531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8

Analysis

max time kernel
84s
max time network
109s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Size

330KB
MD5

505c214da8ff59f03cbf27f152149173
SHA1

2e917d6cc497ed576a56a229abc6a67bd8654f85
SHA256

531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8
SHA512

bca0a0d219ed62013c602531931d40c960f4bb0397f7995d6d088e34a5104670625842a2a60635ffe265a0f6392c29183f855b2fe3599df81fd3de0155c6420f
SSDEEP

6144:Bsit+joWDgZP/D3RnKn5U/SofsIcSs2EmrHzMW:xqKz3RnKn5u99s27rT

Score

9^/10

adware discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000800000001232d-61.dat	acprotect
behavioral1/files/0x000800000001232d-62.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1560	honorzone.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001232d-61.dat	upx
behavioral1/files/0x000800000001232d-62.dat	upx

Deletes itself 1 IoCs

pid	Process
1252	cmd.exe

Loads dropped DLL 17 IoCs

pid	Process
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1560	honorzone.exe
1560	honorzone.exe
1560	honorzone.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\honorzone = "\"C:\\Users\\Admin\\AppData\\Roaming\\honorzone\\honorzone.exe\" subcmd"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A599A91D-88AE-4561-939B-EEE293665C75}	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A599A91D-88AE-4561-939B-EEE293665C75}\ = "Honorzone SubTap"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A599A91D-88AE-4561-939B-EEE293665C75}\NoExplorer = "1"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1628	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1120	schtasks.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\honorzone_dll.DLL	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\VersionIndependentProgID\ = "honorzone_dll.honorzone_Obj"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\AppID = "{4DCE947D-3040-4F5F-9390-7C057C1BD755}"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\TypeLib	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\TypeLib\Version = "1.0"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj\CLSID\ = "{A599A91D-88AE-4561-939B-EEE293665C75}"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\honorzone\\honorzone.dll"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\0	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\TypeLib	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\TypeLib\Version = "1.0"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj.1	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj.1\CLSID	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj\CLSID	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj\CurVer	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\ = "Honorzone SubTap"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\Programmable	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\TypeLib\ = "{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\ProxyStubClsid32	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\VersionIndependentProgID	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\InprocServer32\ThreadingModel = "Apartment"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\FLAGS\ = "0"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\HELPDIR	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\honorzone_dll.DLL\AppID = "{4DCE947D-3040-4F5F-9390-7C057C1BD755}"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\honorzone\\honorzone.dll"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\HELPDIR\	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\ = "Ihonorzone_Obj"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4DCE947D-3040-4F5F-9390-7C057C1BD755}	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\ProgID	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\ProgID\ = "honorzone_dll.honorzone_Obj.1"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\FLAGS	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj.1\ = "honorzone_Obj Class"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}\InprocServer32	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\ = "Ihonorzone_Obj"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\TypeLib\ = "{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\TypeLib\ = "{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\ProxyStubClsid32	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4DCE947D-3040-4F5F-9390-7C057C1BD755}\ = "honorzone_dll"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj.1\CLSID\ = "{A599A91D-88AE-4561-939B-EEE293665C75}"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj\ = "honorzone_Obj Class"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\honorzone_dll.honorzone_Obj\CurVer\ = "honorzone_dll.honorzone_Obj.1"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A599A91D-88AE-4561-939B-EEE293665C75}	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\ = "honorzone_dll 1.0 Çü½Ä ¶óÀÌºê·¯¸®"	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B57F0BF3-3450-40C9-BB5D-ABA8FFB75D53}\1.0\0\win32	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A6C382C-8E16-424B-B312-D29286CBAA80}\TypeLib	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
1560	honorzone.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1560	honorzone.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1560	honorzone.exe
1560	honorzone.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 644	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	28
PID 1100 wrote to memory of 644	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	28
PID 1100 wrote to memory of 644	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	28
PID 1100 wrote to memory of 644	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	28
PID 1100 wrote to memory of 644	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	28
PID 1100 wrote to memory of 644	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	28
PID 1100 wrote to memory of 644	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	28
PID 644 wrote to memory of 1120	644	cmd.exe	30
PID 644 wrote to memory of 1120	644	cmd.exe	30
PID 644 wrote to memory of 1120	644	cmd.exe	30
PID 644 wrote to memory of 1120	644	cmd.exe	30
PID 644 wrote to memory of 1120	644	cmd.exe	30
PID 644 wrote to memory of 1120	644	cmd.exe	30
PID 644 wrote to memory of 1120	644	cmd.exe	30
PID 1100 wrote to memory of 1560	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	31
PID 1100 wrote to memory of 1560	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	31
PID 1100 wrote to memory of 1560	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	31
PID 1100 wrote to memory of 1560	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	31
PID 1100 wrote to memory of 1560	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	31
PID 1100 wrote to memory of 1560	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	31
PID 1100 wrote to memory of 1560	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	31
PID 1560 wrote to memory of 1628	1560	honorzone.exe	33
PID 1560 wrote to memory of 1628	1560	honorzone.exe	33
PID 1560 wrote to memory of 1628	1560	honorzone.exe	33
PID 1560 wrote to memory of 1628	1560	honorzone.exe	33
PID 1560 wrote to memory of 1628	1560	honorzone.exe	33
PID 1560 wrote to memory of 1628	1560	honorzone.exe	33
PID 1560 wrote to memory of 1628	1560	honorzone.exe	33
PID 1100 wrote to memory of 1252	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	37
PID 1100 wrote to memory of 1252	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	37
PID 1100 wrote to memory of 1252	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	37
PID 1100 wrote to memory of 1252	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	37
PID 1100 wrote to memory of 1252	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	37
PID 1100 wrote to memory of 1252	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	37
PID 1100 wrote to memory of 1252	1100	531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe	37

C:\Users\Admin\AppData\Local\Temp\531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe
"C:\Users\Admin\AppData\Local\Temp\531cd38bd4dcde299d18261a83682b2e399408541d4a274c1702851c030d4cd8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /C schtasks /Create /F /TN "Windowshonorzone" /SC ONLOGON /TR "'C:\Users\Admin\AppData\Roaming\honorzone\honorzone.exe' schcmd" /rL HIGHEST
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /F /TN "Windowshonorzone" /SC ONLOGON /TR "'C:\Users\Admin\AppData\Roaming\honorzone\honorzone.exe' schcmd" /rL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1120
- C:\Users\Admin\AppData\Roaming\honorzone\honorzone.exe
  "C:\Users\Admin\AppData\Roaming\honorzone\honorzone.exe" Updatecmd
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\sc.exe
    sc query npf
    3⤵
    - Launches sc.exe
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \DelUS.bat
  2⤵
  - Deletes itself
  PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
264B

MD5
e369f9f0e77f167b37b0733f8ce0f466

SHA1
c2b7ec938fc7ca8a54be38a16270dbf06235258f

SHA256
b292b90c50d03286443808315fbe2842f812e5837b4b708b2575974b517abe35

SHA512
136abbaadc72dc237b2460e0e900a8a9045286b754634f4e36f1fa92b8d651878b56f5aa6157b80d64a1e355c69a0c0acd5afbe0e5313d4a2dfa945a1165d4b5

Download Submit
C:\Users\Admin\AppData\Roaming\honorzone\honorzone.exe

Filesize
384KB

MD5
c1aa3e00e95d34e7e0e44b9714d928be

SHA1
020e1c9c512b57a7c150cc8b2b9b95316f9f120a

SHA256
dc8da541f84aa684e52423f0846ee26556236b99fc6730f82aa3eb415da5a6ab

SHA512
d5efe6943a5781403e912f3e234f4508cd7de34efd699efdd7b93a3f0bb9a7503f118538323624dfa5c96332efd29c24b6b67231a2a73e2333251fa590f8947f

Download Submit
C:\Users\Admin\AppData\Roaming\honorzone\honorzone.exe

Filesize
384KB

MD5
c1aa3e00e95d34e7e0e44b9714d928be

SHA1
020e1c9c512b57a7c150cc8b2b9b95316f9f120a

SHA256
dc8da541f84aa684e52423f0846ee26556236b99fc6730f82aa3eb415da5a6ab

SHA512
d5efe6943a5781403e912f3e234f4508cd7de34efd699efdd7b93a3f0bb9a7503f118538323624dfa5c96332efd29c24b6b67231a2a73e2333251fa590f8947f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA096.tmp\DLLWebCount.dll

Filesize
32KB

MD5
248536afcb6f59c1797f079a0da15b63

SHA1
7fa238f871b357c66168728ab1bb38addcfba3f8

SHA256
9c5f4eeadc9c2881bc02b45d757b35d3bfd2dc7d917d2e8fde2917fabf48908f

SHA512
b82accc8530650ebae8d4f8752002c2d23ab7b29e958e6c14731ad186a0fcdbbab937723a540de62d58f4659580843191fd53cb415e07167d7b55cd174a79652

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA096.tmp\IEKill.dll

Filesize
28KB

MD5
090f0ab18996feae6c0a62d83b2149c6

SHA1
5292898561ad88630088ae22fb877dfc7146ee77

SHA256
914536dd97645de7789666da5dc03d02f4fbe0593214678e6e1982a02a8a1c4d

SHA512
2fccda2cb95583fdb184b7edaa7ae088ca484e06d020159bf9776e36b660c6672812b7e821b111fa52d63ad5e2ce70602dc117edc2eba3c46029653c5ef5ffc6

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA096.tmp\IEKill.dll

Filesize
28KB

MD5
090f0ab18996feae6c0a62d83b2149c6

SHA1
5292898561ad88630088ae22fb877dfc7146ee77

SHA256
914536dd97645de7789666da5dc03d02f4fbe0593214678e6e1982a02a8a1c4d

SHA512
2fccda2cb95583fdb184b7edaa7ae088ca484e06d020159bf9776e36b660c6672812b7e821b111fa52d63ad5e2ce70602dc117edc2eba3c46029653c5ef5ffc6

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA096.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA096.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA096.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA096.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA096.tmp\SelfDelete.dll

Filesize
24KB

MD5
ddc0d6806073a5b034104c88288ca762

SHA1
9663cc10c496f05d6167e19c3920245040e5e431

SHA256
2f4767da9dc7e720d910d32d451674cd08b7892ca753ec5c10b11fe85e12f06b

SHA512
545ca797a397cfcbd9b5d3bd2da2e3219ba7a294e541831655c5763a7f17480fd0b990d0c2e58ba8c71f81d85472b2da6d079b8211b44c40c8c36d21168ec054

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA096.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA096.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA096.tmp\version.dll

Filesize
22KB

MD5
fbe588b15eb1bd86defade69f796b56f

SHA1
2f63cf44039addddb22c2c0497673b49e6b3ad7a

SHA256
31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f

SHA512
e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzone.dll

Filesize
148KB

MD5
470f1cfa9eeb0697f667c1f71748cca3

SHA1
a47eae50c44fd64c47b3b3c9dcf8d2e2e6c11cb5

SHA256
53afd465b64b8b3b102088752d554ae477c5d9f3c18de10fe8c899b1d673a8e8

SHA512
831cd2d018d98738b7302875a696f300fc023a967a438d50fe1c03945a00f0840d9c43133244fc3a2bda73a723fd2d612cf42c9ad1585b93adee6ea57cb657ab

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzone.exe

Filesize
384KB

MD5
c1aa3e00e95d34e7e0e44b9714d928be

SHA1
020e1c9c512b57a7c150cc8b2b9b95316f9f120a

SHA256
dc8da541f84aa684e52423f0846ee26556236b99fc6730f82aa3eb415da5a6ab

SHA512
d5efe6943a5781403e912f3e234f4508cd7de34efd699efdd7b93a3f0bb9a7503f118538323624dfa5c96332efd29c24b6b67231a2a73e2333251fa590f8947f

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzone.exe

Filesize
384KB

MD5
c1aa3e00e95d34e7e0e44b9714d928be

SHA1
020e1c9c512b57a7c150cc8b2b9b95316f9f120a

SHA256
dc8da541f84aa684e52423f0846ee26556236b99fc6730f82aa3eb415da5a6ab

SHA512
d5efe6943a5781403e912f3e234f4508cd7de34efd699efdd7b93a3f0bb9a7503f118538323624dfa5c96332efd29c24b6b67231a2a73e2333251fa590f8947f

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzone.exe

Filesize
384KB

MD5
c1aa3e00e95d34e7e0e44b9714d928be

SHA1
020e1c9c512b57a7c150cc8b2b9b95316f9f120a

SHA256
dc8da541f84aa684e52423f0846ee26556236b99fc6730f82aa3eb415da5a6ab

SHA512
d5efe6943a5781403e912f3e234f4508cd7de34efd699efdd7b93a3f0bb9a7503f118538323624dfa5c96332efd29c24b6b67231a2a73e2333251fa590f8947f

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzone.exe

Filesize
384KB

MD5
c1aa3e00e95d34e7e0e44b9714d928be

SHA1
020e1c9c512b57a7c150cc8b2b9b95316f9f120a

SHA256
dc8da541f84aa684e52423f0846ee26556236b99fc6730f82aa3eb415da5a6ab

SHA512
d5efe6943a5781403e912f3e234f4508cd7de34efd699efdd7b93a3f0bb9a7503f118538323624dfa5c96332efd29c24b6b67231a2a73e2333251fa590f8947f

Download Submit
\Users\Admin\AppData\Roaming\honorzone\honorzone.exe

Filesize
384KB

MD5
c1aa3e00e95d34e7e0e44b9714d928be

SHA1
020e1c9c512b57a7c150cc8b2b9b95316f9f120a

SHA256
dc8da541f84aa684e52423f0846ee26556236b99fc6730f82aa3eb415da5a6ab

SHA512
d5efe6943a5781403e912f3e234f4508cd7de34efd699efdd7b93a3f0bb9a7503f118538323624dfa5c96332efd29c24b6b67231a2a73e2333251fa590f8947f

Download Submit
memory/1100-68-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/1100-71-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/1100-69-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/1100-70-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/1100-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download