Analysis

- max time kernel: 186s
- max time network: 185s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 23:02
Static task: static1

Behavioral task: behavioral1
- Sample: 搜狗导航增值机.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 搜狗导航增值机.exe
- Resource: win10v2004-20221111-en
General

- Target: 搜狗导航增值机.exe
- Size: 532KB
- MD5: 74c6e0df472160ebb8482729aaa1baee
- SHA1: 6e1634bb00213a7e557591c3d451baf56291e9de
- SHA256: 2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3
- SHA512: 05e403abe730dbc7079e3e3cce5d9e6a797542aaec81c917ed84445e324421c725dc208d1af286234e72241a725b0e89e0e224cdfc67d813861422516835d345
- SSDEEP: 12288:+K2mhAMJ/cPlizen8lwBx7EshSpwreE+/8gfxsdjY9NhEi7D:v2O/Gliquw4P5E+/8gfxsFAEo
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
Processes:
pid | process
3260 | 手机验证码接收系统.exe
4944 | KINSTALLERS_66_4538.exe
3600 | 官方.exe
224 | 淘宝客PID劫持器.exe
2896 | KINSTALLERS_66_4538.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\官方.exe | upx
C:\Users\Admin\AppData\Local\Temp\官方.exe | upx
behavioral2/memory/3600-146-0x0000000000400000-0x0000000000410000-memory.dmp | upx
behavioral2/memory/3600-153-0x0000000000400000-0x0000000000410000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\kingsoftkonline\KINSTALLERS_66_4538.exe | upx
C:\Users\Admin\AppData\Local\Temp\kingsoftkonline\KINSTALLERS_66_4538.exe | upx
behavioral2/memory/2896-157-0x0000000000400000-0x0000000000575000-memory.dmp | upx
behavioral2/memory/2896-159-0x0000000000400000-0x0000000000575000-memory.dmp | upx
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 官方.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 搜狗导航增值机.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 手机验证码接收系统.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | KINSTALLERS_66_4538.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | KINSTALLERS_66_4538.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 17 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories | KINSTALLERS_66_4538.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1" | KINSTALLERS_66_4538.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5} | KINSTALLERS_66_4538.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories | KINSTALLERS_66_4538.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | KINSTALLERS_66_4538.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5} | KINSTALLERS_66_4538.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "9ynct9wsprhhst8c5hhlyn2xkgzw" | KINSTALLERS_66_4538.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\mid = "2269779082" | KINSTALLERS_66_4538.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | 手机验证码接收系统.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "d2237461a2106a90ab08727c0cd4dbcf" | KINSTALLERS_66_4538.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "9ynct9wsprhhst8c5hhlyn2xkgzw" | KINSTALLERS_66_4538.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0} | KINSTALLERS_66_4538.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\mid = "2269779082" | KINSTALLERS_66_4538.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | KINSTALLERS_66_4538.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0} | KINSTALLERS_66_4538.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "0" | KINSTALLERS_66_4538.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | cmd.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
224 | 淘宝客PID劫持器.exe
224 | 淘宝客PID劫持器.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description | pid | process | target process
PID 1492 wrote to memory of 3260 | 1492 | 搜狗导航增值机.exe | 手机验证码接收系统.exe
PID 1492 wrote to memory of 3260 | 1492 | 搜狗导航增值机.exe | 手机验证码接收系统.exe
PID 1492 wrote to memory of 3260 | 1492 | 搜狗导航增值机.exe | 手机验证码接收系统.exe
PID 1492 wrote to memory of 4944 | 1492 | 搜狗导航增值机.exe | KINSTALLERS_66_4538.exe
PID 1492 wrote to memory of 4944 | 1492 | 搜狗导航增值机.exe | KINSTALLERS_66_4538.exe
PID 1492 wrote to memory of 4944 | 1492 | 搜狗导航增值机.exe | KINSTALLERS_66_4538.exe
PID 3260 wrote to memory of 3600 | 3260 | 手机验证码接收系统.exe | 官方.exe
PID 3260 wrote to memory of 3600 | 3260 | 手机验证码接收系统.exe | 官方.exe
PID 3260 wrote to memory of 3600 | 3260 | 手机验证码接收系统.exe | 官方.exe
PID 3260 wrote to memory of 224 | 3260 | 手机验证码接收系统.exe | 淘宝客PID劫持器.exe
PID 3260 wrote to memory of 224 | 3260 | 手机验证码接收系统.exe | 淘宝客PID劫持器.exe
PID 3260 wrote to memory of 224 | 3260 | 手机验证码接收系统.exe | 淘宝客PID劫持器.exe
PID 3600 wrote to memory of 752 | 3600 | 官方.exe | cmd.exe
PID 3600 wrote to memory of 752 | 3600 | 官方.exe | cmd.exe
PID 3600 wrote to memory of 752 | 3600 | 官方.exe | cmd.exe
PID 3260 wrote to memory of 4376 | 3260 | 手机验证码接收系统.exe | WScript.exe
PID 3260 wrote to memory of 4376 | 3260 | 手机验证码接收系统.exe | WScript.exe
PID 3260 wrote to memory of 4376 | 3260 | 手机验证码接收系统.exe | WScript.exe
PID 752 wrote to memory of 3328 | 752 | cmd.exe | PING.EXE
PID 752 wrote to memory of 3328 | 752 | cmd.exe | PING.EXE
PID 752 wrote to memory of 3328 | 752 | cmd.exe | PING.EXE
PID 752 wrote to memory of 1244 | 752 | cmd.exe | WScript.exe
PID 752 wrote to memory of 1244 | 752 | cmd.exe | WScript.exe
PID 752 wrote to memory of 1244 | 752 | cmd.exe | WScript.exe
PID 4944 wrote to memory of 2896 | 4944 | KINSTALLERS_66_4538.exe | KINSTALLERS_66_4538.exe
PID 4944 wrote to memory of 2896 | 4944 | KINSTALLERS_66_4538.exe | KINSTALLERS_66_4538.exe
PID 4944 wrote to memory of 2896 | 4944 | KINSTALLERS_66_4538.exe | KINSTALLERS_66_4538.exe
Processes

C:\Users\Admin\AppData\Local\Temp\搜狗导航增值机.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\搜狗导航增值机.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\手机验证码接收系统.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\手机验证码接收系统.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\官方.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\官方.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (depth 4)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\376B.tmp\setup.bat" "
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE (depth 5)
        Command line: ping -n 3 127.0.0.1
        - Runs ping.exe

        C:\Windows\SysWOW64\WScript.exe (depth 5)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\123.VBS"

    C:\Users\Admin\AppData\Local\Temp\淘宝客PID劫持器.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\淘宝客PID劫持器.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WScript.exe (depth 3)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\123.VBS"

  C:\Users\Admin\AppData\Local\Temp\KINSTALLERS_66_4538.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\KINSTALLERS_66_4538.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\kingsoftkonline\KINSTALLERS_66_4538.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\kingsoftkonline\KINSTALLERS_66_4538.exe" /s
    - Executes dropped EXE
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\123.VBS
Filesize: 398B
MD5: b3515d5ceabbcf4ae352adf668e4aa26
SHA1: cef8001c51225008419dcf98553ce4c8e693bb48
SHA256: 220776a333307c6f3ae27222bf5b916b3628647cbbe2b539c934423a6c6c4ecf
SHA512: 59db9b37e46220a9437bbbec5d8f977a02ca2c1430d3b3a6262fbf5792ea7dea8575396b0dfa6ea889d902f3439049ebd3dd1bca6efb89a690b4d105572237d5
-
C:\Users\Admin\AppData\Local\Temp\376B.tmp\setup.bat
Filesize: 34B
MD5: e1b9eb7f7d775d0d49d8ace123a88fc7
SHA1: a97bd323f7ba1d85fa53360e85137fc16a4de204
SHA256: 11d81cc1aeebb5ef06dcf2b90bfdbec35d689a4776838882410f2aca3b00b101
SHA512: 50ab4c7295ece4f6712bc488fffea83fa24a296c6d6538a554a4bedc2a90f54f359e304f3bf3975a27157c41cb45132b839e1efcb1e930e7fbd2fe16d21b65b2
-
C:\Users\Admin\AppData\Local\Temp\KINSTALLERS_66_4538.exe
Filesize: 58KB
MD5: f729d886356835c780a1ec4486f60576
SHA1: 40fafe8a61965919a4cc32a079ec5747fdddcd3e
SHA256: 7ae1beac54fb6511a53be696006ed0fbe1e0bfb76dd9b68f135e97ccf0ccde2e
SHA512: fcacc65d9154e262fcc790945becc673d8eb98410231d521249257e9c3e4c2dfc01854e7c7a86e39e68fa7024859f888cdf3f2cbb820dc068998fc5b506996c8
-
C:\Users\Admin\AppData\Local\Temp\kingsoftkonline\KINSTALLERS_66_4538.exe
Filesize: 30.1MB
MD5: cc8ff25a6404a2a99af9c515850ab0d6
SHA1: 9b1b235cf30cf848c257cb3a0199ae6be3f968c5
SHA256: 336493f13f3b205c1ec7898a0393cfe2765305dfedf1e90366cef185be1d9d03
SHA512: 2db0f4dada8fd8294ce12b9c795593a8da5a69507114650f5c8c2ec070c00b849bbb89e13976b8f52e544877b424c191cd87321ca7e31700d8e5471f571b6f93
-
C:\Users\Admin\AppData\Local\Temp\官方.exe
Filesize: 21KB
MD5: 5a76883d66f3d880ca3e6a69ad693013
SHA1: d8f8177aedeb1e9779b88ff464251e2fb2e0b3f6
SHA256: 68d447639d7a0588c7ac29506ae66a41006c3922ef32adc6bb2da43556a6b3e5
SHA512: dd93083e312768a3efa630734f53eb3180552a882095cda8ab4115a91c836e4b3e5a24412de4f53a9ab064f8dc64002079a8ae6556df1980881c68475d3bde02
-
C:\Users\Admin\AppData\Local\Temp\手机验证码接收系统.exe
Filesize: 456KB
MD5: 653564b090dac7f2896856c54dc17312
SHA1: 7d1c31329d59ceb766e45c340b21985ea8d149b5
SHA256: d04412c4cbcc986ccfd847bda6de2dedf97c1ac5da8a9318048e14a4f62f45dc
SHA512: c7c17866a9d0f10aea21a66efade0e9c419eaf0ccccfb3826e736101691ed07c06e18b186db06cdaf2402f15ab9b428c9e18cd4ab0157a82d246858bb1f24f0a
-
C:\Users\Admin\AppData\Local\Temp\淘宝客PID劫持器.exe
Filesize: 772KB
MD5: 13e8c8ed061b041e160c496fe8eb4ff2
SHA1: cf65914ea3c6743b4d1c916c402c0f95f21498f4
SHA256: 52a5fb7bbc26d536cad0ff7a9474aa27f9f4ad039f9489fb6fe8ce44a315fc25
SHA512: c590dbfd6c6b13c1057d6fa8f981a233d2cdb1e775f037ba23127234d8d677dacc8582adf8d50051b2b2aba214e31cb6c430797372b49ff59605253e5068c1de
-
memory/224-142-0x0000000000000000-mapping.dmp
-
memory/224-147-0x0000000000400000-0x00000000004D1000-memory.dmp
Filesize: 836KB
-
memory/224-158-0x0000000000400000-0x00000000004D1000-memory.dmp
Filesize: 836KB
-
memory/752-145-0x0000000000000000-mapping.dmp
-
memory/1244-152-0x0000000000000000-mapping.dmp
-
memory/2896-157-0x0000000000400000-0x0000000000575000-memory.dmp
Filesize: 1.5MB
-
memory/2896-159-0x0000000000400000-0x0000000000575000-memory.dmp
Filesize: 1.5MB
-
memory/2896-154-0x0000000000000000-mapping.dmp
-
memory/3260-132-0x0000000000000000-mapping.dmp
-
memory/3328-151-0x0000000000000000-mapping.dmp
-
memory/3600-146-0x0000000000400000-0x0000000000410000-memory.dmp
Filesize: 64KB
-
memory/3600-153-0x0000000000400000-0x0000000000410000-memory.dmp
Filesize: 64KB
-
memory/3600-138-0x0000000000000000-mapping.dmp
-
memory/4376-150-0x0000000000000000-mapping.dmp
-
memory/4944-135-0x0000000000000000-mapping.dmp