9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76

Analysis

max time kernel
54s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe
Size

123KB
MD5

749ccb3259b6efa558e944c584687d3f
SHA1

5f4e897fee3f01458bc88560dca2a7f7ddcbd0ed
SHA256

9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76
SHA512

1a54200f5cf81546e34ea61a93a110fc56b21b3b582d95716a537cbb308b02c23e3df2ef0ee62a0f991c2b3fdd932cc45acf15cf2ea24dd92af873f30c454a22
SSDEEP

3072:3JzzmNHrDy0AiscBmksERSTz+mvoEjahD4L0B/RPNqNJelf:9CZIiPEojRBV0q

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1712	cmd.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.135968.cn"	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1712	1492	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe	28
PID 1492 wrote to memory of 1712	1492	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe	28
PID 1492 wrote to memory of 1712	1492	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe	28
PID 1492 wrote to memory of 1712	1492	9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe	28

C:\Users\Admin\AppData\Local\Temp\9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe
"C:\Users\Admin\AppData\Local\Temp\9f8a6ed70540d327745935a10cffe2de6b7a81db1a09f52ab06f4950e66ccb76.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ndhhsgal.bat
  2⤵
  - Deletes itself
  PID:1712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ndhhsgal.bat

Filesize
248B

MD5
95b2e5a0093162dc82a6b6f0692c7d38

SHA1
a6361f1e707cc22587aac4ec81c8ef176e067c5f

SHA256
a632be5f25c97da785949a557dd71312e385dc3605ab903acae918a4554118c3

SHA512
4c199a6baa1648482eba3fc426a07a19840993a742ee03a24a66b96a1bcdc58d1420eb0bfa88e0652c36e83f6c55dcea16f1447d8b7007507d768b3feb97de88

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads