199a9db468c3123419d52a146cce1fd4e383389512eded1d6cda7dff91f326e9

General

Target

等待YY帐号全自动注册机v3.4.exe
Size

1.4MB
MD5

9a990a05d06e3bbb67c5cf2652ac8206
SHA1

2cac7cb8943a5d7a8c194d2bc1b8ee1c8c48a354
SHA256

8a1fed3cf0ef659839dc1520df2e78735036652b691c44b07f8ab572cefd7143
SHA512

bc0f9f1c8beba7fef4ba74b698935086ebe139603f2aef48ad19c6c7c6c3f483b39c43cd1e64bde060a95e9235643fad55a2877952a54244dd66b9da923955a3
SSDEEP

24576:My5BswmjxTojBXfKrP4Nbko+QY+PCyZUya+CprkybKvS:MyDh06BP049kP+RK4eP

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1572-132-0x0000000000400000-0x0000000000755000-memory.dmp	upx
behavioral2/memory/1572-133-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-135-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-134-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-137-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-139-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-141-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-143-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-145-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-147-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-149-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-152-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-154-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-156-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-158-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-160-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-162-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-164-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-166-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-168-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-170-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-172-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-174-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-176-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1572-179-0x0000000000400000-0x0000000000755000-memory.dmp	upx
behavioral2/memory/1572-180-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1572	等待YY帐号全自动注册机v3.4.exe
1572	等待YY帐号全自动注册机v3.4.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	等待YY帐号全自动注册机v3.4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync	等待YY帐号全自动注册机v3.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	等待YY帐号全自动注册机v3.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	等待YY帐号全自动注册机v3.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	等待YY帐号全自动注册机v3.4.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1572	等待YY帐号全自动注册机v3.4.exe
1572	等待YY帐号全自动注册机v3.4.exe
1572	等待YY帐号全自动注册机v3.4.exe
1572	等待YY帐号全自动注册机v3.4.exe
1572	等待YY帐号全自动注册机v3.4.exe

C:\Users\Admin\AppData\Local\Temp\等待YY帐号全自动注册机v3.4.exe
"C:\Users\Admin\AppData\Local\Temp\等待YY帐号全自动注册机v3.4.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CrackCaptchaAPI.dll

Filesize
1.3MB

MD5
dc9a72042df8c01872be8f95e070113e

SHA1
6c72d8aa5d5bb78675f358cb669833a10e30f704

SHA256
978cf5d25f9255977aa0eb7a3cc5e36873063ee87a9a0ac2a36df2cf80cdee04

SHA512
0a0d1d41675cdf240af59434e18ef1f9f020682ab9d2605c055c52563a5026370f6b598747b3c0fc200b8d0afc9a4eecbc1cb9c810e85961d56059c7fe6d0e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUWiseHelper.dll

Filesize
159KB

MD5
ab250ee54abc6c32975a544e9aafd661

SHA1
be850caea2e01544ed948b66d62785f4215cb0d8

SHA256
8eb01061f3815509a7e5d4d9010ace0e35fdd75597f22bb477e6caac6cd7d7d4

SHA512
54a58ccd07191018c3c3f6c06098e59dfe23b5a39347b9252710003e4f4296ff04a8905e05779e0e26b04f448945b2fb5168f1c24a3d250062f81e599db2c399

Download Submit
memory/1572-158-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-137-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-160-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-162-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-141-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-143-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-145-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-147-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-149-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-154-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-156-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-180-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-134-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-139-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-164-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-166-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-168-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-170-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-172-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-174-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-176-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-135-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-133-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-179-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/1572-132-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing