9647eaddd40bdc517ed22896b2149abdcb72bab6f624a29f95abf3469ae34d7bae6f5a901354c2f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: df6d817e59c3297e60b19e9690e91304
  SHA1: 8b5ea8461bb94b6b03e773b11d92710b48c129ee
  SHA256: c288dce75474223c59580bc98adb7e8fb06778f13d519b41e66921d8d446cbeb
  SHA512: cac1867a9a31b5a8613b0b04018f078c0e680bc167a5bc6ac7658504d79bd059212dc2ef25d3ffea842de3a6e91df8db3aafa1bb9c00122c88bee049b401aea8
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8b425886f02f506a4cfc3c8d6a569adb
  SHA1: 71128e2cec26f6d8d110b03f31773998afc3bb26
  SHA256: 2dc66bbadb03a1b18e6bece63c6b3343fcd64a90e64c4536b1e99956c2833eb3
  SHA512: 4486811a226bac06bf8e40b803d1fb5a8fe6cb58dab1f0d71a0f524c762708291e6b0a7d6b011bc63b342d6baf5dac22fd06dc9a26b719ddfae81402d9580f9a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: fba1c9614d9220d8b17332a00e65c59a
  SHA1: 0124b4a96cdbb4e58be9ee971902eb7e4b9cbeec
  SHA256: abea308467ea03d8d201e8ce1d0ae94f456a7bb238164e8a85e891491ed64b3c
  SHA512: 208d97fa88330d4a8ec99031b6085909ee1049f922b7ba78dcbffc021f95fba62e656263b91a7c77668dab149ef789e67bc2b3c6102023e3340e13c95c56eeaa
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: afa6c3051227c87ec7e431d30a7a2760
  SHA1: 79b4804f1d8a382259ba1329aa3f62466ebe63d3
  SHA256: b5a2fed5a463b763aee10efefd653803950e34ee8b1137bd24cf572d087f24b3
  SHA512: 403679c9b7254db4be7052bf00f1b9cbcf88e214109901ae7b8df38f9716e812abe917d0342a9270a6766629961662c76d594e081c80dd60edf7abb4834cd55d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e8343fecd53cd8643f56dc3d262ed23e
  SHA1: 0063545fa5bf24909e6e3b8ceb1d56254509afde
  SHA256: d2d05ab4427a3ac3b9c6bedf77638032592b8b69eea32320a9545b30ce85fcf4
  SHA512: ec193e1881840b1c9c9e55e3bad12681056857ae2a58c279c784ac198923fece0f09f7ed3db293a4cc3db36c2e6b3ddeb56f9fa9a419d565e022385669d367d9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f79a830b7e2e01d837eeb4eb5facd551
  SHA1: 90de33d6fd3d0107e17e4efba37e158a6a4dbf56
  SHA256: 40fb4f62a029696573a43cda0dbafc12262067cf52df836f15bd0ff90d12112e
  SHA512: da4a6fcef208a6b322edb30438503ad5882d57ceb0b0c37f8989a66c25f973878743d4ac18ab3414c4d7f8e02906b0e422f36acc57276698ffe79ab7eb4c3bd6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0e8689589b8fe2207bb1fbd92cf27708
  SHA1: ace9f0bc7ca4f97e7be6b80e9888384b756d1852
  SHA256: 077cc5b3a2d46e8b1be7a3e514d3ac782b1c3a9c58328c4708867197d7127a28
  SHA512: 040a102514dd2ef005feed0d7ab35b40c298eea48e8127b64d650b87dac4a7a0cbe8edf65c2a720352ac59c16e3e1b4f16a867930c04bbff6b22f6d6fdf11bb0
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 137KB
  MD5: f514d63802ca66e3d384cad7bf9206bc
  SHA1: 368ad897415f0ab38259af4f838ec181c764418e
  SHA256: 947a36ced94a4b008159a44b2685866b9165eb06b368888467106f5ba29202fa
  SHA512: 60f841410e7087c1c2fe27e2bccc1cf511f2a20eb8147834ac05108450f6b417b5d311d184209d95d4fdc732a88c2211fe87831e33715d9e2b07a91fa4e022fb
- Filesize: 137KB
  MD5: 3b78672dd934a42f591a4eddecfe4442
  SHA1: 2c5abac4d7d65f83f1691fc6e63c88618dcd47cf
  SHA256: 05d6bcc83bea02dae9aa36b28bd52ab5a650ddab42a98842c7732d4761d4e081
  SHA512: 3426ca2049793c2b9b172e5789ceecb4a3a846bbd5b7977d6c3e3be336b97e683399deb9e1c79ade36838fd8b464ce0699a2cd9aa734303350308792e95eef81