5825312c6629f85d095b46a00aa8d4415516881752a5703d8f7039fae542b532

Analysis

max time kernel
153s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4399洛克王国东哥辅助v6.3/洛克王国.exe
Size

2.1MB
MD5

8ab0b7e54c5aa0674a18f16888a306c1
SHA1

5115484309463172d7dec935b5837b8c21f8d10f
SHA256

2681f978a4f13d6b1f008a884870c3c31273d342dd1fce101a2f6071af30048a
SHA512

3c2963b08d386abaef7877a88b81045dfa1646589293e8096c30094d474dd17b8b6a2acbb0e64f0e3433d131d4b6c99489172e0c781da242d0b39fc329b7bad1
SSDEEP

49152:8huWMIeqinlXyhnqFZKd/vODDDDDDDDDvxr:NVIeLn1yhqzKtODDDDDDDDDvxr

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

CFjd.exee9zy.exe

pid process

1300 CFjd.exe
3560 e9zy.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

洛克王国.exe

description ioc process

File opened for modification \??\PhysicalDrive0 洛克王国.exe

pid	process
1300	CFjd.exe
3560	e9zy.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	洛克王国.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

洛克王国.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\591314.org	洛克王国.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\591314.org\NumberOfSubdomains = "1"	洛克王国.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\591314.org	洛克王国.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	洛克王国.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

e9zy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.919yi.cn/?id=49505"	e9zy.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

洛克王国.exe

pid process

4568 洛克王国.exe
4568 洛克王国.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

洛克王国.exeCFjd.exee9zy.exe

pid	process
4568	洛克王国.exe
4568	洛克王国.exe
4568	洛克王国.exe
4568	洛克王国.exe
1300	CFjd.exe
1300	CFjd.exe
1300	CFjd.exe
1300	CFjd.exe
3560	e9zy.exe
3560	e9zy.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

洛克王国.exe

description	pid	process	target process
PID 4568 wrote to memory of 1300	4568	洛克王国.exe	CFjd.exe
PID 4568 wrote to memory of 1300	4568	洛克王国.exe	CFjd.exe
PID 4568 wrote to memory of 1300	4568	洛克王国.exe	CFjd.exe
PID 4568 wrote to memory of 3560	4568	洛克王国.exe	e9zy.exe
PID 4568 wrote to memory of 3560	4568	洛克王国.exe	e9zy.exe
PID 4568 wrote to memory of 3560	4568	洛克王国.exe	e9zy.exe

C:\Users\Admin\AppData\Local\Temp\4399洛克王国东哥辅助v6.3\洛克王国.exe
"C:\Users\Admin\AppData\Local\Temp\4399洛克王国东哥辅助v6.3\洛克王国.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Local\Temp\CFjd.exe
C:\Users\Admin\AppData\Local\Temp\CFjd.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Users\Admin\AppData\Local\Temp\e9zy.exe
C:\Users\Admin\AppData\Local\Temp\e9zy.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
PID:3560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CFjd.exe
Filesize
656KB

MD5
f3200ad3974e618a2667b60ea84ce541

SHA1
d8358fcd4e3762122e1934e6ec387d017e7abdb3

SHA256
24ba6aab4e3342a351a54280261b3d6d80406584c4a22972789fa262a6d71fa8

SHA512
a89ff829b378d99c8d7fb3528f63e849d90aa392809db8a121f9496dff846f17f571aedbbb287cd94f271090daa81d000c90ad8d7da0b1c00cabcf5daef63bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFjd.exe
Filesize
656KB

MD5
f3200ad3974e618a2667b60ea84ce541

SHA1
d8358fcd4e3762122e1934e6ec387d017e7abdb3

SHA256
24ba6aab4e3342a351a54280261b3d6d80406584c4a22972789fa262a6d71fa8

SHA512
a89ff829b378d99c8d7fb3528f63e849d90aa392809db8a121f9496dff846f17f571aedbbb287cd94f271090daa81d000c90ad8d7da0b1c00cabcf5daef63bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9zy.exe
Filesize
564KB

MD5
cef8021ac730c92751479a3f4ba0bd88

SHA1
25bafa5b4c21352d533b0edf3ea7f0c481813e81

SHA256
434810a10b7de06957638238a3c220a6e7f2e040e91eac4577f71ac1122ac539

SHA512
4cc779816242615ad05d84cd37d11f5e3f533e439b7c10b7b2c4ee4dc88332cdd988601ca69124d9b3c8440023c190376afbe8b11361521fd276964d28c7aabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9zy.exe
Filesize
564KB

MD5
cef8021ac730c92751479a3f4ba0bd88

SHA1
25bafa5b4c21352d533b0edf3ea7f0c481813e81

SHA256
434810a10b7de06957638238a3c220a6e7f2e040e91eac4577f71ac1122ac539

SHA512
4cc779816242615ad05d84cd37d11f5e3f533e439b7c10b7b2c4ee4dc88332cdd988601ca69124d9b3c8440023c190376afbe8b11361521fd276964d28c7aabe

Download Submit
memory/1300-132-0x0000000000000000-mapping.dmp

Download
memory/3560-135-0x0000000000000000-mapping.dmp

Download