5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf

Analysis

max time kernel
36s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
Size

917KB
MD5

62de4ed42a1dba41ba9e8366cf0613c5
SHA1

4610df0a1e9a02749c5fdb26301f172b0e17a83e
SHA256

5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf
SHA512

32c25c8f558370824da5722aea81cac8be595a9ccf3dab03728a0972c6629ec21c1d03d6377e87f27d5ed85faecba06fba284a58208a3322d5029a27818b6da2
SSDEEP

24576:wIa7MvMoIceaNc+IBDnlggZhefKsZKnOIu:wg0GepGZKnfu

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/364-55-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/364-68-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/files/0x0006000000014294-70.dat	upx

Deletes itself 1 IoCs

pid	Process
1764	cmd.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.ico	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\Ð¡ÓÎÏ·.ico	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\RtkSYUdp.exe	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\internet explorer\version Vector	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\ = "´ò¿ªÖ÷Ò³(&H)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\LocalizedString = "@shdoclc.dll,-880"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon\ = "shdoclc.dll,-190"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\Attributes = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\InfoTip = "@shdoclc.dll,-881"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command\ = "IEXPLORE.EXE %w%w%w.93%119%15.%c%o%m"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\ = "ÊôÐÔ(&R)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe

Runs regedit.exe 3 IoCs

pid	Process
1416	regedit.exe
1120	regedit.exe
904	regedit.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 1416	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	27
PID 364 wrote to memory of 1416	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	27
PID 364 wrote to memory of 1416	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	27
PID 364 wrote to memory of 1416	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	27
PID 364 wrote to memory of 1120	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	29
PID 364 wrote to memory of 1120	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	29
PID 364 wrote to memory of 1120	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	29
PID 364 wrote to memory of 1120	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	29
PID 364 wrote to memory of 2004	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	30
PID 364 wrote to memory of 2004	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	30
PID 364 wrote to memory of 2004	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	30
PID 364 wrote to memory of 2004	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	30
PID 364 wrote to memory of 904	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	32
PID 364 wrote to memory of 904	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	32
PID 364 wrote to memory of 904	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	32
PID 364 wrote to memory of 904	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	32
PID 364 wrote to memory of 1764	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	33
PID 364 wrote to memory of 1764	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	33
PID 364 wrote to memory of 1764	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	33
PID 364 wrote to memory of 1764	364	5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe	33
PID 1764 wrote to memory of 2028	1764	cmd.exe	35
PID 1764 wrote to memory of 2028	1764	cmd.exe	35
PID 1764 wrote to memory of 2028	1764	cmd.exe	35
PID 1764 wrote to memory of 2028	1764	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe
"C:\Users\Admin\AppData\Local\Temp\5e1d1795787a1fb0ed8b350e440a6259a94b7dc602186a41a5be6316555e51cf.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:364
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10656.tmp
  2⤵
  - Modifies registry class
  - Runs regedit.exe
  PID:1416
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Users\Admin\AppData\Local\Temp\$10943.tmp
  2⤵
  - Runs regedit.exe
  PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat
  2⤵
  PID:2004
- C:\Windows\SysWOW64\regedit.exe
  C:\Windows\regedit.exe /s C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp
  2⤵
  - Modifies registry class
  - Runs regedit.exe
  PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
    3⤵
    PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

Filesize
665B

MD5
c017f016da2cb42e8a9097346cdc1d73

SHA1
bb053fdae15f90019c1e81f0150186c4d9e4d8e3

SHA256
f6a0a214e1165c6234925eb29591995c6ca494a155cddce56b9f68599d508099

SHA512
9038222b582d0543b642c691a243df4ea469af43181a67c9ed234657096e7b1cd141d7412766211b189e56cf07c01c1a75ae04abe28e84a01663da1b92ab4877

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

Filesize
59B

MD5
0cf180f20e716094bef34db0f1a39a04

SHA1
f8e9da5d8eaf347b240a77c6a9c4f494d4fc351b

SHA256
2a72298ec1d957d1d225aec50a4e6e32c5dec2f2645f25e580304e5c7ae5bb26

SHA512
a471fee35dfc685effb46fcc37d47d7210fad3fdba7cb5342b13e11f95ae7690e4053b3399bca6da7546015a479ce55a301c6934be8bab7ec9eae5aece8bdb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10656.tmp

Filesize
1KB

MD5
f9ce5c8a3059991babf4084151caa492

SHA1
26567f89a885b0e69f24309c3e5c58e8e938f841

SHA256
e82c214f33cad1b25146758e22fd887b15f63b1a7a8d716b358c50dc5c3d4e96

SHA512
cce48827588aa5968453a8a69baeab8435083dca1d625d079b01d4f9292c7bcb85ab1217f1cf96ea301eef49b7a96a76b58413d4496f1c35e234df7c7e5c9750

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp

Filesize
142B

MD5
1722b85f05faa97e09cc1d98002d0711

SHA1
0a2ec5d60f6c8af838fc004e8fbb0b436437887f

SHA256
2c428a167d8dabe9b4e4e821f5d56333962208ef44bc0becbf9c968f1e583e21

SHA512
40393e3b6f958a2b0303810ba3653f55b18ff22439df78487752c92cbe0a510120b2a078b31805980ae2ceaa4465674bfc2ce03803988481fd633e2b9c3ca3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp

Filesize
3KB

MD5
25db315b7c4e03440fc39a45d0e696f4

SHA1
e676a65ddced682543871402c65745615866813b

SHA256
afebbcbfd45e044083133fd2f575f9cee59dbff403ae376b2d2307a89b97a26c

SHA512
d10afe733da4f6c33e2859078ca307e40cf15c0e2ddde9e48b8cb3962491cc73e6b47d2fb98c56d233bef268cf1d45ac68d5835885a8b5395ee4b0c6dd0ad3d4

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
memory/364-55-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/364-68-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/364-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download