127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082

Analysis

max time kernel
115s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
Size

232KB
MD5

f58a38386bfb38a323a8081660ddef80
SHA1

af55b0bf9cde4194a9b55cf03eb9613205c79122
SHA256

127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082
SHA512

f616c62ee3bf29dd22a01d072e993b15e43658bbb757d5553ae27daabe5623b18871c284536f0894057df77c46c970feba16e9e4be91c91bb20abbd196f1d0b7
SSDEEP

3072:k1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1Vne1i/NU82OMYcYU:Ci/NjO5xbg/CSUFLTwMjs6wi/N+O7

Score

8^/10

defense_evasion persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4660-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
C:\WINDOWS\windows.exe	upx
C:\system.exe	upx
behavioral2/memory/4660-388-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe

description	ioc	process
File created	C:\WINDOWS\SysWOW64\ie.bat	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
defense_evasion

Hidden Files and Directories
T1564.001

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid process

2148 cmd.exe
4220 cmd.exe
2024 cmd.exe
3736 cmd.exe
4988 cmd.exe
4544 cmd.exe
4972 cmd.exe

pid	process
2148	cmd.exe
4220	cmd.exe
2024	cmd.exe
3736	cmd.exe
4988	cmd.exe
4544	cmd.exe
4972	cmd.exe

Drops file in Windows directory 3 IoCs

Processes:

127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exeattrib.exe

description	ioc	process
File created	C:\WINDOWS\windows.exe	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
File opened for modification	C:\WINDOWS\windows.exe	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e090fed15eceda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E55E3F3E-3A51-11EF-BCE7-4A64FBB68FC2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eac5ff4fa30c4c4ab59d935a49d7115100000000020000000000106600000001000020000000b720b48406359b1c0166d58e1fbdc9874f7d14667916102bcd5be8e3d7d3e8fc000000000e80000000020000200000008877640f95a07cdfa9d6b58a167b4bcfd8dfb5525c5b5c4e2b559dc24c9520b8200000006eb1fdbb753bd101e0ee0e903a8bdcef268f007508ea4c11ae1059c99d2581cc40000000b6c31a6926d51b1bfd59642ddf3cc9a167fca6a171927f5066552e690ba3b0f2d7b7c35ead4649c267cdf10296aa01947ec4ef74fe9b37e4d7cb2226b3cde588	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Internet Explorer\Main	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eac5ff4fa30c4c4ab59d935a49d7115100000000020000000000106600000001000020000000e636bed1ee6958562295323f1b3994c4316f42f5581feaee2c4c5a16b803a998000000000e8000000002000020000000acb02f508341e4ba28ca979ed8ecf43752c99cbb08f0b47192f6c9562bb75921200000001c04be458a058c3b453b3b0d05abb4e09571f810dbd2206fd04cc07ff798bdef400000004b2b436f2a157a0cf7bd74120518fb5996cfa7df8d8d6f5396ffcb707f7f9b8dd21407c5bea952b717400ec45a7f970184db3de2eca56094435fd22280dd0d40	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426895863"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f064f7d15eceda01	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe

pid	process
4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4364 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exeiexplore.exeIEXPLORE.EXE

pid process

4660 127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
4364 iexplore.exe
4364 iexplore.exe
1656 IEXPLORE.EXE
1656 IEXPLORE.EXE
1656 IEXPLORE.EXE
1656 IEXPLORE.EXE

pid	process
4364	iexplore.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exeiexplore.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4660 wrote to memory of 4364	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	iexplore.exe
PID 4660 wrote to memory of 4364	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	iexplore.exe
PID 4364 wrote to memory of 1656	4364	iexplore.exe	IEXPLORE.EXE
PID 4364 wrote to memory of 1656	4364	iexplore.exe	IEXPLORE.EXE
PID 4364 wrote to memory of 1656	4364	iexplore.exe	IEXPLORE.EXE
PID 4660 wrote to memory of 2148	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4660 wrote to memory of 2148	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4660 wrote to memory of 2148	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 2148 wrote to memory of 2696	2148	cmd.exe	attrib.exe
PID 2148 wrote to memory of 2696	2148	cmd.exe	attrib.exe
PID 2148 wrote to memory of 2696	2148	cmd.exe	attrib.exe
PID 4660 wrote to memory of 4220	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4660 wrote to memory of 4220	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4660 wrote to memory of 4220	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4220 wrote to memory of 4908	4220	cmd.exe	attrib.exe
PID 4220 wrote to memory of 4908	4220	cmd.exe	attrib.exe
PID 4220 wrote to memory of 4908	4220	cmd.exe	attrib.exe
PID 4660 wrote to memory of 2024	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4660 wrote to memory of 2024	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4660 wrote to memory of 2024	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 2024 wrote to memory of 1704	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1704	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1704	2024	cmd.exe	attrib.exe
PID 4660 wrote to memory of 3736	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4660 wrote to memory of 3736	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4660 wrote to memory of 3736	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 3736 wrote to memory of 4952	3736	cmd.exe	attrib.exe
PID 3736 wrote to memory of 4952	3736	cmd.exe	attrib.exe
PID 3736 wrote to memory of 4952	3736	cmd.exe	attrib.exe
PID 4660 wrote to memory of 4988	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4660 wrote to memory of 4988	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4660 wrote to memory of 4988	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4988 wrote to memory of 3912	4988	cmd.exe	attrib.exe
PID 4988 wrote to memory of 3912	4988	cmd.exe	attrib.exe
PID 4988 wrote to memory of 3912	4988	cmd.exe	attrib.exe
PID 4660 wrote to memory of 4544	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4660 wrote to memory of 4544	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4660 wrote to memory of 4544	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4544 wrote to memory of 4656	4544	cmd.exe	attrib.exe
PID 4544 wrote to memory of 4656	4544	cmd.exe	attrib.exe
PID 4544 wrote to memory of 4656	4544	cmd.exe	attrib.exe
PID 4660 wrote to memory of 4972	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4660 wrote to memory of 4972	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4660 wrote to memory of 4972	4660	127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe	cmd.exe
PID 4972 wrote to memory of 4756	4972	cmd.exe	attrib.exe
PID 4972 wrote to memory of 4756	4972	cmd.exe	attrib.exe
PID 4972 wrote to memory of 4756	4972	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 7 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

4756 attrib.exe
2696 attrib.exe
4908 attrib.exe
1704 attrib.exe
4952 attrib.exe
3912 attrib.exe
4656 attrib.exe

pid	process
4756	attrib.exe
2696	attrib.exe
4908	attrib.exe
1704	attrib.exe
4952	attrib.exe
3912	attrib.exe
4656	attrib.exe

C:\Users\Admin\AppData\Local\Temp\127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe
"C:\Users\Admin\AppData\Local\Temp\127fa3cb3fa54d580eb0369fcca7640f388e0ed85c14a3661bd6d0aa5db43082.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4660

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4364

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4364 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
2⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
3⤵
- Views/modifies file attributes
PID:2696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
2⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
3⤵
- Views/modifies file attributes
PID:4908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
2⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
3⤵
- Views/modifies file attributes
PID:1704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
2⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
3⤵
- Views/modifies file attributes
PID:4952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
2⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
3⤵
- Views/modifies file attributes
PID:3912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
2⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\WINDOWS\windows.exe"
3⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:4656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
2⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\attrib.exe
attrib +h "c:\system.exe"
3⤵
- Views/modifies file attributes
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4128,i,8915411528919259905,1376069533550353705,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8
1⤵
PID:4924

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07DB822C3548410165E7DFA39F71BDE_5D5868E022B51140803CC8EE59C05FA9
Filesize
1KB

MD5
1cc3e8eb1dccaebb9cf5861548cff859

SHA1
39879ef62c696ac63a1d2a4d73b0991be4af2b4b

SHA256
2aad2744daae3bdbb50e6003b4d4ac2df0136b762761af925f8eba8587888899

SHA512
672f4f3684d219d8fb4ba91eb12d34203c5d133d0abec90372fd84d7e9f93b08203c44424fd887eda7ebb6f15d75c4038edaa63ce994b9895524be25554c6ac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07DB822C3548410165E7DFA39F71BDE_5D5868E022B51140803CC8EE59C05FA9
Filesize
414B

MD5
03ce770dd136fd93fb0964fffbe5819f

SHA1
f6068f99e6cf27635767573f461363e1c3f7784a

SHA256
db21f411cca041ebe07735cdc8984e4e39924971fd11136b7c2db676d148d970

SHA512
9e3825133fd696eee4d780443607f9e4c633fe4be6f6db363684e3cc5c894e7ebd7bdc666aa1ceeecef5d3f9c0cef38009f923a617de933c955fce5e43ad5465

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07DB822C3548410165E7DFA39F71BDE_5D5868E022B51140803CC8EE59C05FA9
Filesize
414B

MD5
67b963d47480a135ea006e41d54bca78

SHA1
a4362796b36d64de0c48c07d346d23bcd0a02a84

SHA256
3893159a73208b848309b2eb90c1538c41964ddb2b37e4bde08af8e5e8cdf0da

SHA512
3a14b3fb8758b62ae242cda5ff9ae395c8ee5e5b58612f2dfef7b6e691a1ab874cc03e3bef9ae421a7ad3fe3c5baf6e19757ca98b048d86380955e2d32a874e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T3O0220F\favicon[1].htm
Filesize
776B

MD5
0542ad8156f4dfca7ddcfcb62a6cb452

SHA1
485282ba12fc0daf6f6aed96f1ababb8f91a6324

SHA256
c90cdefdb6d7ad5a9a132e0d3b74ecdb5b0d5b442da482129ba67925a2f47e8f

SHA512
0b41affa129277bf4b17d3e103dc4c241bc2ac338858cc17c22e172ec2ac65539b63e802246efb462cd134d99907d9c5ed9bc03937cadcca3155b703ac6e3195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T3O0220F\js-sdk-pro.min[1].js
Filesize
33KB

MD5
24bb520e9517f2ed3ed987b46aeaf723

SHA1
846723563d7dd2bff3954f93633b11af0103adc8

SHA256
d1f1bfe698f2ffb7b3e7a885a301d58f9554d45df0a31c3e8b53c84b33c80d27

SHA512
31afbcd2ee87c84cc3e56355da8ddc741a69d918c2687984265745d8046deb18c494cbca6aaf8d4eae6b035e888e6f7cf9b0d59a255f2714963d7b3edbb3c87f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T3O0220F\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\WINDOWS\windows.exe
Filesize
232KB

MD5
ea4979e12d27ecdc97fd206664e3004d

SHA1
49e6d5491119f9c1b7fdcafde98e98bd87173724

SHA256
87ccdb80c9c44b71253c2f5af8a4d682821f482df9523545eb42700d9dca8986

SHA512
7e23a30765eacfde91005776e26cf8d9b5ca256cf1c82c1029a356fc9cde850965d813837d55adc023eb58039a27a70c7569bd65404ad850e13cd0f165f8c90e

Download Submit
C:\system.exe
Filesize
232KB

MD5
e333ecd9caadaf115057ace35fe0fdd4

SHA1
c41e49d6f74010275af5a1d07406d034db5a98ef

SHA256
e54fd5987e73b0e80017325e1e3ec38ad149c40c637854c7154d6861f9f7e449

SHA512
2cbf8cab9e731042cfeb370f2889c6784a5f74367f8e614ac34c2ea786c8c181672c4a131cb99df971420eee9ef3f2f783954cf48b5d4e1a5947a1c9df1c4e15

Download Submit
memory/4660-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4660-388-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download