Analysis
Max time kernel: 143s
Max time network: 157s
Platform: windows10-2004_x64
Resource: win10v2004-20230703-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18/08/2023, 03:46
Static task: static1
Behavioral task behavioral1: sample CKC210/KuaiShouCookie.exe, resource win7-20230712-en
Behavioral task behavioral2: sample CKC210/KuaiShouCookie.exe, resource win10v2004-20230703-en
Behavioral task behavioral3: sample CKC210/localFliter.exe, resource win7-20230712-en
Behavioral task behavioral4: sample CKC210/localFliter.exe, resource win10v2004-20230703-en
General
Target: CKC210/KuaiShouCookie.exe
Size: 5.0MB
MD5: 75017ed5b2ce20e69a88a8d42b704551
SHA1: 21b511d55f4cffc74d1e20cc0e48c471f0ddf8b5
SHA256: 9d3b383b331b3d5dc2b6a73c881c88e18424fefd455f7bdb969971f910c14d10
SHA512: c1920bada242445027e68cc469c7070e7ccd6fecba36c32b86f9d94e751e5bf7812ece7141dbe76b7b573bd19dc8cd362a20a54274d61336ffce461882eeb046
SSDEEP: 49152:sVcK+w5sMtIaflPXUnf+8uyqao5wSceGDktpPF7IbzPDWvRH0YIBt3c7xhTetB1G:GtVPEfgyq8YPSbzbWvRtIBt3dtR
Malware Config
Signatures
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Windows-BaseHttps-ks.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Windows-BaseHttps-ks.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Windows-BaseHttps-ks.exe
Modifies Windows Firewall 1 TTPs 4 IoCs
pid | Process
1236 | netsh.exe
4976 | netsh.exe
2372 | netsh.exe
4456 | netsh.exe
Executes dropped EXE 2 IoCs
pid | Process
2184 | Windows-BaseHttps-ks.exe
3740 | localFliter.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description | flow | ioc
HTTP User-Agent header | 43 | Go-http-client/1.1
HTTP User-Agent header | 37 | Go-http-client/1.1
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
4656 | KuaiShouCookie.exe (8 events)
2184 | Windows-BaseHttps-ks.exe (12 events)
Suspicious use of AdjustPrivilegeToken 10 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4656 | KuaiShouCookie.exe (4 events)
Token: SeDebugPrivilege | 2184 | Windows-BaseHttps-ks.exe (6 events)
Suspicious use of WriteProcessMemory 32 IoCs
description | pid | Process | procid_target
PID 4656 wrote to memory of 2184 | 4656 | KuaiShouCookie.exe | 82 (3 events)
PID 4656 wrote to memory of 4456 | 4656 | KuaiShouCookie.exe | 83 (3 events)
PID 4656 wrote to memory of 1236 | 4656 | KuaiShouCookie.exe | 84 (3 events)
PID 2184 wrote to memory of 4976 | 2184 | Windows-BaseHttps-ks.exe | 87 (3 events)
PID 2184 wrote to memory of 2372 | 2184 | Windows-BaseHttps-ks.exe | 88 (3 events)
PID 2184 wrote to memory of 4716 | 2184 | Windows-BaseHttps-ks.exe | 96 (3 events)
PID 2184 wrote to memory of 3636 | 2184 | Windows-BaseHttps-ks.exe | 98 (3 events)
PID 2184 wrote to memory of 376 | 2184 | Windows-BaseHttps-ks.exe | 99 (3 events)
PID 376 wrote to memory of 2172 | 376 | cmd.exe | 103 (3 events)
PID 3636 wrote to memory of 4080 | 3636 | cmd.exe | 102 (3 events)
PID 2184 wrote to memory of 3740 | 2184 | Windows-BaseHttps-ks.exe | 104 (2 events)
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Windows-BaseHttps-ks.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Windows-BaseHttps-ks.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Windows-BaseHttps-ks.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\CKC210\KuaiShouCookie.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CKC210\KuaiShouCookie.exe"
    PID: 4656
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    (depth 2) C:\Windows-Inter\Windows-BaseHttps-ks.exe
        Command line: C:\Windows-Inter\Windows-BaseHttps-ks.exe NewDirFirstRun 1428
        PID: 2184
        Signatures: UAC bypass; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
        (depth 3) C:\Windows\SysWOW64\netsh.exe
            Command line: netsh advfirewall firewall add rule dir=in action=allow enable=yes name="Windows-BaseHttps-ks.exe" program="C:\Windows-Inter\Windows-BaseHttps-ks.exe"
            PID: 4976
            Signatures: Modifies Windows Firewall
        (depth 3) C:\Windows\SysWOW64\netsh.exe
            Command line: netsh advfirewall firewall add rule dir=in action=allow enable=yes name="localFliter.exe" program="%~dp0localFliter.exe"
            PID: 2372
            Signatures: Modifies Windows Firewall
        (depth 3) C:\Windows\SysWOW64\certutil.exe
            Command line: certutil -addstore -f Root C:\Windows-Inter\server.crt
            PID: 4716
        (depth 3) C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f >nul 2>nul "
            PID: 3636
            Signatures: Suspicious use of WriteProcessMemory
            (depth 4) C:\Windows\SysWOW64\reg.exe
                Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
                PID: 4080
        (depth 3) C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "127.0.0.1:8089" /f >nul 2>nul "
            PID: 376
            Signatures: Suspicious use of WriteProcessMemory
            (depth 4) C:\Windows\SysWOW64\reg.exe
                Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "127.0.0.1:8089" /f
                PID: 2172
        (depth 3) C:\Windows-Inter\localFliter.exe
            Command line: C:\Windows-Inter\ addr 127.0.0.1:8089
            PID: 3740
            Signatures: Executes dropped EXE
    (depth 2) C:\Windows\SysWOW64\netsh.exe
        Command line: netsh advfirewall firewall add rule dir=in action=allow enable=yes name="KuaiShouCookie.exe" program="C:\Users\Admin\AppData\Local\Temp\CKC210\KuaiShouCookie.exe"
        PID: 4456
        Signatures: Modifies Windows Firewall
    (depth 2) C:\Windows\SysWOW64\netsh.exe
        Command line: netsh advfirewall firewall add rule dir=in action=allow enable=yes name="localFliter.exe" program="%~dp0localFliter.exe"
        PID: 1236
        Signatures: Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Downloads
File 1
    Filesize: 5.0MB
    MD5: 75017ed5b2ce20e69a88a8d42b704551
    SHA1: 21b511d55f4cffc74d1e20cc0e48c471f0ddf8b5
    SHA256: 9d3b383b331b3d5dc2b6a73c881c88e18424fefd455f7bdb969971f910c14d10
    SHA512: c1920bada242445027e68cc469c7070e7ccd6fecba36c32b86f9d94e751e5bf7812ece7141dbe76b7b573bd19dc8cd362a20a54274d61336ffce461882eeb046
File 2
    Filesize: 21KB
    MD5: 85e6427a1824675b0ef08a787f536946
    SHA1: 61791a04b2e0aa44cc21119bef3c68c37e5cd869
    SHA256: 693b1a47084b175386643d63da896203fe6885636f55058f171376f7fd184c12
    SHA512: af9bd61f5eef5aef0bd4669f29cbfab84ef1bfddb80fe6a00a5831f0676d0289c1ec0c0bae9e4a023d5147d3aff14359d0ebc05a096bd962f9810edacb941816
File 3
    Filesize: 13.6MB
    MD5: d21c3019c3ca68ecd4498137c4c50779
    SHA1: 8624eb874d5d91869201e5647b5d72dff89e0534
    SHA256: 34cf1474832c9b4473c0dd813cebebe87adecc5dc9f01708efa712a8bb90941b
    SHA512: 654525cbefdd55874f7fa6494b238c9f7c60d798379ec3b44ddac18c8607de023f3222986c450d6485d47e05e3daae82aa06939bc02f1713fb4bac8d08428b0e
File 4
    Filesize: 13.6MB
    MD5: d21c3019c3ca68ecd4498137c4c50779
    SHA1: 8624eb874d5d91869201e5647b5d72dff89e0534
    SHA256: 34cf1474832c9b4473c0dd813cebebe87adecc5dc9f01708efa712a8bb90941b
    SHA512: 654525cbefdd55874f7fa6494b238c9f7c60d798379ec3b44ddac18c8607de023f3222986c450d6485d47e05e3daae82aa06939bc02f1713fb4bac8d08428b0e
File 5
    Filesize: 687B
    MD5: 02a08126bdabb617143b6ca8df77509d
    SHA1: 0462da25134aad952bff346e254ca700c492a7ea
    SHA256: 3ebbc7dcab4b64d6f6a49ebaa53903feaf451a0f8f2bf3be970419f7fafd345c
    SHA512: 0727ff3e0b5ae3ee77efde9e9c8c919e37716b2a9441f71e6150ff7f282d07e68587c2877eb0fdd9d06940161bb089c4a3de4a1930b7eef060c42fcd46999c70
File 6
    Filesize: 1KB
    MD5: 0c656ab9a27948d585e63137f4c2e509
    SHA1: e7263d031e418dc2cf62220942d0cf9cda9fc5f0
    SHA256: 65654713f161a38fdaf2277f225bddcb7c2d494271f3d550c7878317cdfe8e38
    SHA512: 65f22fe2532623e81583893d5d5ba87bef1b81e8bffae06b982e441a529f1e44631556dac8cbddcff190e6df7b035ba3ad61426a77a3f507e9329bd5275d83af
File 7
    Filesize: 1KB
    MD5: 272159ffd4ed1398205d00169472c10e
    SHA1: ae3e8016c67ca6d90f74bcafbc5e1edcd619d5b3
    SHA256: df01dbd59d8190472f87caf609e425516ec551cfeab0bb10fdcbf01464929355
    SHA512: e57ab4f7616ad3ab42c9de0e53dcbbdb985737afbdea8e68bf3551dabcafa33e58df544d4bed17d19d38fe740c557ad33b4b51fc262131fd2bd2ad6f0cd16100