16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841

General

Target

16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841.exe
Size

679KB
MD5

e1c3e89e5456767475d8120da62fa2c6
SHA1

51696b6e31efe2c681741d608db53e296ed08416
SHA256

16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841
SHA512

50d47c61d6be7a02a88f590ecfa4a17b18137d41a311139e0e1a859b6fcc70c7a3c7d206d57a44ad3ee76a2db211231f1cc11b24d2753ee85742a671b41b78b6
SSDEEP

12288:OUWA3AheuswyYH7aLCJrexO9c3Zw4S9H9agB9mr6XsIcLUjY6DWkNNkleQm:OUWqistYbaLChL23ZuH9BmkHj+kNNLQm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1172	cvjsyqk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\cvjsyqk	16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841.exe
File opened for modification	C:\Program Files (x86)\cvjsyqk\danim.dll	16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841.exe
File created	C:\Program Files (x86)\cvjsyqk\mshydu.bat	cvjsyqk.exe
File created	C:\Program Files (x86)\cvjsyqk\__tmp_rar_sfx_access_check_240611015	16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841.exe
File created	C:\Program Files (x86)\cvjsyqk\cvjsyqk.exe	16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841.exe
File opened for modification	C:\Program Files (x86)\cvjsyqk\cvjsyqk.exe	16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841.exe
File created	C:\Program Files (x86)\cvjsyqk\dnsapi.dll	16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841.exe
File opened for modification	C:\Program Files (x86)\cvjsyqk\dnsapi.dll	16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841.exe
File created	C:\Program Files (x86)\cvjsyqk\danim.dll	16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet explorer\Main	cvjsyqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet explorer\Main	cvjsyqk.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\SearchScopes\baidu	cvjsyqk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\baidu\DisplayName = "°Ù¶ÈËÑË÷"	cvjsyqk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\baidu\URL = "http://www.baidu.com/baidu?tn=flstudios_cb&word={searchTerms}&cl=3&ie=utf-8"	cvjsyqk.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\SearchScopes	cvjsyqk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "baidu"	cvjsyqk.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://hao.6360.info"	cvjsyqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://hao.6360.info"	cvjsyqk.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	cvjsyqk.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node	cvjsyqk.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	cvjsyqk.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	cvjsyqk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://hao.6360.info"	cvjsyqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	cvjsyqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cvjsyqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	cvjsyqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	cvjsyqk.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	cvjsyqk.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID	cvjsyqk.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	cvjsyqk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1172	cvjsyqk.exe
1172	cvjsyqk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 1172	2576	16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841.exe	84
PID 2576 wrote to memory of 1172	2576	16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841.exe	84
PID 2576 wrote to memory of 1172	2576	16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841.exe	84
PID 1172 wrote to memory of 4648	1172	cvjsyqk.exe	88
PID 1172 wrote to memory of 4648	1172	cvjsyqk.exe	88
PID 1172 wrote to memory of 4648	1172	cvjsyqk.exe	88

C:\Users\Admin\AppData\Local\Temp\16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841.exe
"C:\Users\Admin\AppData\Local\Temp\16b96df84b11df00d4f25af0bf084c1539d1950080860a82d95c951fecfa3841.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files (x86)\cvjsyqk\cvjsyqk.exe
  "C:\Program Files (x86)\cvjsyqk\cvjsyqk.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\cvjsyqk\mshydu.bat""
    3⤵
    PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\cvjsyqk\cvjsyqk.exe

Filesize
477KB

MD5
66a79bc8644f768f976d6c7920def463

SHA1
8d282fc15e1e471b496d8ea0e5dd2450256cc4f3

SHA256
bd852b389a2cb7a488bf28ff87f7e2f8e1235314879406cbc9ac8c792e4f2833

SHA512
f9e44e72d779e701fd21b945bba5f0a38797466da39f11883c51ab837191933c9e82cc1bb24c2b73ad729a653650db894f2d462b9a67b080aa3bde0d7818594e

Download Submit
C:\Program Files (x86)\cvjsyqk\cvjsyqk.exe

Filesize
477KB

MD5
66a79bc8644f768f976d6c7920def463

SHA1
8d282fc15e1e471b496d8ea0e5dd2450256cc4f3

SHA256
bd852b389a2cb7a488bf28ff87f7e2f8e1235314879406cbc9ac8c792e4f2833

SHA512
f9e44e72d779e701fd21b945bba5f0a38797466da39f11883c51ab837191933c9e82cc1bb24c2b73ad729a653650db894f2d462b9a67b080aa3bde0d7818594e

Download Submit
C:\Program Files (x86)\cvjsyqk\mshydu.bat

Filesize
128B

MD5
d8c03e41ddef8430ad7fa8253f7732bc

SHA1
3e39b29514a25b30a1a7e8dcecb1ff4a0d78ad74

SHA256
b11af1a1e5dbd3dc804fa22d0939243fe8495983fa7fedeefe80bc881d794177

SHA512
02cd61dc5a4c41008de77a132717ff09a6e235e92207667353f24b6a9c445ca7879c540ad532d4f8240f3d59ef3e5cacbdd1a3b5eb706b02e1ea63a66f423dcf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads