c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d

Analysis

max time kernel
91s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
Size

957KB
MD5

cbf3c2874ab7217eaeafbfec412b1531
SHA1

9aeec61d64ad1ef848096cf7e8dd0796a2d9505c
SHA256

c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d
SHA512

2458440cb356be5d2a1e3ae151d22bcbe733bbaeb2e24715602f6a5925cdbaafe0518b9d992b3d5988d31e76cb8916315a6d837c5bc320b095ccf6b4667f73a8
SSDEEP

24576:Lxlsi0VY5cW2qicdDJK378ZX1yYwli6ncwMJzJnZiAy:vj2Y324VJKX+JzaAy

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 19 IoCs

pid	Process
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
5056	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\Codepage = "65001"	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\DisplayName = "ÍøÒ³ËÑË÷"	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\URL = "http://www.go2000.cn/search/?q={searchTerms}"	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\software\microsoft\internet explorer\main	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\SearchScopes	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{24588FA4-10F1-41D7-B19D-6E22361E47FA}"	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\start page = "http://www.QQ5.com"	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe

C:\Users\Admin\AppData\Local\Temp\c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe
"C:\Users\Admin\AppData\Local\Temp\c5b923f20c601fdd412a698723b2ff41d3b7ff1892c1ce928edb2726f528b25d.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\BrandingURL.dll

Filesize
3KB

MD5
9c3488b5e9655d1837c3963ecec33f70

SHA1
f0fa9b4c29e75c6e4419c4633d09f2797aee2ef3

SHA256
05ef4beb7fab9d04c1fb251874166fa2d73a34b4a7f2b145d37a2fd00c88979a

SHA512
6af9f88d65d2279a71620f2a656062b1737b3a9a1692ed4e5887bdee891ce08d21c5c0b25ab3acbe6da9fe255dcd7f8a517c2751e73dc56add216740c945e4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\InstallOptions.dll

Filesize
14KB

MD5
b18dfaded8f6d2380fdfd8f6b6969211

SHA1
969fa0e906240ab1123254feeb833c275626cf76

SHA256
747d0222b652dbfc85e0de4f8486473662d325a55e32c7eacb91e53e37ceba58

SHA512
25fb09b8657997d31e61c908f1cd08357c1a1b68bbb1ba377e87b6a3eb347a2ef96c1a771b6c4332853abb33728c55c83efa73df5da03f3dfc132f8a69a2886c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\InstallOptions.dll

Filesize
14KB

MD5
b18dfaded8f6d2380fdfd8f6b6969211

SHA1
969fa0e906240ab1123254feeb833c275626cf76

SHA256
747d0222b652dbfc85e0de4f8486473662d325a55e32c7eacb91e53e37ceba58

SHA512
25fb09b8657997d31e61c908f1cd08357c1a1b68bbb1ba377e87b6a3eb347a2ef96c1a771b6c4332853abb33728c55c83efa73df5da03f3dfc132f8a69a2886c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\ToolTips.dll

Filesize
4KB

MD5
9a0da2692764bb842411a8b9687ebbb7

SHA1
5c3a459faa08a704bdf162476897ad4580ae39bd

SHA256
28aeaa48c929188a0d169887cc3f16370741467ae49e1db59763f030710a6bbb

SHA512
814d686617df4fe9f50a93dac9428babff3a14836aa27b4666976379ec3fafcab65fd82d8886998fa65e7b59dc192ca067cf8b4cdeb8ef551812912d80dab8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEA66.tmp\ToolTips.dll

Filesize
4KB

MD5
9a0da2692764bb842411a8b9687ebbb7

SHA1
5c3a459faa08a704bdf162476897ad4580ae39bd

SHA256
28aeaa48c929188a0d169887cc3f16370741467ae49e1db59763f030710a6bbb

SHA512
814d686617df4fe9f50a93dac9428babff3a14836aa27b4666976379ec3fafcab65fd82d8886998fa65e7b59dc192ca067cf8b4cdeb8ef551812912d80dab8ed

Download Submit
memory/5056-137-0x00000000024F1000-0x00000000024F3000-memory.dmp

Filesize
8KB

Download
memory/5056-149-0x0000000002521000-0x0000000002523000-memory.dmp

Filesize
8KB

Download
memory/5056-146-0x00000000024F1000-0x00000000024F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads