Analysis

max time kernel: 140s
max time network: 134s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 04:26
Behavioral task: behavioral1
Sample: bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
Resource: win10v2004-20241007-en
General

Target: bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
Size: 55KB
MD5: 2d54ff543c33342641b636d0ad93b32b
SHA1: 8c469b687a6ea57c560873c8afefac0c6fcdd54d
SHA256: bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b
SHA512: 36621147818e4f70fcf1131ed05e3f5cce8d0daa2d05844c83d1776a57da1f554d739a6ec39bd9e602a31c36cb70d64be88cdb3da77766beb1ef9e05bbc017eb
SSDEEP: 1536:RhBZ1b9c409y1G1i35Bo01i/gcU8eVTOK/YqjYYamvbtb:BZl2zoxV1i/NU82OMYcYYamv5b
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\WINDOWS\SysWOW64\qx.bat | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
File created | C:\WINDOWS\SysWOW64\ie.bat | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
pid | Process
2688 | cmd.exe
2472 | cmd.exe
2956 | cmd.exe
2860 | cmd.exe
2492 | cmd.exe
2668 | cmd.exe
2264 | cmd.exe

resource | yara_rule
behavioral1/memory/516-0-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/files/0x000800000001660b-10.dat | upx
behavioral1/files/0x000b000000016c1a-12.dat | upx
behavioral1/memory/516-25-0x0000000000400000-0x0000000000429000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\WINDOWS\windows.exe | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
File opened for modification | C:\WINDOWS\windows.exe | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
File opened for modification | C:\WINDOWS\windows.exe | attrib.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer; the ioc column gives the path relative to that key.
description | ioc | Process
Key created | PageSetup | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | IETld\LowMic | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | Zoom | iexplore.exe
Key created | Main | IEXPLORE.EXE
Key created | Recovery\PendingRecovery | iexplore.exe
Key created | Toolbar | IEXPLORE.EXE
Key created | Main | IEXPLORE.EXE
Key created | IntelliForms | iexplore.exe
Key created | TabbedBrowsing | IEXPLORE.EXE
Key created | LowRegistry\DontShowMeThisDialogAgain | IEXPLORE.EXE
Set value (str) | Main\FullScreen = "no" | IEXPLORE.EXE
Set value (int) | DomainSuggestion\NextUpdateDate = "436510691" | IEXPLORE.EXE
Key created | TabbedBrowsing\NewTabPage | IEXPLORE.EXE
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | Toolbar | iexplore.exe
Key created | InternetRegistry | iexplore.exe
Key created | Recovery\AdminActive | IEXPLORE.EXE
Key created | LowRegistry\DOMStorage | IEXPLORE.EXE
Key created | Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | IEXPLORE.EXE
Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000002c734558c2b9d022ac789c0f27c7f3cc3f40ce72d83dacf9c7629774f5cc0cf1000000000e8000000002000020000000b479babbf94163da0da5e61782889b5b48f4cbd5074ba81e124e6e928a4b5f74200000006dd7434dd67b234c1d241e353461006203f56b3395b225008b7293a3bc585a4f40000000944ef153df62e38737cb56c778c1918dc5849bacc2d077fe8f47ded5b8673129f3f56b826808935f8796f5d5afd4ed9523b3bcd96971c4d91a51ac121bb5cf34 | IEXPLORE.EXE
Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = 00c666374d2bdb01 | IEXPLORE.EXE
Key created | LowRegistry | IEXPLORE.EXE
Key created | PageSetup | IEXPLORE.EXE
Key created | GPU | iexplore.exe
Key created | Recovery\AdminActive | iexplore.exe
Set value (str) | Main\FullScreen = "no" | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000009a3d5b820d6d88a4f49aa9c6b76020e922aa6288c71b2aab60b7ec62cb131fbc000000000e80000000020000200000000b7a63a8de754146fafc68a858363643710f7d8d0acf84da9e3be34cf818efef90000000f93bd18d516115ea01cdf4190de27b03dac24fa8ad7fe8600663d7a9303b4c213c1f6855392bdac9095cd8f008c9e0dcd6149af06b140434a8db0db61b61ab53e7aef87739b339c55cc103da0590ac2008f70494e66b47957719f42e64cd12c30d5088b7b3c5115fcf01e089286ba8d497daf67077713e9fac76f2d07c1ebf0d072f31fb249ff661f0be1a378a468d5940000000a6f12b43885b85d115ff01e9b5d552c3f352eb752de211df627974317c17f748d16a1c5133bc98a63dc10f736d077a0137861213e1b33f4d05047bd5ecf0b7a9 | IEXPLORE.EXE
Key created | IETld\LowMic | IEXPLORE.EXE
Set value (int) | Recovery\PendingRecovery\AdminActive = "1" | IEXPLORE.EXE
Key created | Main\WindowsSearch | iexplore.exe
Key created | Main | IEXPLORE.EXE
Key created | LowRegistry | iexplore.exe
Key created | LowRegistry\DOMStorage | iexplore.exe
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | iexplore.exe
Set value (int) | Recovery\AdminActive\{5FF0CB21-9740-11EF-A5FC-C670A0C1054F} = "0" | IEXPLORE.EXE
Key created | Toolbar\WebBrowser | IEXPLORE.EXE
Key created | Zoom | IEXPLORE.EXE
Set value (int) | Recovery\AdminActive\{60194281-9740-11EF-A5FC-C670A0C1054F} = "0" | iexplore.exe
Key created | DomainSuggestion | IEXPLORE.EXE
Key created | InternetRegistry | IEXPLORE.EXE
Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | Main | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
Key created | SearchScopes | IEXPLORE.EXE
Key created | BrowserEmulation\LowMic | IEXPLORE.EXE
Set value (int) | SearchScopes\DownloadRetries = "2" | IEXPLORE.EXE
Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | Toolbar\WebBrowser | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | IntelliForms | IEXPLORE.EXE
Set value (int) | Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Key created | Recovery\PendingRecovery | IEXPLORE.EXE
Key created | Main | iexplore.exe
Key created | BrowserEmulation\LowMic | iexplore.exe
Key created | GPU | IEXPLORE.EXE
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | Process
516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2548 | IEXPLORE.EXE
2932 | iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs
pid | Process
516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
2548 | IEXPLORE.EXE
2548 | IEXPLORE.EXE
1692 | IEXPLORE.EXE
1692 | IEXPLORE.EXE
2932 | iexplore.exe
2932 | iexplore.exe
1144 | IEXPLORE.EXE
1144 | IEXPLORE.EXE
1144 | IEXPLORE.EXE
1144 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 516 wrote to memory of 2548 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 31
PID 516 wrote to memory of 2548 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 31
PID 516 wrote to memory of 2548 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 31
PID 516 wrote to memory of 2548 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 31
PID 2548 wrote to memory of 1692 | 2548 | IEXPLORE.EXE | 32
PID 2548 wrote to memory of 1692 | 2548 | IEXPLORE.EXE | 32
PID 2548 wrote to memory of 1692 | 2548 | IEXPLORE.EXE | 32
PID 2548 wrote to memory of 1692 | 2548 | IEXPLORE.EXE | 32
PID 516 wrote to memory of 2932 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 33
PID 516 wrote to memory of 2932 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 33
PID 516 wrote to memory of 2932 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 33
PID 516 wrote to memory of 2932 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 33
PID 516 wrote to memory of 2860 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 34
PID 516 wrote to memory of 2860 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 34
PID 516 wrote to memory of 2860 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 34
PID 516 wrote to memory of 2860 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 34
PID 2860 wrote to memory of 2756 | 2860 | cmd.exe | 36
PID 2860 wrote to memory of 2756 | 2860 | cmd.exe | 36
PID 2860 wrote to memory of 2756 | 2860 | cmd.exe | 36
PID 2860 wrote to memory of 2756 | 2860 | cmd.exe | 36
PID 516 wrote to memory of 2492 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 37
PID 516 wrote to memory of 2492 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 37
PID 516 wrote to memory of 2492 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 37
PID 516 wrote to memory of 2492 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 37
PID 2492 wrote to memory of 3040 | 2492 | cmd.exe | 39
PID 2492 wrote to memory of 3040 | 2492 | cmd.exe | 39
PID 2492 wrote to memory of 3040 | 2492 | cmd.exe | 39
PID 2492 wrote to memory of 3040 | 2492 | cmd.exe | 39
PID 516 wrote to memory of 2668 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 40
PID 516 wrote to memory of 2668 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 40
PID 516 wrote to memory of 2668 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 40
PID 516 wrote to memory of 2668 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 40
PID 2668 wrote to memory of 3024 | 2668 | cmd.exe | 42
PID 2668 wrote to memory of 3024 | 2668 | cmd.exe | 42
PID 2668 wrote to memory of 3024 | 2668 | cmd.exe | 42
PID 2668 wrote to memory of 3024 | 2668 | cmd.exe | 42
PID 516 wrote to memory of 2264 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 43
PID 516 wrote to memory of 2264 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 43
PID 516 wrote to memory of 2264 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 43
PID 516 wrote to memory of 2264 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 43
PID 2264 wrote to memory of 2800 | 2264 | cmd.exe | 45
PID 2264 wrote to memory of 2800 | 2264 | cmd.exe | 45
PID 2264 wrote to memory of 2800 | 2264 | cmd.exe | 45
PID 2264 wrote to memory of 2800 | 2264 | cmd.exe | 45
PID 516 wrote to memory of 2688 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 46
PID 516 wrote to memory of 2688 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 46
PID 516 wrote to memory of 2688 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 46
PID 516 wrote to memory of 2688 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 46
PID 2688 wrote to memory of 2696 | 2688 | cmd.exe | 48
PID 2688 wrote to memory of 2696 | 2688 | cmd.exe | 48
PID 2688 wrote to memory of 2696 | 2688 | cmd.exe | 48
PID 2688 wrote to memory of 2696 | 2688 | cmd.exe | 48
PID 2932 wrote to memory of 1144 | 2932 | iexplore.exe | 50
PID 2932 wrote to memory of 1144 | 2932 | iexplore.exe | 50
PID 2932 wrote to memory of 1144 | 2932 | iexplore.exe | 50
PID 2932 wrote to memory of 1144 | 2932 | iexplore.exe | 50
PID 516 wrote to memory of 2472 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 49
PID 516 wrote to memory of 2472 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 49
PID 516 wrote to memory of 2472 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 49
PID 516 wrote to memory of 2472 | 516 | bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe | 49
PID 2472 wrote to memory of 940 | 2472 | cmd.exe | 52
PID 2472 wrote to memory of 940 | 2472 | cmd.exe | 52
PID 2472 wrote to memory of 940 | 2472 | cmd.exe | 52
PID 2472 wrote to memory of 940 | 2472 | cmd.exe | 52

Views/modifies file attributes 1 TTPs 7 IoCs
pid | Process
2696 | attrib.exe
940 | attrib.exe
1456 | attrib.exe
2756 | attrib.exe
3040 | attrib.exe
3024 | attrib.exe
2800 | attrib.exe
Processes
(indentation shows the parent/child relationship; the depth number is the one the report gives each process)

C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 516

    C:\Program Files\Internet Explorer\IEXPLORE.EXE (depth 2)
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2548

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 3)
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID: 1692

    C:\Program Files\Internet Explorer\iexplore.exe (depth 2)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2932

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 3)
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID: 1144

    C:\Windows\SysWOW64\cmd.exe (depth 2)
      Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      - Hide Artifacts: Hidden Files and Directories
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2860

        C:\Windows\SysWOW64\attrib.exe (depth 3)
          Command line: attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes
          PID: 2756

    C:\Windows\SysWOW64\cmd.exe (depth 2)
      Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      - Hide Artifacts: Hidden Files and Directories
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2492

        C:\Windows\SysWOW64\attrib.exe (depth 3)
          Command line: attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes
          PID: 3040

    C:\Windows\SysWOW64\cmd.exe (depth 2)
      Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      - Hide Artifacts: Hidden Files and Directories
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2668

        C:\Windows\SysWOW64\attrib.exe (depth 3)
          Command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes
          PID: 3024

    C:\Windows\SysWOW64\cmd.exe (depth 2)
      Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      - Hide Artifacts: Hidden Files and Directories
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2264

        C:\Windows\SysWOW64\attrib.exe (depth 3)
          Command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes
          PID: 2800

    C:\Windows\SysWOW64\cmd.exe (depth 2)
      Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      - Hide Artifacts: Hidden Files and Directories
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2688

        C:\Windows\SysWOW64\attrib.exe (depth 3)
          Command line: attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes
          PID: 2696

    C:\Windows\SysWOW64\cmd.exe (depth 2)
      Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      - Hide Artifacts: Hidden Files and Directories
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2472

        C:\Windows\SysWOW64\attrib.exe (depth 3)
          Command line: attrib +h "C:\WINDOWS\windows.exe"
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes
          PID: 940

    C:\Windows\SysWOW64\cmd.exe (depth 2)
      Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      - Hide Artifacts: Hidden Files and Directories
      - System Location Discovery: System Language Discovery
      PID: 2956

        C:\Windows\SysWOW64\attrib.exe (depth 3)
          Command line: attrib +h "c:\system.exe"
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes
          PID: 1456
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 97068992ed64966401aff6105dc74228
SHA1: e401d9f3697aa03b2a756c0cfde5720c5a87e046
SHA256: b1669dc32c85fe27e7af8914aaa42c5f7a35729c66fb9a23afdcd76c4cff27e2
SHA512: 2234538aa9499ce0c06cfe86ed73777d7a841432227dfa842a582396b806f04113464424f6c6105c3d0080bef09cb94012e4abc62b4bbf07c576ecb3e729e12d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1f6c972d8d724849430b704cac9c1298
SHA1: 869437c5e0d32b5f0835b000b9dfb1412496589b
SHA256: 8227c0887f7c5d2928d6d6cb9e3264ee9cf4d02968972bc4493e0c024a0ac597
SHA512: 577f26759a5f5312d4c60a3923d345ba7e11f94d24d4cb5217b55d27a2a0f3f07fbdb0853426852b0acc99d9466e41f077c7105c6abec6883bb5c61608392caf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2aa6d5d3b3e6f1504875ab58761781fc
SHA1: 9eeb986f957ea8076bbd8b71ff487769e74ffcaf
SHA256: 8e470d93dfc18a089c34b2611a4b64b09210b13150ce827c1446c13713a4a3db
SHA512: ae7bca8b15f7095e98ab4026a269db537a5122fc5945fd0b5c766a7230a23a7fd924ccf870df04a7c6ba6dbf4de27328f485266751b40d41bb1cf53a26f1da6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 38affb8a0b9f8342f5b305c38b86d57b
SHA1: 3ae788431e4e7d15f5f9c02cfb92224118a1f507
SHA256: 46dd8a0276937d1bc0b4840328bca1bea7789b916dfe9e9063c55352cf185398
SHA512: 75f9b3c6b4fe70da9090b588e1f5c4f7d7d8d47f2039b70c329100c4e5b6c8346268b42446fc85645b0e7eeac2eb4526c72365f624e6b495961f4fe1e16da74f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 685829012a04e6651100a17c43010dab
SHA1: 161181f8509a23e98c70e0f0d3840f310db4e472
SHA256: f2362a671476aad1c67f5598ee583c44d5f6b0aa770bf82b70aac6e0a7773331
SHA512: 622235df63f35a5a879e13c893e8869a8bbd5cff619dfb5485718c935b45d56e716675e30937fe05c3347705f7c64d6a40a5dd3288dd5c54af8e5e5b80a24209

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: d3092bc69bb373ecab7ab9321397da1e
SHA1: d92c4ea70e585481b3c2089a15ca3da2b1f03fc0
SHA256: c5d02fb621d559e30435be9868286674eb88b45a68efb0e30ee54ee9aa5d10be
SHA512: 2b6e92c60824b4cbe0b0ca3995381d0c87c9947b81d05a996d739b6e414d7752ee7a09cd5caec24f5928a33b79aebf660cd9472ea13555b4e14c3c14674a0260

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 5bcde82a1e9e563c45715728b6786750
SHA1: 29c04e2b6b22287c90945654e17ea55545436115
SHA256: ab59ce3400fdb1f98408aa9618521672efb7a8c67a52c4dfb3104ca327cd14e9
SHA512: 339abb92b1b0437ea42b800d2050c99c07eed6d186d0372bdf43d893a21d3945af9333ddcac2bfb93b8edb31d1906823477c8d9c1f2df74b4f572944a02aa9bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e9dd15371a909a064933a977a176cb09
SHA1: f22658e91e0195f84ebe7eac3fad51257fe2e9b0
SHA256: 27b885efd19ffe2f45e05046506bab505864f33ae2c61a68cb4665fdb373edce
SHA512: 7d21c31bbe63bb764b6008635436d187654082edb6ff1525b85cf5df7511cf0baf22402ea3d038d45d4b50acd8f5dfe25e3e3eedf95c2a76d15f1d4fc7dddda6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: fd6dbf8a14280dfa5d9f41377e366461
SHA1: 8f0d01f0cc8358d30a159110402b7d339a483caa
SHA256: 2ba1d43f4e1bc9909f853a891ff9b454f31f8c75d922ae262481e69b63f27198
SHA512: ac4764cf84f72be426bf6897581e5a1c2b0bf5383bc74738498f929db2be895e591592da15bdad0392873aca87b79d81c0232d4daecd7b86263a4a92838a1a6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 554094881fe586c0ae29bb149e0116b0
SHA1: 6cf8cd47feffbc7c99f54226782301e8669c02d6
SHA256: 0d6be37219e30d0f47a9dacb8822e2c9eacfc1d1ae07ec8e2b87dec30a555ba6
SHA512: 728124eeb9310217f107118e67ac0792542fb6fee87d1cd7c4d7b0cfffdd3fc7fc29e78fd466bac11c2d5dbac29b53785ded0e7cca314ac81a44cb671395d4ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f360c041b048146ff6faf87ce927c011
SHA1: 3afd76f107d2a0464ab2956b9b30236f67b131e5
SHA256: a0553dea98769121e713f0fff1edcb81edd5823633c853b605b539322b3cc011
SHA512: 5abd5ac86baa61dadcdf9716cd4f9965449734b57cfd554715d786681e4a7900620e8f057d385b3287eae395ca44ff951b51285b9471555ce2ea18e55fbb0e0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: db26b8c923007cadcee647e9357c5949
SHA1: 864135a0dfb1d8477ca1afc2f652ddbbc97a4475
SHA256: 9fe56b12fbc696354d7f22f157c1275a6417c4e7aa73c9a782afe45e1de0854e
SHA512: 0d6c5c25454648412fc5b66be13ea7fcde1546549b8198e8d8197c17980932ac681fce3759275bf3e99aa6d4dbceb50d73c710cbb41acb5fcb9d343619e3180c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1b6a80773b969a427727f1160a323b3f
SHA1: b3a38568f6a45bb0ef31aac4f4f5debd33c474da
SHA256: ece87ca13efd4af78cfc901b8e893dd0d0402691efcd35d132524f8711153df0
SHA512: 653f69d57e9795f1a7e7d12d368d888f5b05c1fe9c1c96680fa75e7909c5d3ef50dc6427fac8cf6eb85b93be06b30789ad01dab5ee10bb698459cba9a11482c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1a872a84010b4f542ba8883c3b5b1ad8
SHA1: 1cfef5483c939e935e89c54399a970e61508a51d
SHA256: 02103ee074b75da809ee0b7029260e5e99118ecad123a5185d1b5940ba1a9e77
SHA512: 4bc976a1d4584d0c03c181c250f53787756eae6ce380c6fddfb128e2f822ffa7d2ad23ddc0180de763e0e26e4ca68c81e41c80c215360fe9c796804a38f0ae19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ae4d1244dd81d9a0b0145d855c616c99
SHA1: 147c952a2042ad717d94d29af922607294a9bbff
SHA256: 70577f4430c649a37c1ab0d92008b94be3a7c9f8af5520efc0cae2bf859add2e
SHA512: 1f47088d666cfac8814c97e56a1063fb0b3ed5ba3bb1613d788a63adc2c6207df7661f64d17d881b71e05cc37f6ca067cca4f359f9fbf94699ba9b8f042bbef8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6eec9ed26284299866f26eef9b4507e5
SHA1: c714d2167e2a8cba6240af46b61762447b0c4039
SHA256: 028983b3284a5722397c2f74bd93b6b6ada8c73d432ef659b5a5a811d4a12721
SHA512: 282ff1be3b4022dfefdadb566f48353b66b7d886ddd9297bc3876b1de20c33a3bf2c8c2ac6e57cadeaa20eaf3ebae3cb0bc345049d2894c376b05a4f0103d1d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 18df4f08c4b6ee0ab90285f7ba4a7bf8
SHA1: 6b7d9d2bfd2c9718a24be191594f6495fcb4c0ee
SHA256: a75493b9b909d43f7503b93225e02c8967a6d86159b5d9c1019243b92a5cb313
SHA512: eec2b3c4bfbc60277dfb1aba6e0e0be08a3ea28196ae6b9f33137859966eaf7c530555cdec4dcb5675444d040526b0c7807031159cd172306e37066cff3fb1ce

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5FF0CB21-9740-11EF-A5FC-C670A0C1054F}.dat
Filesize: 5KB
MD5: 5c7d06241871b92c6743a4045b2b6a7a
SHA1: 221601389dbb1dd1d982bbffd19ee7c84d4fae7a
SHA256: 07a1196b9f908bba84e8b8a12058f4610aa849190959ddca5f9989a51ee9265e
SHA512: c30dced3884c6d90d281186aa000b37f9f85be64c9429972ba8e9cd9ec22acd7a2199f97741345a6a3d4812a1268d0f2496be3cfd0bc67b68cd058dc1141d0f2

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 55KB
MD5: 959580a2d105e6140652d2a3ec6e5630
SHA1: 6d407fa2193dba88750a29aa2872f42fa6d939fb
SHA256: 11c9d47686b80ee6ed67d479344368e7e115736461712bd335af225e650d4d71
SHA512: e7706fa6993e33543df08405eb019412015cf99da7f8034007c8740d2d890e96af211f51cb2aa72f03f72ee97aa745ee57cee1b8e09f54d49c3ec48f68ad26b6

Filesize: 55KB
MD5: 3125f9d1dc071b11b2ee21dcb8f844a7
SHA1: b98911e4c2ef5397245154fa3b914f5c756dea97
SHA256: 16c93102e4b7efc4146b2d0d31da792026b38815be54409594a74677c99e5721
SHA512: 8558e5fc790f0119867181ce4be488e0408a37b4067e5617e47a44aa7995dd9a87c2bbc3423fd116aad070b8f2a6b9f255f890f7837b7c93b8c5cbac527beb52