eaea7b9bab3a9040d614004b1cc51c17984fc46430554195f4afefdcd22f7220

Analysis

max time kernel
127s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaea7b9bab3a9040d614004b1cc51c17984fc46430554195f4afefdcd22f7220.exe
Size

730KB
MD5

d25f2f6605f1fa74bb3e07c72f82bc58
SHA1

6a65b74379024eef84a6904d0418f60e75e83d9d
SHA256

eaea7b9bab3a9040d614004b1cc51c17984fc46430554195f4afefdcd22f7220
SHA512

25992b17bb5545740c5b24751b3ca58f25336330df35466b568f6bef2020bfc5e1ff999ec4a0e46c4e07f50bf3b7a689698e876478bc1cd65eef4bbca8e807e9
SSDEEP

12288:P5qiINR69BRWIf6sqb7CC2UVZ08uShnws4TyA7zh4fCvAaT8bd1XSkGyRA9mBirL:xDIe/+nTw8/hnws2yA7iwAy8bd1SEoOw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3528	setup.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	eaea7b9bab3a9040d614004b1cc51c17984fc46430554195f4afefdcd22f7220.exe
File created	C:\Windows\setup.com.cn.exe	eaea7b9bab3a9040d614004b1cc51c17984fc46430554195f4afefdcd22f7220.exe
File opened for modification	C:\Windows\setup.com.cn.exe	eaea7b9bab3a9040d614004b1cc51c17984fc46430554195f4afefdcd22f7220.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	setup.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	setup.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	setup.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	setup.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	setup.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	eaea7b9bab3a9040d614004b1cc51c17984fc46430554195f4afefdcd22f7220.exe
Token: SeDebugPrivilege	3528	setup.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3528	setup.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 4352	3528	setup.com.cn.exe	84
PID 3528 wrote to memory of 4352	3528	setup.com.cn.exe	84
PID 2392 wrote to memory of 4592	2392	eaea7b9bab3a9040d614004b1cc51c17984fc46430554195f4afefdcd22f7220.exe	87
PID 2392 wrote to memory of 4592	2392	eaea7b9bab3a9040d614004b1cc51c17984fc46430554195f4afefdcd22f7220.exe	87
PID 2392 wrote to memory of 4592	2392	eaea7b9bab3a9040d614004b1cc51c17984fc46430554195f4afefdcd22f7220.exe	87

C:\Users\Admin\AppData\Local\Temp\eaea7b9bab3a9040d614004b1cc51c17984fc46430554195f4afefdcd22f7220.exe
"C:\Users\Admin\AppData\Local\Temp\eaea7b9bab3a9040d614004b1cc51c17984fc46430554195f4afefdcd22f7220.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:4592

C:\Windows\setup.com.cn.exe
C:\Windows\setup.com.cn.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\setup.com.cn.exe

Filesize
730KB

MD5
d25f2f6605f1fa74bb3e07c72f82bc58

SHA1
6a65b74379024eef84a6904d0418f60e75e83d9d

SHA256
eaea7b9bab3a9040d614004b1cc51c17984fc46430554195f4afefdcd22f7220

SHA512
25992b17bb5545740c5b24751b3ca58f25336330df35466b568f6bef2020bfc5e1ff999ec4a0e46c4e07f50bf3b7a689698e876478bc1cd65eef4bbca8e807e9

Download Submit
C:\Windows\setup.com.cn.exe

Filesize
730KB

MD5
d25f2f6605f1fa74bb3e07c72f82bc58

SHA1
6a65b74379024eef84a6904d0418f60e75e83d9d

SHA256
eaea7b9bab3a9040d614004b1cc51c17984fc46430554195f4afefdcd22f7220

SHA512
25992b17bb5545740c5b24751b3ca58f25336330df35466b568f6bef2020bfc5e1ff999ec4a0e46c4e07f50bf3b7a689698e876478bc1cd65eef4bbca8e807e9

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
01f349e547e9c3f799a1f5e91b36039b

SHA1
09b716d8c839d58767b82cb0f1b5e70679349e7e

SHA256
bd1456712c835e90fc11a158f1b5731a75a896b3522856496a546c0dec919ca2

SHA512
cec628b010a5de50725fb0d9e2af0a262f4dcc439975533fb49ad6fd3cca7ff4fe1eddf93a3db25425d255f58c222b300fb040f8ae800b971d0007cf9076b621

Download Submit
memory/2392-141-0x00000000022B0000-0x0000000002304000-memory.dmp

Filesize
336KB

Download
memory/2392-134-0x0000000003440000-0x0000000003540000-memory.dmp

Filesize
1024KB

Download
memory/2392-132-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2392-142-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2392-133-0x00000000022B0000-0x0000000002304000-memory.dmp

Filesize
336KB

Download
memory/3528-137-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3528-138-0x0000000000F50000-0x0000000000FA4000-memory.dmp

Filesize
336KB

Download
memory/3528-139-0x00000000020F0000-0x00000000021F0000-memory.dmp

Filesize
1024KB

Download
memory/3528-144-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3528-145-0x00000000020F0000-0x00000000021F0000-memory.dmp

Filesize
1024KB

Download