Analysis
-
max time kernel
140s -
max time network
167s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
02-10-2022 22:21
General
-
Target
14398d1f4fbd26cd3397efb2f4a9d0c2adc1c07dedb933b76245e8c9b57c264f.exe
-
Size
2.7MB
-
MD5
6c9722cc71776d80f2c50816efdbe85e
-
SHA1
d73636f93548e96fda42ca820461c1352414412b
-
SHA256
14398d1f4fbd26cd3397efb2f4a9d0c2adc1c07dedb933b76245e8c9b57c264f
-
SHA512
bdb1579768276fb03cde0a5e33eea7a4c009bc96f59dd656fc0f2c59ca40030b8df92555fbdb6cc03eeaa5e3343699ecedd7419ef8b81151706f112d4cb5d2a8
-
SSDEEP
49152:6ffy4NwrQq6Y0uaXxl9LC2v2UZGglxh5ozMP4NQQOSr5k/I4XTZGfDahGGrgQ:6ffyH69uM9LCC2UfYz24NQdWC/IgT9VX
Malware Config
Signatures
-
Detected phishing page
-
Executes dropped EXE 4 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 3 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\14398d1f4fbd26cd3397efb2f4a9d0c2adc1c07dedb933b76245e8c9b57c264f.exe"C:\Users\Admin\AppData\Local\Temp\14398d1f4fbd26cd3397efb2f4a9d0c2adc1c07dedb933b76245e8c9b57c264f.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\86on_yes.exeC:\86on_yes.exe2⤵
- Executes dropped EXE
-
C:\hahagame.exeC:\hahagame.exe /sp- /silent /norestart /verysilent2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-EDPJA.tmp\hahagame.tmp"C:\Users\Admin\AppData\Local\Temp\is-EDPJA.tmp\hahagame.tmp" /SL5="$6011A,1630806,72704,C:\hahagame.exe" /sp- /silent /norestart /verysilent3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\SeFastInstall3_3261.exeC:\SeFastInstall3_3261.exe2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.jipinla.com2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:520 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.1234.la/an.htm?yuyanzhecn2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1292 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5841⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\86on_yes.exeFilesize
135KB
MD50175887432097d34b1d2ec4d3a3ff93f
SHA130686364ffe6ac9b782a73cd1f035d12cba3cd38
SHA2564337462d9556a4340484cb47c48318529102658469859d8a14e076b6e0022ab9
SHA512c8b21a1b5aee416ced041e4d1db9adc42902998bb9f4fe58a1d5417fff7b25d975ea262e44dacd7d24975070c29b88a58056ee2f8b748c693f63062deac88430
-
C:\SeFastInstall3_3261.exeFilesize
227KB
MD54f4507ee01a51c40fcc71d7097327883
SHA1a15eb26e219028908125a63aeb2032d99db83257
SHA25673bc7bdc659b55b762092401306ae9cf76e498e6b39950a49a5eacd288b15989
SHA51293cb8a59d95706da01cbdcd7af4604a2dce958e612bc3c6af6e1a0d060c6581504cad3cd33dd174dd3c1530b1483275aa72dc61e7061452d94ac865389bbece4
-
C:\SeFastInstall3_3261.exeFilesize
227KB
MD54f4507ee01a51c40fcc71d7097327883
SHA1a15eb26e219028908125a63aeb2032d99db83257
SHA25673bc7bdc659b55b762092401306ae9cf76e498e6b39950a49a5eacd288b15989
SHA51293cb8a59d95706da01cbdcd7af4604a2dce958e612bc3c6af6e1a0d060c6581504cad3cd33dd174dd3c1530b1483275aa72dc61e7061452d94ac865389bbece4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
60KB
MD5d15aaa7c9be910a9898260767e2490e1
SHA12090c53f8d9fc3fbdbafd3a1e4dc25520eb74388
SHA256f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e
SHA5127e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96CFilesize
1KB
MD5fc0f5f4898218ffde20450e9bed69100
SHA13f5e39ea06557af3c63b1bd05c25364f0005ab9d
SHA2569bda1c1ec867a58f9ac3c88e54fd3e70ae38465d9d60e806f8905533accfa126
SHA512ea22832eebd993047ce63b908eb652e6cbb2492d709b813e23109c7909e074dc5f3cee7276abd194fc4224f42826b0d66a674a2be599cee92d0450fa8dc2c974
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5244295b21337f4527eabe689b8b70f7c
SHA1aab8e6980f6ce2c18a876d1453584b9de286ed2b
SHA256302b4307cdbcd621119ab52f479fb06c971da63a9292b886fa54325464e66837
SHA51278f6f0a477d609d28ca49bd344a0ef536e81cf6b4c1cd54830dbc32d6bf5334b2511b74decdd63e95d059242dea9d71d7eb251dfc92cef2abfff4c59eaa6e264
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD51ebaf0e456e12dee3415b95359d2c7b9
SHA1e3d1a8e8c8a28f2f40966ce7ab24df97d088b272
SHA25695237982b25f4725bc319417f7c4bc45c38a7d6189f920ba0a551e5afac568ef
SHA5129780b59871f75f04060d380d91d0f4b8e7b924829d1391987022d892e585714b19b8245be9793cef0cffba57bea53b65e811b4925de869a87a1484cdb7ffa99d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96CFilesize
492B
MD54787d0426d0b68dd66eab43ce2905d43
SHA1c25f3dec215de601786c33ec3a55b58108e5147d
SHA25680a3ff81a713d3fab16c61ba85f925f7fe82abda1dafecea562a5bdb4e2abdbb
SHA5127ea55717bc318b41669539dc127870836ecf4259e988d94baa59e68cbd9fa35c8ac53261f6d98d88428f85967b1c69d6c2e06dd22167999c199b0aa666e43637
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C65EA731-42C2-11ED-A20B-4279513DF160}.datFilesize
5KB
MD523c80a4026e4db5761bdd94a50cd9448
SHA17d0ca4fac189b58dea410c43f594f836abe83ac4
SHA256402580e695a260e90f7182de409dbfbd60dec5a28e54cc1c161da727e901aa01
SHA512a15cef001ff33ad2c5993c5df385414d7e29c7344676d734342f4bf6eb0c334a0c10d1f57433153e97ba3581801bd1a767953b1dd140013067c541f20f2847cf
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C65F4371-42C2-11ED-A20B-4279513DF160}.datFilesize
3KB
MD517f0bde1529c9ad1a332336e2c43f02a
SHA1153e375101b9ad69fe17e8d481ab627dcbaaed8e
SHA256b41d078b13d8a8a907a74afc060a092a7794d8921b65698626b41ab8ac65d95a
SHA512043558ca06582d96e315857d7af2138e8083a9c6f496e38e811caa968b6a8ac9de81b028ed3f86c00a2733e1d532eeadfed610c343df05239ae5d9d06febbd78
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.datFilesize
5KB
MD54d162607e44c95227cf09f152e89ca7f
SHA10fc3335e34f232906c10d5eee9798eda43903133
SHA256ece98618c83cb5c5c3595776f8a2ccde610164d10c1b2ed8473855cc1b99e6b4
SHA512455b2f0cd1998b30b61e78157b47d0fc8c46e8620c222463425923bb4a9dd8991596e1b867d800b7cc494560da3a1c8c5e9320bf06ec7b7a12a305394d356a04
-
C:\Users\Admin\AppData\Local\Temp\is-EDPJA.tmp\hahagame.tmpFilesize
682KB
MD5d0699dfc3ff2c8980f167c7ab586dfcc
SHA1c3f4aa0a542c01a0251782e48b313cbb7c5941a7
SHA25652361d23cd961a2918dd0ca57306bb9d1cf9aa65f518d2b4d11147ef1f657175
SHA512ea55708ba81207a55dfaf8e4ab77e837086d83b27c185942ce6b228f0844d4dc3e26cddd39cfda60ebf34a4f449e563f47ad46ba72e45a133e898e2a038fbf69
-
C:\Users\Admin\AppData\Local\Temp\is-EDPJA.tmp\hahagame.tmpFilesize
682KB
MD5d0699dfc3ff2c8980f167c7ab586dfcc
SHA1c3f4aa0a542c01a0251782e48b313cbb7c5941a7
SHA25652361d23cd961a2918dd0ca57306bb9d1cf9aa65f518d2b4d11147ef1f657175
SHA512ea55708ba81207a55dfaf8e4ab77e837086d83b27c185942ce6b228f0844d4dc3e26cddd39cfda60ebf34a4f449e563f47ad46ba72e45a133e898e2a038fbf69
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WI37W5SF.txtFilesize
608B
MD515c6f5dca2e695d132f196a00567ba47
SHA1f2e8dd3ad70fac599fc2d3807922d2661f432795
SHA2568438339581ce2776eaf1cba4ffc3358d64193721f7e0901f49b2eac1c71136ff
SHA51272607d813ca14f1f40817d82eb423b1f35cdebac8a78a95ece537e8913fa59ee953064e400812fd10217ecca87cd2937314049c49eb71549c66d29728f3cba0e
-
C:\hahagame.exeFilesize
1.8MB
MD50b80274947513ef334429c0c666b3c53
SHA1eb8f8ea8b3dc913c361adcfa4f790935083c4bf9
SHA2564e9864adbc4b7c31cb8c1a81bb4a396459ab456640307d820f1f5d9f29e341be
SHA51207ad09b3a021effce8cf696ac3e15be276d26e0b8d983fd64647fbac71a749a158c5b02e8399fa4c008d4a5517c2befbc3e84e02be803f0dd1f169da72fd5213
-
C:\hahagame.exeFilesize
1.8MB
MD50b80274947513ef334429c0c666b3c53
SHA1eb8f8ea8b3dc913c361adcfa4f790935083c4bf9
SHA2564e9864adbc4b7c31cb8c1a81bb4a396459ab456640307d820f1f5d9f29e341be
SHA51207ad09b3a021effce8cf696ac3e15be276d26e0b8d983fd64647fbac71a749a158c5b02e8399fa4c008d4a5517c2befbc3e84e02be803f0dd1f169da72fd5213
-
\Users\Admin\AppData\Local\Temp\is-EDPJA.tmp\hahagame.tmpFilesize
682KB
MD5d0699dfc3ff2c8980f167c7ab586dfcc
SHA1c3f4aa0a542c01a0251782e48b313cbb7c5941a7
SHA25652361d23cd961a2918dd0ca57306bb9d1cf9aa65f518d2b4d11147ef1f657175
SHA512ea55708ba81207a55dfaf8e4ab77e837086d83b27c185942ce6b228f0844d4dc3e26cddd39cfda60ebf34a4f449e563f47ad46ba72e45a133e898e2a038fbf69
-
\Users\Admin\AppData\Local\Temp\is-R2BEI.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\is-R2BEI.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
memory/644-55-0x0000000000000000-mapping.dmp
-
memory/980-54-0x00000000766D1000-0x00000000766D3000-memory.dmpFilesize
8KB
-
memory/1204-80-0x0000000000240000-0x00000000002EB000-memory.dmpFilesize
684KB
-
memory/1204-82-0x0000000000400000-0x00000000004AB000-memory.dmpFilesize
684KB
-
memory/1204-68-0x0000000000400000-0x00000000004AB000-memory.dmpFilesize
684KB
-
memory/1204-85-0x0000000000240000-0x00000000002EB000-memory.dmpFilesize
684KB
-
memory/1204-60-0x0000000000000000-mapping.dmp
-
memory/1496-71-0x0000000000000000-mapping.dmp
-
memory/1732-77-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/1732-69-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/1732-63-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/1732-58-0x0000000000000000-mapping.dmp