2b1e999cfe34313e80ecf20d81f69bf424c73607cbeed381eb5feceaaabde111

Analysis

max time kernel
128s
max time network
127s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24/05/2023, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b1e999cfe34313e80ecf20d81f69bf424c73607cbeed381eb5feceaaabde111.exe
Size

5.7MB
MD5

d8d63bc9bb399c5a9d7500e443bc5b6a
SHA1

bc9cdf0ce27a4cadba2d031776ef77ac08933a9c
SHA256

2b1e999cfe34313e80ecf20d81f69bf424c73607cbeed381eb5feceaaabde111
SHA512

ab40600d5d831768a84bd3f0f6cd0e2d66e0fbbd125192ce9048494a0a1a8a189d05c0396cb29cf487bb7dff604ec5d9333b09f88fe8edee9914f186b6b92317
SSDEEP

98304:wpch+nkYc5bKbe/RYPIUDwmz9jiTo6FQcg7jgnokdaSfZ7VGE5uDBENxFFUMfX3t:wpcIkr5jmtDvJgFQ1gVda8hVGEYDBENZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1708	打印机驱动安装.exe

Loads dropped DLL 1 IoCs

pid	Process
848	2b1e999cfe34313e80ecf20d81f69bf424c73607cbeed381eb5feceaaabde111.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	打印机驱动安装.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	打印机驱动安装.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	打印机驱动安装.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	打印机驱动安装.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	打印机驱动安装.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
848	2b1e999cfe34313e80ecf20d81f69bf424c73607cbeed381eb5feceaaabde111.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1708	打印机驱动安装.exe
1708	打印机驱动安装.exe
1708	打印机驱动安装.exe
1708	打印机驱动安装.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1708	848	2b1e999cfe34313e80ecf20d81f69bf424c73607cbeed381eb5feceaaabde111.exe	27
PID 848 wrote to memory of 1708	848	2b1e999cfe34313e80ecf20d81f69bf424c73607cbeed381eb5feceaaabde111.exe	27
PID 848 wrote to memory of 1708	848	2b1e999cfe34313e80ecf20d81f69bf424c73607cbeed381eb5feceaaabde111.exe	27
PID 848 wrote to memory of 1708	848	2b1e999cfe34313e80ecf20d81f69bf424c73607cbeed381eb5feceaaabde111.exe	27
PID 1708 wrote to memory of 1636	1708	打印机驱动安装.exe	28
PID 1708 wrote to memory of 1636	1708	打印机驱动安装.exe	28
PID 1708 wrote to memory of 1636	1708	打印机驱动安装.exe	28
PID 1708 wrote to memory of 1636	1708	打印机驱动安装.exe	28
PID 1708 wrote to memory of 984	1708	打印机驱动安装.exe	29
PID 1708 wrote to memory of 984	1708	打印机驱动安装.exe	29
PID 1708 wrote to memory of 984	1708	打印机驱动安装.exe	29
PID 1708 wrote to memory of 984	1708	打印机驱动安装.exe	29
PID 1708 wrote to memory of 2044	1708	打印机驱动安装.exe	31
PID 1708 wrote to memory of 2044	1708	打印机驱动安装.exe	31
PID 1708 wrote to memory of 2044	1708	打印机驱动安装.exe	31
PID 1708 wrote to memory of 2044	1708	打印机驱动安装.exe	31
PID 1708 wrote to memory of 1928	1708	打印机驱动安装.exe	33
PID 1708 wrote to memory of 1928	1708	打印机驱动安装.exe	33
PID 1708 wrote to memory of 1928	1708	打印机驱动安装.exe	33
PID 1708 wrote to memory of 1928	1708	打印机驱动安装.exe	33
PID 984 wrote to memory of 1632	984	net.exe	39
PID 984 wrote to memory of 1632	984	net.exe	39
PID 984 wrote to memory of 1632	984	net.exe	39
PID 984 wrote to memory of 1632	984	net.exe	39
PID 1928 wrote to memory of 1340	1928	net.exe	38
PID 1928 wrote to memory of 1340	1928	net.exe	38
PID 1928 wrote to memory of 1340	1928	net.exe	38
PID 1928 wrote to memory of 1340	1928	net.exe	38
PID 2044 wrote to memory of 2040	2044	net.exe	37
PID 2044 wrote to memory of 2040	2044	net.exe	37
PID 2044 wrote to memory of 2040	2044	net.exe	37
PID 2044 wrote to memory of 2040	2044	net.exe	37
PID 1636 wrote to memory of 1172	1636	net.exe	36
PID 1636 wrote to memory of 1172	1636	net.exe	36
PID 1636 wrote to memory of 1172	1636	net.exe	36
PID 1636 wrote to memory of 1172	1636	net.exe	36

C:\Users\Admin\AppData\Local\Temp\2b1e999cfe34313e80ecf20d81f69bf424c73607cbeed381eb5feceaaabde111.exe
"C:\Users\Admin\AppData\Local\Temp\2b1e999cfe34313e80ecf20d81f69bf424c73607cbeed381eb5feceaaabde111.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\XPrinter_58_76_Drv\打印机驱动安装.exe
  "C:\Users\Admin\AppData\Local\Temp\XPrinter_58_76_Drv\打印机驱动安装.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\net.exe
    net start spooler
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start spooler
      4⤵
      PID:1172
- - C:\Windows\SysWOW64\net.exe
    net start stisvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start stisvc
      4⤵
      PID:1632
- - C:\Windows\SysWOW64\net.exe
    net start DeviceInstall
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start DeviceInstall
      4⤵
      PID:2040
- - C:\Windows\SysWOW64\net.exe
    net start DsmSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start DsmSvc
      4⤵
      PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XPrinter_58_76_Drv\config.ini

Filesize
280B

MD5
8a0fa7b64d892e20a1545c66f9983db2

SHA1
b7fc646472a3f62927cde24ac8dcd2d8625dda85

SHA256
d2946a918dff1eb6f789bb60a42136d62ebc9aa32ef5cbc66ff7835a67b294d1

SHA512
deed86c7ef7bf1cfea3917d7c2264990b9166ca13620525efe8cdd1d627996425b0aaa1cb93a736f01961a7e6200ae74e4722851887f406cc1bb87a7d8f6c451

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPrinter_58_76_Drv\打印机驱动安装.exe

Filesize
1.2MB

MD5
60741dfbb32a6f407bfdc187656a2696

SHA1
ffbc58973fcf5e141eae966cb8a0a56098211366

SHA256
1fe2918fac6b55f7b7ab33791cd6492015aff7ccc1364b63d28ce2aa95136a83

SHA512
9041aa2437c4daeb06a2b2e62520e07d9a3dd325196bd81661332a33fe6eb6711491ecf34153c7fdd9c7998a32eb0cde7dda799749ac763621b8d2f1c422e93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPrinter_58_76_Drv\打印机驱动安装.exe

Filesize
1.2MB

MD5
60741dfbb32a6f407bfdc187656a2696

SHA1
ffbc58973fcf5e141eae966cb8a0a56098211366

SHA256
1fe2918fac6b55f7b7ab33791cd6492015aff7ccc1364b63d28ce2aa95136a83

SHA512
9041aa2437c4daeb06a2b2e62520e07d9a3dd325196bd81661332a33fe6eb6711491ecf34153c7fdd9c7998a32eb0cde7dda799749ac763621b8d2f1c422e93b

Download Submit
\Users\Admin\AppData\Local\Temp\XPrinter_58_76_Drv\打印机驱动安装.exe

Filesize
1.2MB

MD5
60741dfbb32a6f407bfdc187656a2696

SHA1
ffbc58973fcf5e141eae966cb8a0a56098211366

SHA256
1fe2918fac6b55f7b7ab33791cd6492015aff7ccc1364b63d28ce2aa95136a83

SHA512
9041aa2437c4daeb06a2b2e62520e07d9a3dd325196bd81661332a33fe6eb6711491ecf34153c7fdd9c7998a32eb0cde7dda799749ac763621b8d2f1c422e93b

Download Submit
memory/848-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/848-170-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads