Overview

overview

9

Static

static

科威软件园.url

windows7-x64

1

科威软件园.url

windows10-2004-x64

1

�....1.exe

windows7-x64

9

�....1.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    184s
  • max time network
    287s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 16:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ˸4.1.exe

  • Size

    5.1MB

  • MD5

    d4a0825e77027a47b28ac118f0975d52

  • SHA1

    fac4d04808945eda9ef71114ae715606d71bd911

  • SHA256

    87cb34ebb531cfdf2abbd61c1e10184fd17e8d92a9cebd38c3684359747ecd51

  • SHA512

    60f6f849c790865274d0d54aba241e1b7a4e2b066a2ccd894b507edc9b211921a6eead88557fb4151daa7a8a15967ad526cce9320471377a18b85329ccc6eeec

  • SSDEEP

    98304:eCv+JlCP+zYxsWUGi95aWJEz/eYqdwkLcHHOT5kJLR6HOkJvVqmFIAG2B0zx:AJloxHUG3lzGjAOdkdou8NvB0zx

Score
9/10
upxvmprotect

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\˸4.1.exe
    "C:\Users\Admin\AppData\Local\Temp\˸4.1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Users\Admin\AppData\Local\Temp\ÄæÕ½±¯É˸¨Öú.exe
      C:\Users\Admin\AppData\Local\Temp\ÄæÕ½±¯É˸¨Öú.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:664
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /u /s C:\Windows\system32\SuperEC_Hook.dll
        3⤵
        • Loads dropped DLL
        PID:944
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.2345.com/?kcassidy
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:332
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:332 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1512
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:332 CREDAT:537607 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
    Filesize

    1KB

    MD5

    a532ae425f5626c06d1073a4f6e2ce39

    SHA1

    86e22bca8bd73a714195d89f9f4578a63ddd9481

    SHA256

    4cd7bbf1de03131dcde2657c113b61b769a2bc35b731bcdabdeb2be16ba058bd

    SHA512

    dd025de9b156ac4f311918224ece28afc9421a3e62c9dfa09f42515259e58c3864b1273819a5991822077ca66f96fd6ba9b71e920c7c004066e71e5bb49f4ca4

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B
    Filesize

    1KB

    MD5

    c9a45ebed91b8363bfab525049dcc050

    SHA1

    a2b3329474d191255c54ae1567063a041bec39e3

    SHA256

    4eb453f585b4e58b6e52b8a4946f72160b9133dadc827fdc3ad6cd66e4e2c51c

    SHA512

    36afe96205186fdc80dced09c62037502087c41e350bdc3086fcf602723bbf9b0f01769aa968c5ec29fe52ca6bb5390032c394dee4ecf4806afa79cc1a6d0e3b

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\574A9FE7B8348B82BDCAB078149F62FA
    Filesize

    599B

    MD5

    85fe7f1600c64c62d26f3d4c6b7c04da

    SHA1

    48cf79d6ce076923b1e0518e91bf81cc0153dea3

    SHA256

    a4c3ad6c71bcfb47526ef964430c3c32a3e570d0cf6a6c6e493b46c4c8047561

    SHA512

    73c51e6043fdb2a60892900de29efa6356771dbc146f294e72835369e4257c0890393facdbbbf6f4f84de63fa6af4d8f65e78b97cfd7d3550596f111aa8f9375

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
    Filesize

    1KB

    MD5

    598786b44f058fe0f85411b64ce208bb

    SHA1

    84be7645337e8f1d45cfe0809086629fe1c868a2

    SHA256

    7a929ddcf3ae1833d455678be2347df5facbf7871177b24b849970d4a8627d9d

    SHA512

    b5c0eeb8b6694c9be6826ad27f5bf1c713f0111872b63d406edea59e7a0d4e4acbb23483aeba4b158120428e7e05ffa64398b96f7e814bd4d47a0132199919dd

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D
    Filesize

    1KB

    MD5

    daccf10489a2a60b33f50f1d61edb489

    SHA1

    08ce5fc440771cd8567d66e61ce52dd601f4e7d4

    SHA256

    f18d3c447d439559c5446d1549484b0523b9dded2938951aab337e012e009845

    SHA512

    cc6af00512894816f60b2046766dc4c45c1e96ec5a2a7d55bc77f9fec20bd6bb9a0788ba05dd17a6f363b8c19f3df04c126cc1d872d3d2a9a75f45c0fc26c902

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
    Filesize

    508B

    MD5

    3f14c26ee54d82a270470925f7fba6b9

    SHA1

    cb433174d557d26d368b6784b76d28c982b75d95

    SHA256

    9b24594223d2a620d4d95ba5800f675211ab4c63fc6531ee865290b922d555d2

    SHA512

    a18cad33a7796183fe9139566071f7a8f13972737065c0f2f16d0faedd2471b4e27af2399dcdfbbd1903132199a26e87bef55954bc3983515113779d2b968a03

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B
    Filesize

    532B

    MD5

    6670d03fb555ca546b529807c3a4f23e

    SHA1

    d76418c00b2a6d6d079ae2a63c8d6ce77aa56ce0

    SHA256

    305d0fc8494911fb36d4fc411a80ea3fc0f28587fac7243c7a1b014743b35e29

    SHA512

    6ffcfad3bc49c3cc3dd74aa7664a4655278279077424ec93d4724e27e38953c7e7fac29dc10ab7b80e9cc9741724ad8e048405e9a41c8065d83e197fc370e4db

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\574A9FE7B8348B82BDCAB078149F62FA
    Filesize

    500B

    MD5

    004d12bd5d9019d1b54b66ca65aa8372

    SHA1

    46cc63b38676fd6260c7493429c08a468daa649e

    SHA256

    52e58bac328cb10a133483c858eab5349318640bcb4b2bb1cbcdf8c2ee73cf49

    SHA512

    4f8c0752e8d46b4c27cfc680b7977f860277836f667255faa31cf9d2597d6e8747e5aa7de67d359350d6ce244140f925dde0fef2c7abf89ae6494b03deeff6b0

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1a3603d530ae2dcc343c7d6db7d29771

    SHA1

    b0116adf3e38d8ad4c66e077e928c1d17eab8518

    SHA256

    e7c5a799260f33a58295ad1c2433cd17845191a554670ca05aba8ff84e51e7ca

    SHA512

    c723e5f4a52509d2024d31b6cbc1f05d697e199abcf2f1db45bcfaf1c8646b307937a62698eba0f75874ca76e4ef087a3de93122496b445de96ad11ebdb37833

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
    Filesize

    506B

    MD5

    a90d41e401f417b28365869b981e0183

    SHA1

    96eb4322ce0a1c176165e903c6bfabf190f53679

    SHA256

    7c39dc22994fb4e7d41e4d8f1801b3e4701fbac9c6d29dfcb9e8297592416c0b

    SHA512

    b0b681d409a22040ad399a60ef9fda02834515df1935a573eec3f545c15a8360c32927701dd715491c723ec734b17c1cc18587bcc7e7ccaa5f8943657ed218ef

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D
    Filesize

    482B

    MD5

    fa6a7d65233a7acba50e35ead5eacba5

    SHA1

    8791690c73252ad798da66f062f22a7e1e415ee7

    SHA256

    4c7759dea1fa749285e716f638ae7c5873a6a9aa27f549a5044add5c875f40e1

    SHA512

    91130f05d4247152e0328ad938334673274809e09e862b647c61f9e12cfe4516097d586fdd92c3e01ea5e1bb7e2962543210e2c7b6f5c62ce0838051908a2886

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\46XILC9P\style[1].css
    Filesize

    48KB

    MD5

    d545f97c1c1874a36c8b896b51b59fab

    SHA1

    ece2c079aa13b4b93e605e347df01bbcc7dddf3a

    SHA256

    6279934eb7232a166de5c0d8578a11e23ac7ce25f17a63b15b13a51ae3671eed

    SHA512

    0e8fbe0ed2cbcc743aac6d495faf4506e6bddd38858ae87ba171abdde212504514451bec35001bb116597cb8ea6acd299a6a53c2afaee3e8f24e4bcf79e9390c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IV8L6YIU\jquery.min[1].js
    Filesize

    714B

    MD5

    c48bfb5700cbbbbe34992d48ca8d1e7f

    SHA1

    cb08102c86d3af19faff3361f27aeb9bd55d488c

    SHA256

    868fceec383fb95f67749fba7ef94ce6baad4080bf113bbd11a99684d459bfcd

    SHA512

    ffeef5b27109c20ba8ac3d013e0a9be1b6fc7f2d04e239cbf89c3d785a95e36b749dd7adab63ba59c806d7f996f5af628210511503a68e77e971c654da0ada76

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PFZC0YBM\72YMPOT5.htm
    Filesize

    60KB

    MD5

    62e8d3318f903011a1b7a722fdb90110

    SHA1

    b3e6dcbf7cc079e55ecfb6b90543ffb9e0bf9233

    SHA256

    5289d866f69614330bd6e7b0c2fc1da65b50e76e0d8ed36465322864be6c02f9

    SHA512

    a0d2996e875145e5e4966a871da41a6a3851f50afb9afd55134d60d66b7b2e05853194f855dd142d3c79e709aba4d307f4f11fd32488d0054b78ad2b51938dd3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YT1AL9CX\wookmark.min[1].js
    Filesize

    8KB

    MD5

    c3025313ef46f9deaf15d8dd84afdb6f

    SHA1

    438edb9ebffbaa3af8b01f98c6a5a0d5186f9069

    SHA256

    8542c8bb4b72288ca52ca77154798417b07ef0703e9d7e4ae0508d49a2a580ba

    SHA512

    0fa908aae206ad2eb69e26136b606f9a569e3424dd22f8328442dc320a3ed6f15d962b248f2f663787fc1963c0e5edf1cabdee532f2aee1b1427b34fe5528105

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ÄæÕ½±¯É˸¨Öú.exe
    Filesize

    4.5MB

    MD5

    35820cb78e5516ee20625389a67b7a5c

    SHA1

    9bbe8d20b8352c392f8d47da1b61e5894c4db585

    SHA256

    ff3719f6abade4c0604d944e90ddbb6fdd8b84c1476a7917218d76233520dd9f

    SHA512

    0e1f4687833ef9f8355e28210565baabc01af55d6cb4e47185215c1e739d6f64d7bebbe9c9ab11fb5be1f61021ccdf1d390b6c92c3049f7e4f3f8241c70cb043

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ÄæÕ½±¯É˸¨Öú.exe
    Filesize

    4.5MB

    MD5

    35820cb78e5516ee20625389a67b7a5c

    SHA1

    9bbe8d20b8352c392f8d47da1b61e5894c4db585

    SHA256

    ff3719f6abade4c0604d944e90ddbb6fdd8b84c1476a7917218d76233520dd9f

    SHA512

    0e1f4687833ef9f8355e28210565baabc01af55d6cb4e47185215c1e739d6f64d7bebbe9c9ab11fb5be1f61021ccdf1d390b6c92c3049f7e4f3f8241c70cb043

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6CBRXM2P.txt
    Filesize

    596B

    MD5

    012e9848e4ec9f84aad4d44f3cda2577

    SHA1

    8c2f94264c0bdf6643e5399a698b622718b92363

    SHA256

    af15d62ad76fb410288b1147c8996f1a1375d7690840b3b2629670d21eac96fc

    SHA512

    d597df341403281f304c97025bfdac95808a36129d2f6fd27dfd7b4009b7f85843ee45fbbf029515394ac985986d7b767a0f3b4a135904c86cbf96a72eefae0d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AXYB0UV3.txt
    Filesize

    110B

    MD5

    8953bac793a78a00a82504eb7a23c53d

    SHA1

    370bb7ae3c074807ed5890767e265b1c747cb270

    SHA256

    3ec9d0ddc42997ce3663bec9ec6f933edabf89733e0339a35c3eb325934785a7

    SHA512

    913204e817ddc78686e76f0b5efe96043e8c4c15854da23a5a26201b575557d47196fb5a423ad605b21e6dc1631cf721ef6469fd5e8d374127d16ea5dd80bb23

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UFT3GU8T.txt
    Filesize

    678B

    MD5

    558cf4797a98c393eda33e7150a69d65

    SHA1

    8690000613ed8fa69d41994f51be2b95711d8feb

    SHA256

    bd9515b1f5a6f7478a60d48e24ba4a196c68452395b558e2d317beead4b7dbac

    SHA512

    b8238a94c6ff56b0d3faa4463339f47dc8f5102535e089cc49e6eca10b714025e8ae97a2e4f95811563ad7a5441b6a159e4e3c920d7d2fb8cb705a6d5a479aa5

    Download Submit
  • C:\Windows\SysWOW64\SuperEC_Hook.dll
    Filesize

    368KB

    MD5

    6446f02463634295797ff698eb7eb92e

    SHA1

    64a20417acf7c9bd67efc601236c85fa640426a8

    SHA256

    53022e175ff09af40a8569a641a261ed08dabc7331afbdde97f2f3d6f9321b33

    SHA512

    eeeb4152b92f9c4cad35d596f6fdec8d4e26b93c1a71627007ce5e490c46bd7773cc65309645ace429467b335fea5fe33cb5aac4cf507367cd9ad72a1b9efbfe

    Download Submit
  • \Users\Admin\AppData\Local\Temp\SkinH_EL.dll
    Filesize

    86KB

    MD5

    147127382e001f495d1842ee7a9e7912

    SHA1

    92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

    SHA256

    edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

    SHA512

    97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

    Download Submit
  • \Users\Admin\AppData\Local\Temp\ÄæÕ½±¯É˸¨Öú.exe
    Filesize

    4.5MB

    MD5

    35820cb78e5516ee20625389a67b7a5c

    SHA1

    9bbe8d20b8352c392f8d47da1b61e5894c4db585

    SHA256

    ff3719f6abade4c0604d944e90ddbb6fdd8b84c1476a7917218d76233520dd9f

    SHA512

    0e1f4687833ef9f8355e28210565baabc01af55d6cb4e47185215c1e739d6f64d7bebbe9c9ab11fb5be1f61021ccdf1d390b6c92c3049f7e4f3f8241c70cb043

    Download Submit
  • \Users\Admin\AppData\Local\Temp\ÄæÕ½±¯É˸¨Öú.exe
    Filesize

    4.5MB

    MD5

    35820cb78e5516ee20625389a67b7a5c

    SHA1

    9bbe8d20b8352c392f8d47da1b61e5894c4db585

    SHA256

    ff3719f6abade4c0604d944e90ddbb6fdd8b84c1476a7917218d76233520dd9f

    SHA512

    0e1f4687833ef9f8355e28210565baabc01af55d6cb4e47185215c1e739d6f64d7bebbe9c9ab11fb5be1f61021ccdf1d390b6c92c3049f7e4f3f8241c70cb043

    Download Submit
  • \Windows\SysWOW64\SuperEC_Hook.dll
    Filesize

    368KB

    MD5

    6446f02463634295797ff698eb7eb92e

    SHA1

    64a20417acf7c9bd67efc601236c85fa640426a8

    SHA256

    53022e175ff09af40a8569a641a261ed08dabc7331afbdde97f2f3d6f9321b33

    SHA512

    eeeb4152b92f9c4cad35d596f6fdec8d4e26b93c1a71627007ce5e490c46bd7773cc65309645ace429467b335fea5fe33cb5aac4cf507367cd9ad72a1b9efbfe

    Download Submit
  • memory/664-62-0x0000000010000000-0x000000001003D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/664-57-0x0000000000000000-mapping.dmp
    Download
  • memory/944-68-0x0000000016080000-0x0000000016152000-memory.dmp
    Filesize

    840KB

    Download
  • memory/944-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1516-54-0x00000000757E1000-0x00000000757E3000-memory.dmp
    Filesize

    8KB

    Download