22503a27c8bd1299e67f484b0c750276323d5a97b9dd45e1da7a935fe377ec1e

Analysis

max time kernel
104s
max time network
109s
platform
windows10_x64
resource
win10v200217
submitted
10-03-2020 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

103KB
MD5

4a953a639593adb97eacef0e3992b818
SHA1

ecf5ae2648ec0660c82912c0fd6ecc7fbfab9df2
SHA256

f3ea4dfbb6a31ba417d3e9caa90159e0e786226743a7b5ed04701f847054366f
SHA512

ea701c6474dfa1d910c5c3abbfa01e615bab73521f841eb15b9d76488cff6e6aa33caff4c7c65bfc97f8ff47e06e17e9979cd0ff305fd18aed76729500822e3b

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

Processes:

Sougou.exe

description ioc process

File created C:\progra~1\Common Files\Sogou.exe Sougou.exe

description	ioc	process
File created	C:\progra~1\Common Files\Sogou.exe	Sougou.exe

Modifies service 2 TTPs 17 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

Sogou.exe1.exeSougou.exeSogou.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\By:»ð¸ç\Description = "Äã²ÂÕâÊÇ¸ÉÊ²Ã´µÎ£¡"	Sogou.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\InitTime = "20200310"	1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\InitTime = "20200310"	Sogou.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Version = "V1.0"	Sogou.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS	Sougou.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\InitTime = "20200310"	Sougou.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Version = "V1.0"	Sougou.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Group = "rj"	1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\InitTime = "20200310"	Sogou.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Version = "V1.0"	Sogou.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Group = "rj"	Sogou.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS	1.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS	Sogou.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Group = "rj"	Sogou.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS	Sogou.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Version = "V1.0"	1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Group = "rj"	Sougou.exe

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1.exeSougou.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\progra~1\\Common Files\\Sogou.exe"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Sougou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\progra~1\\Common Files\\Sogou.exe"	Sougou.exe

Drops file in System32 directory 1 IoCs

Processes:

Sogou.exe

description ioc process

File created C:\Windows\SysWOW64\Sougou.exe Sogou.exe
Suspicious behavior: RenamesItself 3 IoCs

Processes:

1.exeSogou.exeSogou.exe

pid process

4052 1.exe
2076 Sogou.exe
3668 Sogou.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Sougou.exe	Sogou.exe

pid	process
4052	1.exe
2076	Sogou.exe
3668	Sogou.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1.exeSougou.exe

description	pid	process	target process
PID 4052 wrote to memory of 2076	4052	1.exe	Sogou.exe
PID 4052 wrote to memory of 2076	4052	1.exe	Sogou.exe
PID 4052 wrote to memory of 2076	4052	1.exe	Sogou.exe
PID 3956 wrote to memory of 3668	3956	Sougou.exe	Sogou.exe
PID 3956 wrote to memory of 3668	3956	Sougou.exe	Sogou.exe
PID 3956 wrote to memory of 3668	3956	Sougou.exe	Sogou.exe

Executes dropped EXE 1 IoCs

Processes:

Sougou.exe

pid process

3956 Sougou.exe

pid	process
3956	Sougou.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Modifies service
- Adds Run entry to start application
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4052

C:\progra~1\Common Files\Sogou.exe
"C:\progra~1\Common Files\Sogou.exe"
2⤵
- Modifies service
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
PID:2076

C:\Windows\SysWOW64\Sougou.exe
C:\Windows\SysWOW64\Sougou.exe
1⤵
- Drops file in Program Files directory
- Modifies service
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:3956

C:\progra~1\Common Files\Sogou.exe
"C:\progra~1\Common Files\Sogou.exe"
2⤵
- Modifies service
- Suspicious behavior: RenamesItself
PID:3668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sougou.exe

Download Submit
C:\Windows\SysWOW64\Sougou.exe

Download Submit