5144a9736d4c8b7e988b437a36002bffecb4292109c409af828cca24035e61aa

Analysis

max time kernel
165s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5144a9736d4c8b7e988b437a36002bffecb4292109c409af828cca24035e61aa.exe
Size

1.6MB
MD5

a628be55f6c39b5d7fe91ad5454fe4a9
SHA1

e469a83bbbac0f65936abf34e642a98ea7e92ce0
SHA256

5144a9736d4c8b7e988b437a36002bffecb4292109c409af828cca24035e61aa
SHA512

0a96c6176fe0ac75583dbbff154cff366ee9e3e918371b7a636c353f0ed3485dfa27942d2dc88368a0ce184a8395cf6a7ba8f9ff548599bec82778b00dceebd0
SSDEEP

24576:qc//////+b2zc5oVNTcS+NYoH5EqOHLLFQiqQLc9nCJjYmFL:qc//////G2zc5oVVclNrOehQjYmFL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
4824	Update.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mdm365091123.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Mdm365091123.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Mdm365091123.dll	Update.exe
File created	C:\Windows\SysWOW64\Mdm365091123.dll	Update.exe
File created	C:\Windows\SysWOW64\Shanchume.bat	Update.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.wanqq.net = 00000000	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.mdmjpq.cn = 00000000	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.51clover.com = 00000000	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.chebaodian.com = 00000000	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.imhappi.cn = 00000000	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.imhappi.com = 00000000	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\Internet Explorer\New Windows\Allow	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4824	Update.exe
4824	Update.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
1912	Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 2548	3188	5144a9736d4c8b7e988b437a36002bffecb4292109c409af828cca24035e61aa.exe	79
PID 3188 wrote to memory of 2548	3188	5144a9736d4c8b7e988b437a36002bffecb4292109c409af828cca24035e61aa.exe	79
PID 3188 wrote to memory of 2548	3188	5144a9736d4c8b7e988b437a36002bffecb4292109c409af828cca24035e61aa.exe	79
PID 3188 wrote to memory of 5012	3188	5144a9736d4c8b7e988b437a36002bffecb4292109c409af828cca24035e61aa.exe	80
PID 3188 wrote to memory of 5012	3188	5144a9736d4c8b7e988b437a36002bffecb4292109c409af828cca24035e61aa.exe	80
PID 3188 wrote to memory of 5012	3188	5144a9736d4c8b7e988b437a36002bffecb4292109c409af828cca24035e61aa.exe	80
PID 2548 wrote to memory of 1912	2548	cmd.exe	85
PID 2548 wrote to memory of 1912	2548	cmd.exe	85
PID 2548 wrote to memory of 1912	2548	cmd.exe	85
PID 5012 wrote to memory of 4824	5012	cmd.exe	83
PID 5012 wrote to memory of 4824	5012	cmd.exe	83
PID 5012 wrote to memory of 4824	5012	cmd.exe	83
PID 4824 wrote to memory of 2616	4824	Update.exe	42
PID 4824 wrote to memory of 4772	4824	Update.exe	86
PID 4824 wrote to memory of 4772	4824	Update.exe	86
PID 4824 wrote to memory of 4772	4824	Update.exe	86

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2616
- C:\Users\Admin\AppData\Local\Temp\5144a9736d4c8b7e988b437a36002bffecb4292109c409af828cca24035e61aa.exe
  "C:\Users\Admin\AppData\Local\Temp\5144a9736d4c8b7e988b437a36002bffecb4292109c409af828cca24035e61aa.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\\Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
      C:\Users\Admin\AppData\Local\Temp\\Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\\Update.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\Update.exe
      C:\Users\Admin\AppData\Local\Temp\\Update.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\Shanchume.bat
        5⤵
        
        PID:4772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
38KB

MD5
430f5f6152ba485932de9b4a4ddde863

SHA1
1da82375b3fd0d5beb0be97c30e582dd5c03df57

SHA256
c20dc4d8f9acac0f4a5e1f918c22d5c4fb1992e298fd263b13180cbdb1817630

SHA512
8b3b3d1eddc3778970e2e644b4b02bac7184042badcecfc52bcfb53ba44264943eeea01784264d5f0d70390f6cd2fc64bacd5e5b05b71da84cb48eb9312f9e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
38KB

MD5
430f5f6152ba485932de9b4a4ddde863

SHA1
1da82375b3fd0d5beb0be97c30e582dd5c03df57

SHA256
c20dc4d8f9acac0f4a5e1f918c22d5c4fb1992e298fd263b13180cbdb1817630

SHA512
8b3b3d1eddc3778970e2e644b4b02bac7184042badcecfc52bcfb53ba44264943eeea01784264d5f0d70390f6cd2fc64bacd5e5b05b71da84cb48eb9312f9e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe

Filesize
1.4MB

MD5
14ba711fb99948ae85dbd27d3c6e89fe

SHA1
0ca864b0d243288b8b1ee38e6ef538359f13b460

SHA256
a424434f5f19d83d7241566c6fb32cc889b196f708aae511141c9423e42111fd

SHA512
7ae3897ed629b72a860a75a58972bb9645a1b972b9cdbcff394b50fe9190503642f167858cd85523681d52380d76360efd1c9603eee8fcb55ef6df3b9e32b4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ãæ¶ÔÃæ¼ÇÅÆÆ÷.exe

Filesize
1.4MB

MD5
14ba711fb99948ae85dbd27d3c6e89fe

SHA1
0ca864b0d243288b8b1ee38e6ef538359f13b460

SHA256
a424434f5f19d83d7241566c6fb32cc889b196f708aae511141c9423e42111fd

SHA512
7ae3897ed629b72a860a75a58972bb9645a1b972b9cdbcff394b50fe9190503642f167858cd85523681d52380d76360efd1c9603eee8fcb55ef6df3b9e32b4f6

Download Submit
C:\Windows\SysWOW64\Shanchume.bat

Filesize
132B

MD5
03a34d2c48a504aae7c6a3fcbd389b4e

SHA1
e036afbe360877aa2906d435e80f0d46f6e59052

SHA256
a89afb0d9a86e4366082afa8558c9459335eae0112a2bc36074d51b1941fc59c

SHA512
b926a6507c9878429794a168067a1938161a42b6f8a81098bccb92f148ec1aa9905bd26f96f65ae53b41f312c0a3a02e7c8fa54d0d4658788e7d76b1ea71ab47

Download Submit
memory/1912-144-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/1912-145-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/4824-142-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download