Analysis
max time kernel: 104s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2024, 02:29
Behavioral task: behavioral1
Sample: 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe
Resource: win10v2004-20241007-en
General
Target: 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe
Size: 232KB
MD5: ad3ac6898ef80f13400f509c20f837a0
SHA1: 19c5c89c62dc1c21777ebe91ff4dc96d296df52c
SHA256: 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592e
SHA512: ac3f7cfa6d28d1650f73dbed065fe4dd14786eacc34e1f3f923342875ac53256cd3c1845ce8c536fc21d2c32582c41b61833e51b489507d60a4112670f10b2eb
SSDEEP: 3072:LI1i/NU8bOMYcYYcmy5cU+gTn6HOjDhWrzvvQwlgO5s1i/NU82OMYcYYamv5b:6i/NjO5YBgegD0PHzSni/N+O7
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} (process: 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" (process: 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (process: 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe)
Drops file in System32 directory 2 IoCs
- File created: C:\WINDOWS\SysWOW64\qx.bat (process: 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe)
- File created: C:\WINDOWS\SysWOW64\ie.bat (process: 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe)
Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
- PID 1956 cmd.exe
- PID 3936 cmd.exe
- PID 2008 cmd.exe
- PID 3900 cmd.exe
- PID 3568 cmd.exe
- PID 5052 cmd.exe
- PID 3016 cmd.exe
UPX packed file (yara rule: upx) 4 IoCs
- behavioral2/memory/2388-0-0x0000000000400000-0x000000000043A000-memory.dmp
- behavioral2/files/0x000c000000023b92-12.dat
- behavioral2/files/0x000a000000023b99-15.dat
- behavioral2/memory/2388-20-0x0000000000400000-0x000000000043A000-memory.dmp
Drops file in Windows directory 3 IoCs
- File created: C:\WINDOWS\windows.exe (process: 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe)
- File opened for modification: C:\WINDOWS\windows.exe (process: 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe)
- File opened for modification: C:\WINDOWS\windows.exe (process: attrib.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: attrib.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: IEXPLORE.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: attrib.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: attrib.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: attrib.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: attrib.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: attrib.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: attrib.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
Modifies Internet Explorer settings
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main (process: iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" (process: IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1014096290" (process: IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140670" (process: IEXPLORE.EXE)
- Set value (data): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6040543d3e2bdb01 (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main (process: 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1014096290" (process: IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" (process: IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (process: IEXPLORE.EXE)
- Set value (data): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e390000000002000000000010660000000100002000000022042b5ee06d1322f3d11e6307d39fc402ac3550350b4bb4d0c675d6e3748e07000000000e8000000002000020000000d4e110f2eceb5745ab091154b2d17854d313da53b752848a9a36766222d0a82f20000000404cc68edce51bdba8698d1d3b40f90e41f0dcdb71c0842b18f20767bbd0285d40000000d0785872255fe3b0f12642e3d48f9548f9ff75afa991edca733e6aee537307566a3781f8325a1c65d4147e977fd689fd591958130218c5a35ad2674f22eb2e34 (process: IEXPLORE.EXE)
- Set value (data): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70144d3d3e2bdb01 (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (process: IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (process: IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{67FA072D-9731-11EF-ADF2-DA67B56E6C1B} = "0" (process: IEXPLORE.EXE)
- Set value (data): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (process: IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (process: IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1017065054" (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (process: IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31140670" (process: IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140670" (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing (process: IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437107367" (process: IEXPLORE.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" (process: IEXPLORE.EXE)
- Set value (data): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e39000000000200000000001066000000010000200000005f00d7c89993a1e889b6901f18dee9f297ff66be915ca2814bf79f31a2ee0faa000000000e800000000200002000000098da16899f2ccfc2cd51e5c5afe11ca8d44a756860082878c5c9ae493f12383c20000000272a1e74611c338e6ad52561fad547de9557004214260a4d91330d8c5fbace9e40000000b385e5fa6561715e4e7ff971050fc229a67b424b07689d45b2497fc843351867cf5e0a0e65fe4b6e3b5b614c00b5ad8f09420ebd626a7aa3683f37d34c02b88e (process: IEXPLORE.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (process: IEXPLORE.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager (process: IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (process: IEXPLORE.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" (process: IEXPLORE.EXE)
Modifies Internet Explorer start page 1 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" (process: 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe)
Suspicious behavior: EnumeratesProcesses 10 IoCs
- PID 2388 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe (10 identical entries)
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 4460 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 2388 68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe
- PID 4460 IEXPLORE.EXE (2 entries)
- PID 2092 IEXPLORE.EXE (4 entries)
Suspicious use of WriteProcessMemory 49 IoCs
Each entry reads: writer PID wrote to memory of target PID (writer process, procid_target); identical repeated entries are collapsed with a count.
- PID 2388 wrote to memory of 4460 (68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe, procid_target 84) x2
- PID 4460 wrote to memory of 2092 (IEXPLORE.EXE, procid_target 85) x3
- PID 2388 wrote to memory of 640 (68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe, procid_target 86) x2
- PID 2388 wrote to memory of 3936 (68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe, procid_target 87) x3
- PID 3936 wrote to memory of 4344 (cmd.exe, procid_target 89) x3
- PID 2388 wrote to memory of 2008 (68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe, procid_target 90) x3
- PID 2008 wrote to memory of 3060 (cmd.exe, procid_target 92) x3
- PID 2388 wrote to memory of 3900 (68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe, procid_target 93) x3
- PID 3900 wrote to memory of 4320 (cmd.exe, procid_target 96) x3
- PID 2388 wrote to memory of 3568 (68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe, procid_target 97) x3
- PID 3568 wrote to memory of 5024 (cmd.exe, procid_target 99) x3
- PID 2388 wrote to memory of 5052 (68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe, procid_target 100) x3
- PID 5052 wrote to memory of 3668 (cmd.exe, procid_target 102) x3
- PID 2388 wrote to memory of 3016 (68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe, procid_target 103) x3
- PID 3016 wrote to memory of 1504 (cmd.exe, procid_target 106) x3
- PID 2388 wrote to memory of 1956 (68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe, procid_target 107) x3
- PID 1956 wrote to memory of 3484 (cmd.exe, procid_target 109) x3
Views/modifies file attributes 1 TTPs 7 IoCs
- PID 3668 attrib.exe
- PID 1504 attrib.exe
- PID 3484 attrib.exe
- PID 4344 attrib.exe
- PID 3060 attrib.exe
- PID 4320 attrib.exe
- PID 5024 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe (PID 2388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\68d1fbf6673478572d7c88bc1eab9d4c1d3564ff6ec670a6427dcd5d6926592eN.exe"
  Signatures:
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 4460)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
    Signatures:
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2092)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4460 CREDAT:17410 /prefetch:2
      Signatures:
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 640)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
    Signatures:
    - Modifies Internet Explorer settings
  - C:\Windows\SysWOW64\cmd.exe (PID 3936)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    Signatures:
    - Hide Artifacts: Hidden Files and Directories
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\attrib.exe (PID 4344)
      Command line: attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      Signatures:
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 2008)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    Signatures:
    - Hide Artifacts: Hidden Files and Directories
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\attrib.exe (PID 3060)
      Command line: attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      Signatures:
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 3900)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    Signatures:
    - Hide Artifacts: Hidden Files and Directories
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\attrib.exe (PID 4320)
      Command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      Signatures:
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 3568)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    Signatures:
    - Hide Artifacts: Hidden Files and Directories
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\attrib.exe (PID 5024)
      Command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      Signatures:
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 5052)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    Signatures:
    - Hide Artifacts: Hidden Files and Directories
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\attrib.exe (PID 3668)
      Command line: attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      Signatures:
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 3016)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
    Signatures:
    - Hide Artifacts: Hidden Files and Directories
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\attrib.exe (PID 1504)
      Command line: attrib +h "C:\WINDOWS\windows.exe"
      Signatures:
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 1956)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
    Signatures:
    - Hide Artifacts: Hidden Files and Directories
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\attrib.exe (PID 3484)
      Command line: attrib +h "c:\system.exe"
      Signatures:
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: ee4ada789158c1e5a14d597cf1d5edd0
  SHA1: 9593aee78d30d51ab93d6a29dc4dc873e0d466b6
  SHA256: 903a6d82bf2fe8951104cf90d9f64aab0fbded30a2246e678a80d07868569b4f
  SHA512: a6214f62e5089512aeaabab7c4bb38e8663fb55d5f4129c57e726723dad10802ec40c3dc836087713b77c1874c12f177bf2b2998fd3e52f4210c1c5307885c16
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: 29df1b7a507e2c042e03935e546145aa
  SHA1: ed7f0d2af19d512b2ab7b0bc411281c86f26177b
  SHA256: 4f156ed018fb99858b42b9ff71a0f3c5d92fc8d9d86b275b7dea82c5621b55fb
  SHA512: 2ebdc4c6caf33b1dec6187977b7d0539e5cc852213b588af72cb8dfb59dbade0673a09141b34cb42305d9f7fb89230f2ef12457d8dfda2d0adcfb35b9fb8c6b4
- Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- Filesize: 232KB
  MD5: 7eaa05eb2f9fe1626109501ef1facde5
  SHA1: 6dc0dbd279aa295c8947d30957196eab34ddfe64
  SHA256: 8d4aee84ab79c6df337910ae253b03e3ec99e5e73913b3bfff3eac0c2abe7d20
  SHA512: 3c4e874aed552e1ccd31aaa4756209052857817e4ba60a5525f965f59aa37745bc360efeaef8ec7e115d9fcd2d07a6ede149001d616517682efa71d6933ec013
- Filesize: 232KB
  MD5: 31f13a0bcd6ebfcfb96b3805cded8832
  SHA1: ec1011ad7f407280c964951d8cf19533a79eeb4a
  SHA256: 2351f199267877ecdd14a10684e08411be0388dfe19c215317135d02454d5a0c
  SHA512: 398a869d8f2c2275f01c852cda2fec3d0d6c249f97effed8c8e093188a6fde2f9e55861041ed8c196c4c8a14c69a77784727ef9d5dcd792deccf875d89c1ec98