5436b335e7bd94178d6ba6a9d3e1b0d1d65ac84a5d36410792dd808e9691aa9d

Analysis

max time kernel
143s
max time network
145s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/08/2023, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CKC210/KuaiShouCookie.exe
Size

5.0MB
MD5

75017ed5b2ce20e69a88a8d42b704551
SHA1

21b511d55f4cffc74d1e20cc0e48c471f0ddf8b5
SHA256

9d3b383b331b3d5dc2b6a73c881c88e18424fefd455f7bdb969971f910c14d10
SHA512

c1920bada242445027e68cc469c7070e7ccd6fecba36c32b86f9d94e751e5bf7812ece7141dbe76b7b573bd19dc8cd362a20a54274d61336ffce461882eeb046
SSDEEP

49152:sVcK+w5sMtIaflPXUnf+8uyqao5wSceGDktpPF7IbzPDWvRH0YIBt3c7xhTetB1G:GtVPEfgyq8YPSbzbWvRtIBt3dtR

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Windows-BaseHttps-ks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Windows-BaseHttps-ks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Windows-BaseHttps-ks.exe

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Windows Service

T1543.003

pid	Process
592	netsh.exe
1628	netsh.exe
460	netsh.exe
2972	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
1144	Windows-BaseHttps-ks.exe
1500	localFliter.exe

Loads dropped DLL 6 IoCs

pid	Process
2292	KuaiShouCookie.exe
1144	Windows-BaseHttps-ks.exe
1144	Windows-BaseHttps-ks.exe
2792	Process not Found
1144	Windows-BaseHttps-ks.exe
1144	Windows-BaseHttps-ks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	6	Go-http-client/1.1
HTTP User-Agent header	9	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2292	KuaiShouCookie.exe
2292	KuaiShouCookie.exe
2292	KuaiShouCookie.exe
2292	KuaiShouCookie.exe
1144	Windows-BaseHttps-ks.exe
1144	Windows-BaseHttps-ks.exe
1144	Windows-BaseHttps-ks.exe
1144	Windows-BaseHttps-ks.exe
1144	Windows-BaseHttps-ks.exe
1144	Windows-BaseHttps-ks.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	KuaiShouCookie.exe
Token: SeDebugPrivilege	2292	KuaiShouCookie.exe
Token: SeDebugPrivilege	2292	KuaiShouCookie.exe
Token: SeDebugPrivilege	2292	KuaiShouCookie.exe
Token: SeDebugPrivilege	1144	Windows-BaseHttps-ks.exe
Token: SeDebugPrivilege	1144	Windows-BaseHttps-ks.exe
Token: SeDebugPrivilege	1144	Windows-BaseHttps-ks.exe
Token: SeDebugPrivilege	1144	Windows-BaseHttps-ks.exe
Token: SeDebugPrivilege	1144	Windows-BaseHttps-ks.exe
Token: SeDebugPrivilege	1144	Windows-BaseHttps-ks.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1144	2292	KuaiShouCookie.exe	28
PID 2292 wrote to memory of 1144	2292	KuaiShouCookie.exe	28
PID 2292 wrote to memory of 1144	2292	KuaiShouCookie.exe	28
PID 2292 wrote to memory of 1144	2292	KuaiShouCookie.exe	28
PID 2292 wrote to memory of 592	2292	KuaiShouCookie.exe	29
PID 2292 wrote to memory of 592	2292	KuaiShouCookie.exe	29
PID 2292 wrote to memory of 592	2292	KuaiShouCookie.exe	29
PID 2292 wrote to memory of 592	2292	KuaiShouCookie.exe	29
PID 2292 wrote to memory of 1628	2292	KuaiShouCookie.exe	32
PID 2292 wrote to memory of 1628	2292	KuaiShouCookie.exe	32
PID 2292 wrote to memory of 1628	2292	KuaiShouCookie.exe	32
PID 2292 wrote to memory of 1628	2292	KuaiShouCookie.exe	32
PID 1144 wrote to memory of 460	1144	Windows-BaseHttps-ks.exe	33
PID 1144 wrote to memory of 460	1144	Windows-BaseHttps-ks.exe	33
PID 1144 wrote to memory of 460	1144	Windows-BaseHttps-ks.exe	33
PID 1144 wrote to memory of 460	1144	Windows-BaseHttps-ks.exe	33
PID 1144 wrote to memory of 2972	1144	Windows-BaseHttps-ks.exe	35
PID 1144 wrote to memory of 2972	1144	Windows-BaseHttps-ks.exe	35
PID 1144 wrote to memory of 2972	1144	Windows-BaseHttps-ks.exe	35
PID 1144 wrote to memory of 2972	1144	Windows-BaseHttps-ks.exe	35
PID 1144 wrote to memory of 1272	1144	Windows-BaseHttps-ks.exe	37
PID 1144 wrote to memory of 1272	1144	Windows-BaseHttps-ks.exe	37
PID 1144 wrote to memory of 1272	1144	Windows-BaseHttps-ks.exe	37
PID 1144 wrote to memory of 1272	1144	Windows-BaseHttps-ks.exe	37
PID 1144 wrote to memory of 2304	1144	Windows-BaseHttps-ks.exe	39
PID 1144 wrote to memory of 2304	1144	Windows-BaseHttps-ks.exe	39
PID 1144 wrote to memory of 2304	1144	Windows-BaseHttps-ks.exe	39
PID 1144 wrote to memory of 2304	1144	Windows-BaseHttps-ks.exe	39
PID 1144 wrote to memory of 1512	1144	Windows-BaseHttps-ks.exe	40
PID 1144 wrote to memory of 1512	1144	Windows-BaseHttps-ks.exe	40
PID 1144 wrote to memory of 1512	1144	Windows-BaseHttps-ks.exe	40
PID 1144 wrote to memory of 1512	1144	Windows-BaseHttps-ks.exe	40
PID 1512 wrote to memory of 2164	1512	cmd.exe	43
PID 1512 wrote to memory of 2164	1512	cmd.exe	43
PID 1512 wrote to memory of 2164	1512	cmd.exe	43
PID 1512 wrote to memory of 2164	1512	cmd.exe	43
PID 2304 wrote to memory of 2280	2304	cmd.exe	44
PID 2304 wrote to memory of 2280	2304	cmd.exe	44
PID 2304 wrote to memory of 2280	2304	cmd.exe	44
PID 2304 wrote to memory of 2280	2304	cmd.exe	44
PID 1144 wrote to memory of 1500	1144	Windows-BaseHttps-ks.exe	45
PID 1144 wrote to memory of 1500	1144	Windows-BaseHttps-ks.exe	45
PID 1144 wrote to memory of 1500	1144	Windows-BaseHttps-ks.exe	45
PID 1144 wrote to memory of 1500	1144	Windows-BaseHttps-ks.exe	45

