Analysis
- max time kernel: 120s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/10/2024, 02:42
Behavioral task: behavioral1
- Sample: f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe
- Resource: win10v2004-20241007-en
General
- Target: f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe
- Size: 55KB
- MD5: 48ff6c57d2e916036b40d137b227a9a0
- SHA1: 4c31b5082e06afea0afe666f2e85bd5cf25bd14e
- SHA256: f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cf
- SHA512: 9e2dd565ac011b612e797f2bd00b7a25aa1ca16f8cfed23b3b46a7e22358f3f3fa910fec2e34a2d7fa85f056104ce97bc4cfcc7ee13e683cc685c3683962556b
- SSDEEP: 1536:KhBZ1b9c409y1G1i35Bo01i/gcU8eVTOK/YqjYYamvbtb:GZl2zoxV1i/NU82OMYcYYamv5b
Malware Config
Signatures
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\WINDOWS\SysWOW64\ie.bat | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe
  File created | C:\WINDOWS\SysWOW64\qx.bat | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe
- Hide Artifacts: Hidden Files and Directories (1 TTPs, 7 IoCs)
  pid | Process
  1920 | cmd.exe
  1136 | cmd.exe
  2832 | cmd.exe
  4092 | cmd.exe
  3188 | cmd.exe
  3488 | cmd.exe
  4376 | cmd.exe
  resource | yara_rule
  behavioral2/memory/4736-0-0x0000000000400000-0x0000000000429000-memory.dmp | upx
  behavioral2/files/0x000a000000023b93-10.dat | upx
  behavioral2/files/0x000a000000023b94-12.dat | upx
  behavioral2/memory/4736-20-0x0000000000400000-0x0000000000429000-memory.dmp | upx
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\WINDOWS\windows.exe | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe
  File opened for modification | C:\WINDOWS\windows.exe | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe
  File opened for modification | C:\WINDOWS\windows.exe | attrib.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 16 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
- Modifies Internet Explorer settings
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3076325936" | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ca04ef73b7c6924d879f23eb66eabf8a00000000020000000000106600000001000020000000c0d8f47beb74e3bafd6229cf55627c76b8b2fc2d63dc6478333c3bbd145197b4000000000e800000000200002000000083f845f3ce82c394abe96ef4fd86234330075c5f57d26b0fb89d7e1f4a51d210200000001c1f2f039af198c03007c5e2dc465de2dc1974c55ee3efba7fd26c2e77cf9f5440000000e8ddb85b5a77f494803f1090a1038f6be584635865d1efcbce979ba20a4ff5f4a74ba0359b83618713437383b8be19970689dd587c98eb5e415151260bdcb8a6 | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31140670" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140670" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20cdf0b73e2bdb01 | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ca04ef73b7c6924d879f23eb66eabf8a00000000020000000000106600000001000020000000c71a72551557550b7f9c8837992c1bd7611165ab1517f17d9d2b5bcbdb02d268000000000e8000000002000020000000b8b39cdc7e1ad22dcb4710202ea1eb2414773a51091c4fc1bddf1094455d1e90200000009ff62d40862a345cb7e58043f97289616b4eb4bddc252e187bfbdb5f43db29f1400000006184799138f4d061fecb179c6312510bc68b0e180b23566f958b6022929ac17e7fa5ead357cb5cd80bb69922eb4a44f46b6af2d8544e47eef451587bb533937d | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E2BF02A5-9731-11EF-AF2A-CAFD856C81B1} = "0" | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3073825717" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3073825717" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140670" | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0043fab73e2bdb01 | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437107573" | IEXPLORE.EXE
- Modifies Internet Explorer start page (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe (10 occurrences)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  3288 | IEXPLORE.EXE
- Suspicious use of SetWindowsHookEx (7 IoCs)
  pid | Process
  4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe
  3288 | IEXPLORE.EXE
  3288 | IEXPLORE.EXE
  2172 | IEXPLORE.EXE
  2172 | IEXPLORE.EXE
  2172 | IEXPLORE.EXE
  2172 | IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (49 IoCs)
  description | pid | Process | procid_target
  PID 4736 wrote to memory of 3288 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 84
  PID 4736 wrote to memory of 3288 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 84
  PID 3288 wrote to memory of 2172 | 3288 | IEXPLORE.EXE | 85
  PID 3288 wrote to memory of 2172 | 3288 | IEXPLORE.EXE | 85
  PID 3288 wrote to memory of 2172 | 3288 | IEXPLORE.EXE | 85
  PID 4736 wrote to memory of 2072 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 86
  PID 4736 wrote to memory of 2072 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 86
  PID 4736 wrote to memory of 3188 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 87
  PID 4736 wrote to memory of 3188 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 87
  PID 4736 wrote to memory of 3188 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 87
  PID 3188 wrote to memory of 2028 | 3188 | cmd.exe | 89
  PID 3188 wrote to memory of 2028 | 3188 | cmd.exe | 89
  PID 3188 wrote to memory of 2028 | 3188 | cmd.exe | 89
  PID 4736 wrote to memory of 3488 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 91
  PID 4736 wrote to memory of 3488 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 91
  PID 4736 wrote to memory of 3488 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 91
  PID 3488 wrote to memory of 4836 | 3488 | cmd.exe | 93
  PID 3488 wrote to memory of 4836 | 3488 | cmd.exe | 93
  PID 3488 wrote to memory of 4836 | 3488 | cmd.exe | 93
  PID 4736 wrote to memory of 4376 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 94
  PID 4736 wrote to memory of 4376 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 94
  PID 4736 wrote to memory of 4376 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 94
  PID 4376 wrote to memory of 2960 | 4376 | cmd.exe | 96
  PID 4376 wrote to memory of 2960 | 4376 | cmd.exe | 96
  PID 4376 wrote to memory of 2960 | 4376 | cmd.exe | 96
  PID 4736 wrote to memory of 1920 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 98
  PID 4736 wrote to memory of 1920 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 98
  PID 4736 wrote to memory of 1920 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 98
  PID 1920 wrote to memory of 1224 | 1920 | cmd.exe | 100
  PID 1920 wrote to memory of 1224 | 1920 | cmd.exe | 100
  PID 1920 wrote to memory of 1224 | 1920 | cmd.exe | 100
  PID 4736 wrote to memory of 1136 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 101
  PID 4736 wrote to memory of 1136 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 101
  PID 4736 wrote to memory of 1136 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 101
  PID 1136 wrote to memory of 3412 | 1136 | cmd.exe | 103
  PID 1136 wrote to memory of 3412 | 1136 | cmd.exe | 103
  PID 1136 wrote to memory of 3412 | 1136 | cmd.exe | 103
  PID 4736 wrote to memory of 2832 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 105
  PID 4736 wrote to memory of 2832 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 105
  PID 4736 wrote to memory of 2832 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 105
  PID 2832 wrote to memory of 4400 | 2832 | cmd.exe | 107
  PID 2832 wrote to memory of 4400 | 2832 | cmd.exe | 107
  PID 2832 wrote to memory of 4400 | 2832 | cmd.exe | 107
  PID 4736 wrote to memory of 4092 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 108
  PID 4736 wrote to memory of 4092 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 108
  PID 4736 wrote to memory of 4092 | 4736 | f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe | 108
  PID 4092 wrote to memory of 2232 | 4092 | cmd.exe | 110
  PID 4092 wrote to memory of 2232 | 4092 | cmd.exe | 110
  PID 4092 wrote to memory of 2232 | 4092 | cmd.exe | 110
- Views/modifies file attributes (1 TTPs, 7 IoCs)
  pid | Process
  4400 | attrib.exe
  2232 | attrib.exe
  2028 | attrib.exe
  4836 | attrib.exe
  2960 | attrib.exe
  1224 | attrib.exe
  3412 | attrib.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe (PID 4736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe"
  Signatures:
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  Children:
  - [2] C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 3288)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
    Signatures:
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    Children:
    - [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2172)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3288 CREDAT:17410 /prefetch:2
      Signatures:
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
  - [2] C:\Program Files\Internet Explorer\iexplore.exe (PID 2072)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
    Signatures:
      - Modifies Internet Explorer settings
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 3188)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    Signatures:
      - Hide Artifacts: Hidden Files and Directories
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    Children:
    - [3] C:\Windows\SysWOW64\attrib.exe (PID 2028)
      Command line: attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      Signatures:
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 3488)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    Signatures:
      - Hide Artifacts: Hidden Files and Directories
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    Children:
    - [3] C:\Windows\SysWOW64\attrib.exe (PID 4836)
      Command line: attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      Signatures:
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 4376)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    Signatures:
      - Hide Artifacts: Hidden Files and Directories
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    Children:
    - [3] C:\Windows\SysWOW64\attrib.exe (PID 2960)
      Command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      Signatures:
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 1920)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    Signatures:
      - Hide Artifacts: Hidden Files and Directories
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    Children:
    - [3] C:\Windows\SysWOW64\attrib.exe (PID 1224)
      Command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      Signatures:
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 1136)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    Signatures:
      - Hide Artifacts: Hidden Files and Directories
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    Children:
    - [3] C:\Windows\SysWOW64\attrib.exe (PID 3412)
      Command line: attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      Signatures:
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2832)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
    Signatures:
      - Hide Artifacts: Hidden Files and Directories
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    Children:
    - [3] C:\Windows\SysWOW64\attrib.exe (PID 4400)
      Command line: attrib +h "C:\WINDOWS\windows.exe"
      Signatures:
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 4092)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
    Signatures:
      - Hide Artifacts: Hidden Files and Directories
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    Children:
    - [3] C:\Windows\SysWOW64\attrib.exe (PID 2232)
      Command line: attrib +h "c:\system.exe"
      Signatures:
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: ee4ada789158c1e5a14d597cf1d5edd0
  SHA1: 9593aee78d30d51ab93d6a29dc4dc873e0d466b6
  SHA256: 903a6d82bf2fe8951104cf90d9f64aab0fbded30a2246e678a80d07868569b4f
  SHA512: a6214f62e5089512aeaabab7c4bb38e8663fb55d5f4129c57e726723dad10802ec40c3dc836087713b77c1874c12f177bf2b2998fd3e52f4210c1c5307885c16
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: 1349e21be487e7d76cb3ee617fcab5fd
  SHA1: 4d73fb5b90a3942ea11a66b4a4b8115bf588714c
  SHA256: c12383cab440a96f7f59fa471ceed52236ac1c1473a5c64a632b29d333a0df92
  SHA512: e5e44809563ea5d39f0f9546419a6fe86aec611146697b4d4aa467ed6be8d07e6bfd1a5f24d0299198d04a80a98c2f7ff0cc77abd504873f30323c5d7197a42c
- Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- Filesize: 55KB
  MD5: bd9acad9d942c154b4e614827b4eb438
  SHA1: bfc9110059019c5acc94b81a85569906b7d03743
  SHA256: b40b4b8f0e53675b8e3a8a5c3eddcbd2f90f03dda24df1bbc2bed42c4c2c0d6d
  SHA512: 43366e800c6c2578f2ad69d48d64b41a1696d2532a2311a1286d75318ba684e4879ada0e5f3d0499b86012573fe7c829af7df2487429bf2c1a392c367e526ba7
- Filesize: 55KB
  MD5: 8cc70d6861940f85173e6c51c718924e
  SHA1: 9fb3f9eb5b4cdce0a9846424fad75fc54f897a99
  SHA256: 56d1df9c0d53edc8aa3abba8f7db089f1217ebb5f8867af76f1ceb213f21f97f
  SHA512: 3621af48c031e663651b505afe8d83bae082b7016b31cfdfd79aeccb635d1107803d79057958ccfb9f9ee657dc99d0a46f29f209b78f7a8485a6df1d27f6785a