Analysis

  • max time kernel: 143s
  • max time network: 157s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230703-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 18/08/2023, 03:46

General

  • Target: CKC210/KuaiShouCookie.exe
  • Size: 5.0MB
  • MD5: 75017ed5b2ce20e69a88a8d42b704551
  • SHA1: 21b511d55f4cffc74d1e20cc0e48c471f0ddf8b5
  • SHA256: 9d3b383b331b3d5dc2b6a73c881c88e18424fefd455f7bdb969971f910c14d10
  • SHA512: c1920bada242445027e68cc469c7070e7ccd6fecba36c32b86f9d94e751e5bf7812ece7141dbe76b7b573bd19dc8cd362a20a54274d61336ffce461882eeb046
  • SSDEEP: 49152:sVcK+w5sMtIaflPXUnf+8uyqao5wSceGDktpPF7IbzPDWvRH0YIBt3c7xhTetB1G:GtVPEfgyq8YPSbzbWvRtIBt3dtR

Score
10/10

Signatures

  • UAC bypass (3 TTPs, 3 IoCs)
  • Modifies Windows Firewall (1 TTP, 4 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • GoLang User-Agent (2 IoCs)
    Uses default user-agent string defined by GoLang HTTP packages.
  • Suspicious behavior: EnumeratesProcesses (20 IoCs)
  • Suspicious use of AdjustPrivilegeToken (10 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)
  • System policy modification (1 TTP, 3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\CKC210\KuaiShouCookie.exe
    "C:\Users\Admin\AppData\Local\Temp\CKC210\KuaiShouCookie.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Windows-Inter\Windows-BaseHttps-ks.exe
      C:\Windows-Inter\Windows-BaseHttps-ks.exe NewDirFirstRun 1428
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2184
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule dir=in action=allow enable=yes name="Windows-BaseHttps-ks.exe" program="C:\Windows-Inter\Windows-BaseHttps-ks.exe"
        3⤵
        • Modifies Windows Firewall
        PID:4976
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule dir=in action=allow enable=yes name="localFliter.exe" program="%~dp0localFliter.exe"
        3⤵
        • Modifies Windows Firewall
        PID:2372
      • C:\Windows\SysWOW64\certutil.exe
        certutil -addstore -f Root C:\Windows-Inter\server.crt
        3⤵
        PID:4716
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f >nul 2>nul "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3636
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
          4⤵
          PID:4080
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "127.0.0.1:8089" /f >nul 2>nul "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:376
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "127.0.0.1:8089" /f
          4⤵
          PID:2172
      • C:\Windows-Inter\localFliter.exe
        C:\Windows-Inter\ addr 127.0.0.1:8089
        3⤵
        • Executes dropped EXE
        PID:3740
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule dir=in action=allow enable=yes name="KuaiShouCookie.exe" program="C:\Users\Admin\AppData\Local\Temp\CKC210\KuaiShouCookie.exe"
      2⤵
      • Modifies Windows Firewall
      PID:4456
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule dir=in action=allow enable=yes name="localFliter.exe" program="%~dp0localFliter.exe"
      2⤵
      • Modifies Windows Firewall
      PID:1236

Downloads

  • C:\Windows-Inter\Windows-BaseHttps-ks.exe
    Filesize: 5.0MB
    MD5: 75017ed5b2ce20e69a88a8d42b704551
    SHA1: 21b511d55f4cffc74d1e20cc0e48c471f0ddf8b5
    SHA256: 9d3b383b331b3d5dc2b6a73c881c88e18424fefd455f7bdb969971f910c14d10
    SHA512: c1920bada242445027e68cc469c7070e7ccd6fecba36c32b86f9d94e751e5bf7812ece7141dbe76b7b573bd19dc8cd362a20a54274d61336ffce461882eeb046

  • C:\Windows-Inter\ar.txt
    Filesize: 21KB
    MD5: 85e6427a1824675b0ef08a787f536946
    SHA1: 61791a04b2e0aa44cc21119bef3c68c37e5cd869
    SHA256: 693b1a47084b175386643d63da896203fe6885636f55058f171376f7fd184c12
    SHA512: af9bd61f5eef5aef0bd4669f29cbfab84ef1bfddb80fe6a00a5831f0676d0289c1ec0c0bae9e4a023d5147d3aff14359d0ebc05a096bd962f9810edacb941816

  • C:\Windows-Inter\localFliter.exe
    Filesize: 13.6MB
    MD5: d21c3019c3ca68ecd4498137c4c50779
    SHA1: 8624eb874d5d91869201e5647b5d72dff89e0534
    SHA256: 34cf1474832c9b4473c0dd813cebebe87adecc5dc9f01708efa712a8bb90941b
    SHA512: 654525cbefdd55874f7fa6494b238c9f7c60d798379ec3b44ddac18c8607de023f3222986c450d6485d47e05e3daae82aa06939bc02f1713fb4bac8d08428b0e

  • C:\Windows-Inter\localconfig.ini
    Filesize: 687B
    MD5: 02a08126bdabb617143b6ca8df77509d
    SHA1: 0462da25134aad952bff346e254ca700c492a7ea
    SHA256: 3ebbc7dcab4b64d6f6a49ebaa53903feaf451a0f8f2bf3be970419f7fafd345c
    SHA512: 0727ff3e0b5ae3ee77efde9e9c8c919e37716b2a9441f71e6150ff7f282d07e68587c2877eb0fdd9d06940161bb089c4a3de4a1930b7eef060c42fcd46999c70

  • C:\Windows-Inter\server.crt
    Filesize: 1KB
    MD5: 0c656ab9a27948d585e63137f4c2e509
    SHA1: e7263d031e418dc2cf62220942d0cf9cda9fc5f0
    SHA256: 65654713f161a38fdaf2277f225bddcb7c2d494271f3d550c7878317cdfe8e38
    SHA512: 65f22fe2532623e81583893d5d5ba87bef1b81e8bffae06b982e441a529f1e44631556dac8cbddcff190e6df7b035ba3ad61426a77a3f507e9329bd5275d83af

  • C:\Windows-Inter\server.key
    Filesize: 1KB
    MD5: 272159ffd4ed1398205d00169472c10e
    SHA1: ae3e8016c67ca6d90f74bcafbc5e1edcd619d5b3
    SHA256: df01dbd59d8190472f87caf609e425516ec551cfeab0bb10fdcbf01464929355
    SHA512: e57ab4f7616ad3ab42c9de0e53dcbbdb985737afbdea8e68bf3551dabcafa33e58df544d4bed17d19d38fe740c557ad33b4b51fc262131fd2bd2ad6f0cd16100

  • memory/2184-156-0x0000000000A30000-0x0000000000A31000-memory.dmp (Filesize: 4KB)
  • memory/2184-162-0x0000000003450000-0x0000000003459000-memory.dmp (Filesize: 36KB)
  • memory/2184-163-0x0000000003450000-0x0000000003459000-memory.dmp (Filesize: 36KB)
  • memory/2184-170-0x0000000000A30000-0x0000000000A31000-memory.dmp (Filesize: 4KB)
  • memory/2184-171-0x0000000000400000-0x000000000091B000-memory.dmp (Filesize: 5.1MB)
  • memory/2184-177-0x0000000000400000-0x000000000091B000-memory.dmp (Filesize: 5.1MB)
  • memory/4656-133-0x0000000000400000-0x000000000091B000-memory.dmp (Filesize: 5.1MB)
  • memory/4656-150-0x00000000035D0000-0x00000000035D9000-memory.dmp (Filesize: 36KB)
  • memory/4656-157-0x0000000000400000-0x000000000091B000-memory.dmp (Filesize: 5.1MB)
  • memory/4656-134-0x0000000002A70000-0x0000000002A71000-memory.dmp (Filesize: 4KB)
  • memory/4656-151-0x00000000035D0000-0x00000000035D9000-memory.dmp (Filesize: 36KB)