71ff9c86c90f515d38e9bf67e55c8d8f87cd65b8fdeb9c18daf8b333c288d610

General

Target

71ff9c86c90f515d38e9bf67e55c8d8f87cd65b8fdeb9c18daf8b333c288d610.exe
Size

1.7MB
MD5

ed441e1404e851157e773fdff2cae40a
SHA1

957462aa7591a09e1a8a9f4d30b22a7ce203c6f8
SHA256

71ff9c86c90f515d38e9bf67e55c8d8f87cd65b8fdeb9c18daf8b333c288d610
SHA512

39be9a4bfd720ee70f5024729edd8e49067fc2670bd58a617ac1381c30aa06a19ddcce0bc459b6a04bd33128d732c10185ae7bd98fe6354db69f72688f08045c
SSDEEP

24576:xArHVljSWEnPFYByxQxGBqBRrdklDdMAdUC+50WKl9IlJdneeIhhIrQedTVSZ1NQ:SqYB2QxGBQpkz+A9UZcqQexmeCqHT9

Score

8^/10

adware evasion stealer

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1280	attrib.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regini.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	regini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions	regini.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?kuujswsa"	regini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.2345.com/?kuujswsa"	regini.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1692	regedit.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1472	1948	71ff9c86c90f515d38e9bf67e55c8d8f87cd65b8fdeb9c18daf8b333c288d610.exe	28
PID 1948 wrote to memory of 1472	1948	71ff9c86c90f515d38e9bf67e55c8d8f87cd65b8fdeb9c18daf8b333c288d610.exe	28
PID 1948 wrote to memory of 1472	1948	71ff9c86c90f515d38e9bf67e55c8d8f87cd65b8fdeb9c18daf8b333c288d610.exe	28
PID 1948 wrote to memory of 1472	1948	71ff9c86c90f515d38e9bf67e55c8d8f87cd65b8fdeb9c18daf8b333c288d610.exe	28
PID 1472 wrote to memory of 580	1472	WScript.exe	29
PID 1472 wrote to memory of 580	1472	WScript.exe	29
PID 1472 wrote to memory of 580	1472	WScript.exe	29
PID 1472 wrote to memory of 580	1472	WScript.exe	29
PID 580 wrote to memory of 1280	580	cmd.exe	31
PID 580 wrote to memory of 1280	580	cmd.exe	31
PID 580 wrote to memory of 1280	580	cmd.exe	31
PID 580 wrote to memory of 1280	580	cmd.exe	31
PID 580 wrote to memory of 1692	580	cmd.exe	32
PID 580 wrote to memory of 1692	580	cmd.exe	32
PID 580 wrote to memory of 1692	580	cmd.exe	32
PID 580 wrote to memory of 1692	580	cmd.exe	32
PID 580 wrote to memory of 1780	580	cmd.exe	33
PID 580 wrote to memory of 1780	580	cmd.exe	33
PID 580 wrote to memory of 1780	580	cmd.exe	33
PID 580 wrote to memory of 1780	580	cmd.exe	33

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1280	attrib.exe

C:\Users\Admin\AppData\Local\Temp\71ff9c86c90f515d38e9bf67e55c8d8f87cd65b8fdeb9c18daf8b333c288d610.exe
"C:\Users\Admin\AppData\Local\Temp\71ff9c86c90f515d38e9bf67e55c8d8f87cd65b8fdeb9c18daf8b333c288d610.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\local settings\Application Data\liebao.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\Local Settings\Application Data\liebao.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\local settings\Application Data\liebao\User Data\Default\Preferences" +r +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1280
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s ie.reg
      4⤵
      Modifies registry class
      Runs .reg file with regedit
      PID:1692
  - - C:\Windows\SysWOW64\regini.exe
      regini temp.ini
      4⤵
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\temp.ini

Filesize
731B

MD5
a88df8bc85a16b1816650180268048c6

SHA1
e9deb6eecc891d3239958fcf7ca768fa867e7f00

SHA256
f347d452573bd51eeb0a97212b32e5a31416a0b70e75a28355e7365e363c7aac

SHA512
037429c201be67acaa607a87d367032482f1e445f16332f8f811e7bfe7727aecddc9d6ae552dd2f25a33b5511c2ff090e0a1bbb07aa133c3e6567d8e8fa5a0f6

Download Submit
C:\Users\Admin\Local Settings\Application Data\liebao.bat

Filesize
1KB

MD5
5a7b5c6e162db43ec1d4fe29d66fb74a

SHA1
74d5d9e0e2343ca792ed7c2cbe7adf714edd36d2

SHA256
b56921752801026a1ff7f143a132c9f766b8c83ae7debfdd7bc8ab2e683e4992

SHA512
4606cfe2e2bad86b97411e3beb646e36347cc3aedcac56720c07dcfdc1f87f27b857a047ee9aced99ee13c3d93378c60825cf0016b51e439ac613d5794a92a2d

Download Submit
C:\Users\Admin\local settings\Application Data\ie.reg

Filesize
218B

MD5
f30321688bc7b720bb9e6fe8d0336b2e

SHA1
9bfe1f7cec5f15a1a3f49628489fe0e471e51cad

SHA256
d859d3541f783a8a353a06f0ef87f18daf94ac21a42bd6fcfcd07ae6d10c650a

SHA512
c5d672413e8e83a056316bc3510a09c0c93f7a84334e418b9490fe7978ed564205f4853f370db636fa0edcf414a4be50a7d6792a56d874a55cc7ea2f9df1c0d4

Download Submit
C:\Users\Admin\local settings\Application Data\liebao.vbs

Filesize
189B

MD5
6ae0dd01a0eabc4e084c810d470d58b5

SHA1
8afb04784103a8847d2965a6257681e9b628a931

SHA256
8be0e5323ba7e08b70417c6378ad76dd7ddda35172f9d294bd48989d0a257471

SHA512
d9dddf2568199b952f6ffe192c65286498dab7c14540b3df841bbbde169597d8c9e049fb2c6f9c4f1480acadeb982ffec2cbab540ab6779e8c26605eda206a73

Download Submit
C:\Users\Admin\local settings\Application Data\liebao\User Data\Default\Preferences

Filesize
10KB

MD5
85f00ee97539bf3d29eeb56d091a169d

SHA1
73ecd04e400a8ac7a188f89ea71834182db6947a

SHA256
bf9f36a1c4140f1bbf9cf46dd63df2091cc68407ff3207c4a4148fcc69ae4a12

SHA512
2dda935b2b824e5663623429dd14170e0c81f2f922af3345f6233de5c1e2322db8a336d1f71eeb4373a69e638a932cae51d6e4985d42f47ff3942168ac8f2c5d

Download Submit
memory/1948-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads