cf817584e077a538f32e3208aa09ce3bc004458952dbf41bce109cec69acbb52

General

Target

小零CF刷枪软件.exe
Size

2.9MB
MD5

d616505f7137307a82f5ef6898d86aa5
SHA1

1711aec7d7c2bc1203221d7f7673c10d3d555cac
SHA256

b9676044c94b5efd97f0acf5ad73630000727c81ff18739b918cee784d4266cb
SHA512

71583fbb779af554022ff298325d412fcfc37ea5ff95409f6f4823a2cc059aa9c637534b92e8917b3baa189a574ddc31d651a961fff735680de60ccf9cda0c4b
SSDEEP

49152:4/P27NMFsI10AYF5vC7iMb1yaQSQZ8VwSyv:ae5MFufvCuaQS7VwS8

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/3304-132-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-135-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-134-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-136-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-137-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-139-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-141-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-143-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-145-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-147-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-149-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-151-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-153-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-155-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-157-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-159-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-161-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-163-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-165-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-167-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-169-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-171-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-173-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-175-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-177-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/3304-178-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	小零CF刷枪软件.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com	小零CF刷枪软件.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com\NumberOfSubdomains = "1"	小零CF刷枪软件.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\IESettingSync	小零CF刷枪软件.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	小零CF刷枪软件.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	小零CF刷枪软件.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	小零CF刷枪软件.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com	小零CF刷枪软件.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3304	小零CF刷枪软件.exe
3304	小零CF刷枪软件.exe
3304	小零CF刷枪软件.exe
3304	小零CF刷枪软件.exe
3304	小零CF刷枪软件.exe

C:\Users\Admin\AppData\Local\Temp\小零CF刷枪软件.exe
"C:\Users\Admin\AppData\Local\Temp\小零CF刷枪软件.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3304-132-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-135-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-134-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-136-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-137-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-139-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-141-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-143-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-145-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-147-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-149-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-151-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-153-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-155-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-157-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-159-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-161-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-163-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-165-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-167-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-169-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-171-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-173-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-175-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-177-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3304-178-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing