Overview

overview

10

Static

static

5

14398d1f4f...4f.exe

windows7-x64

10

14398d1f4f...4f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2022 22:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14398d1f4fbd26cd3397efb2f4a9d0c2adc1c07dedb933b76245e8c9b57c264f.exe

  • Size

    2.7MB

  • MD5

    6c9722cc71776d80f2c50816efdbe85e

  • SHA1

    d73636f93548e96fda42ca820461c1352414412b

  • SHA256

    14398d1f4fbd26cd3397efb2f4a9d0c2adc1c07dedb933b76245e8c9b57c264f

  • SHA512

    bdb1579768276fb03cde0a5e33eea7a4c009bc96f59dd656fc0f2c59ca40030b8df92555fbdb6cc03eeaa5e3343699ecedd7419ef8b81151706f112d4cb5d2a8

  • SSDEEP

    49152:6ffy4NwrQq6Y0uaXxl9LC2v2UZGglxh5ozMP4NQQOSr5k/I4XTZGfDahGGrgQ:6ffyH69uM9LCC2UfYz24NQdWC/IgT9VX

Score
10/10
bootkitpersistencephishingupx

Malware Config

Signatures

  • Detected phishing page
    phishing
  • Executes dropped EXE 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14398d1f4fbd26cd3397efb2f4a9d0c2adc1c07dedb933b76245e8c9b57c264f.exe
    "C:\Users\Admin\AppData\Local\Temp\14398d1f4fbd26cd3397efb2f4a9d0c2adc1c07dedb933b76245e8c9b57c264f.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\86on_yes.exe
      C:\86on_yes.exe
      2⤵
      • Executes dropped EXE
      PID:4436
    • C:\hahagame.exe
      C:\hahagame.exe /sp- /silent /norestart /verysilent
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:308
      • C:\Users\Admin\AppData\Local\Temp\is-KR5UC.tmp\hahagame.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-KR5UC.tmp\hahagame.tmp" /SL5="$A0050,1630806,72704,C:\hahagame.exe" /sp- /silent /norestart /verysilent
        3⤵
        • Executes dropped EXE
        PID:1236
    • C:\SeFastInstall3_3261.exe
      C:\SeFastInstall3_3261.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetWindowsHookEx
      PID:224
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1234.la/an.htm?yuyanzhecn
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3496 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2360
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.jipinla.com
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3808
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3808 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4380
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3fc 0x24c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\86on_yes.exe
    Filesize

    135KB

    MD5

    0175887432097d34b1d2ec4d3a3ff93f

    SHA1

    30686364ffe6ac9b782a73cd1f035d12cba3cd38

    SHA256

    4337462d9556a4340484cb47c48318529102658469859d8a14e076b6e0022ab9

    SHA512

    c8b21a1b5aee416ced041e4d1db9adc42902998bb9f4fe58a1d5417fff7b25d975ea262e44dacd7d24975070c29b88a58056ee2f8b748c693f63062deac88430

    Download Submit
  • C:\86on_yes.exe
    Filesize

    135KB

    MD5

    0175887432097d34b1d2ec4d3a3ff93f

    SHA1

    30686364ffe6ac9b782a73cd1f035d12cba3cd38

    SHA256

    4337462d9556a4340484cb47c48318529102658469859d8a14e076b6e0022ab9

    SHA512

    c8b21a1b5aee416ced041e4d1db9adc42902998bb9f4fe58a1d5417fff7b25d975ea262e44dacd7d24975070c29b88a58056ee2f8b748c693f63062deac88430

    Download Submit
  • C:\SeFastInstall3_3261.exe
    Filesize

    227KB

    MD5

    4f4507ee01a51c40fcc71d7097327883

    SHA1

    a15eb26e219028908125a63aeb2032d99db83257

    SHA256

    73bc7bdc659b55b762092401306ae9cf76e498e6b39950a49a5eacd288b15989

    SHA512

    93cb8a59d95706da01cbdcd7af4604a2dce958e612bc3c6af6e1a0d060c6581504cad3cd33dd174dd3c1530b1483275aa72dc61e7061452d94ac865389bbece4

    Download Submit
  • C:\SeFastInstall3_3261.exe
    Filesize

    227KB

    MD5

    4f4507ee01a51c40fcc71d7097327883

    SHA1

    a15eb26e219028908125a63aeb2032d99db83257

    SHA256

    73bc7bdc659b55b762092401306ae9cf76e498e6b39950a49a5eacd288b15989

    SHA512

    93cb8a59d95706da01cbdcd7af4604a2dce958e612bc3c6af6e1a0d060c6581504cad3cd33dd174dd3c1530b1483275aa72dc61e7061452d94ac865389bbece4

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
    Filesize

    1KB

    MD5

    3d5b0265d8f2e53d77a7a1f7b69634c0

    SHA1

    7c6bf08fa231c2a8c42da103cfedfc0ef6108253

    SHA256

    5746b67da0e5329acb4a569faa0d907d0018987125d6f6121f40fc0283de8e95

    SHA512

    cb525df09ff64cc8abe90d08c507ddb429404bddb743139678926fa986596b2319d64a7d1a3790881b5aa81473b7b8ec770dfdd244841f7b0181049644128b2e

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
    Filesize

    492B

    MD5

    efefb55f81a3662a8241ec8c21795e9e

    SHA1

    250e447d30f5534aa95a82a43abf1d8aa190c6d2

    SHA256

    1b7e15a610e8cf7f674f8cf24bae9ca9ae12e5f6e36fe50c6aca4e0974669ecf

    SHA512

    ee8a7dd8eec2859ce4ca545e3d601152edecb203d1d1b890599804dffce295ea602ec284956cf953da3d88f5eb023bc2907f844c4fd68f2867a6c378a4659c1e

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB23E54B-42C2-11ED-A0EE-567C1489C33F}.dat
    Filesize

    5KB

    MD5

    e0e62abf97f89a7fcd0ab37e4fe279ca

    SHA1

    ff51d4ea27e7eb1c4236c950663eb9c2e7f4542e

    SHA256

    390c89a6d11768f4870af719af6525a0b668d0b9da36ab0ecb1d908c4afd2bdd

    SHA512

    514c9684f258bf66f5e37d068411dd1979e70109f00a205c8ad1745f8997418d543de1b18e8f6962406e21a93dba4827159472dea3fcf13a96d52722921fb823

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB395B42-42C2-11ED-A0EE-567C1489C33F}.dat
    Filesize

    5KB

    MD5

    01436543e04351d457ca1e945b1ef488

    SHA1

    a6c9ba7c0c7485475ee13ca86d1d241668bb765c

    SHA256

    f1a3105a50e329d78fea543a113e688765a36ad3729563cee4d89277bb479c7a

    SHA512

    90f463d4179c194bf4342e881f33d5614a19016f5ea90dba7e88420743c6f7fda1c8d9639eea7eaec09b7f7466a5738e7e8cad9f3b8552c04b01ab9cc10844b4

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ckj4gk4\imagestore.dat
    Filesize

    1KB

    MD5

    e51eb49c60ba5cf52f569cbfbbd155e8

    SHA1

    600d6ae9ad546c66e1bb00899031eb22b35e5ccd

    SHA256

    a48a5b587f2b0f310afd4c80f20d71b418bf3f21fd37305f6e9ae008762115fe

    SHA512

    a628bda938a85b9773ba6fcd16692f1b4fd52017585d1146af67a1918986684833f53d843a30bec673e945e7e58748dfbd721583b3095c3a1d4a6631674b9b2d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-KR5UC.tmp\hahagame.tmp
    Filesize

    682KB

    MD5

    d0699dfc3ff2c8980f167c7ab586dfcc

    SHA1

    c3f4aa0a542c01a0251782e48b313cbb7c5941a7

    SHA256

    52361d23cd961a2918dd0ca57306bb9d1cf9aa65f518d2b4d11147ef1f657175

    SHA512

    ea55708ba81207a55dfaf8e4ab77e837086d83b27c185942ce6b228f0844d4dc3e26cddd39cfda60ebf34a4f449e563f47ad46ba72e45a133e898e2a038fbf69

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-KR5UC.tmp\hahagame.tmp
    Filesize

    682KB

    MD5

    d0699dfc3ff2c8980f167c7ab586dfcc

    SHA1

    c3f4aa0a542c01a0251782e48b313cbb7c5941a7

    SHA256

    52361d23cd961a2918dd0ca57306bb9d1cf9aa65f518d2b4d11147ef1f657175

    SHA512

    ea55708ba81207a55dfaf8e4ab77e837086d83b27c185942ce6b228f0844d4dc3e26cddd39cfda60ebf34a4f449e563f47ad46ba72e45a133e898e2a038fbf69

    Download Submit
  • C:\hahagame.exe
    Filesize

    1.8MB

    MD5

    0b80274947513ef334429c0c666b3c53

    SHA1

    eb8f8ea8b3dc913c361adcfa4f790935083c4bf9

    SHA256

    4e9864adbc4b7c31cb8c1a81bb4a396459ab456640307d820f1f5d9f29e341be

    SHA512

    07ad09b3a021effce8cf696ac3e15be276d26e0b8d983fd64647fbac71a749a158c5b02e8399fa4c008d4a5517c2befbc3e84e02be803f0dd1f169da72fd5213

    Download Submit
  • C:\hahagame.exe
    Filesize

    1.8MB

    MD5

    0b80274947513ef334429c0c666b3c53

    SHA1

    eb8f8ea8b3dc913c361adcfa4f790935083c4bf9

    SHA256

    4e9864adbc4b7c31cb8c1a81bb4a396459ab456640307d820f1f5d9f29e341be

    SHA512

    07ad09b3a021effce8cf696ac3e15be276d26e0b8d983fd64647fbac71a749a158c5b02e8399fa4c008d4a5517c2befbc3e84e02be803f0dd1f169da72fd5213

    Download Submit
  • memory/224-138-0x0000000000000000-mapping.dmp
    Download
  • memory/224-143-0x0000000000400000-0x00000000004AB000-memory.dmp
    Filesize

    684KB

    Download
  • memory/224-150-0x0000000000400000-0x00000000004AB000-memory.dmp
    Filesize

    684KB

    Download
  • memory/308-144-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

    Download
  • memory/308-151-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

    Download
  • memory/308-140-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

    Download
  • memory/308-154-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

    Download
  • memory/308-135-0x0000000000000000-mapping.dmp
    Download
  • memory/1236-145-0x0000000000000000-mapping.dmp
    Download
  • memory/4436-132-0x0000000000000000-mapping.dmp
    Download