Analysis

  • max time kernel
    90s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20220901-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    28/10/2022, 23:09 UTC

General

  • Target

    34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe

  • Size

    95KB

  • MD5

    0b84527ed1f757fef90372dfb2126eb1

  • SHA1

    a5cb7a767c23262ebbe13c9a5258ee37d537d817

  • SHA256

    34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd

  • SHA512

    d0d9b36dcb3226ae61e494304bd549f3057546e506d04ee6cd90657dcd182a7179d7e06458d898f9729b8c1e43f862148396c80bc02699f71cc8c355175acb0d

  • SSDEEP

    1536:kjdUy9hWM4A+mR5qy7OYvXIxBnA+LbOxTZ0U5CGbOKMdfqj6t83ErF:eH+mRLdvXIxBntLbOxKBGbOKM383Ep

Score
8/10

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 8 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe
    "C:\Users\Admin\AppData\Local\Temp\34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Windows\SysWOW64\98AD9.exe
      C:\Windows\system32\98AD9.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "net start 98AD9"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1368
        • C:\Windows\SysWOW64\net.exe
          net start 98AD9
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2240
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start 98AD9
            5⤵
            PID:3664
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "net start 98AD9"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3428
        • C:\Windows\SysWOW64\net.exe
          net start 98AD9
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2108
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start 98AD9
            5⤵
            PID:3808
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "net start 98AD9"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Windows\SysWOW64\net.exe
        net start 98AD9
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3724
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start 98AD9
          4⤵
          PID:3408
  • C:\Windows\SysWOW64\98AD9.exe
    C:\Windows\SysWOW64\98AD9.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "net start 98AD9"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4144
      • C:\Windows\SysWOW64\net.exe
        net start 98AD9
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:176
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start 98AD9
          4⤵
          PID:4240
    • C:\Windows\SysWOW64\4F4F8.exe
      C:\Windows\system32\4F4F8.exe eee
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4348

Network

          • flag-us
            DNS
            www.baidu.com
            4F4F8.exe
            Remote address:
            8.8.8.8:53
            Request
            www.baidu.com
            IN A
            Response
            www.baidu.com
            IN CNAME
            www.a.shifen.com
            www.a.shifen.com
            IN CNAME
            www.wshifen.com
            www.wshifen.com
            IN A
            103.235.46.40
          • flag-hk
            GET
            http://www.baidu.com/
            4F4F8.exe
            Remote address:
            103.235.46.40:80
            Request
            GET / HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: www.baidu.com
            Connection: Keep-Alive
            Response
            HTTP/1.1 200 OK
            Bdpagetype: 1
            Bdqid: 0x8036514e0013e238
            Connection: keep-alive
            Content-Encoding: gzip
            Content-Type: text/html; charset=utf-8
            Date: Sat, 29 Oct 2022 01:56:03 GMT
            P3p: CP=" OTI DSP COR IVA OUR IND COM "
            P3p: CP=" OTI DSP COR IVA OUR IND COM "
            Server: BWS/1.1
            Set-Cookie: BAIDUID=0C8F27CD4AF586E6255880B83032F20B:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
            Set-Cookie: BIDUPSID=0C8F27CD4AF586E6255880B83032F20B; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
            Set-Cookie: PSTM=1667008563; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
            Set-Cookie: BAIDUID=0C8F27CD4AF586E6433F3600C3119567:FG=1; max-age=31536000; expires=Sun, 29-Oct-23 01:56:03 GMT; domain=.baidu.com; path=/; version=1; comment=bd
            Set-Cookie: BDSVRTM=41; path=/
            Set-Cookie: BD_HOME=1; path=/
            Set-Cookie: H_PS_PSSID=36545_37584_36885_34812_37624_36786_37540_37500_37575_26350; path=/; domain=.baidu.com
            Traceid: 166700856306973995629238661081047753272
            X-Frame-Options: sameorigin
            X-Ua-Compatible: IE=Edge,chrome=1
            Transfer-Encoding: chunked
          • 103.235.46.40:80
            http://www.baidu.com/
            http
            4F4F8.exe
            4.0kB
            96.3kB
            80
            78

            HTTP Request

            GET http://www.baidu.com/

            HTTP Response

            200
          • 93.184.221.240:80
            322 B
            7
          • 20.189.173.1:443
            322 B
            7
          • 87.248.202.1:80
            322 B
            7
          • 93.184.221.240:80
            322 B
            7
          • 8.8.8.8:53
            www.baidu.com
            dns
            4F4F8.exe
            59 B
            128 B
            1
            1

            DNS Request

            www.baidu.com

            DNS Response

            103.235.46.40

Downloads

          • C:\Windows\SysWOW64\4F4F8.exe

            Filesize

            104KB

            MD5

            2b1b7cf833726f0380ec1a33222c5c1f

            SHA1

            4fd1e1241181e1c273435af2f51f2764ced2de3e

            SHA256

            e7b8b4f8157c2842ff11295f057bf37179be342ef24f036750f7e0e44a4dc82c

            SHA512

            28478d1141f9408dba2ef8116b0c63b8cd423f1eb53d91a29fffe7e6d2f3c49e74eab45f6b059eeef38794c748b2d8ad550234ff5fbaabc226cad6db6ad2ba8b

          • C:\Windows\SysWOW64\98AD9.exe

            Filesize

            95KB

            MD5

            0b84527ed1f757fef90372dfb2126eb1

            SHA1

            a5cb7a767c23262ebbe13c9a5258ee37d537d817

            SHA256

            34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd

            SHA512

            d0d9b36dcb3226ae61e494304bd549f3057546e506d04ee6cd90657dcd182a7179d7e06458d898f9729b8c1e43f862148396c80bc02699f71cc8c355175acb0d

          • C:\Windows\SysWOW64\MSWINSCK.OCX

            Filesize

            105KB

            MD5

            9484c04258830aa3c2f2a70eb041414c

            SHA1

            b242a4fb0e9dcf14cb51dc36027baff9a79cb823

            SHA256

            bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

            SHA512

            9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

          • memory/1324-143-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

          • memory/3372-166-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

          • memory/3372-157-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

          • memory/4896-132-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

          • memory/4896-144-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB