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Windows-BaseHttps-ks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Windows-BaseHttps-ks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Windows-BaseHttps-ks.exe

C:\Users\Admin\AppData\Local\Temp\CKC210\KuaiShouCookie.exe
"C:\Users\Admin\AppData\Local\Temp\CKC210\KuaiShouCookie.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows-Inter\Windows-BaseHttps-ks.exe
  C:\Windows-Inter\Windows-BaseHttps-ks.exe NewDirFirstRun 844
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1144
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule dir=in action=allow enable=yes name="Windows-BaseHttps-ks.exe" program="C:\Windows-Inter\Windows-BaseHttps-ks.exe"
    3⤵
    - Modifies Windows Firewall
    PID:460
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule dir=in action=allow enable=yes name="localFliter.exe" program="%~dp0localFliter.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2972
- - C:\Windows\SysWOW64\certutil.exe
    certutil -addstore -f Root C:\Windows-Inter\server.crt
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f >nul 2>nul "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
      4⤵
      PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "127.0.0.1:8089" /f >nul 2>nul "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "127.0.0.1:8089" /f
      4⤵
      PID:2164
- - C:\Windows-Inter\localFliter.exe
    C:\Windows-Inter\ addr 127.0.0.1:8089
    3⤵
    - Executes dropped EXE
    PID:1500
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule dir=in action=allow enable=yes name="KuaiShouCookie.exe" program="C:\Users\Admin\AppData\Local\Temp\CKC210\KuaiShouCookie.exe"
  2⤵
  - Modifies Windows Firewall
  PID:592
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule dir=in action=allow enable=yes name="localFliter.exe" program="%~dp0localFliter.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows-Inter\Windows-BaseHttps-ks.exe

Filesize
5.0MB

MD5
75017ed5b2ce20e69a88a8d42b704551

SHA1
21b511d55f4cffc74d1e20cc0e48c471f0ddf8b5

SHA256
9d3b383b331b3d5dc2b6a73c881c88e18424fefd455f7bdb969971f910c14d10

SHA512
c1920bada242445027e68cc469c7070e7ccd6fecba36c32b86f9d94e751e5bf7812ece7141dbe76b7b573bd19dc8cd362a20a54274d61336ffce461882eeb046

Download Submit
C:\Windows-Inter\ar.txt

Filesize
21KB

MD5
85e6427a1824675b0ef08a787f536946

SHA1
61791a04b2e0aa44cc21119bef3c68c37e5cd869

SHA256
693b1a47084b175386643d63da896203fe6885636f55058f171376f7fd184c12

SHA512
af9bd61f5eef5aef0bd4669f29cbfab84ef1bfddb80fe6a00a5831f0676d0289c1ec0c0bae9e4a023d5147d3aff14359d0ebc05a096bd962f9810edacb941816

Download Submit
C:\Windows-Inter\localFliter.exe

Filesize
13.6MB

MD5
d21c3019c3ca68ecd4498137c4c50779

SHA1
8624eb874d5d91869201e5647b5d72dff89e0534

SHA256
34cf1474832c9b4473c0dd813cebebe87adecc5dc9f01708efa712a8bb90941b

SHA512
654525cbefdd55874f7fa6494b238c9f7c60d798379ec3b44ddac18c8607de023f3222986c450d6485d47e05e3daae82aa06939bc02f1713fb4bac8d08428b0e

Download Submit
C:\Windows-Inter\localFliter.exe

Filesize
13.6MB

MD5
d21c3019c3ca68ecd4498137c4c50779

SHA1
8624eb874d5d91869201e5647b5d72dff89e0534

SHA256
34cf1474832c9b4473c0dd813cebebe87adecc5dc9f01708efa712a8bb90941b

SHA512
654525cbefdd55874f7fa6494b238c9f7c60d798379ec3b44ddac18c8607de023f3222986c450d6485d47e05e3daae82aa06939bc02f1713fb4bac8d08428b0e

Download Submit
C:\Windows-Inter\localconfig.ini

Filesize
687B

MD5
02a08126bdabb617143b6ca8df77509d

SHA1
0462da25134aad952bff346e254ca700c492a7ea

SHA256
3ebbc7dcab4b64d6f6a49ebaa53903feaf451a0f8f2bf3be970419f7fafd345c

SHA512
0727ff3e0b5ae3ee77efde9e9c8c919e37716b2a9441f71e6150ff7f282d07e68587c2877eb0fdd9d06940161bb089c4a3de4a1930b7eef060c42fcd46999c70

Download Submit
C:\Windows-Inter\server.crt

Filesize
1KB

MD5
0c656ab9a27948d585e63137f4c2e509

SHA1
e7263d031e418dc2cf62220942d0cf9cda9fc5f0

SHA256
65654713f161a38fdaf2277f225bddcb7c2d494271f3d550c7878317cdfe8e38

SHA512
65f22fe2532623e81583893d5d5ba87bef1b81e8bffae06b982e441a529f1e44631556dac8cbddcff190e6df7b035ba3ad61426a77a3f507e9329bd5275d83af

Download Submit
C:\Windows-Inter\server.key

Filesize
1KB

MD5
272159ffd4ed1398205d00169472c10e

SHA1
ae3e8016c67ca6d90f74bcafbc5e1edcd619d5b3

SHA256
df01dbd59d8190472f87caf609e425516ec551cfeab0bb10fdcbf01464929355

SHA512
e57ab4f7616ad3ab42c9de0e53dcbbdb985737afbdea8e68bf3551dabcafa33e58df544d4bed17d19d38fe740c557ad33b4b51fc262131fd2bd2ad6f0cd16100

Download Submit
\Windows-Inter\Windows-BaseHttps-ks.exe

Filesize
5.0MB

MD5
75017ed5b2ce20e69a88a8d42b704551

SHA1
21b511d55f4cffc74d1e20cc0e48c471f0ddf8b5

SHA256
9d3b383b331b3d5dc2b6a73c881c88e18424fefd455f7bdb969971f910c14d10

SHA512
c1920bada242445027e68cc469c7070e7ccd6fecba36c32b86f9d94e751e5bf7812ece7141dbe76b7b573bd19dc8cd362a20a54274d61336ffce461882eeb046

Download Submit
\Windows-Inter\localFliter.exe

Filesize
13.6MB

MD5
d21c3019c3ca68ecd4498137c4c50779

SHA1
8624eb874d5d91869201e5647b5d72dff89e0534

SHA256
34cf1474832c9b4473c0dd813cebebe87adecc5dc9f01708efa712a8bb90941b

SHA512
654525cbefdd55874f7fa6494b238c9f7c60d798379ec3b44ddac18c8607de023f3222986c450d6485d47e05e3daae82aa06939bc02f1713fb4bac8d08428b0e

Download Submit
\Windows-Inter\localFliter.exe

Filesize
13.6MB

MD5
d21c3019c3ca68ecd4498137c4c50779

SHA1
8624eb874d5d91869201e5647b5d72dff89e0534

SHA256
34cf1474832c9b4473c0dd813cebebe87adecc5dc9f01708efa712a8bb90941b

SHA512
654525cbefdd55874f7fa6494b238c9f7c60d798379ec3b44ddac18c8607de023f3222986c450d6485d47e05e3daae82aa06939bc02f1713fb4bac8d08428b0e

Download Submit
\Windows-Inter\localFliter.exe

Filesize
13.6MB

MD5
d21c3019c3ca68ecd4498137c4c50779

SHA1
8624eb874d5d91869201e5647b5d72dff89e0534

SHA256
34cf1474832c9b4473c0dd813cebebe87adecc5dc9f01708efa712a8bb90941b

SHA512
654525cbefdd55874f7fa6494b238c9f7c60d798379ec3b44ddac18c8607de023f3222986c450d6485d47e05e3daae82aa06939bc02f1713fb4bac8d08428b0e

Download Submit
\Windows-Inter\localFliter.exe

Filesize
13.6MB

MD5
d21c3019c3ca68ecd4498137c4c50779

SHA1
8624eb874d5d91869201e5647b5d72dff89e0534

SHA256
34cf1474832c9b4473c0dd813cebebe87adecc5dc9f01708efa712a8bb90941b

SHA512
654525cbefdd55874f7fa6494b238c9f7c60d798379ec3b44ddac18c8607de023f3222986c450d6485d47e05e3daae82aa06939bc02f1713fb4bac8d08428b0e

Download Submit
\Windows-Inter\localFliter.exe

Filesize
13.6MB

MD5
d21c3019c3ca68ecd4498137c4c50779

SHA1
8624eb874d5d91869201e5647b5d72dff89e0534

SHA256
34cf1474832c9b4473c0dd813cebebe87adecc5dc9f01708efa712a8bb90941b

SHA512
654525cbefdd55874f7fa6494b238c9f7c60d798379ec3b44ddac18c8607de023f3222986c450d6485d47e05e3daae82aa06939bc02f1713fb4bac8d08428b0e

Download Submit
memory/1144-84-0x0000000000A40000-0x0000000000A49000-memory.dmp

Filesize
36KB

Download
memory/1144-85-0x0000000000A40000-0x0000000000A49000-memory.dmp

Filesize
36KB

Download
memory/1144-78-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1144-95-0x0000000000400000-0x000000000091B000-memory.dmp

Filesize
5.1MB

Download
memory/1144-96-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1144-104-0x0000000000400000-0x000000000091B000-memory.dmp

Filesize
5.1MB

Download
memory/2292-79-0x0000000000400000-0x000000000091B000-memory.dmp

Filesize
5.1MB

Download
memory/2292-71-0x0000000000BD0000-0x0000000000BD9000-memory.dmp

Filesize
36KB

Download
memory/2292-53-0x0000000000400000-0x000000000091B000-memory.dmp

Filesize
5.1MB

Download
memory/2292-70-0x0000000000BD0000-0x0000000000BD9000-memory.dmp

Filesize
36KB

Download
memory/2292-54-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download