Analysis
max time kernel: 30s
max time network: 32s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-06-2023 14:56
Behavioral task: behavioral1
Sample: 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe
Resource: win7-20230220-en (windows7-x64)
7 signatures
30 seconds
General
Target: 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe
Size: 65KB
MD5: 176b6e4649ccebe0f73d40146d0b7fa1
SHA1: 4941b675ed6aae118932f8ced2b1db3f52a6eab3
SHA256: 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d
SHA512: ac1b8b695c9c0b3afebf4b7277b638b1317399c2dc910b2cd26ae9e548dc684974ede9f3e14268dfda3ce901ee23ac74663a06386e403a652cca070ed557f78a
SSDEEP: 1536:1E1SjujsC8XANkPZgJkM8Ydwqo0fdWoz5I9lKcfc6hxRGS+w:mLjsXANkR/fkfdWolI9AiDZ
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  Process: chinesebuilder.exe
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (3 IoCs)
  Process: chinesebuilder.exe
    Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: chinesebuilder.exe
    pid 3784 chinesebuilder.exe
    pid 3784 chinesebuilder.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Process: 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe
    pid 2192 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe, chinesebuilder.exe
    PID 4676 wrote to memory of 2192 (process 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe, target process 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe)
    PID 4676 wrote to memory of 2192 (process 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe, target process 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe)
    PID 4676 wrote to memory of 2192 (process 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe, target process 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe)
    PID 5004 wrote to memory of 3784 (process chinesebuilder.exe, target process chinesebuilder.exe)
    PID 5004 wrote to memory of 3784 (process chinesebuilder.exe, target process chinesebuilder.exe)
    PID 5004 wrote to memory of 3784 (process chinesebuilder.exe, target process chinesebuilder.exe)
Processes (indentation shows parent/child depth; each entry gives the image path, then the command line, then the signatures that fired in that process)
- C:\Users\Admin\AppData\Local\Temp\47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe
    Command line: --3390afee
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\chinesebuilder.exe
  Command line: "C:\Windows\SysWOW64\chinesebuilder.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\chinesebuilder.exe
    Command line: --9b4e3320
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
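Turning the report into a hunt. The following is an added example, not part of the sandbox report or the sample's own code. It takes the indicators that are actually discriminating here (the three file hashes, the copy running from C:\Windows\SysWOW64\chinesebuilder.exe, and the pattern of a process launching its own image with a single "--" plus eight hex digits argument, which both halves of the tree above show) and runs them over process-creation telemetry. It deliberately does not key on the HKEY_USERS\.DEFAULT CachePrefix values or the INetCache/INetCookies/History.IE5 directories: those are WinINet's standard cache-container defaults, created the first time WinINet initialises inside the LocalSystem profile (config\systemprofile), so they show up for any WinINet-using program running as SYSTEM and mostly tell you the account the process ran under. Assumptions: the event shape (pid, ppid, image, cmdline, sha256) is a Sysmon event 1 style record chosen for the example; the parent of pid 5004, the hash of the dropped copy, and the benign explorer/notepad control events are constructed and are not in the report; generalising the relaunch marker from the two observed values (--3390afee, --9b4e3320) to any 8-hex-digit token is an assumption.

```python
import re
from dataclasses import dataclass

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "md5": "176b6e4649ccebe0f73d40146d0b7fa1",
    "sha1": "4941b675ed6aae118932f8ced2b1db3f52a6eab3",
    "sha256": "47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d",
}
DROPPED_IMAGE = r"c:\windows\syswow64\chinesebuilder.exe"

# Both self-relaunches in the report pass one "--" + 8 hex digit argument
# (--3390afee, --9b4e3320). Treating any such token as the relaunch marker is
# an assumption made for this example, not something the report states.
RELAUNCH_ARG = re.compile(r"^--[0-9a-f]{8}$")


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 shape, assumed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""


def classify(ev: ProcEvent) -> set:
    """Per-event indicator matches: known file hash, dropped image path."""
    tags = set()
    if ev.sha256.lower() == SAMPLE_HASHES["sha256"]:
        tags.add("known_hash")
    if ev.image.lower() == DROPPED_IMAGE:
        tags.add("dropped_image")
    return tags


def relaunch_chains(events):
    """(parent_pid, child_pid) pairs where a process spawned its own image
    with a --hex8 argument, as both halves of the report's process tree do."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None or parent.image.lower() != child.image.lower():
            continue
        # A plain split is enough: the marker is a bare token with no spaces,
        # and shlex would mangle the backslashes in Windows paths.
        if any(RELAUNCH_ARG.match(tok) for tok in child.cmdline.split()):
            chains.append((parent.pid, child.pid))
    return chains


def hunt(events):
    """Summarise every hit by pid so a responder can pivot from here."""
    hits = {"known_hash": [], "dropped_image": [],
            "relaunch_chains": relaunch_chains(events)}
    for ev in events:
        for tag in classify(ev):
            hits[tag].append(ev.pid)
    return hits


# Constructed telemetry mirroring the report's tree (pids 4676/2192 and
# 5004/3784) plus one benign explorer -> notepad pair as a control. The parent
# of 5004 (1000) and the missing hash on the dropped copy are placeholders.
SAMPLE_PATH = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
               + SAMPLE_HASHES["sha256"] + ".exe")
DROP_PATH = r"C:\Windows\SysWOW64\chinesebuilder.exe"
SAMPLE_EVENTS = [
    ProcEvent(4676, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"', SAMPLE_HASHES["sha256"]),
    ProcEvent(2192, 4676, SAMPLE_PATH, "--3390afee", SAMPLE_HASHES["sha256"]),
    ProcEvent(5004, 1000, DROP_PATH, f'"{DROP_PATH}"'),
    ProcEvent(3784, 5004, DROP_PATH, "--9b4e3320"),
    ProcEvent(6000, 1000, r"C:\Windows\explorer.exe", '"C:\\Windows\\explorer.exe"'),
    ProcEvent(6001, 6000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

On the constructed input this flags 4676 and 2192 by hash, 5004 and 3784 by the SysWOW64 path, and reports both self-relaunch chains while leaving the explorer/notepad pair alone. The three hashes cover only this exact 65KB file; the path and relaunch checks are what survive a rebuilt sample, and they are the ones worth keeping as queries.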