Analysis

  • max time kernel
    141s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-11-2022 15:06

General

  • Target

    CS兼容版.exe

  • Size

    4.6MB

  • MD5

    14cb1a20f3a1c80d54097b869b60be2b

  • SHA1

    4fe4df1106a3348e9af741f7299b41bae264c062

  • SHA256

    faacca39637a719dba288bc92f3be3286c9e640c732ace142622b4f5bc6a6da9

  • SHA512

    1237a9f4611ceece020a95190ad8713fae2027a8cb650be500472c723de7f4343e01305dbe0cbfa9b310cc3c215d63069312ad4b0221d1a0238ad5ce85a4c9d1

  • SSDEEP

    98304:2sQCjTMmNgva64qvAu959oE8PJBAUZLLloM59oB818a8L:ZMmNQz9zonJV/3o3

Score
8/10
upx

Malware Config

Signatures

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CS兼容版.exe
    "C:\Users\Admin\AppData\Local\Temp\CS兼容版.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.csokwy.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1884 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    • Modify Registry (T1112): 2
    • Install Root Certificate (T1130): 1

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    340B

    MD5

    0dfcc192618fe0fd8b9eaab202a007d1

    SHA1

    40bfe1ed6348bfc3b6623c2721f150dbd81d89ff

    SHA256

    a58dc6430f5f0ae8110878dd053f93cdc34b5ddd7fad4a4cef362ba6ba99881a

    SHA512

    c79c65e7fa88ed8e46eb30ea0d3cd1b8f905d65507d302f7713386014321b8b788de2081a257609635eccdbab244c3f9160d29c28539683c6ec1950741fefed2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    14354a886fbbaf2db54a57c4941d86be

    SHA1

    7b9823118f19dd670ccbc49db49ebdaeb22a2920

    SHA256

    778afecbb24d0c37ed5642f5138a6e60f8cbce823fc16b35425141f7178d3af9

    SHA512

    6eb6e550771c67a88c374d9f95f8af1ff252a940bf557831885ed3ae2dd565e88c273badbe6e3d5079240e006b093bb3562c6260c1b293d1c39b854b2a5ea99e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OEK7K0GR.txt
    Filesize

    603B

    MD5

    4573d5125604879cfe1c92580c6ba4ce

    SHA1

    df5f14e1737a95a9e4547acb2968f2fcc0e243e8

    SHA256

    18d0ef5f8add688b32df6afcb317b4a671eb3b8dbd065b9f0ed7acbaf1f39730

    SHA512

    cee0e6310d3c5b5769b0bb643fdeef3f2fe411816886acf10b4f223f2a7ae267a18206bf53a551be11b60216473458d0ef131068f5e0fd9d3e41a6713b4a4807

  • memory/1508-54-0x0000000074C91000-0x0000000074C93000-memory.dmp
    Filesize

    8KB

  • memory/1508-55-0x0000000002390000-0x0000000002402000-memory.dmp
    Filesize

    456KB

  • memory/1508-56-0x0000000000400000-0x00000000008D1000-memory.dmp
    Filesize

    4.8MB

  • memory/1508-57-0x0000000002390000-0x0000000002402000-memory.dmp
    Filesize

    456KB

  • memory/1508-58-0x0000000000400000-0x00000000008D1000-memory.dmp
    Filesize

    4.8MB

  • memory/1508-59-0x0000000000400000-0x00000000008D1000-memory.dmp
    Filesize

    4.8MB