50c9a604d52048f4ed1dfe847d277d2c305afb710adae8f418e659bc03bfa905

Analysis

max time kernel
91s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 01:50 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50c9a604d52048f4ed1dfe847d277d2c305afb710adae8f418e659bc03bfa905.exe
Size

168KB
MD5

0cd9e8491588e9bf65d2f9c2c953cd50
SHA1

14d311aa47ebbd3eb8c72b0b289d614b365c7141
SHA256

50c9a604d52048f4ed1dfe847d277d2c305afb710adae8f418e659bc03bfa905
SHA512

afbe1907bd34bddb11aaeaa4d820243577d922cea2b168aa76d2b587d04a39e66ffe4e9e5968b91dce3cbf6a09ccdd9c99b7230c6583a3cd8d2d39ff65674455
SSDEEP

3072:OTvj/t8bVdipDivEtGSK4KCIByHwntt+PNaA8tnc:OTrqJdyDHtGSK5yHa+F1gc

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1708	50c9a604d52048f4ed1dfe847d277d2c305afb710adae8f418e659bc03bfa905.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\common\Utility.dll	50c9a604d52048f4ed1dfe847d277d2c305afb710adae8f418e659bc03bfa905.exe
File created	C:\Program Files\SogouPinyinUp.exe	50c9a604d52048f4ed1dfe847d277d2c305afb710adae8f418e659bc03bfa905.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 7e003100000000006755a25a110050726f6772616d730000660008000400efbeee3a851a6755a25a2a000000bc0100000000010000000000000000003c0000000000500072006f006700720061006d007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003200000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = 46003100000000006755a25a100058585800340008000400efbe6755a25a6755a25a2a000000ba440100000006000000000000000000000000000000580058005800000012000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 8200310000000000ee3a2828110053544152544d7e3100006a0008000400efbeee3a851aee3a28282a000000bb0100000000010000000000000000004000000000005300740061007200740020004d0065006e007500000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003600000018000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5c003100000000002155396e122050524f4752417e330000440008000400efbeee3a851a2155396e2a00000085010000000001000000000000000000000000000000500072006f006700720061006d004400610074006100000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 58003100000000002155886d14204d4943524f537e310000400008000400efbeee3a851a2155886d2a000000860100000000010000000000000000000000000000004d006900630072006f0073006f0066007400000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000002155c6a3102057696e646f7773003c0008000400efbeee3a851a2155c6a32a000000b1010000000001000000000000000000000000000000570069006e0064006f0077007300000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1584	1708	50c9a604d52048f4ed1dfe847d277d2c305afb710adae8f418e659bc03bfa905.exe	27
PID 1708 wrote to memory of 1584	1708	50c9a604d52048f4ed1dfe847d277d2c305afb710adae8f418e659bc03bfa905.exe	27
PID 1708 wrote to memory of 1584	1708	50c9a604d52048f4ed1dfe847d277d2c305afb710adae8f418e659bc03bfa905.exe	27
PID 1708 wrote to memory of 1584	1708	50c9a604d52048f4ed1dfe847d277d2c305afb710adae8f418e659bc03bfa905.exe	27

C:\Users\Admin\AppData\Local\Temp\50c9a604d52048f4ed1dfe847d277d2c305afb710adae8f418e659bc03bfa905.exe
"C:\Users\Admin\AppData\Local\Temp\50c9a604d52048f4ed1dfe847d277d2c305afb710adae8f418e659bc03bfa905.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\Explorer.exe
  Explorer /select,C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XXX\calcx.lnk
  2⤵
  PID:1584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SogouPinyinUp.exe

Filesize
14KB

MD5
54e9f974ac4ef96572043259326b21fc

SHA1
da8deb9e6b39f00548dff9116ce426f1c1e45496

SHA256
100f3191193ff237ce9b30ba2c1985d72cad896dcacd1c9df324905893ef8227

SHA512
a71b8a526a410bcb0face2131af7d7b64f2bccdb184e72a623eaaa4a24f80f8b5a7a74041104e212fbbab51a18be71b79726ed6121cc8a04c55f396bd484fb5a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XXX\calcx.lnk

Filesize
731B

MD5
d2396c97eb4b4b1b4e6d61cd0d5c1ca8

SHA1
b03ef58301b7daf4b4f89df082289336b6cd751f

SHA256
ce277fc1ce38e21e38d5f6ecc37cc6679d98910b7c105b57424804ac85a5834e

SHA512
03e0ccd6748afe620796e2560ec55e2163a96bae42d3012376e7d9cde78d935db922b4c9dd2e0e0bf42ace50569842902c7e50d7e0cae378acb9daf1b97da6da

Download Submit
\Program Files\SogouPinyinUp.exe

Filesize
14KB

MD5
54e9f974ac4ef96572043259326b21fc

SHA1
da8deb9e6b39f00548dff9116ce426f1c1e45496

SHA256
100f3191193ff237ce9b30ba2c1985d72cad896dcacd1c9df324905893ef8227

SHA512
a71b8a526a410bcb0face2131af7d7b64f2bccdb184e72a623eaaa4a24f80f8b5a7a74041104e212fbbab51a18be71b79726ed6121cc8a04c55f396bd484fb5a

Download Submit
memory/584-59-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

Filesize
8KB

Download
memory/584-60-0x00000000039C0000-0x00000000039D0000-memory.dmp

Filesize
64KB

Download
memory/1584-58-0x0000000074161000-0x0000000074163000-memory.dmp

Filesize
8KB

Download
memory/1708-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download