Overview
overview
10Static
static
803ff897da4...b3.exe
windows7_x64
703ff897da4...b3.exe
windows10_x64
710493d98a6...41.exe
windows7_x64
710493d98a6...41.exe
windows10_x64
711747d3247...67.exe
windows7_x64
711747d3247...67.exe
windows10_x64
San11 Tc/D...eg.htm
windows7_x64
1San11 Tc/D...eg.htm
windows10_x64
1San11 Tc/DrvMgt.dll
windows7_x64
1San11 Tc/DrvMgt.dll
windows10_x64
1San11 Tc/L...es.exe
windows7_x64
1San11 Tc/L...es.exe
windows10_x64
1San11 Tc/S...er.exe
windows7_x64
1San11 Tc/S...er.exe
windows10_x64
1San11 Tc/S...er.exe
windows7_x64
1San11 Tc/S...er.exe
windows10_x64
1San11 Tc/S...YS.exe
windows7_x64
San11 Tc/S...YS.exe
windows10_x64
San11 Tc/San11.exe
windows7_x64
8San11 Tc/San11.exe
windows10_x64
8San11 Tc/san11pk.exe
windows7_x64
3San11 Tc/san11pk.exe
windows10_x64
1San11 Tc/�...��.exe
windows7_x64
3San11 Tc/�...��.exe
windows10_x64
1023c9e16cc6...7b.exe
windows7_x64
523c9e16cc6...7b.exe
windows10_x64
536a18ae31f...d0.exe
windows7_x64
736a18ae31f...d0.exe
windows10_x64
74109a062b3...d4.exe
windows7_x64
84109a062b3...d4.exe
windows10_x64
8CW3.exe
windows7_x64
1CW3.exe
windows10_x64
1Analysis
-
max time kernel
126s -
max time network
157s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
20-10-2021 15:32
Static task
static1
Behavioral task
behavioral1
Sample
03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral2
Sample
03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral3
Sample
10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral4
Sample
10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral5
Sample
11747d3247254b7db3fb7d6b8c0b47d21546b208b1573a73ae20f46ca4131e67.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral6
Sample
11747d3247254b7db3fb7d6b8c0b47d21546b208b1573a73ae20f46ca4131e67.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral7
Sample
San11 Tc/Doc/Reg/san11_reg.htm
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral8
Sample
San11 Tc/Doc/Reg/san11_reg.htm
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral9
Sample
San11 Tc/DrvMgt.dll
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral10
Sample
San11 Tc/DrvMgt.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral11
Sample
San11 Tc/LinkSan11Res.exe
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral12
Sample
San11 Tc/LinkSan11Res.exe
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral13
Sample
San11 Tc/S11Launcher.exe
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral14
Sample
San11 Tc/S11Launcher.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral15
Sample
San11 Tc/S11PKLauncher.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral16
Sample
San11 Tc/S11PKLauncher.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral17
Sample
San11 Tc/SECDRV.SYS.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral18
Sample
San11 Tc/SECDRV.SYS.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral19
Sample
San11 Tc/San11.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral20
Sample
San11 Tc/San11.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral21
Sample
San11 Tc/san11pk.exe
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral22
Sample
San11 Tc/san11pk.exe
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral23
Sample
San11 Tc/开始游戏.exe
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral24
Sample
San11 Tc/开始游戏.exe
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral25
Sample
23c9e16cc6549ca05d349e7d04805309171cfe8a8426cdb7376f2a41b757a67b.exe
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral26
Sample
23c9e16cc6549ca05d349e7d04805309171cfe8a8426cdb7376f2a41b757a67b.exe
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral27
Sample
36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral28
Sample
36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral29
Sample
4109a062b38d66ee7222cd984120e056acd0f5dad490c623f411c8abb18796d4.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral30
Sample
4109a062b38d66ee7222cd984120e056acd0f5dad490c623f411c8abb18796d4.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral31
Sample
CW3.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral32
Sample
CW3.exe
Resource
win10-en-20210920
windows10_x64
General
-
Target
San11 Tc/Doc/Reg/san11_reg.htm
-
Size
8KB
-
MD5
2442dfcffec83a50ba70c60628511e56
-
SHA1
a8714bd7625ad524cf0983433a76550c01fa5e0a
-
SHA256
654ba8d56ca8193ac04928965a8f534fb088202b89bb61dfb5d557e0dad9e1d0
-
SHA512
7011f357a172307e3fd7cc5b71ee78c6f21c037483b71c72e6d84294b5fc28a6b5ee8c53ed05456bd50c818e0c55760913e5eead481530ab8bce606727c20672
Malware Config
Signatures
-
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80665092c9c5d701 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B2B52780-31BC-11EC-8001-4AF1F2078875} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a60000000002000000000010660000000100002000000030a973f7e59228c2c68d85ebfd60ef3cc239adc1f5d933fe3665be30d043ffbd000000000e800000000200002000000070cbe1406d2b20dbc71a977cd157855eefa7431715911711ea40b046120e07c190000000cb4f5229cb284e078dc3a161b8995eb2dc66d06bd823da2d7a86fe43e7064e45251940a1d9f1a604af60f27a64d060641739ba8e6c30d6e629de34d778120ec823f936fc0bbf86ad9aedb9fe9f17025d19b8a2334ec97cf0c58e535ac5ef214952189fc0ba86e3428df855d93e9153d0b2a03ebaea22a9ec68639225925c901c547a482f4d4c83afb7c1f553676b7fd540000000fa6babe242f13d5d230cf377f793f20ab64cd314ebfcaca275d9a292e7c8823c7c279baac8d6cb2d4d711c21b23b38cc78a32d01e1da9c9cde310c00c06bdd87 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a600000000020000000000106600000001000020000000d2c436b451443a1115f14b99ad54d53e78bf1bc02c6f66031156b99ba6656fb7000000000e8000000002000020000000d76a25f8d964f9704fb88af4105e2e346b7f8dcc069a39410e90eb768cffbef5200000005736936b4fa8096501c98c1e5744c3597ac66572a9f6d7e2722d17bc44e295e4400000009e784adff99be4298466930c5826128e034056cc58560c8a7d27025edfdd0271cea7b62fbf8a2d58f0f8ea63ced78ab06837e3aa6e4e2ab8c5170386ad6fe39a iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341509687" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 1044 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 1044 iexplore.exe 1044 iexplore.exe 908 IEXPLORE.EXE 908 IEXPLORE.EXE 908 IEXPLORE.EXE 908 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
iexplore.exedescription pid process target process PID 1044 wrote to memory of 908 1044 iexplore.exe IEXPLORE.EXE PID 1044 wrote to memory of 908 1044 iexplore.exe IEXPLORE.EXE PID 1044 wrote to memory of 908 1044 iexplore.exe IEXPLORE.EXE PID 1044 wrote to memory of 908 1044 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\San11 Tc\Doc\Reg\san11_reg.htm"1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1044 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2OAK3K9C.txtMD5
620f057be52f3569909859b50f4aa241
SHA1380685cc793c44a257d1318d245a1154bc6714c8
SHA256a274610348732b628f77d8fded33235bfed2b3fef7bd504cd70a2897ad631634
SHA5125479c10465f2392056fa00cd62238aec82d7f2657aed6509c4b7f10cedebd3894ad6516030d6bc81e23fe492a759f3512cbb55f4843595649e6b7e057da7aecb
-
memory/908-54-0x0000000000000000-mapping.dmp