71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733

Analysis

max time kernel
149s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe
Size

3.3MB
MD5

f1bdfc8f7724ed65d5b4a401e5cb3f5e
SHA1

cc067dbfb98419e90c6eabc659189bb285f9b4f6
SHA256

71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733
SHA512

d9300942659b366c31e3466f7a00fa5a753257b4cea71a3fd4aee2eee6455273c43180aa46ef31810f2207745489494aa188406af13979d60dbf6d0ee9354648
SSDEEP

49152:X5L8gp7MCG9XmAudwgj/FjxUZUanSd+hW5Sj+C/7ICJXaejl8eO3TKmV:dvp7MnZmndBbFj6ZU9dKBhXakZte

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

001.exereguo_30656.exeirsetup.exe

pid process

1844 001.exe
1752 reguo_30656.exe
1332 irsetup.exe

pid	process
1844	001.exe
1752	reguo_30656.exe
1332	irsetup.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe	upx
behavioral2/memory/1332-142-0x0000000000400000-0x0000000000527000-memory.dmp	upx
behavioral2/memory/1332-150-0x0000000000400000-0x0000000000527000-memory.dmp	upx
behavioral2/memory/1332-151-0x0000000000400000-0x0000000000527000-memory.dmp	upx

Loads dropped DLL 11 IoCs

Processes:

reguo_30656.exeirsetup.exe

pid	process
1752	reguo_30656.exe
1752	reguo_30656.exe
1752	reguo_30656.exe
1752	reguo_30656.exe
1332	irsetup.exe
1752	reguo_30656.exe
1752	reguo_30656.exe
1752	reguo_30656.exe
1752	reguo_30656.exe
1752	reguo_30656.exe
1752	reguo_30656.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

reguo_30656.exe

description ioc process

File opened for modification \??\PhysicalDrive0 reguo_30656.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	reguo_30656.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 11 IoCs

Processes:

explorer.exereguo_30656.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid	reguo_30656.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd	reguo_30656.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 89d381aeaeab8b4085692dcd133168c1	reguo_30656.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

552 explorer.exe

pid	process
552	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe

pid	process
1296	71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe
1296	71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

reguo_30656.exe

pid process

1752 reguo_30656.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exeexplorer.exeirsetup.exe

pid	process
1296	71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe
1296	71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe
552	explorer.exe
552	explorer.exe
1332	irsetup.exe
1332	irsetup.exe
1332	irsetup.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe001.exe

description	pid	process	target process
PID 1296 wrote to memory of 2024	1296	71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe	explorer.exe
PID 1296 wrote to memory of 2024	1296	71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe	explorer.exe
PID 1296 wrote to memory of 2024	1296	71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe	explorer.exe
PID 1296 wrote to memory of 1844	1296	71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe	001.exe
PID 1296 wrote to memory of 1844	1296	71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe	001.exe
PID 1296 wrote to memory of 1844	1296	71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe	001.exe
PID 1296 wrote to memory of 1752	1296	71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe	reguo_30656.exe
PID 1296 wrote to memory of 1752	1296	71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe	reguo_30656.exe
PID 1296 wrote to memory of 1752	1296	71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe	reguo_30656.exe
PID 1844 wrote to memory of 1332	1844	001.exe	irsetup.exe
PID 1844 wrote to memory of 1332	1844	001.exe	irsetup.exe
PID 1844 wrote to memory of 1332	1844	001.exe	irsetup.exe

C:\Users\Admin\AppData\Local\Temp\71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe
"C:\Users\Admin\AppData\Local\Temp\71b02b6fccc4e5eeb6d935d4f75123edc0ac593343e78b5e79d621e5344c9733.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
- Modifies registry class
PID:2024

C:\Users\Admin\AppData\Local\Temp\baidupack\001.exe
C:\Users\Admin\AppData\Local\Temp\baidupack\001.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
__IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\baidupack\001.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1332

C:\Users\Admin\AppData\Local\Temp\baidupack\reguo_30656.exe
C:\Users\Admin\AppData\Local\Temp\baidupack\reguo_30656.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1752

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:1220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\baidupack\001.exe
Filesize
852KB

