e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510

Analysis

max time kernel
117s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30/11/2024, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Size

100KB
MD5

ad65f99b3e14ea7021b3867fcac52ed9
SHA1

904c41ef1cc28f568da89eff5fcfe76f0166feb8
SHA256

e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510
SHA512

c3ebdd9ae66773e10ec6ce209ba9deecc40eb2b804b767c3fa060cd2f553c4c45dc13aefc44758eb3249a54e89ba0f459d9db7296125af38c5eea307d8cf24a7
SSDEEP

1536:Vf4exGDkeZ4mOoSgJEAJJh/1scO8V5m10ghfF4LMbk1pZR/yNdPY4y3NYh0Da:94eYZ4+1JXJJN1si4n0VR/yPY4gNE0Da

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2900	Installer.exe

Loads dropped DLL 57 IoCs

pid	Process
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2900	Installer.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2900	Installer.exe
2900	Installer.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\taobao.ico	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{16358831-AED9-11EF-807F-4E1013F8E3B1} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b960000000002000000000010660000000100002000000059a075f91f392dbdd7f83f0a5de5c6a86772c9959e0e32592bb6478a229c0a75000000000e800000000200002000000071efef1de56436bf1ea4fb428a1522ec6370c38add03e5e7aca9945789391bab900000008dbb9473018abc4d78378a83396553bab051199861db0dd9e4e017e83efe8d0cb850de128d3f80e1414f456dd8d79942b6d10f8ba42d6cee0093b27d90080dc8ce90edd936e63755abfe5f06fdf0016c2571bf8fd91c3b64c5357180b6387564f51a483185789aad68aff1ddb3f7427d620e30c3c0a18741ddef0b884b37f4250caf391d19f8aebbaafd8437619e15b140000000197ab4a966fda070c8558d05993b013373cb6cbcf1bec2dac9c4b806b287c3055c4ecb1173b1048f8e4f0229712516ea7e6e5a12d2e7d6f0c86c14f41076bc48	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439105155"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 702964ede542db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000005e461c4d834b94c43b21f9e2cf7f37c1ff00b03e833ce209eef56f1c12f9dabf000000000e80000000020000200000006cff6522e8623ce45e62f33529f477fbc4b28b6bedc1bce9de7fec3b24c42793200000008e780d6d4038845998116f2705dbb3e722d9796737d994c22f0f6b1b1067c63b4000000069e58f8d1900ce2b22581b0a085151cea6d1e0b18b5430dc1c99200926d2596208ea394da8a2ca188c27e8cc3fb68d7626ce185c488f6a2b893cdb2f02a8bf2b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94176A85-FCB6-420C-9BF6-FEC82AE52B4F}\ = "Internet Explorer"	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94176A85-FCB6-420C-9BF6-FEC82AE52B4F}\TypeLib	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3156F3C-CDE1-4F1C-A207-4C5D5EEB836C}	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3156F3C-CDE1-4F1C-A207-4C5D5EEB836C}\Shell\Internet Explorer	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3156F3C-CDE1-4F1C-A207-4C5D5EEB836C}\ShellFolder	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94176A85-FCB6-420C-9BF6-FEC82AE52B4F}\InfoTip = "Internet Explorer"	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94176A85-FCB6-420C-9BF6-FEC82AE52B4F}\DefaultIcon\ = "C:\\Windows\\SysWow64\\SHELL32.DLL,220"	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94176A85-FCB6-420C-9BF6-FEC82AE52B4F}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.my133.net"	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3156F3C-CDE1-4F1C-A207-4C5D5EEB836C}\ = "ÌÔ±¦-ÌØ¼Û"	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3156F3C-CDE1-4F1C-A207-4C5D5EEB836C}\ShellFolder\Attributes = "0"	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94176A85-FCB6-420C-9BF6-FEC82AE52B4F}	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3156F3C-CDE1-4F1C-A207-4C5D5EEB836C}\TypeLib	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3156F3C-CDE1-4F1C-A207-4C5D5EEB836C}\DefaultIcon	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3156F3C-CDE1-4F1C-A207-4C5D5EEB836C}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.05zw.com/taobao/taobao.html"	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94176A85-FCB6-420C-9BF6-FEC82AE52B4F}\DefaultIcon	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94176A85-FCB6-420C-9BF6-FEC82AE52B4F}\Shell	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3156F3C-CDE1-4F1C-A207-4C5D5EEB836C}\InfoTip = "ÌÔ±¦-ÌØ¼Û"	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3156F3C-CDE1-4F1C-A207-4C5D5EEB836C}\Shell	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94176A85-FCB6-420C-9BF6-FEC82AE52B4F}\Shell\Internet Explorer	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94176A85-FCB6-420C-9BF6-FEC82AE52B4F}\ShellFolder	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3156F3C-CDE1-4F1C-A207-4C5D5EEB836C}\TypeLib\ = "{E3156F3C-CDE1-4F1C-A207-4C5D5EEB836C}"	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3156F3C-CDE1-4F1C-A207-4C5D5EEB836C}\Shell\Internet Explorer\Command	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94176A85-FCB6-420C-9BF6-FEC82AE52B4F}\TypeLib\ = "{94176A85-FCB6-420C-9BF6-FEC82AE52B4F}"	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94176A85-FCB6-420C-9BF6-FEC82AE52B4F}\Shell\Internet Explorer\Command	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94176A85-FCB6-420C-9BF6-FEC82AE52B4F}\ShellFolder\Attributes = "0"	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3156F3C-CDE1-4F1C-A207-4C5D5EEB836C}\DefaultIcon\ = "c:\\windows\\taobao.ico"	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2136	iexplore.exe
2900	Installer.exe
2900	Installer.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2900	Installer.exe
2900	Installer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2900	Installer.exe
2900	Installer.exe
2900	Installer.exe
2136	iexplore.exe
2136	iexplore.exe
288	IEXPLORE.EXE
288	IEXPLORE.EXE
288	IEXPLORE.EXE
288	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2900	2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe	30
PID 2744 wrote to memory of 2900	2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe	30
PID 2744 wrote to memory of 2900	2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe	30
PID 2744 wrote to memory of 2900	2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe	30
PID 2744 wrote to memory of 2900	2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe	30
PID 2744 wrote to memory of 2900	2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe	30
PID 2744 wrote to memory of 2900	2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe	30
PID 2744 wrote to memory of 2136	2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe	31
PID 2744 wrote to memory of 2136	2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe	31
PID 2744 wrote to memory of 2136	2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe	31
PID 2744 wrote to memory of 2136	2744	e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe	31
PID 2136 wrote to memory of 288	2136	iexplore.exe	32
PID 2136 wrote to memory of 288	2136	iexplore.exe	32
PID 2136 wrote to memory of 288	2136	iexplore.exe	32
PID 2136 wrote to memory of 288	2136	iexplore.exe	32
PID 2136 wrote to memory of 288	2136	iexplore.exe	32
PID 2136 wrote to memory of 288	2136	iexplore.exe	32
PID 2136 wrote to memory of 288	2136	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe
"C:\Users\Admin\AppData\Local\Temp\e968819c461dd0d1e917641898a0735a25fe4355594019e3380a8a1133943510.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2900
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.my133.net/?32
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2136 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8a20ce276e1d060ae4c8eecc4c17005

SHA1
394d90bc57cf705aa043ddec5c5e41de1d231fc1

SHA256
1f0602215f85164bb1139f3f8eacdc3c877661edb7d5dbd3a985dcd553b796fa

SHA512
60148be1baaf4da287517d4b5f270262b4dffece354aa9a52e99def0a6aab8c312dfd6d28b40a8d10250e05ad14c0ce4dabdfccdb9aee984bbdb8255f9ff883a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ed94217b6ea002fa5ab59ac0cfb1eec

SHA1
0f57893bc2c3a623d68fe83f4412f3516c62ffb7

SHA256
683697f5681005c9b82ed3545a023f05a6409404bf832491a915f172a9805f47

SHA512
7adc576585c22edba1a3102b77f321d2ac0faa2aa44afd4a18c8ea84336ee6b7833432a891b57a4448432fbf1fe12810f6f1d2e27c1f80360fc164de018191ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71dcb722dc451788a7f36c9b46eae953

SHA1
3ae5c5b0d24d2732784db3b09b5b72ae2de81ee8

SHA256
dc9d977eb3935eec0b9797e410b868b1f2986dfcd7c7c9ec897f7ce3ed19497e

SHA512
155c783d976a788f7a07597a69950ff12c383e7e9faf5ac25a1df09f02170683076453cdd8548643085415912232a92d0cd5fad5f4bbaaefbb6ec61d72b505ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
213fdb5cc7b670a4ffe3e0512a97c010

SHA1
74d48a717f03ef9cf92e2aba89bb9b6c56cc1234

SHA256
ab532015cbf83db04bdde817949314627cb801dcf3ce3c38831f8bdae7895e36

SHA512
7c87b2f687ddf0f0bfc80a680a1c717b0606e4ee8bfa8c8dd58a6383bce79a2db874a17d3b4f171f079a9c2f35e14559f248392af340c0840466c329ae7a9b6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c889ee8e45bcc92a39097811e5bcb245

SHA1
4f2a954aaeddaf8599bb9664fe70454246c84ac6

SHA256
1f11c9ea6b48c6a9bb22b7fe134c4e8c44c10d06272d84cccffbaf2d3ea90ed1

SHA512
dec284f360c28607f3c2e0df8b37662927dc42e5cfbdedeadac68834ce6ffd0f87d663b846e97e23cf06f1e201d48ac1f344bb5256783bd2893ba98ba43aa2d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f82c0b5b0548a6c67d39349149c4281d

SHA1
99b71b9186d5808e4613fc3558575e69c800e759

SHA256
461e26896f9fd4ac326143ee1eccde46295cbe80d9827893d48e08298cdf2807

SHA512
8c59ce4756c431ff26d4b6976b914d5362d451e9956a862aaca129d9fca9b3c3e94d8db85169f63c12d3b4134d3675fb445b350273b67132af79f5c01bba344f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9177364025d141d95514119c1c8bf9c6

SHA1
19165914dd9f88a6f91313b498915c896488e829

SHA256
619ddca4e8dd900d37c9f9c8ba9234d899eb2ec15d8d22947bda84d4e280c394

SHA512
21218f4e638ef15efd33e78f585c4355ab35961e13ffa547fdf323241417bfd3d396a2190508c3bf3aa04115f13d98d99241f693f400b31f391efb467377f05c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c69cdce36955f3554fc197ee289529ba

SHA1
2114b602979171a0f47c664011d662b5ccc0704e

SHA256
38d7903ae5d79dd8e417d748a4e97b8dbf9da4c27ec3bc2e232f6272c7690bc6

SHA512
e921699c2daa559f3709ef54db2d016c7d9da8ed9c1aecfb6acdd884f67a27a5d0ebee19029d234f4b020f211b59d3b257b877895fbb653423699d206312529c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1328d763292c5eb3e34b1fbf4395edd7

SHA1
6364c312be121c64e80886225ad695836ef858df

SHA256
584cb734e17473748dfd604445731c6d23aff9cf61401dd1a3c392e1792f7f6c

SHA512
6baf7bea1e8cbdc1be339907fbf1f5b6e08b4d6d78a46e975ccab5bad925a5e42bb23954857bb61921db223faff19c0f8e63f1adaac4568605a347cf0f5d29e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
399c5c46659f03c08029c94acd4fcb8d

SHA1
f34620f758b606869daaf5f4cf83324d39b93710

SHA256
3e452c272518ca20047eb0ce8c9d3cc7eab1c03a53c35bfda7ada4b3f19eaee6

SHA512
95e5817f5aceb52b559214566a36975caca1252c862b4d1bae06bcc9908eecb7c2046d773336b3502b54fbedc0c89d0def8ec9e8927abe8a01c0913902f80088

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
971e68f7fe18f4dfd1069b4e5f84e0a9

SHA1
01a32845c5359409205bef62d1fed2a183b595a9

SHA256
4c71640e43638d38ba4b465af9179db92e58c610b1f47e821d3531ff3ac0289d

SHA512
b47c998c93a43454e8b034b50531072b5d25eb36d57b0c1a2a715bf0cad855cebdb7271b17743b3f4358d7a6d70ab88a1427e996bd46af06b51564337ec1ad74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
931c429022ad4123a43575d2c712c67e

SHA1
6f4797ead96f3c1b61cf978d0e5c6e272a95c10b

SHA256
61c31d6644f54bfcdbb0f01770bd6639841435168ec759df8db65f85c696b8e5

SHA512
44f2d4854ea2c92941e122c8ae2be2ee3b4fa958671375a8cde2416bec48424795559563607d74a45f58cc706887185629507d7a3e2bda99f0de0566a1311467

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f68e9ce50438b05faf5bc05080414864

SHA1
41bdd4db13d323153291f17b362c1a136f763952

SHA256
d69aa83fe72d7df255c581b0186468f0a83f6637e01fe229311d008cd1e9ceda

SHA512
0762c54041896c58e2fe381c501fdeed78b493d55433673ab7c8c607f6a2c32d49927a2778ac714ca20aae48979908a4938c48ecabcb56130c3df1b2adeb8013

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eeffea3010de81ce0f950300049bf883

SHA1
5ec9432aa4578facb115060515d4337d8959cb37

SHA256
793702fd141247886e0b5050c85fea7429651b31471b52d50b630149b14c94ba

SHA512
4b7b3bde61ad976937045816efb41f52e01ba3053061f7871767addc28212237c21b09ce2397e9842a149668f0b587c188ea42a2f50b56aabac8c3631b59a6cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ad05df97e8edd7c67713d10b4ab3fb4

SHA1
73b5c79ddf6911e98225e3b534645c17c92498cf

SHA256
56154e191aff6781d5c8429fb4b9cb819e0a4c8e6373f69e288940dfcd97573f

SHA512
f9854d7e76c22c2cd1c98017e08a0f2ce8c0e51fb907ec202be070a9abe26fb05569a9353c1bbee62f5a4339a6447b3f667bb4f8923a46a6b9cecf30cd978840

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f183f7ede36d966528bac876ec10afa9

SHA1
edeab2e9fdedd082a5cf42d40afca16243254464

SHA256
dbcd2a75483839079111dd1f0df11f983d2c6c632f4582e2d62004eb8f22d12f

SHA512
d3e9879ab1d90f07a51f9aa1f29b409c33fd910c8db82200c819b8af0af1aede04878657c580221b896136951f202c59959bf0e686bace2450a7c70fe425015e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b465e76485bff30deb47ddd842294bb

SHA1
439c647ca1a56bec7eaed38b6e40202253a9012d

SHA256
39af71c0dedd5d2b74d059431113286f643909473736b729baf1fd2366edbe64

SHA512
98485062af80c2c293da1df504064047d5970fbc98738a6de6887999ffc1fefe9c95d300358140126c9b89464d20e7e2690f070f9358b30edc910dd6da0bb71d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81932ce34a17235a3e438e413d3dc180

SHA1
e1b19a904c53e0445d5ae76ec51da1b0051e8e49

SHA256
a66d5fef26c2736cf73bddd2e0ef37c7394e8a800d8a5d2cc44211923b91a7ce

SHA512
be57c4733ba6ec87b5eb1919f182ba01416799f0c55ce48fe4c47e49a1656b4d43f49dad2c73f41412cb097adc87e467565ddddae6514d61ce35fc02c484773b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cbbbabb1d97103857cf632e6ee6f5b6

SHA1
c1372298d69a6b0374849dc70485303fccba0138

SHA256
1bb1945f716c9b3aad193afe4dd501b4501211af6c96e032535a6d85271a7657

SHA512
ccf41f7066ec9bf6f98ee3094157d603950ac5eb65453170372ab4eea8a76b4cbb710afd3b8beac11f8e2601384908b6cf0bc764f3e890703e3289e6d2fb66f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebab6acefc65b02a9cb31d7a3ee91039

SHA1
ff85b00d45d54f3871891bafd8040124a9e3185b

SHA256
d4b9f9a4f9621eca0038fe909a3c762c8d382694ba36fc96e4ecadc72313a7a5

SHA512
04c5ef18c6baf756ff71337fa285263abea614eee7190b5d9b3f2e707b0329e73b2762a697bd7290ac0d0d2244ad69acd11c34f5e0204666038dbd399ae14331

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab46F2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar47A1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1E4B.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1E4B.tmp\inetc.dll

Filesize
20KB

MD5
8d8fdad7e153d6b82913f6fdc407d12c

SHA1
aabbeed33cd5221e4cb22aab6e48310df94facfd

SHA256
e727c8bba6686c4814602f2bc089af4b4cf3498d1dbe1a08d8c4732da5ba046b

SHA512
42bc0ce1aca63904c34025307fd4b1d9f480ae47e42e7dfa48bbbf8286d947de2989435ad7a748951291307949217afeebcd31d10a1356c9366d3187085773a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1E4B.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

Filesize
1KB

MD5
4e16c8977531e73d0ce87ff5883c642b

SHA1
ad0acb4fe5dbee5c8a98900868c03417d7ae3c35

SHA256
bb1992a7ecb23ff97a8ce4f0f7055e55005afefdefa4612ce5b485827d4275d7

SHA512
9f5ee423c386f898408acb8052c875530cbc4728a91d3305103e41050b4f5dba18ab436cd5266e1326efc74049ae6701623b010e559b86046c213eb9477542d5

Download Submit
\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
69KB

MD5
5a4e76ff84eaf2f7f7596a6e0c675b33

SHA1
4d8623f89812fb8b754e3582d73ac97b6c54d98c

SHA256
751099188bdaf484ec2d754beda6ad8a798a9f6f80e4769465b2ac9e02595b27

SHA512
30151d7fe609ade1a8a48d310c9be4dadc8d49f73e6818f2cf807ce30319c78d67d4d92d47af2ab36ae4ca6a38eff264af5036b6c873a8864f5aa6f368c05b3e

Download Submit
\Users\Admin\AppData\Local\Temp\nso1E4B.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit