ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9

Analysis

max time kernel
151s
max time network
170s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Size

729KB
MD5

45acd575e7b1acd77efd89949ed69fa0
SHA1

d651d529f8bb3fe4a064b212d1e3cd23697c13aa
SHA256

ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9
SHA512

6c3459fbdd1d2aa2e0f4284ce37137eeb03734c96f297107045b6ee30f37019845495290e3f174ed23e5463b9b20f661c009393d71d81f574dcce8b3864f8d64
SSDEEP

12288:0PiZktiErttOglVDEQdtHBsD3pM+l+tK81lFlmvodAKBxULEg7KdfHGvMvvZEsAP:5Z3ErttXpEQdtc3pVYTlFlmv+Aq6NKdM

Score

8^/10

upx vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1572	clientbar.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/548-57-0x0000000000400000-0x00000000005BE000-memory.dmp	upx
behavioral1/memory/548-58-0x0000000000400000-0x00000000005BE000-memory.dmp	upx
behavioral1/files/0x0006000000014baa-59.dat	upx
behavioral1/files/0x0006000000014baa-60.dat	upx
behavioral1/files/0x0006000000014baa-62.dat	upx
behavioral1/memory/548-63-0x0000000000240000-0x0000000000247000-memory.dmp	upx
behavioral1/memory/1572-65-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1572-73-0x0000000000400000-0x0000000000407000-memory.dmp	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000600000001504f-66.dat	vmprotect
behavioral1/memory/548-71-0x0000000010000000-0x0000000010008000-memory.dmp	vmprotect

Loads dropped DLL 3 IoCs

pid	Process
548	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
548	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
548	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\cfghw.tmp	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\aq.qq.com\ = "107"	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\Total = "107"	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\NumberOfSubdomains = "1"	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "107"	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\aq.qq.com	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe
1572	clientbar.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	548	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Token: SeSystemtimePrivilege	548	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Token: SeSystemtimePrivilege	548	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
Token: SeSystemtimePrivilege	548	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
548	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
548	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
548	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1572	548	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe	29
PID 548 wrote to memory of 1572	548	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe	29
PID 548 wrote to memory of 1572	548	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe	29
PID 548 wrote to memory of 1572	548	ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe	29
PID 1572 wrote to memory of 1008	1572	clientbar.exe	30
PID 1572 wrote to memory of 1008	1572	clientbar.exe	30
PID 1572 wrote to memory of 1008	1572	clientbar.exe	30
PID 1572 wrote to memory of 1008	1572	clientbar.exe	30
PID 1008 wrote to memory of 1544	1008	net.exe	32
PID 1008 wrote to memory of 1544	1008	net.exe	32
PID 1008 wrote to memory of 1544	1008	net.exe	32
PID 1008 wrote to memory of 1544	1008	net.exe	32

C:\Users\Admin\AppData\Local\Temp\ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
"C:\Users\Admin\AppData\Local\Temp\ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:548
- \??\c:\windows\temp\clientbar.exe
  c:\windows\temp\clientbar.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\clientbar.exe

Filesize
5KB

MD5
0ca87b75fe0cde361fba653f4c67b9f6

SHA1
95dec5649144b7fe90ac0517c6e14f369e27e0c4

SHA256
09df7690b946f8916fb5d406b3598aee76e255743d6db76fd48af0d2d62846e3

SHA512
8725243967716e64e656e4e6f43d87438a2dfb736a3ed5cf35621064683c7801450fd50389af133f5b4eee084077011b00af3a3a1612c413d9a4bd19ebb58fd1

Download Submit
\Windows\Temp\clientbar.exe

Filesize
5KB

MD5
0ca87b75fe0cde361fba653f4c67b9f6

SHA1
95dec5649144b7fe90ac0517c6e14f369e27e0c4

SHA256
09df7690b946f8916fb5d406b3598aee76e255743d6db76fd48af0d2d62846e3

SHA512
8725243967716e64e656e4e6f43d87438a2dfb736a3ed5cf35621064683c7801450fd50389af133f5b4eee084077011b00af3a3a1612c413d9a4bd19ebb58fd1

Download Submit
\Windows\Temp\clientbar.exe

Filesize
5KB

MD5
0ca87b75fe0cde361fba653f4c67b9f6

SHA1
95dec5649144b7fe90ac0517c6e14f369e27e0c4

SHA256
09df7690b946f8916fb5d406b3598aee76e255743d6db76fd48af0d2d62846e3

SHA512
8725243967716e64e656e4e6f43d87438a2dfb736a3ed5cf35621064683c7801450fd50389af133f5b4eee084077011b00af3a3a1612c413d9a4bd19ebb58fd1

Download Submit
\Windows\Temp\minihook.dll

Filesize
16KB

MD5
dc496987d75b5e592112605a2dbd8532

SHA1
758513f98b8765aa17219c5c4a9afd177dee2832

SHA256
e07e564b08899a594905bd503090321754df7c1c01acedc91bc3853c41c716dd

SHA512
f2949ab15b83f7448619e7b6adead063bd2d1a616249f3bc22c200133303b49d8541b53418ae993770070cd9576abf34237d21f8441b693c8d35c6107066d7f8

Download Submit
memory/548-56-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/548-57-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/548-58-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/548-72-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/548-63-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/548-64-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/548-71-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1572-65-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1572-73-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download