Analysis
- max time kernel: 122s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05/12/2022, 06:24
Static task: static1

Behavioral task: behavioral1
- Sample: e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe
- Resource: win10v2004-20221111-en
General
- Target: e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe
- Size: 2.5MB
- MD5: 2bf436c8e29751577a7ca82973b45e9c
- SHA1: 9b6d97b16a27524e73b386881a9aad1ee9955d18
- SHA256: e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310
- SHA512: 54967d0f41bc67e43cc5650e5023f55f26060a1ebccd61d6fe5af296070e2c5b0dc7ccd3d933452bcedcc2e41d1c082cfb25328b3dd75638da8a261e18f777a7
- SSDEEP: 24576:6zQdjV66pLgbCdgMiZ9YVuL/4giORHpl/Yl02S/:6zqjBpMOdYgVdgJRHjYlc
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | Process
1264 | 360sd.exe

Deletes itself (1 IoC)
pid | Process
852 | cmd.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | 360sd.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\360sd.exe | e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe
File opened for modification | C:\Windows\360sd.exe | e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe
File created | C:\Windows\uninstal.bat | e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe

Modifies data under HKEY_USERS (24 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | 360sd.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | 360sd.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-78-89-91-5a-76 | 360sd.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{96334BC0-FAB4-40B7-95DA-51260C8C16EB}\WpadNetworkName = "Network 2" | 360sd.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | 360sd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | 360sd.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | 360sd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | 360sd.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{96334BC0-FAB4-40B7-95DA-51260C8C16EB} | 360sd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{96334BC0-FAB4-40B7-95DA-51260C8C16EB}\WpadDecisionReason = "1" | 360sd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{96334BC0-FAB4-40B7-95DA-51260C8C16EB}\WpadDecision = "0" | 360sd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | 360sd.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | 360sd.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | 360sd.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | 360sd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | 360sd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{96334BC0-FAB4-40B7-95DA-51260C8C16EB}\WpadDecisionTime = 00aa0caaae0bd901 | 360sd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-78-89-91-5a-76\WpadDecisionReason = "1" | 360sd.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | 360sd.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | 360sd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | 360sd.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{96334BC0-FAB4-40B7-95DA-51260C8C16EB}\42-78-89-91-5a-76 | 360sd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-78-89-91-5a-76\WpadDecisionTime = 00aa0caaae0bd901 | 360sd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-78-89-91-5a-76\WpadDecision = "0" | 360sd.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1664 | e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe
Token: SeDebugPrivilege | 1264 | 360sd.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
1264 | 360sd.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 1664 wrote to memory of 852 | 1664 | e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe | 30
PID 1664 wrote to memory of 852 | 1664 | e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe | 30
PID 1664 wrote to memory of 852 | 1664 | e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe | 30
PID 1664 wrote to memory of 852 | 1664 | e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe | 30
PID 1664 wrote to memory of 852 | 1664 | e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe | 30
PID 1664 wrote to memory of 852 | 1664 | e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe | 30
PID 1664 wrote to memory of 852 | 1664 | e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe | 30
PID 1264 wrote to memory of 864 | 1264 | 360sd.exe | 29
PID 1264 wrote to memory of 864 | 1264 | 360sd.exe | 29
PID 1264 wrote to memory of 864 | 1264 | 360sd.exe | 29
PID 1264 wrote to memory of 864 | 1264 | 360sd.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1664
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c C:\Windows\uninstal.bat
    - Deletes itself
    PID: 852
- C:\Windows\360sd.exe (depth 1)
  Command line: C:\Windows\360sd.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 1264
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (depth 2)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 864
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.5MB
  MD5: 2bf436c8e29751577a7ca82973b45e9c
  SHA1: 9b6d97b16a27524e73b386881a9aad1ee9955d18
  SHA256: e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310
  SHA512: 54967d0f41bc67e43cc5650e5023f55f26060a1ebccd61d6fe5af296070e2c5b0dc7ccd3d933452bcedcc2e41d1c082cfb25328b3dd75638da8a261e18f777a7
- Filesize: 2.5MB
  MD5: 2bf436c8e29751577a7ca82973b45e9c
  SHA1: 9b6d97b16a27524e73b386881a9aad1ee9955d18
  SHA256: e94080f801ce123303d07086231156caa44cc9965f846912b37a0ec6e6ffc310
  SHA512: 54967d0f41bc67e43cc5650e5023f55f26060a1ebccd61d6fe5af296070e2c5b0dc7ccd3d933452bcedcc2e41d1c082cfb25328b3dd75638da8a261e18f777a7
- Filesize: 254B
  MD5: dfd9253468b732afd6d9ae1c4621a7d1
  SHA1: 9a2d341720fcf52d9cb19af13dd2ae760ada9b13
  SHA256: edda057cf6cc2ea6abcfcf659bf06b5f876beae5920ace736949fd55c4543ebc
  SHA512: 137832fed81bbebd090e9c114d17588b08a5db26702300b4741443f39fd3c3b826943fe939286914efba9b33b78bc2cb9c0032e6784deefaa349fc4b6ed0f65a