0e476a9c599635ddbfffc15ac219d65daf35aa1767ec5332ff0d9ce6d16d1c34

General

Target

0e476a9c599635ddbfffc15ac219d65daf35aa1767ec5332ff0d9ce6d16d1c34.exe
Size

340KB
MD5

097be9ccdaf9e6fbb03d420a41c6ae11
SHA1

f5e1fe23d86eedcf576b18310b57fcbd230aaea6
SHA256

0e476a9c599635ddbfffc15ac219d65daf35aa1767ec5332ff0d9ce6d16d1c34
SHA512

261e8b6155543504a9a0238dfcfddc98c9255cd8044746d7ff074357ab85d212721d25f2e9269c9d78f535079dc71779eafd385120f95c4c43aaf2474c717374
SSDEEP

6144:aIQ/RHVs4LWzfte7s4bN9/fAbB1qJzEXXz4TOLiCjvSJhFSZH:aIQ/BVh4fteA4zYbB1MAnyehWFCH

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CFTHKQWTN\Parameters\ServiceDll = "C:\\Windows\\system32\\EMRVbeijoqtwID34.DLL"	0e476a9c599635ddbfffc15ac219d65daf35aa1767ec5332ff0d9ce6d16d1c34.exe

Loads dropped DLL 3 IoCs

pid	Process
2816	0e476a9c599635ddbfffc15ac219d65daf35aa1767ec5332ff0d9ce6d16d1c34.exe
2816	0e476a9c599635ddbfffc15ac219d65daf35aa1767ec5332ff0d9ce6d16d1c34.exe
4304	svchost.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\wbem\ccdiv.drv	svchost.exe
File created	C:\Windows\SysWOW64\qsvydgilprtw	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\6543ÍøÖ·µ¼º½.lnk	svchost.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ljfsdfs32.uut	svchost.exe
File created	C:\Windows\SysWOW64\EMRVbeijoqtwID34.DLL	0e476a9c599635ddbfffc15ac219d65daf35aa1767ec5332ff0d9ce6d16d1c34.exe
File opened for modification	C:\Windows\SysWOW64\EMRVbeijoqtwID34.DLL	0e476a9c599635ddbfffc15ac219d65daf35aa1767ec5332ff0d9ce6d16d1c34.exe
File created	C:\windows\SysWOW64\uafdafuu.dll	svchost.exe
File opened for modification	C:\windows\SysWOW64\uafdafuu.dll	svchost.exe
File created	C:\Windows\SysWOW64\wbem\ljfsdfs32.uut	svchost.exe
File created	C:\windows\SysWOW64\uafdafuu.dll.tmp	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\DelSelf.bat	0e476a9c599635ddbfffc15ac219d65daf35aa1767ec5332ff0d9ce6d16d1c34.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{C93681FE-E154-4734-82E6-236AF3F4FB7B}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{C93681FE-E154-4734-82E6-236AF3F4FB7B}\Buttontext = "6543ÍøÖ·µ¼º½"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{C93681FE-E154-4734-82E6-236AF3F4FB7B}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{C93681FE-E154-4734-82E6-236AF3F4FB7B}\Default Visible = "Yes"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{C93681FE-E154-4734-82E6-236AF3F4FB7B}\HotIcon = "C:\\Windows\\system32\\qsvydgilprtw"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{C93681FE-E154-4734-82E6-236AF3F4FB7B}\Icon = "C:\\Windows\\system32\\qsvydgilprtw"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{C93681FE-E154-4734-82E6-236AF3F4FB7B}\Exec = "http://www.6543wz.cn"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{C93681FE-E154-4734-82E6-236AF3F4FB7B}\MenuText = "6543ÍøÖ·µ¼º½"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\HotIcon = "C:\\Windows\\system32\\qsvydgilprtw"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2040	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 5084	2816	0e476a9c599635ddbfffc15ac219d65daf35aa1767ec5332ff0d9ce6d16d1c34.exe	84
PID 2816 wrote to memory of 5084	2816	0e476a9c599635ddbfffc15ac219d65daf35aa1767ec5332ff0d9ce6d16d1c34.exe	84
PID 2816 wrote to memory of 5084	2816	0e476a9c599635ddbfffc15ac219d65daf35aa1767ec5332ff0d9ce6d16d1c34.exe	84
PID 5084 wrote to memory of 2040	5084	cmd.exe	86
PID 5084 wrote to memory of 2040	5084	cmd.exe	86
PID 5084 wrote to memory of 2040	5084	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\0e476a9c599635ddbfffc15ac219d65daf35aa1767ec5332ff0d9ce6d16d1c34.exe
"C:\Users\Admin\AppData\Local\Temp\0e476a9c599635ddbfffc15ac219d65daf35aa1767ec5332ff0d9ce6d16d1c34.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\\DelSelf.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2040

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k XYYFQTFYS -s CFTHKQWTN
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
PID:4304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DelSelf.bat

Filesize
285B

MD5
49f58a8b896c30ad7fffc9fd770b4c5e

SHA1
9843867ea3623c75a658761a5d0b4ff4d63cd34d

SHA256
61a193d2895ba0c731ae2cb8e218b306ff410bae8b1c6de90646d40adc7fbfb3

SHA512
89f8ac16991cbeb8c9c013f05832d461174e1e2a4251446aedead166c5a7c0010471f1cf8e80d8083d113249be02cb554a4909359d2d079b3ebb8bb3bfaa7c28

Download Submit
C:\Windows\SysWOW64\EMRVbeijoqtwID34.DLL

Filesize
650KB

MD5
402e52d2a1875ed7e42fbdc139a7635c

SHA1
c46d9a8aa85b10bee719c376134ba0d8b196cab7

SHA256
63eed34e87f30e633a0f07a2813bd944a7565a766714f4109fb5279019c87e5a

SHA512
0a6f87adc3aeb4b0afa97150af1bc52ec3ffd7e7b021f7bacea8fc32527026f0b813a342046b2637dde9f681a7b3a178baae3a734911ca562caa1cc1cd785c9e

Download Submit
C:\Windows\SysWOW64\EMRVbeijoqtwID34.DLL

Filesize
650KB

MD5
402e52d2a1875ed7e42fbdc139a7635c

SHA1
c46d9a8aa85b10bee719c376134ba0d8b196cab7

SHA256
63eed34e87f30e633a0f07a2813bd944a7565a766714f4109fb5279019c87e5a

SHA512
0a6f87adc3aeb4b0afa97150af1bc52ec3ffd7e7b021f7bacea8fc32527026f0b813a342046b2637dde9f681a7b3a178baae3a734911ca562caa1cc1cd785c9e

Download Submit
C:\Windows\SysWOW64\EMRVbeijoqtwID34.DLL

Filesize
650KB

MD5
402e52d2a1875ed7e42fbdc139a7635c

SHA1
c46d9a8aa85b10bee719c376134ba0d8b196cab7

SHA256
63eed34e87f30e633a0f07a2813bd944a7565a766714f4109fb5279019c87e5a

SHA512
0a6f87adc3aeb4b0afa97150af1bc52ec3ffd7e7b021f7bacea8fc32527026f0b813a342046b2637dde9f681a7b3a178baae3a734911ca562caa1cc1cd785c9e

Download Submit
\??\c:\windows\SysWOW64\emrvbeijoqtwid34.dll

Filesize
650KB

MD5
402e52d2a1875ed7e42fbdc139a7635c

SHA1
c46d9a8aa85b10bee719c376134ba0d8b196cab7

SHA256
63eed34e87f30e633a0f07a2813bd944a7565a766714f4109fb5279019c87e5a

SHA512
0a6f87adc3aeb4b0afa97150af1bc52ec3ffd7e7b021f7bacea8fc32527026f0b813a342046b2637dde9f681a7b3a178baae3a734911ca562caa1cc1cd785c9e

Download Submit
memory/2816-134-0x00000000023A0000-0x0000000002448000-memory.dmp

Filesize
672KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads