8e56c3d8c063172bf227e1980b09c41576440a1c3edef604cf5238f7c7299e3d

General

Target

SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
Size

1.4MB
MD5

d6affe0bfbe329109f5dc3e785fce0b4
SHA1

cc340be4c3fcb28c2ad22169eb90cf12ecf017f3
SHA256

8e56c3d8c063172bf227e1980b09c41576440a1c3edef604cf5238f7c7299e3d
SHA512

40c63cfbe2c4d7ad095a871d3e9e53766c10d5f12719bc5f0e75773456807a25b9216d2647e91d3541fa105ac8e5991913d0034a91fcce13fdda6f7c15477388

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

炎黄大陆.exe

pid process

2944 炎黄大陆.exe
Loads dropped DLL 1 IoCs

Processes:

炎黄大陆.exe

pid process

2944 炎黄大陆.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2944	炎黄大陆.exe

pid	process
2944	炎黄大陆.exe

Drops file in Program Files directory 15 IoCs

Processes:

SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe

description	ioc	process
File created	C:\Program Files (x86)\炎黄大陆\nsUninstall.dat	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
File created	C:\Program Files (x86)\炎黄大陆\SysBtn\CloseFocus.bmp	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
File created	C:\Program Files (x86)\炎黄大陆\SysBtn\MaxFocus.bmp	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
File created	C:\Program Files (x86)\炎黄大陆\SysBtn\StoreNormal.bmp	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
File created	C:\Program Files (x86)\炎黄大陆\skin.xml	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
File created	C:\Program Files (x86)\炎黄大陆\SysBtn\MinNormal.bmp	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
File created	C:\Program Files (x86)\炎黄大陆\SysBtn\StoreFocus.bmp	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
File created	C:\Program Files (x86)\炎黄大陆\SysBtn\CloseNormal.bmp	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
File created	C:\Program Files (x86)\炎黄大陆\炎黄大陆.exe	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
File created	C:\Program Files (x86)\炎黄大陆\SysBtn\MaxNormal.bmp	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
File created	C:\Program Files (x86)\炎黄大陆\SysBtn\MinFocus.bmp	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
File created	C:\Program Files (x86)\炎黄大陆\SysBtn\Thumbs.db	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
File created	C:\Program Files (x86)\炎黄大陆\Uninstall.exe	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
File created	C:\Program Files (x86)\炎黄大陆\3.ico	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
File created	C:\Program Files (x86)\炎黄大陆\DuiLib_u.dll	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

炎黄大陆.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	炎黄大陆.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	炎黄大陆.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

炎黄大陆.exe

pid process

2944 炎黄大陆.exe
2944 炎黄大陆.exe

pid	process
2944	炎黄大陆.exe
2944	炎黄大陆.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe

description	pid	process	target process
PID 640 wrote to memory of 2944	640	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe	炎黄大陆.exe
PID 640 wrote to memory of 2944	640	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe	炎黄大陆.exe
PID 640 wrote to memory of 2944	640	SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe	炎黄大陆.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.722681.19447.23377.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:640

C:\Program Files (x86)\炎黄大陆\炎黄大陆.exe
"C:\Program Files (x86)\炎黄大陆\炎黄大陆.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\炎黄大陆\DuiLib_u.dll
MD5
71c257d2f23f788477b91b77ad810cba

SHA1
013e167637e18e7c55499e90c48681613389dee7

SHA256
bc572a6d3508e13547df69962b4d2ef6432d098d530eff03b36678f1180a7b68

SHA512
a1a37e6f08f20a23f3922ace14e8fdfbd2076ee703657f064d07846c7f53173eca8511f4e39c99ef997870d60008d967abe5fe6ec2ef104cad67fac5a4505623

Download Submit
C:\Program Files (x86)\炎黄大陆\SysBtn\CloseNormal.bmp
MD5
b42b7a9b340a3ec6236a6f743b0d4f4e

