5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d

General

Target

5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe
Size

1.5MB
MD5

69503cfbc7aab296b126eadaee54cd7a
SHA1

8f8879200f8f8fae2572e03cecc7bf0b509cf587
SHA256

5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d
SHA512

b6fcb36b25aed5783a11b99183516a20061be925dc90ee4a0d4337877d3f1eacd3ee47527b3c74dad7f2e1f1eb626b695e33219bc8df52530388e03adbf18328
SSDEEP

24576:AvRTs7KezFTuYhzpcDeesRWv6WzT6KfkEp3W8AD/Dhd+y4lqJ8QdCYDoDNKn01:AvDksYhtcDewJOisvD/DX+y4onCYDoD5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4852	QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
4748	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
1128	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe
1128	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe
1128	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe
4748	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\hpig_WS2.dat	svchost.exe
File created	C:\Windows\my_sfc_os.dll	svchost.exe
File opened for modification	C:\Windows\my_sfc_os.dll	svchost.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3788	4748	WerFault.exe	87
32	4748	WerFault.exe	87

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1128	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe
4852	QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
4852	QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
4852	QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
4852	QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
4852	QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2240	1128	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe	82
PID 1128 wrote to memory of 2240	1128	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe	82
PID 1128 wrote to memory of 2240	1128	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe	82
PID 1128 wrote to memory of 3160	1128	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe	83
PID 1128 wrote to memory of 3160	1128	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe	83
PID 1128 wrote to memory of 3160	1128	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe	83
PID 3160 wrote to memory of 4852	3160	cmd.exe	86
PID 3160 wrote to memory of 4852	3160	cmd.exe	86
PID 3160 wrote to memory of 4852	3160	cmd.exe	86
PID 2240 wrote to memory of 4748	2240	cmd.exe	87
PID 2240 wrote to memory of 4748	2240	cmd.exe	87
PID 2240 wrote to memory of 4748	2240	cmd.exe	87
PID 4748 wrote to memory of 3788	4748	svchost.exe	92
PID 4748 wrote to memory of 3788	4748	svchost.exe	92
PID 4748 wrote to memory of 3788	4748	svchost.exe	92

C:\Users\Admin\AppData\Local\Temp\5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe
"C:\Users\Admin\AppData\Local\Temp\5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\\svchost.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 424
      4⤵
      Program crash
      PID:3788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 424
      4⤵
      Program crash
      PID:32
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\\QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
    C:\Users\Admin\AppData\Local\Temp\\QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4748 -ip 4748
1⤵
PID:4116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.1MB

MD5
97c8fe752e354b2945e4c593a87e4a8b

SHA1
03ab4c91535ecf14b13e0258f3a7be459a7957f9

SHA256
820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead

SHA512
af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
56KB

MD5
d63851f89c7ad4615565ca300e8b8e27

SHA1
1c9a6c1ce94581f85be0e99e2d370384b959578f

SHA256
0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d

SHA512
623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
56KB

MD5
d63851f89c7ad4615565ca300e8b8e27

SHA1
1c9a6c1ce94581f85be0e99e2d370384b959578f

SHA256
0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d

SHA512
623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe

Filesize
656KB

MD5
9f4db558ba57fdcbfac2900a4e9843c5

SHA1
cd7f4f52f1a1ee76284d495835f71f5ac584b502

SHA256
8beb208e79d9ac394cf021f57b89c97aac198f113e03dfbe3e067ff70cff1f78

SHA512
98537373ac5ce43e9a5096b187e17b4911ce24df88248c01b40c8822587ada4311b1ea5c808b22ecdd20ee670911a38204770f0378ff40512e7e97369fff792b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe

Filesize
656KB

MD5
9f4db558ba57fdcbfac2900a4e9843c5

SHA1
cd7f4f52f1a1ee76284d495835f71f5ac584b502

SHA256
8beb208e79d9ac394cf021f57b89c97aac198f113e03dfbe3e067ff70cff1f78

SHA512
98537373ac5ce43e9a5096b187e17b4911ce24df88248c01b40c8822587ada4311b1ea5c808b22ecdd20ee670911a38204770f0378ff40512e7e97369fff792b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
303KB

MD5
dc1f136e2dadc7ad16dbeefc360c3626

SHA1
8b1ff1ff975e0be45723ed46157509e8efcbfccd

SHA256
e707c55b9bb45b981267018b6cb6e40eb89f6e308d441445f054b561c2b0bb63

SHA512
d4e8c700d5eb290a669f41bdf4c50c1d7aa52e087c55a86a5a1e095f10c19664a94b60c1602b16304c3a0e9ef51580e05bf00a07fb286f09ffcbcb83b6329458

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
303KB

MD5
dc1f136e2dadc7ad16dbeefc360c3626

SHA1
8b1ff1ff975e0be45723ed46157509e8efcbfccd

SHA256
e707c55b9bb45b981267018b6cb6e40eb89f6e308d441445f054b561c2b0bb63

SHA512
d4e8c700d5eb290a669f41bdf4c50c1d7aa52e087c55a86a5a1e095f10c19664a94b60c1602b16304c3a0e9ef51580e05bf00a07fb286f09ffcbcb83b6329458

Download Submit
C:\Windows\my_sfc_os.dll

Filesize
48KB

MD5
98c499fccb739ab23b75c0d8b98e0481

SHA1
0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

SHA256
d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

SHA512
9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

Download Submit
memory/1128-136-0x0000000002190000-0x00000000021A4000-memory.dmp

Filesize
80KB

Download
memory/1128-133-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1128-145-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing