2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe
Size

2.1MB
MD5

8ab0b7e54c5aa0674a18f16888a306c1
SHA1

5115484309463172d7dec935b5837b8c21f8d10f
SHA256

2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a
SHA512

3c2963b08d386abaef7877a88b81045dfa1646589293e8096c30094d474dd17b8b6a2acbb0e64f0e3433d131d4b6c99489172e0c781da242d0b39fc329b7bad1
SSDEEP

49152:8huWMIeqinlXyhnqFZKd/vODDDDDDDDDvxr:NVIeLn1yhqzKtODDDDDDDDDvxr

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

CFjd.exee9zy.exe

pid process

3652 CFjd.exe
552 e9zy.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe

description ioc process

File opened for modification \??\PhysicalDrive0 2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe

pid	process
3652	CFjd.exe
552	e9zy.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

CFjd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\591314.org	CFjd.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	CFjd.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\591314.org	CFjd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\591314.org\NumberOfSubdomains = "1"	CFjd.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

e9zy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.919yi.cn/?id=49505"	e9zy.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe

pid	process
2124	2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe
2124	2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exeCFjd.exee9zy.exe

pid	process
2124	2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe
2124	2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe
2124	2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe
2124	2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe
3652	CFjd.exe
3652	CFjd.exe
3652	CFjd.exe
3652	CFjd.exe
552	e9zy.exe
552	e9zy.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe

description	pid	process	target process
PID 2124 wrote to memory of 3652	2124	2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe	CFjd.exe
PID 2124 wrote to memory of 3652	2124	2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe	CFjd.exe
PID 2124 wrote to memory of 3652	2124	2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe	CFjd.exe
PID 2124 wrote to memory of 552	2124	2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe	e9zy.exe
PID 2124 wrote to memory of 552	2124	2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe	e9zy.exe
PID 2124 wrote to memory of 552	2124	2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe	e9zy.exe

C:\Users\Admin\AppData\Local\Temp\2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe
"C:\Users\Admin\AppData\Local\Temp\2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Local\Temp\CFjd.exe
C:\Users\Admin\AppData\Local\Temp\CFjd.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3652

C:\Users\Admin\AppData\Local\Temp\e9zy.exe
C:\Users\Admin\AppData\Local\Temp\e9zy.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
PID:552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
Filesize
1KB

MD5
cb0cb10bbb9c0da11030e3f26f41a79a

SHA1
b32aaf8c5f1f93c0282300a6a8658c9cc89d3853

SHA256
d35893a16a5c77e5f31d3f675c23d851c10fc4489afa04d95532bf5362b7dd34

SHA512
e5dc5e74aee3ceca34d5beabe6efb11f0f3c0600a89e5694c5dd82d7dd8627a903e4ff8ed631f8328815e7a7dbd6bef9ae183d4c48bc7f1b1798d761a5c3d8ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B
Filesize
1KB

MD5
52cdaa4a13ac94a38a19bcf350ee1dad

SHA1
10fbf12f537257d923e586f6832da46a8d788eb1

SHA256
42ff02a94c0ee2bb6b5b3e868458566b988616b9b881a67b472869c3aaeefbb7

SHA512
9ab6ec2d308e61b52d8b45671dd93e3df9e5fdcd52673e773fea3179d64b499dd53fba08b075521aa7a6bf7bf6889bf0b63b2e6b17043b06cc1da8ca4c254d75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
Filesize
1KB

MD5
29bcc8b9a05b7c1881576ba7bb9a72ba

SHA1
43bb7bbaa484fc405c5e6918d265f721596eade3

SHA256
2078d4c8757b1070463a89ca19da51ef4f98bfe80e60f5ba25fc173a7f5b92ab

SHA512
76ecb9e9ba201aaf764dc8f83c6875787c60df1e2bfc6bed434d2a1b830514165d6f9ac213fe05f8ab569ddbbb89d1ed5ecb44739ce079dc680d909e2c0d15cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
Filesize
508B

MD5
e25f0901cd32f2bd090283f605da7dfc

SHA1
15dc7934ecd1278842767f3f298afd076adac185

SHA256
23bbfa4770ed78b9a8b49912e4a7cee47b2dd9503ad4eb93b8c9e7ac106dfe13

SHA512
0bf546fe4044fc4362b9ed3761092ad9f05dfb7e5389c791bcd7fa3a4fd263ff1f39f803a40a4e2f9ad4e703be6376453c4898d5b65ab79ee2369ad4e8a7c772

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B
Filesize
532B

MD5
b9dc6c6325bccbdd612eb2f899381b28

SHA1
7379acab1f6cd8b7f0275250871c5b91fefc583d

SHA256
c9ff59e7e7858f61073398a366b6cef69bbaa5c90c6697e8b9d3e6b08b4b7c6b

SHA512
cd748ea254e469e5d36ce38b1204d4d6652445cb3853b599bcbec6245d440c9bedbc5ea30015b7ea91d2510fed241a64817b9f1a612c338130aacb32e8e9a819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
Filesize
506B

MD5
0e1e8069c4d0e198b67e169f3ad24198

SHA1
6a168f2d487b540c5e2302a340bfb3a8a39b22fe

SHA256
418a522498becc9cd2f787f9439a6a272561b8ae9a2f6cb20ba81cc5be22ecd1

SHA512
21c9f73982544abfe0c7172d3657487877e49dcb2a4f37c01b9e72a75f1a0a295779f6bf175d4cb4d2eafdd548dd4c8b7e0065ba3091646d2f8dd1b8a6362586

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
Filesize
506B

MD5
7aab3daace51f7a22f3d3caac1769eef

SHA1
3f402695985874aff84cc4f2b15f17b8b5e8f085

SHA256
6d28080a2cf595217df8a1ac007fd94144cf7825d1ebb2a73eebfe2bd8ffe90f

SHA512
68d82e853ce31bce81364ae41359d0ea9e849963565ffc0595101e31471aaf39cfb0a253dc9d14a5c91eb83ec126b88ac1704cd8f04d902b63a4b73b95b5df97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
Filesize
506B

MD5
7aab3daace51f7a22f3d3caac1769eef

SHA1
3f402695985874aff84cc4f2b15f17b8b5e8f085

SHA256
6d28080a2cf595217df8a1ac007fd94144cf7825d1ebb2a73eebfe2bd8ffe90f

SHA512
68d82e853ce31bce81364ae41359d0ea9e849963565ffc0595101e31471aaf39cfb0a253dc9d14a5c91eb83ec126b88ac1704cd8f04d902b63a4b73b95b5df97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\DE4IU2BD\www.591314[1].xml
Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8YLPV06K\2TQ9NRLH.htm
Filesize
150B

MD5
207fcba655d34e2dde514ee535c2e437

SHA1
096549699bda375254ad860fcf82e25509c70391

SHA256
a8c7bda099cd6840d0086cf99d7cc7feb4bf9dae09866f87b816edd88f405257

SHA512
a93fd9a231e011e205c6d2c7c599cfe82791bf11c6d69960926ce24510ad67e885c2093446dff8f43ea5657e840d8e34f8b56f45702a8b457fea65db527cecc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MWIURFX4\qmenu[1].png
Filesize
225B

MD5
ae1dc766a431b3eecce822e4b96a292b

SHA1
dafff6b1084db2fb0bef0eb6cd88517e260e8745

SHA256
16c8426119bd296f4aa1cc8c1b516f8f8603dde679fc97cba75c61b6a719f2ae

SHA512
027658759300a640331ac42a3606a1b376422df69b1b0673d5f13f51f0cfa0b05e7333328d47a3134989d5c837eba235437310e924efa138828c1db7f1f5f963

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFjd.exe
Filesize
656KB

MD5
f3200ad3974e618a2667b60ea84ce541

SHA1
d8358fcd4e3762122e1934e6ec387d017e7abdb3

SHA256
24ba6aab4e3342a351a54280261b3d6d80406584c4a22972789fa262a6d71fa8

SHA512
a89ff829b378d99c8d7fb3528f63e849d90aa392809db8a121f9496dff846f17f571aedbbb287cd94f271090daa81d000c90ad8d7da0b1c00cabcf5daef63bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFjd.exe
Filesize
656KB

MD5
f3200ad3974e618a2667b60ea84ce541

SHA1
d8358fcd4e3762122e1934e6ec387d017e7abdb3

SHA256
24ba6aab4e3342a351a54280261b3d6d80406584c4a22972789fa262a6d71fa8

SHA512
a89ff829b378d99c8d7fb3528f63e849d90aa392809db8a121f9496dff846f17f571aedbbb287cd94f271090daa81d000c90ad8d7da0b1c00cabcf5daef63bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9zy.exe
Filesize
564KB

MD5
cef8021ac730c92751479a3f4ba0bd88

SHA1
25bafa5b4c21352d533b0edf3ea7f0c481813e81

SHA256
434810a10b7de06957638238a3c220a6e7f2e040e91eac4577f71ac1122ac539

SHA512
4cc779816242615ad05d84cd37d11f5e3f533e439b7c10b7b2c4ee4dc88332cdd988601ca69124d9b3c8440023c190376afbe8b11361521fd276964d28c7aabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9zy.exe
Filesize
564KB

MD5
cef8021ac730c92751479a3f4ba0bd88

SHA1
25bafa5b4c21352d533b0edf3ea7f0c481813e81

SHA256
434810a10b7de06957638238a3c220a6e7f2e040e91eac4577f71ac1122ac539

SHA512
4cc779816242615ad05d84cd37d11f5e3f533e439b7c10b7b2c4ee4dc88332cdd988601ca69124d9b3c8440023c190376afbe8b11361521fd276964d28c7aabe

Download Submit
memory/552-145-0x0000000000000000-mapping.dmp

Download
memory/3652-132-0x0000000000000000-mapping.dmp

Download