1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2

General

Target

1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Size

28KB
MD5

360e9fb74d246f726fd9c65f9a0a25dc
SHA1

922bceb16e547eb30c784a37e3dd3685170de67c
SHA256

1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2
SHA512

ea394318a93659ee8475092ecd95188534b054db82597188650734372a6fc9fe75794d92f641828306b3c2707a180516f6125e5c4ec5d165ed93824fe4069bec
SSDEEP

768:EHOjv2QZ1SLXGO/r/A+0oLytMellA8C+x:EHEv2QvSXjLLdLWPC+x

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,c:\\windows\\system32\\360ST.exe"	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\360DJ.txt	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\360S.txt	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\360T.txt	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
File created	C:\WINDOWS\SysWOW64\drivers\360ST.txt	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\360ST.txt	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\360DJ.txt	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe

Loads dropped DLL 1 IoCs

pid	Process
1536	regsvr32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\360ST.dll	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
File created	\??\c:\windows\SysWOW64\360ST.exe	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
File opened for modification	\??\c:\windows\SysWOW64\360ST.exe	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\Desktop\chajianlm	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Desktop\chajianlm\ = "chajianlm"	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Desktop\chajianlm\url4	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Desktop\chajianlm\url5	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Desktop\chajianlm\tihuan5	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Desktop\chajianlm\url2	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Desktop\chajianlm\tihuan4	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Desktop\chajianlm\homepages = "http://"	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Desktop\chajianlm\url1	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Desktop\chajianlm\tihuan2	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Desktop\chajianlm\url3	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Desktop\chajianlm\tihuan3	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Desktop\chajianlm\tihuan1	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1152	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1152	AUDIODG.EXE
Token: 33	1152	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1152	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1708	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
1708	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
1708	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1264	1708	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe	29
PID 1708 wrote to memory of 1264	1708	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe	29
PID 1708 wrote to memory of 1264	1708	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe	29
PID 1708 wrote to memory of 1264	1708	1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe	29
PID 1264 wrote to memory of 1536	1264	cmd.exe	31
PID 1264 wrote to memory of 1536	1264	cmd.exe	31
PID 1264 wrote to memory of 1536	1264	cmd.exe	31
PID 1264 wrote to memory of 1536	1264	cmd.exe	31
PID 1264 wrote to memory of 1536	1264	cmd.exe	31
PID 1264 wrote to memory of 1536	1264	cmd.exe	31
PID 1264 wrote to memory of 1536	1264	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe
"C:\Users\Admin\AppData\Local\Temp\1542700220482928fd744b1a852799d45bf68533f9067f42e0eaaea622b9c0a2.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c regsvr32 /s c:\windows\system32\360ST.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s c:\windows\system32\360ST.dll
    3⤵
    - Loads dropped DLL
    PID:1536

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\360ST.dll

Filesize
27KB

MD5
a4958eeceddac41bf15551af8eff8d32

SHA1
f067872a5304e69f92034e5efb023145fd34b65d

SHA256
a8dfe56722f771e6f746b9a786ad9794cfb4a5478a5bde505a22ce5c97242c32

SHA512
39eb90956a2fe28a9bb8860de8c73bf62dcdb57af4a521fcf52715e3d37cf60cf6678e15f44b46bfe107c652de37990ba469dd40b752837e12e8e0ff3e42b4e3

Download Submit
\Windows\SysWOW64\360ST.dll

Filesize
27KB

MD5
a4958eeceddac41bf15551af8eff8d32

SHA1
f067872a5304e69f92034e5efb023145fd34b65d

SHA256
a8dfe56722f771e6f746b9a786ad9794cfb4a5478a5bde505a22ce5c97242c32

SHA512
39eb90956a2fe28a9bb8860de8c73bf62dcdb57af4a521fcf52715e3d37cf60cf6678e15f44b46bfe107c652de37990ba469dd40b752837e12e8e0ff3e42b4e3

Download Submit
memory/1708-56-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1708-57-0x0000000004441000-0x00000000052ED000-memory.dmp

Filesize
14.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads