9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610

Analysis

max time kernel
185s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
Size

1.8MB
MD5

7d0feed35f03c2ffefc8736652d24a11
SHA1

f30eadea0c0f1dfcaebf7689f9c2a655d5aa8bdd
SHA256

9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610
SHA512

51094cad122cf48fa5cbb92e3c78131a16fa29821b23b70ebf8e81a1d57ef22ed7ffc4e3460ae9e81fdc7ff20e9f27645cf3f62ee64f794eae76ff17a9be58af

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

fracturesl.exe7654pb.exe7654llqtips.exe7654pb.exellqyptips.exeaiouniya.exe

pid process

4092 fracturesl.exe
4004 7654pb.exe
4308 7654llqtips.exe
3024 7654pb.exe
3500 llqyptips.exe
5032 aiouniya.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

fracturesl.exe

description ioc process

File opened for modification C:\Users\Admin\Desktop\desktop.ini fracturesl.exe

pid	process
4092	fracturesl.exe
4004	7654pb.exe
4308	7654llqtips.exe
3024	7654pb.exe
3500	llqyptips.exe
5032	aiouniya.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	fracturesl.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exefracturesl.exe7654pb.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
File opened for modification	\??\PhysicalDrive0	fracturesl.exe
File opened for modification	\??\PhysicalDrive0	7654pb.exe

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2568	4308	WerFault.exe	7654llqtips.exe
2312	4308	WerFault.exe	7654llqtips.exe
1752	3500	WerFault.exe	llqyptips.exe
828	3500	WerFault.exe	llqyptips.exe
3968	4004	WerFault.exe	7654pb.exe
2160	4004	WerFault.exe	7654pb.exe
1724	5032	WerFault.exe	aiouniya.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

7654pb.exefracturesl.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS	7654pb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\7654pb.exe = "1"	7654pb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\7654pb.exe = "0"	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM	7654pb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\7654pb.exe = "0"	7654pb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fracturesl.exe = "11000"	fracturesl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	fracturesl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI\7654pb.exe = "1"	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	7654pb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\7654pb.exe = "1"	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT	7654pb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\7654pb.exe = "1"	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	fracturesl.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	fracturesl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\7654pb.exe = "1"	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	7654pb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\7654pb.exe = "0"	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DOMStorage\7654.com	fracturesl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\7654pb.exe = "11000"	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING	7654pb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\7654pb.exe = "1"	7654pb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\7654pb.exe = "0"	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DOMStorage\news.7654.com	fracturesl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\7654pb.exe = "1"	7654pb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\7654pb.exe = "1"	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET	7654pb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\7654.com\NumberOfSubdomains = "1"	fracturesl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\news.7654.com\ = "63"	fracturesl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\7654.com\Total = "63"	fracturesl.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	fracturesl.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\7654.com	fracturesl.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING	7654pb.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI	7654pb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\7654pb.exe = "1"	7654pb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\7654pb.exe = "0"	7654pb.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exefracturesl.exe7654pb.exe

pid	process
3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
4092	fracturesl.exe
4092	fracturesl.exe
4004	7654pb.exe
4004	7654pb.exe
4004	7654pb.exe
4004	7654pb.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

fracturesl.exe

pid process

4092 fracturesl.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

fracturesl.exe

pid process

4092 fracturesl.exe
4092 fracturesl.exe
4092 fracturesl.exe
4092 fracturesl.exe
4092 fracturesl.exe
4092 fracturesl.exe
4092 fracturesl.exe

pid	process
4092	fracturesl.exe

pid	process
4092	fracturesl.exe
4092	fracturesl.exe
4092	fracturesl.exe
4092	fracturesl.exe
4092	fracturesl.exe
4092	fracturesl.exe
4092	fracturesl.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe7654pb.exe

description	pid	process	target process
PID 3512 wrote to memory of 4092	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	fracturesl.exe
PID 3512 wrote to memory of 4092	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	fracturesl.exe
PID 3512 wrote to memory of 4092	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	fracturesl.exe
PID 3512 wrote to memory of 4004	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654pb.exe
PID 3512 wrote to memory of 4004	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654pb.exe
PID 3512 wrote to memory of 4004	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654pb.exe
PID 3512 wrote to memory of 4308	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654llqtips.exe
PID 3512 wrote to memory of 4308	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654llqtips.exe
PID 3512 wrote to memory of 4308	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654llqtips.exe
PID 3512 wrote to memory of 4308	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654llqtips.exe
PID 4004 wrote to memory of 3024	4004	7654pb.exe	7654pb.exe
PID 4004 wrote to memory of 3024	4004	7654pb.exe	7654pb.exe
PID 4004 wrote to memory of 3024	4004	7654pb.exe	7654pb.exe
PID 3512 wrote to memory of 3500	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	llqyptips.exe
PID 3512 wrote to memory of 3500	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	llqyptips.exe
PID 3512 wrote to memory of 3500	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	llqyptips.exe
PID 3512 wrote to memory of 3500	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	llqyptips.exe
PID 3512 wrote to memory of 5032	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	aiouniya.exe
PID 3512 wrote to memory of 5032	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	aiouniya.exe
PID 3512 wrote to memory of 5032	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	aiouniya.exe
PID 3512 wrote to memory of 5032	3512	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	aiouniya.exe

C:\Users\Admin\AppData\Local\Temp\9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
"C:\Users\Admin\AppData\Local\Temp\9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Local\blossloms\fracturesl.exe
C:\Users\Admin\AppData\Local\blossloms\fracturesl.exe LXByb2plY3Q9NzY1NEJyb3dzZXIgLWtpbGxwcm9jZXNzPTYwIC1lbmFibGVob21lcGFnZXJhbmQ9MSAtT3B0aW1pemU9MjAgLURpc3BsYXlUaXRsZT03NjU0QnJvd3NlciAtd3JpdGV0Y2s9TGl2ZVVwZGF0ZTM2MCw2MzIgLXVzZXNzcG1vZGU9dHJ1ZSAtVG9wVXJsPWh0dHA6Ly9kb3duMS43NjU0YnJvd3Nlci52ZnB6bWcuY24vdHVpL21pbmluZXdzL21pbmluZXdzcGx1cy9mZnpkci5wbmcgLUFudGlNYWxpY2lvdXNDbGljaz02MC81MDAgLXBiY3V0dGl0bGVuZXdzID0tMSAtcHA9YWFmYTAyMjcxMTU4YzVjYjg2OWU5Njc2YzRiMmMxNzcgLXNob3dXZWF0aGVyPWZhbHNlIC1hbGlnbj10b3AgLWNhcHRpb25jb2xvcj0jRkZGRkZGIC1TaG93Q2xvc2VNZW51PTEgLU1heFdlYkNsaWNrQ291bnQ9MiAtQ2xhc3NOYW1lPVNvUFlfU3RhdHVzIC1UaXRsZT1maXJlZmx5ZSAtU3VwcG9ydDc2NTRCcm93c2VyPXRydWUgLU11dGV4TmFtZT1DOUNENEYzNS00QUQ2LTQ1ZDMtOEEwRS1BQzIxMUVCMUQxM0UgLUlFOVVSTD1odHRwOi8vbmV3cy43NjU0LmNvbS9taW5pX25ldzQvMDYxMy8/cWlkPSZ1aWQ9NjBGMjdEMjI5NTk3RjAwMThGNEM5MzA4MjU1QjMwMTUmZW52PTAmc2NyZWVuX2g9NzIwIC1VUkw9aHR0cDovL25ld3MuNzY1NC5jb20vbWluaV9uZXc0LzA2MTMvP3FpZD0mdWlkPTYwRjI3RDIyOTU5N0YwMDE4RjRDOTMwODI1NUIzMDE1JmVudj0wJnNjcmVlbl9oPTcyMCAtcmVwb3J0cHJlZml4PW1pbmluZXdzLTEgLXRhc2tpZD10YXNraWQubWluaW5ld3NwbHVzXzE=
2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4092

C:\Users\Admin\AppData\Roaming\Roaming\7654llq\7654llqpb\7654pb.exe
C:\Users\Admin\AppData\Roaming\Roaming\7654llq\7654llqpb\7654pb.exe --data=hask7934iRAC6NbcRTWMj3DWbr54mdExgJZB7kSf5DhUz322DF3ik/KUeq0KE9imDLRM9e5NgAtKDVDOAql69QaljVA867zpeak4eS6Qr9Yi+vKSksdAxIHtmekp+sopSyJ+Rzp/5QjTBiKbl9Q9dJhbeUJHoAzPOmkrgCPc+V93VryAwmwg1tRLLvqFv5Ob
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Roaming\Roaming\7654llq\7654llqpb\7654pb.exe
"C:\Users\Admin\AppData\Roaming\Roaming\7654llq\7654llqpb\7654pb.exe" --type=xzdll --project=udy2cXj1nw==
3⤵
- Executes dropped EXE
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1008
3⤵
- Program crash
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1012
3⤵
- Program crash
PID:2160

C:\Users\Admin\AppData\Roaming\7654liulanqi\7654liulanqitips\7654llqtips.exe
C:\Users\Admin\AppData\Roaming\7654liulanqi\7654liulanqitips\7654llqtips.exe rGn1j5KACJfmMot8Q2oOt6EelyZu5tKIx6sPdB2VAeWTzYcKAbfWFVdugO39vqCw2X65X1+0tV8TCUu2Y566hIcNubqqRFpXymAg+Y2edLU057yYGH1/Z9wcZHwwzw0AS7vXfM5x2+BefnIl0odELOE5DftDJPizPIlYh/c8uNgbq6qk3mTfGrxbyCX/v3uU5hneixCdbcvK4+I/ykP4Qx5d/jVyt0E5Vikngy+CkeRYQ3Kq5WyfCdOnknSo6Mw0g7uwSUIFcKmf6psqNSPec1b5yHwPLe6IFGWvOquf50/vUfqMC/VLitaLpOoJXvkcoYPyuRn1HWsj3FjsF2Rqs6qrIAj/64tgfPULUMrN9c2kkc0JPOzyTWg99gKiRDtwC7bNF1fOM76G3qmenwrI5QSJfT/sl/Tx87LioquB1c+lmT25iWSscLPGQnHmoCLgEhQ6Nnuyi5d6egfFgOLccDlP5jUBdrnks/yvKLKyM6qoljZz8N+XfqNf63OWuv6m4qYbXgEoUbWuQg6lAGTZXfqLHb1xayBOQ3yOPP7hMOhXyK9J0Tm3XHaAWOM9vTrS0zE3dDPfxurGcYeWUBk60Ucxgryw0UnPf6gm1OJjzC9jruJ4TVdYYp5nQ+xamzHKGZGClxNHO5KCH9AYWi8+Tp82RSWea08sMbZ0YT15MkfTDLezAAD6v9VtImTWpY8ZkJYZ3CKq3xnkI2cxM4aSjRPzxJsAS+w0lp1iDTrTBWsJlgtmB+6ZM+0XJCilUIewofAM+L09TfHj2v/iCYgogrpRuSwFeEbMdCNNDqAmXcJNWGWFpid4KAg7vkQkTAzL0wFEgek20lxP42BvlEEyWJ4M5mrMk0m0zBvbKvRdjjdPBHWnqskUZESngPypk9XpzcMXxcfTdsxd0duRGtmu8/c9erNqwml9nGZ8YQ8OhJaG/zTmJ+6ik2UNp6n3WSNY1oxBebvuzdPwCPSsMv0bq/z3tpO3YEjn3xsIcWzVMuK/9c8fPlCYL4Yv0YEGWb+dBWeMzg3t1/+O/SE+AB97fEm0mJVnBVmghZCvZHEGXfmJAPhmAihUumgPIlxJ51MiikIpGA==
2⤵
- Executes dropped EXE
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 464
3⤵
- Program crash
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 508
3⤵
- Program crash
PID:2312

C:\Users\Admin\AppData\Roaming\Roaming\7654liulanqi\7654llqyptips\llqyptips.exe
C:\Users\Admin\AppData\Roaming\Roaming\7654liulanqi\7654llqyptips\llqyptips.exe fWx/zaPyC+QkBvFot8Ii5W4GyHUfljPLdhyG0qnUh8qGWYkv88KGSP/EkchHGSBHkFqxI0mHV0U8s9zlSxx9lCMOaJ1OFYp8B3VBEjp15S+EdwSd25FallCQm0gN+AWboGQ0MeRbrnNlHlo25YijVpOqNl9Kj4UoGG/KVhSQGyWY/adGph9sh2q1AsaShzgL4A5iJ7cKAA+bwA+RIdD6UNDz7iZZgGfqRUYGdSDkqSD7GEbww4D8yZ/tlc3ljtBRPdIhDJaw9rWT9rnF6JFVmBzMeAn3B2f35egSoxjHlV/3V3tfDNgd4HWmiBid964b8EPo8IpZnwpKWAkniXBWz8OhGzDPDiLqiSUrPr/Y6/vk5KY3C2+vO/fkDQt5XP+11Qio8iwoO5tHCabTrB4Bh3J8H5NGWh1+es4XGX+paqVp3fQFtzeDit+U+vFz6aRF6+a6a+VAcR6HmM4CsU9lJMUmyXS9FH/+mXlZeo0S4W6lqnUM27Sg3SiAAK9Y02Nno60J8DA=
2⤵
- Executes dropped EXE
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 468
3⤵
- Program crash
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 488
3⤵
- Program crash
PID:828

C:\Users\Admin\AppData\Roaming\llq\12all-allall\aiouniya.exe
C:\Users\Admin\AppData\Roaming\llq\12all-allall\aiouniya.exe T9ToxVhaBp0VzGfqwSVMPGNbTOfQEhLvICOZqezcecdyS25V+RbEkygW1RzSM/xCYF+JXMZ1TZDcY8R405BPximtgdbNqJ3CGS2uiP0aXmEwd5p0/wlKNbYxuaSKB0DxmoMCsYLSjwytx7JMglj2Y1/da7FUXnb822zT5UCMVNAD0P1pzE5Bpb8BQahYtgDY5qoRUjdZ6AHLQSk9MgRhclj+aYhXkOs7y/qal2E2Gjid++zzoSQk8kWMH2gHoUKKTycwTXpJv7oUBTm/bC0IKbNO9hdvlWpIYfSJqvcmfD2IKz74TTjV254nySsqa175e38ztFT1v1Nj4tJKPAjcO5csqC/XbHRdUD0K4hKiWrTfEpiLW7xzcYDkDx7WJn29iUvLlitXJdUfz4fJ5HIO4fQ9zRVpRxHv3d1yjYPDEu03tj/J8Up09uLeD7/czCP9/uVDQmcjEtnS8Cqw4Y6qYBssLnHybHf+NsXB0xJo9ZmYAd0OgTK4JNu0nXjDKNWLcL0FIZuiYifZHP+N7V/UGYl6j/eZJy06lhx1T6KKWo+bjG+pV26RXZFI3KXUSkodi+FaX2tThcGyXZ4/YeSvaW/tCP5V1sWI9+ahOb2RV5CSpSURP0ZyJztBQyKChoKMo3rzu1Cij6J5yVTZXmwd6hXa4dc/mbmEjm3pHnwrFP6dfFq84MuddsH+amTyrpSb/9usqNRRc2Ngj/IihRUhupK56Gp1X/NWt5KxZMf7us41WO0CkRw0otNBT6HCfwQ2RGorNiXd/iGKDOLbmtfpcKjnV+T0Wue9EzmrvXGB4K7+3SW+xoNVHFfJsgtEGV68un5c8c6CUp3RYHbJXKXSz2ZIM3cV2gWinc1lwGrhEFAFcy46guglhmSd9tg=
2⤵
- Executes dropped EXE
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 464
3⤵
- Program crash
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4308 -ip 4308
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4308 -ip 4308
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3500 -ip 3500
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3500 -ip 3500
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4004 -ip 4004
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4004 -ip 4004
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5032 -ip 5032
1⤵
PID:4276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\blossloms\fracturesl.exe
Filesize
1.5MB

MD5
6ef1eccbf62aced571ee538de3b1296d

SHA1
e7b80773ccfc100b559f73be6aaa3e5d6b5fe6bb

SHA256
3bf476b8234303c920bd504c146344b2ce8889c6ca27622b34e3245aee1b032f

SHA512
d83495d30fc39c3eabb4d10dd96fb2a78cd4bff4eead1ccf69be4d711585eb1c37f522ca996c4936a3887198a656c2d37838f548c3c5ec6c4b20e1a9ea9c4e2d

Download Submit
C:\Users\Admin\AppData\Local\blossloms\fracturesl.exe
Filesize
1.5MB