MD5
6cc74c221e432635e50d0966be4b8c83

SHA1
f2d8666d67ddc134cee40a54cef6cb82140eb162

SHA256
f0885c97328a6b5f44f75b893404f6a3d5348f3a7b7e1391a647294d41437598

SHA512
c77ab3c7d74101b98c11ac1ff55f502f2ed383510a91455462e36732e946a5796a303785a12df91ff56b3202e3d43c35df697a875b62dc253472cf057ec15a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\baidupack\001.exe
Filesize
852KB

MD5
6cc74c221e432635e50d0966be4b8c83

SHA1
f2d8666d67ddc134cee40a54cef6cb82140eb162

SHA256
f0885c97328a6b5f44f75b893404f6a3d5348f3a7b7e1391a647294d41437598

SHA512
c77ab3c7d74101b98c11ac1ff55f502f2ed383510a91455462e36732e946a5796a303785a12df91ff56b3202e3d43c35df697a875b62dc253472cf057ec15a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\baidupack\reguo_30656.exe
Filesize
1.8MB

MD5
c6e942b316b79e451666692414e51704

SHA1
9b4c620c3c2f6d3f80434f6fe04df786488fdc2c

SHA256
1dd3837237affba36d87769222d0e44d484cbcf5bc74a4ab153958b74fefb44c

SHA512
3595b69368b9dd57c9bdc06f1a4f5f667e28d8f71f568d3deb3676e459cf6315f4aa1ca93c712846d362a8f1aff2526a680c9658039e1a2ac9db922b161dcce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\baidupack\reguo_30656.exe
Filesize
1.8MB

MD5
c6e942b316b79e451666692414e51704

SHA1
9b4c620c3c2f6d3f80434f6fe04df786488fdc2c

SHA256
1dd3837237affba36d87769222d0e44d484cbcf5bc74a4ab153958b74fefb44c

SHA512
3595b69368b9dd57c9bdc06f1a4f5f667e28d8f71f568d3deb3676e459cf6315f4aa1ca93c712846d362a8f1aff2526a680c9658039e1a2ac9db922b161dcce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC153.tmp\BDMDownload.dll
Filesize
158KB

MD5
b62367fe2d02b8f47914b088a006d50c

SHA1
3743c953e48e6f3f76689423ba9c1ed25e9f86d3

SHA256
cbd4c5b6b945620e8b65752dff5a0f0900fc5de2dda8daf3cdda68b1661420b7

SHA512
c010e3cc736ac1e10c6af44132d831df34d09bf1e7d1e96fb5c9f571cade04462d442c4b0fd84de92dc68d753a0beab0b4081122d53d516406f0d3c1ec1e0dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC153.tmp\BDMDownload.dll
Filesize
158KB

MD5
b62367fe2d02b8f47914b088a006d50c

SHA1
3743c953e48e6f3f76689423ba9c1ed25e9f86d3

SHA256
cbd4c5b6b945620e8b65752dff5a0f0900fc5de2dda8daf3cdda68b1661420b7

SHA512
c010e3cc736ac1e10c6af44132d831df34d09bf1e7d1e96fb5c9f571cade04462d442c4b0fd84de92dc68d753a0beab0b4081122d53d516406f0d3c1ec1e0dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC153.tmp\BDMNetGetInfo.dll
Filesize
268KB

MD5
928208161b61b8c36fa1a6095c1ccfab

SHA1
958343a07c70b287d6ec72c4ee442c2f52152a72

SHA256
765003875c50f30dda584893c440ceac2ef84aa911e06e62ebe9648ae739f654

SHA512
dc4dee12fad7e1a733af341b5da7812f9d1bc4046d83cc51ab833dad0a5d2d7f58b30947c0c3e4c9009b00eb7cb7a0f9093a9bcb92aff8b7c3d5d5748c9d4e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC153.tmp\BDMNetGetInfo.dll
Filesize
268KB

MD5
928208161b61b8c36fa1a6095c1ccfab

SHA1
958343a07c70b287d6ec72c4ee442c2f52152a72

SHA256
765003875c50f30dda584893c440ceac2ef84aa911e06e62ebe9648ae739f654

SHA512
dc4dee12fad7e1a733af341b5da7812f9d1bc4046d83cc51ab833dad0a5d2d7f58b30947c0c3e4c9009b00eb7cb7a0f9093a9bcb92aff8b7c3d5d5748c9d4e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC153.tmp\BDMSkin.dll
Filesize
1.3MB

MD5
39257175ac9c90199c69aea1a7bcbda0

SHA1
6cf4a8dedf37d24ce902f34fa66120a214e1a2cc

SHA256
84d5fb0a7cf1bc1e4bbd0de51d3b7eb04bb92af9a1fc3675601b382a5f11d9fc

SHA512
4a71d0ac3df53b25509205e9ed0bf781cbefa2ba6307501ae336488c8a3f7f627b8d01f861adbf47986e168abab5a06b36848f87cbcf27fe846e5f0ffc3a9f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC153.tmp\BDMSkin.dll
Filesize
1.3MB

MD5
39257175ac9c90199c69aea1a7bcbda0

SHA1
6cf4a8dedf37d24ce902f34fa66120a214e1a2cc

SHA256
84d5fb0a7cf1bc1e4bbd0de51d3b7eb04bb92af9a1fc3675601b382a5f11d9fc

SHA512
4a71d0ac3df53b25509205e9ed0bf781cbefa2ba6307501ae336488c8a3f7f627b8d01f861adbf47986e168abab5a06b36848f87cbcf27fe846e5f0ffc3a9f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC153.tmp\System.dll
Filesize
18KB

MD5
1c951bbcbc780046d6be1079a04870a4

SHA1
a5bae7d838973154e6fac69b1c5ff7d2cda01906

SHA256
d23676fbcf76355d1af68e7b32964b837243349920921b2ec74d97554809a65e

SHA512
62c3686baed2232f7d8ddc8f48a41761812b5b2a67f3a689b7a43275f077842366abc13c7e8259613bfd9df25cf467e4001337c1454aec910abce121d551e2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC153.tmp\dl.dll
Filesize
1.9MB

MD5
763b532d651f0ad5e135d9b57bf4fba4

SHA1
23f1302f904a67a1fe0d48e11a435c2f36336196

SHA256
50b3c45ede6fd2d77c4f040242b2174289767b18a3a084e7046133b05f93e173

SHA512
a4ec0f5bfa30d3558935f4075a75aebf080ece324a550c573d8a424730693b030cd26b4862973e8da8937e610c287d64e96c2fd952b59324ed1822919a00737c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC153.tmp\dl.dll
Filesize
1.9MB

MD5
763b532d651f0ad5e135d9b57bf4fba4

SHA1
23f1302f904a67a1fe0d48e11a435c2f36336196

SHA256
50b3c45ede6fd2d77c4f040242b2174289767b18a3a084e7046133b05f93e173

SHA512
a4ec0f5bfa30d3558935f4075a75aebf080ece324a550c573d8a424730693b030cd26b4862973e8da8937e610c287d64e96c2fd952b59324ed1822919a00737c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC153.tmp\tmpvqilvc.dll
Filesize
2.2MB

MD5
0f0646b72a00c92d87321ec4d249534e

SHA1
65dd3479e2415053836ce65d49ac310f72e3803b

SHA256
5fc33df64bf00db72c2bd36797239f2c4f0ad50284b3e16c239d0d170130d200

SHA512
fd186c316a7da8c5180874f9e28d8ea57624ccbf661b50888008c2f2687340fa2142e0f491b616f948a100ebf64335e83d89969e3437b14b82c560ed7820f0e4

Download Submit
C:\baidu.dll
Filesize
688KB

MD5
d7aa526aa2285ea07f3efaab18935a81

SHA1
0fb500966866116cb8d5633365e5c147322a181c

SHA256
de902196f480651d62488e2a7d106362b454689e86570cf73800237da62ba5de

SHA512
8666d111610d357b87ff95742a22aa78cabf37ebb49b171cbb4db4e62bc1f5765f80230f459ad6e877d012ace9f633cb0345090c395c2bb3d0ba1dbe3795ae44

Download Submit
memory/1332-150-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/1332-151-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/1332-142-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/1332-137-0x0000000000000000-mapping.dmp

Download
memory/1752-147-0x00000000030E0000-0x0000000003237000-memory.dmp

Filesize
1.3MB

Download
memory/1752-154-0x0000000004B20000-0x0000000004B64000-memory.dmp

Filesize
272KB

Download
memory/1752-136-0x0000000000000000-mapping.dmp

Download
memory/1752-163-0x0000000005550000-0x000000000573D000-memory.dmp

Filesize
1.9MB

Download
memory/1844-133-0x0000000000000000-mapping.dmp

Download
memory/2024-132-0x0000000000000000-mapping.dmp

Download