9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717

Analysis

max time kernel
95s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
Size

232KB
MD5

ff4b9cbb64f24f6ced273213a30319d8
SHA1

9a2accc2adb3c4aca9e661d61ea035d4d8eae125
SHA256

9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717
SHA512

73d4cc3e470f148c9dc8abe63a9b3fe2c03fa0b44ccc9345abf29e32ef616f04bcbc06d7b6dbf7fc191e37e507b7d86d8b8c808516ea7a5be0cb7510883476ed
SSDEEP

3072:YI1i/NU8bOMYcYYcmy5cU+gTn6HOjDhWrzvvQwlgO5s1i/NU82OMYcYYamv5bW:bi/NjO5YBgegD0PHzSni/N+O7n

Score

8^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe

Drops file in System32 directory 2 IoCs

Processes:

9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe

description	ioc	process
File created	C:\WINDOWS\SysWOW64\ie.bat	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
defense_evasion

Hidden Files and Directories
T1564.001

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid process

3064 cmd.exe
3296 cmd.exe
2536 cmd.exe
1740 cmd.exe
2704 cmd.exe
2456 cmd.exe
4056 cmd.exe

pid	process
3064	cmd.exe
3296	cmd.exe
2536	cmd.exe
1740	cmd.exe
2704	cmd.exe
2456	cmd.exe
4056	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5108-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
C:\WINDOWS\windows.exe	upx
C:\system.exe	upx
behavioral2/memory/5108-20-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

Processes:

9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exeattrib.exe

description	ioc	process
File created	C:\WINDOWS\windows.exe	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
File opened for modification	C:\WINDOWS\windows.exe	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeattrib.execmd.execmd.exeattrib.exeattrib.exeattrib.exeattrib.exe9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.execmd.exeattrib.execmd.exeIEXPLORE.EXEcmd.exeattrib.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEiexplore.exe9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000028e76085f1f7640a0643881d549bbfc0000000002000000000010660000000100002000000028662bc6d137c2b10d1d85fcfc07e49cd19a13e1cacf7d88c0aae36acc7a19b3000000000e8000000002000020000000ab21f5cc1398b7aa3a29423680d53e3974475176524fa7482a7f0d02dc4e8c282000000061d8ecba6637c5dd4078c6be0425344fa41d1097f80e53d634b3892d8afb2a63400000002cd8795aec9930106ff512948b67844b80c6978b5a07e755b9c8700c0c8241819372af5b0f3e833f24b23c2c003947366fb495c66db539d1bfdbde5b853dc98e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31145350"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{99A1436F-A979-11EF-A4B7-CAF61997B0B0} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1845733206"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000028e76085f1f7640a0643881d549bbfc00000000020000000000106600000001000020000000fc270ac96b12cf393de63f6c2c2bc68fca7496261813785da79840b6facb4390000000000e80000000020000200000008024c2c54c6510c9d17e7c48c3475ea91988ac54c25fd54ea0640466b49312852000000000de690fd7f813c793f7e297bc355a2fe4642a8670ee152f6b86230949028f8f40000000cb6ddd90ff28da648955ff15ca2a9f3c1632298d596cdaac6907e3d40d731152864db68913ef696f2abc32c7d69210754f421d2f2e01b6444b7522d8858f66d7	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1031186f863ddb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31145350"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1850733682"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1845733206"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31145350"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e061266f863ddb01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439117495"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe

pid	process
5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

3248 IEXPLORE.EXE

pid	process
3248	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
3248	IEXPLORE.EXE
3248	IEXPLORE.EXE
532	IEXPLORE.EXE
532	IEXPLORE.EXE
532	IEXPLORE.EXE
532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exeIEXPLORE.EXEcmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 5108 wrote to memory of 3248	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	IEXPLORE.EXE
PID 5108 wrote to memory of 3248	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	IEXPLORE.EXE
PID 3248 wrote to memory of 532	3248	IEXPLORE.EXE	IEXPLORE.EXE
PID 3248 wrote to memory of 532	3248	IEXPLORE.EXE	IEXPLORE.EXE
PID 3248 wrote to memory of 532	3248	IEXPLORE.EXE	IEXPLORE.EXE
PID 5108 wrote to memory of 2052	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	iexplore.exe
PID 5108 wrote to memory of 2052	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	iexplore.exe
PID 5108 wrote to memory of 2536	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 5108 wrote to memory of 2536	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 5108 wrote to memory of 2536	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 2536 wrote to memory of 2340	2536	cmd.exe	attrib.exe
PID 2536 wrote to memory of 2340	2536	cmd.exe	attrib.exe
PID 2536 wrote to memory of 2340	2536	cmd.exe	attrib.exe
PID 5108 wrote to memory of 1740	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 5108 wrote to memory of 1740	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 5108 wrote to memory of 1740	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 1740 wrote to memory of 3244	1740	cmd.exe	attrib.exe
PID 1740 wrote to memory of 3244	1740	cmd.exe	attrib.exe
PID 1740 wrote to memory of 3244	1740	cmd.exe	attrib.exe
PID 5108 wrote to memory of 2704	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 5108 wrote to memory of 2704	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 5108 wrote to memory of 2704	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 2704 wrote to memory of 2884	2704	cmd.exe	attrib.exe
PID 2704 wrote to memory of 2884	2704	cmd.exe	attrib.exe
PID 2704 wrote to memory of 2884	2704	cmd.exe	attrib.exe
PID 5108 wrote to memory of 2456	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 5108 wrote to memory of 2456	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 5108 wrote to memory of 2456	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 2456 wrote to memory of 3448	2456	cmd.exe	attrib.exe
PID 2456 wrote to memory of 3448	2456	cmd.exe	attrib.exe
PID 2456 wrote to memory of 3448	2456	cmd.exe	attrib.exe
PID 5108 wrote to memory of 4056	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 5108 wrote to memory of 4056	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 5108 wrote to memory of 4056	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 4056 wrote to memory of 3720	4056	cmd.exe	attrib.exe
PID 4056 wrote to memory of 3720	4056	cmd.exe	attrib.exe
PID 4056 wrote to memory of 3720	4056	cmd.exe	attrib.exe
PID 5108 wrote to memory of 3064	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 5108 wrote to memory of 3064	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 5108 wrote to memory of 3064	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 3064 wrote to memory of 5044	3064	cmd.exe	attrib.exe
PID 3064 wrote to memory of 5044	3064	cmd.exe	attrib.exe
PID 3064 wrote to memory of 5044	3064	cmd.exe	attrib.exe
PID 5108 wrote to memory of 3296	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 5108 wrote to memory of 3296	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 5108 wrote to memory of 3296	5108	9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe	cmd.exe
PID 3296 wrote to memory of 1776	3296	cmd.exe	attrib.exe
PID 3296 wrote to memory of 1776	3296	cmd.exe	attrib.exe
PID 3296 wrote to memory of 1776	3296	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 7 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

3720 attrib.exe
5044 attrib.exe
1776 attrib.exe
2340 attrib.exe
3244 attrib.exe
2884 attrib.exe
3448 attrib.exe

pid	process
3720	attrib.exe
5044	attrib.exe
1776	attrib.exe
2340	attrib.exe
3244	attrib.exe
2884	attrib.exe
3448	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe
"C:\Users\Admin\AppData\Local\Temp\9f5920f097e0accf9eb7cd98976779f933410911b47b19eb190eff90fbd64717.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3248 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:532
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
  2⤵
  - Modifies Internet Explorer settings
  PID:2052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\WINDOWS\windows.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:5044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "c:\system.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
a5d59031144ac6ab3dbf6358566aa618

SHA1
f6fb4567bbfd07f0df27083b36a179e00c263c5d

SHA256
039ec47b1e431e2555dc8da6bff06a3c78b242c01c9553286128c0f94d4c55ff

SHA512
a3049b32be6a7e8a4b1522d32df205e6433fa81fd540893ca917eb6ca33f51f79ec5571f144727bf145f00a457b4705942f0c55c85ddad96a227465345fc866f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
7c6593f09712e94f69a0bad4b3f92130

SHA1
d4d3e24e94ed1180168f6acc641eb820a80505a4

SHA256
7b9c5806fc992286ea099fa0e90197f8f790aa38fdfc580ff1436af64f96dc2c

SHA512
c0c29742f184192fe381e6bc6c58ea0b21885b3426848097ba6830cbc44b92a62201be51a97377b95845ee1564bbf6a07ccc7dd4ed24af749121bda880431404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\WINDOWS\windows.exe

Filesize
232KB

MD5
8c747063a0ecd6590dad1a9344ed6c39

SHA1
e72dcc69f5a765b8f47e3286db0fb5f0e810dc90

SHA256
1e7348ec57fa063e015fc91dad2eeb606b505a67be101384d2390e71c6b2c5ab

SHA512
f8c06acacb8f5431338e5148b9138274d0b5178a0e8b3eab4293b193d8a6b2b0204e92cfb642dd815aeaf49746f879353d6d1f2338f8d43a118049a8e6e50d2d

Download Submit
C:\system.exe

Filesize
232KB

MD5
8aa038a354be027acac04864f6f4bbbf

SHA1
e2162b0f8274d7f76f69df0865a95a74268d9ca5

SHA256
410eece1f794d41e66a289fb87e8f1ad7ae0118ad135026168dc7d670ad12e01

SHA512
eed7bf5ce2ed73834693ca0c6370578180bd8cb0245a7e63e4ceefc5f44e32e1d3ca9487a03c4987c93def3bef03aa9417cab0c81e9df1306abe81e11b0d1645

Download Submit
memory/5108-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5108-20-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download