Overview

overview

8

Static

static

URLScan

urlscan

http://cando--china....

windows10_x64

8

Resubmissions

04-05-2021 16:52

210504-l9prtg9dss 8

04-05-2021 15:05

210504-8hehzzn18x 1

Analysis

  • max time kernel
    135s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    04-05-2021 16:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://cando--china.net

  • Sample

    210504-l9prtg9dss

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://cando--china.net
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3032
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\Ll2LxWOagynlSgJ.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\Ll2LxWOagynlSgJ.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4040
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\krNzUd2Snww9hFP.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\krNzUd2Snww9hFP.exe"
      2⤵
      • Executes dropped EXE
      PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    10987a1d727697d22e9613985bf39eba

    SHA1

    d92fa559cdea14bdc068eb5388f4a8725d9d290c

    SHA256

    8c026af272e0d8eae1ec8978047926e4bbdb2a7ebe0207a738307150e2ed0063

    SHA512

    31910362ff1a6afe47a6abe7d77d1056eb1a1531cc027ae33bb34e1b4b788cd7efe2292278b02548e72b1441c86f85a3376ed46edf4c58a247febf4da91dfb87

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    9793b773c8baadb03958ede6d849ed62

    SHA1

    2f286938eaf13f450c5e3e083990c3621e5a5457

    SHA256

    a120aac7542deed3d806ef641e9e41263e917b927212d208321ea2ab0ec76bd3

    SHA512

    ad5f5608b045f302902f728ffe1a07d708f515f086bd5ff3b0b34d9221797607dfea21402aeed3c0e6148047999496c4bd63f1e488fa876bb0f9722b7ed8839d

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\krNzUd2Snww9hFP.exe
    MD5

    3a52a950c96af984283d291589a1fe9f

    SHA1

    20234a4769aaf89b4dabe49b29b384a5511126c8

    SHA256

    08ba87961ea2938d658c3079b06833833e672b942a609459a21e1a6a64c5e288

    SHA512

    ee9da0ac9feb6878ab7ed51f705cb64571d74fcb7d3bd1f5f473f5fdf1a1bc9a3028e9e1fd5d1c20e7720aaa34c7f529efc8222f632003f6c3eab4283fbe7611

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\krNzUd2Snww9hFP.exe.21jez6a.partial
    MD5

    3a52a950c96af984283d291589a1fe9f

    SHA1

    20234a4769aaf89b4dabe49b29b384a5511126c8

    SHA256

    08ba87961ea2938d658c3079b06833833e672b942a609459a21e1a6a64c5e288

    SHA512

    ee9da0ac9feb6878ab7ed51f705cb64571d74fcb7d3bd1f5f473f5fdf1a1bc9a3028e9e1fd5d1c20e7720aaa34c7f529efc8222f632003f6c3eab4283fbe7611

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\Ll2LxWOagynlSgJ.exe
    MD5

    9dfaa6afc47f0bf01155b7f8253f719b

    SHA1

    0e82d1395e219ed0400959e6315675fdd03f0a54

    SHA256

    fd0be553157fca2a0a5f4cc559d95a3d6ec4b27b6f1368cad25997cac0ccac8f

    SHA512

    95f379a10ffd895be1b653dfb32227be31764c13ce75f35f21be6472045e385bb0aca718a6a1b0c57158c1449094b409c3192f19c47900e2d3829588b9980e2e

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\Ll2LxWOagynlSgJ.exe.548ai6h.partial
    MD5

    9dfaa6afc47f0bf01155b7f8253f719b

    SHA1

    0e82d1395e219ed0400959e6315675fdd03f0a54

    SHA256

    fd0be553157fca2a0a5f4cc559d95a3d6ec4b27b6f1368cad25997cac0ccac8f

    SHA512

    95f379a10ffd895be1b653dfb32227be31764c13ce75f35f21be6472045e385bb0aca718a6a1b0c57158c1449094b409c3192f19c47900e2d3829588b9980e2e

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\WH8FNLDX.cookie
    MD5

    345da1654a5b502835fe15f016498c00

    SHA1

    3ba52f17d89dece330f311fad7650f9cefe10123

    SHA256

    6517081b6ea0be77cc56d0411b6947c4fce5d575c215fff3581f1f358cf5e0ce

    SHA512

    7187407325e66a66e40ae289ca45995f88b464b06ddefc8558730dde6b501e8df8dfe55d83b0d2ec05b84dcabeb6582484e2a033b6f87d97953b34e63836f3a8

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Z0SV5TCE.cookie
    MD5

    2c8265649bff07ae3f4b58197fa69ad3

    SHA1

    83486c1c90e54579e93c7a77816ca81ab9749c46

    SHA256

    d18feb618601527cc456803ac9f8fd50a28608d57bb94024ea60e1269d28f4f7

    SHA512

    499e7de3fc0fba53368daaba0ceccee92f55b9551067616dab23d83632b18717f1dcf196d8a76b732729d6e64c048bc261c107649d50310cc1dbf48e5de07a0f

    Download Submit
  • memory/1048-145-0x0000000005440000-0x000000000593E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1048-137-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1048-135-0x0000000000000000-mapping.dmp
    Download
  • memory/2840-114-0x00007FFFED310000-0x00007FFFED37B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/3032-115-0x0000000000000000-mapping.dmp
    Download
  • memory/4040-130-0x0000000004D00000-0x00000000051FE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4040-129-0x0000000004D00000-0x00000000051FE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4040-121-0x0000000000360000-0x0000000000361000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4040-131-0x00000000051F0000-0x00000000051FE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4040-128-0x0000000004D00000-0x00000000051FE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4040-127-0x0000000004F40000-0x0000000004F41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4040-119-0x0000000000000000-mapping.dmp
    Download
  • memory/4040-126-0x0000000004C00000-0x0000000004C01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4040-125-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4040-124-0x0000000005200000-0x0000000005201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4040-123-0x0000000004C60000-0x0000000004C61000-memory.dmp
    Filesize

    4KB

    Download