MD5
6ef1eccbf62aced571ee538de3b1296d

SHA1
e7b80773ccfc100b559f73be6aaa3e5d6b5fe6bb

SHA256
3bf476b8234303c920bd504c146344b2ce8889c6ca27622b34e3245aee1b032f

SHA512
d83495d30fc39c3eabb4d10dd96fb2a78cd4bff4eead1ccf69be4d711585eb1c37f522ca996c4936a3887198a656c2d37838f548c3c5ec6c4b20e1a9ea9c4e2d

Download Submit
C:\Users\Admin\AppData\Roaming\7654liulanqi\7654liulanqitips\7654llqtips.exe
Filesize
2.4MB

MD5
e80dd70a1d1c8f1c94470533f0621020

SHA1
405533497334ea40da9640fddd309058452a96c3

SHA256
bcf14991cb03bf0570f6f1ee5a2fb0399a1054074c72f815d28e3f536b30636c

SHA512
f6800abf1156b02cd4b2f1218d676e3377c36e9122f2df8ce4f5fdd476312926f4729ee7da1e4b72f170754e2ff76b869ecbac516226e3af7f4f85926677ea56

Download Submit
C:\Users\Admin\AppData\Roaming\7654liulanqi\7654liulanqitips\7654llqtips.exe
Filesize
2.4MB

MD5
e80dd70a1d1c8f1c94470533f0621020

SHA1
405533497334ea40da9640fddd309058452a96c3

SHA256
bcf14991cb03bf0570f6f1ee5a2fb0399a1054074c72f815d28e3f536b30636c

SHA512
f6800abf1156b02cd4b2f1218d676e3377c36e9122f2df8ce4f5fdd476312926f4729ee7da1e4b72f170754e2ff76b869ecbac516226e3af7f4f85926677ea56

Download Submit
C:\Users\Admin\AppData\Roaming\Roaming\7654liulanqi\7654llqyptips\llqyptips.exe
Filesize
2.4MB

MD5
65b133e83d6c346c5ce4f74f608da627

SHA1
9cb2485d14a8355862991f27e4938337ea4914d0

SHA256
efb4b1deed125e16f74edae35311519167b925b3dd7d1eef60ea496e3b077b98

SHA512
c04da34d3aa0bc4b9a8d4944ce8b1fbd93b24331e12f18bb3fa7035f4ea1dbf79b3da07411c9daa2d732b41209be7c7e26ed9fc1f3d98d75208e42536664eac1

Download Submit
C:\Users\Admin\AppData\Roaming\Roaming\7654liulanqi\7654llqyptips\llqyptips.exe
Filesize
2.4MB

MD5
65b133e83d6c346c5ce4f74f608da627

SHA1
9cb2485d14a8355862991f27e4938337ea4914d0

SHA256
efb4b1deed125e16f74edae35311519167b925b3dd7d1eef60ea496e3b077b98

SHA512
c04da34d3aa0bc4b9a8d4944ce8b1fbd93b24331e12f18bb3fa7035f4ea1dbf79b3da07411c9daa2d732b41209be7c7e26ed9fc1f3d98d75208e42536664eac1

Download Submit
C:\Users\Admin\AppData\Roaming\Roaming\7654llq\7654llqpb\7654pb.exe
Filesize
7.0MB

MD5
4dd01e3c7942640a8caa7f5b3bc659dc

SHA1
f59c4d3bc7b6e78d3856ce1ae7adc07564489f03

SHA256
b16f35f3146dade9799eafbb34cc11da84b303d24fcdea513363e601303bbcb3

SHA512
b5b8c160aab969a2cee83625d6fef8221dbb86b467a4069e82092fbe25da4a4eb4d364d9d9832b9ad80c7a8cdc7b8256c5464d5566ff1c43822ef1dceee69dc2

Download Submit
C:\Users\Admin\AppData\Roaming\Roaming\7654llq\7654llqpb\7654pb.exe
Filesize
7.0MB

MD5
4dd01e3c7942640a8caa7f5b3bc659dc

SHA1
f59c4d3bc7b6e78d3856ce1ae7adc07564489f03

SHA256
b16f35f3146dade9799eafbb34cc11da84b303d24fcdea513363e601303bbcb3

SHA512
b5b8c160aab969a2cee83625d6fef8221dbb86b467a4069e82092fbe25da4a4eb4d364d9d9832b9ad80c7a8cdc7b8256c5464d5566ff1c43822ef1dceee69dc2

Download Submit
C:\Users\Admin\AppData\Roaming\Roaming\7654llq\7654llqpb\7654pb.exe
Filesize
7.0MB

MD5
4dd01e3c7942640a8caa7f5b3bc659dc

SHA1
f59c4d3bc7b6e78d3856ce1ae7adc07564489f03

SHA256
b16f35f3146dade9799eafbb34cc11da84b303d24fcdea513363e601303bbcb3

SHA512
b5b8c160aab969a2cee83625d6fef8221dbb86b467a4069e82092fbe25da4a4eb4d364d9d9832b9ad80c7a8cdc7b8256c5464d5566ff1c43822ef1dceee69dc2

Download Submit
C:\Users\Admin\AppData\Roaming\ScreenSaver\dll\57164693130ADC13873AF982DA04ECE1
Filesize
3.6MB

MD5
57164693130adc13873af982da04ece1

SHA1
ca66bd3319912e58a17ff878ec42c27203b26673

SHA256
5845e0d1d46fbffe28eb2bb8cb6469ca09a35e9bbc9a481e4335352bca7ed923

SHA512
83d8b81654514a9f37c6a5aed996f8cc102bac480a5af883037d991ac79ee9b1b55cca4b0cfa1ac9cd20bbe50dbe8937abaa23f25080802d14ed9bc86dc79a31

Download Submit
C:\Users\Admin\AppData\Roaming\llq\12all-allall\aiouniya.exe
Filesize
2.4MB

MD5
b6a5a08a0e2884ff6f607f427462c2c0

SHA1
7c07388a71cb7b2fcad41f3c8fb7f43c2bf0a221

SHA256
5e41bc0a8973bd4c70630dca736b3b07daec646b80b7ef63ad2cc96760742261

SHA512
120c0d1c7216d1084b63b97de8385258573b4c109a246e7dee18add780c97c677f6d1e09a0643030648f17d2e78924ff2da9ccb09156b4b9a32cb67edc3a0b46

Download Submit
C:\Users\Admin\AppData\Roaming\llq\12all-allall\aiouniya.exe
Filesize
2.4MB

MD5
b6a5a08a0e2884ff6f607f427462c2c0

SHA1
7c07388a71cb7b2fcad41f3c8fb7f43c2bf0a221

SHA256
5e41bc0a8973bd4c70630dca736b3b07daec646b80b7ef63ad2cc96760742261

SHA512
120c0d1c7216d1084b63b97de8385258573b4c109a246e7dee18add780c97c677f6d1e09a0643030648f17d2e78924ff2da9ccb09156b4b9a32cb67edc3a0b46

Download Submit
memory/3024-157-0x0000000000000000-mapping.dmp

Download
memory/3500-169-0x0000000001170000-0x00000000013C6000-memory.dmp

Filesize
2.3MB

Download
memory/3500-165-0x0000000000000000-mapping.dmp

Download
memory/3500-168-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/3512-135-0x0000000003490000-0x000000000369C000-memory.dmp

Filesize
2.0MB

Download
memory/3512-130-0x0000000010000000-0x0000000010198000-memory.dmp

Filesize
1.6MB

Download
memory/4004-159-0x0000000010000000-0x00000000105F7000-memory.dmp

Filesize
6.0MB

Download
memory/4004-172-0x0000000004400000-0x00000000045C7000-memory.dmp

Filesize
1.8MB

Download
memory/4004-147-0x0000000000000000-mapping.dmp

Download
memory/4092-144-0x0000000010000000-0x0000000010102000-memory.dmp

Filesize
1.0MB

Download
memory/4092-141-0x0000000000000000-mapping.dmp

Download
memory/4308-150-0x0000000000000000-mapping.dmp

Download
memory/4308-154-0x0000000000A50000-0x0000000000CA7000-memory.dmp

Filesize
2.3MB

Download
memory/4308-153-0x0000000010000000-0x0000000010260000-memory.dmp

Filesize
2.4MB

Download
memory/5032-176-0x0000000000000000-mapping.dmp

Download
memory/5032-179-0x0000000010000000-0x000000001025A000-memory.dmp

Filesize
2.4MB

Download
memory/5032-182-0x0000000000FB0000-0x0000000001202000-memory.dmp

Filesize
2.3MB

Download