SHA1
7ed5bf1ae6f94713b8d3e0bd8815953511ee5d41

SHA256
feda0ac7132fcbf18c34494a3bafba8c3b1b7734f535a048bc36898fea6657c2

SHA512
eb27e2647574d57a1ae939443447407920854870ebae89af4e54f27d709f517d3baa1db66e4def61f058d3e705c712293ec9e10dfb9ff0f082435fb88c0dd63a

Download Submit
C:\Program Files (x86)\炎黄大陆\SysBtn\MaxNormal.bmp
MD5
683aea1c1a26b82d973856c514611fc5

SHA1
8df8877646cca46794c074650f3981c405f38e17

SHA256
2b0381207cedcf7db3ea7c627d8f7c4ae3f1ee2d925d1d0b13e561b9865638ae

SHA512
ee22760c730f3677707c7a249c356e9c60e4cac36bfba8dd824e8ff929b2da7d5c8a247b510cdcdbbda479b0d2f65c7b2e3579974ea7dd0ac0eae5e64c42b9a6

Download Submit
C:\Program Files (x86)\炎黄大陆\SysBtn\MinNormal.bmp
MD5
8da0eabf9759ad1f7f15fbb9738b73e4

SHA1
fa3c1924075f48b4d0d0c0b237b73682ed18f074

SHA256
f1d3a21c9b966030bac4b79b4e41c51315baedc7428ad48e2b5c01a77ac544b5

SHA512
fbc461acc666b167832deeee114a28e99e616af147db02fb253557123aa883320416cf1681f25060e4534945a116ad1866aaf832f06ee9827714d59d86780c07

Download Submit
C:\Program Files (x86)\炎黄大陆\skin.xml
MD5
14659a10080ea49ae1a85ba2f8bb60bc

SHA1
e45b090118ea27b778bb5828a7994b80111ca3b2

SHA256
7fe2e4a6954071504712f0d8163e4f6b24c4900e6f3ea844b8e246978dc80d1d

SHA512
99a5c7a53675a4de24196598a7cc72b21622cdcd2333ca5cc82d27e6d9bced3a6eac11f94813ff344322faf2d57b38e9c01e513474a31c4e782a7778814cfcad

Download Submit
C:\Program Files (x86)\炎黄大陆\炎黄大陆.exe
MD5
38368601612714a437a3d89a95c8ac91

SHA1
6e719bb04a623b141c4726f2f5c71b7833419eac

SHA256
ea36a9c8034cbea2a143c4ea91bc483bbe608c2dcabd6dba91a804a2f3e01a09

SHA512
6f474881ea4fd95f4acdfc3619ac1153f91efbbc7840dd60be6b686577f1c0dc2bd36b5452d4f3e987e11491eaea6931db8cfbe905676ebc0059a940d5653712

Download Submit
C:\Program Files (x86)\炎黄大陆\炎黄大陆.exe
MD5
38368601612714a437a3d89a95c8ac91

SHA1
6e719bb04a623b141c4726f2f5c71b7833419eac

SHA256
ea36a9c8034cbea2a143c4ea91bc483bbe608c2dcabd6dba91a804a2f3e01a09

SHA512
6f474881ea4fd95f4acdfc3619ac1153f91efbbc7840dd60be6b686577f1c0dc2bd36b5452d4f3e987e11491eaea6931db8cfbe905676ebc0059a940d5653712

Download Submit
\Program Files (x86)\炎黄大陆\DuiLib_u.dll
MD5
71c257d2f23f788477b91b77ad810cba

SHA1
013e167637e18e7c55499e90c48681613389dee7

SHA256
bc572a6d3508e13547df69962b4d2ef6432d098d530eff03b36678f1180a7b68

SHA512
a1a37e6f08f20a23f3922ace14e8fdfbd2076ee703657f064d07846c7f53173eca8511f4e39c99ef997870d60008d967abe5fe6ec2ef104cad67fac5a4505623

Download Submit
memory/2944-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads