5436b335e7bd94178d6ba6a9d3e1b0d1d65ac84a5d36410792dd808e9691aa9d

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2023, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CKC210/KuaiShouCookie.exe
Size

5.0MB
MD5

75017ed5b2ce20e69a88a8d42b704551
SHA1

21b511d55f4cffc74d1e20cc0e48c471f0ddf8b5
SHA256

9d3b383b331b3d5dc2b6a73c881c88e18424fefd455f7bdb969971f910c14d10
SHA512

c1920bada242445027e68cc469c7070e7ccd6fecba36c32b86f9d94e751e5bf7812ece7141dbe76b7b573bd19dc8cd362a20a54274d61336ffce461882eeb046
SSDEEP

49152:sVcK+w5sMtIaflPXUnf+8uyqao5wSceGDktpPF7IbzPDWvRH0YIBt3c7xhTetB1G:GtVPEfgyq8YPSbzbWvRtIBt3dtR

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Windows-BaseHttps-ks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Windows-BaseHttps-ks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Windows-BaseHttps-ks.exe

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Windows Service

T1543.003

pid	Process
1236	netsh.exe
4976	netsh.exe
2372	netsh.exe
4456	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2184	Windows-BaseHttps-ks.exe
3740	localFliter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	43	Go-http-client/1.1
HTTP User-Agent header	37	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4656	KuaiShouCookie.exe
4656	KuaiShouCookie.exe
4656	KuaiShouCookie.exe
4656	KuaiShouCookie.exe
4656	KuaiShouCookie.exe
4656	KuaiShouCookie.exe
4656	KuaiShouCookie.exe
4656	KuaiShouCookie.exe
2184	Windows-BaseHttps-ks.exe
2184	Windows-BaseHttps-ks.exe
2184	Windows-BaseHttps-ks.exe
2184	Windows-BaseHttps-ks.exe
2184	Windows-BaseHttps-ks.exe
2184	Windows-BaseHttps-ks.exe
2184	Windows-BaseHttps-ks.exe
2184	Windows-BaseHttps-ks.exe
2184	Windows-BaseHttps-ks.exe
2184	Windows-BaseHttps-ks.exe
2184	Windows-BaseHttps-ks.exe
2184	Windows-BaseHttps-ks.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4656	KuaiShouCookie.exe
Token: SeDebugPrivilege	4656	KuaiShouCookie.exe
Token: SeDebugPrivilege	4656	KuaiShouCookie.exe
Token: SeDebugPrivilege	4656	KuaiShouCookie.exe
Token: SeDebugPrivilege	2184	Windows-BaseHttps-ks.exe
Token: SeDebugPrivilege	2184	Windows-BaseHttps-ks.exe
Token: SeDebugPrivilege	2184	Windows-BaseHttps-ks.exe
Token: SeDebugPrivilege	2184	Windows-BaseHttps-ks.exe
Token: SeDebugPrivilege	2184	Windows-BaseHttps-ks.exe
Token: SeDebugPrivilege	2184	Windows-BaseHttps-ks.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 2184	4656	KuaiShouCookie.exe	82
PID 4656 wrote to memory of 2184	4656	KuaiShouCookie.exe	82
PID 4656 wrote to memory of 2184	4656	KuaiShouCookie.exe	82
PID 4656 wrote to memory of 4456	4656	KuaiShouCookie.exe	83
PID 4656 wrote to memory of 4456	4656	KuaiShouCookie.exe	83
PID 4656 wrote to memory of 4456	4656	KuaiShouCookie.exe	83
PID 4656 wrote to memory of 1236	4656	KuaiShouCookie.exe	84
PID 4656 wrote to memory of 1236	4656	KuaiShouCookie.exe	84
PID 4656 wrote to memory of 1236	4656	KuaiShouCookie.exe	84
PID 2184 wrote to memory of 4976	2184	Windows-BaseHttps-ks.exe	87
PID 2184 wrote to memory of 4976	2184	Windows-BaseHttps-ks.exe	87
PID 2184 wrote to memory of 4976	2184	Windows-BaseHttps-ks.exe	87
PID 2184 wrote to memory of 2372	2184	Windows-BaseHttps-ks.exe	88
PID 2184 wrote to memory of 2372	2184	Windows-BaseHttps-ks.exe	88
PID 2184 wrote to memory of 2372	2184	Windows-BaseHttps-ks.exe	88
PID 2184 wrote to memory of 4716	2184	Windows-BaseHttps-ks.exe	96
PID 2184 wrote to memory of 4716	2184	Windows-BaseHttps-ks.exe	96
PID 2184 wrote to memory of 4716	2184	Windows-BaseHttps-ks.exe	96
PID 2184 wrote to memory of 3636	2184	Windows-BaseHttps-ks.exe	98
PID 2184 wrote to memory of 3636	2184	Windows-BaseHttps-ks.exe	98
PID 2184 wrote to memory of 3636	2184	Windows-BaseHttps-ks.exe	98
PID 2184 wrote to memory of 376	2184	Windows-BaseHttps-ks.exe	99
PID 2184 wrote to memory of 376	2184	Windows-BaseHttps-ks.exe	99
PID 2184 wrote to memory of 376	2184	Windows-BaseHttps-ks.exe	99
PID 376 wrote to memory of 2172	376	cmd.exe	103
PID 376 wrote to memory of 2172	376	cmd.exe	103
PID 376 wrote to memory of 2172	376	cmd.exe	103
PID 3636 wrote to memory of 4080	3636	cmd.exe	102
PID 3636 wrote to memory of 4080	3636	cmd.exe	102
PID 3636 wrote to memory of 4080	3636	cmd.exe	102
PID 2184 wrote to memory of 3740	2184	Windows-BaseHttps-ks.exe	104
PID 2184 wrote to memory of 3740	2184	Windows-BaseHttps-ks.exe	104

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Windows-BaseHttps-ks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Windows-BaseHttps-ks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Windows-BaseHttps-ks.exe

C:\Users\Admin\AppData\Local\Temp\CKC210\KuaiShouCookie.exe
"C:\Users\Admin\AppData\Local\Temp\CKC210\KuaiShouCookie.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows-Inter\Windows-BaseHttps-ks.exe
  C:\Windows-Inter\Windows-BaseHttps-ks.exe NewDirFirstRun 1428
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2184
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule dir=in action=allow enable=yes name="Windows-BaseHttps-ks.exe" program="C:\Windows-Inter\Windows-BaseHttps-ks.exe"
    3⤵
    - Modifies Windows Firewall
    PID:4976
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule dir=in action=allow enable=yes name="localFliter.exe" program="%~dp0localFliter.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2372
- - C:\Windows\SysWOW64\certutil.exe
    certutil -addstore -f Root C:\Windows-Inter\server.crt
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f >nul 2>nul "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
      4⤵
      PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "127.0.0.1:8089" /f >nul 2>nul "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "127.0.0.1:8089" /f
      4⤵
      PID:2172
- - C:\Windows-Inter\localFliter.exe
    C:\Windows-Inter\ addr 127.0.0.1:8089
    3⤵
    - Executes dropped EXE
    PID:3740
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule dir=in action=allow enable=yes name="KuaiShouCookie.exe" program="C:\Users\Admin\AppData\Local\Temp\CKC210\KuaiShouCookie.exe"
  2⤵
  - Modifies Windows Firewall
  PID:4456
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule dir=in action=allow enable=yes name="localFliter.exe" program="%~dp0localFliter.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows-Inter\Windows-BaseHttps-ks.exe

Filesize
5.0MB

MD5
75017ed5b2ce20e69a88a8d42b704551

SHA1
21b511d55f4cffc74d1e20cc0e48c471f0ddf8b5

SHA256
9d3b383b331b3d5dc2b6a73c881c88e18424fefd455f7bdb969971f910c14d10

SHA512
c1920bada242445027e68cc469c7070e7ccd6fecba36c32b86f9d94e751e5bf7812ece7141dbe76b7b573bd19dc8cd362a20a54274d61336ffce461882eeb046

Download Submit
C:\Windows-Inter\ar.txt

Filesize
21KB

MD5
85e6427a1824675b0ef08a787f536946

SHA1
61791a04b2e0aa44cc21119bef3c68c37e5cd869

SHA256
693b1a47084b175386643d63da896203fe6885636f55058f171376f7fd184c12

SHA512
af9bd61f5eef5aef0bd4669f29cbfab84ef1bfddb80fe6a00a5831f0676d0289c1ec0c0bae9e4a023d5147d3aff14359d0ebc05a096bd962f9810edacb941816

Download Submit
C:\Windows-Inter\localFliter.exe

Filesize
13.6MB

MD5
d21c3019c3ca68ecd4498137c4c50779

SHA1
8624eb874d5d91869201e5647b5d72dff89e0534

SHA256
34cf1474832c9b4473c0dd813cebebe87adecc5dc9f01708efa712a8bb90941b

SHA512
654525cbefdd55874f7fa6494b238c9f7c60d798379ec3b44ddac18c8607de023f3222986c450d6485d47e05e3daae82aa06939bc02f1713fb4bac8d08428b0e

Download Submit
C:\Windows-Inter\localFliter.exe

Filesize
13.6MB

MD5
d21c3019c3ca68ecd4498137c4c50779

SHA1
8624eb874d5d91869201e5647b5d72dff89e0534

SHA256
34cf1474832c9b4473c0dd813cebebe87adecc5dc9f01708efa712a8bb90941b

SHA512
654525cbefdd55874f7fa6494b238c9f7c60d798379ec3b44ddac18c8607de023f3222986c450d6485d47e05e3daae82aa06939bc02f1713fb4bac8d08428b0e

Download Submit
C:\Windows-Inter\localconfig.ini

Filesize
687B

MD5
02a08126bdabb617143b6ca8df77509d

SHA1
0462da25134aad952bff346e254ca700c492a7ea

SHA256
3ebbc7dcab4b64d6f6a49ebaa53903feaf451a0f8f2bf3be970419f7fafd345c

SHA512
0727ff3e0b5ae3ee77efde9e9c8c919e37716b2a9441f71e6150ff7f282d07e68587c2877eb0fdd9d06940161bb089c4a3de4a1930b7eef060c42fcd46999c70

Download Submit
C:\Windows-Inter\server.crt

Filesize
1KB

MD5
0c656ab9a27948d585e63137f4c2e509

SHA1
e7263d031e418dc2cf62220942d0cf9cda9fc5f0

SHA256
65654713f161a38fdaf2277f225bddcb7c2d494271f3d550c7878317cdfe8e38

SHA512
65f22fe2532623e81583893d5d5ba87bef1b81e8bffae06b982e441a529f1e44631556dac8cbddcff190e6df7b035ba3ad61426a77a3f507e9329bd5275d83af

Download Submit
C:\Windows-Inter\server.key

Filesize
1KB

MD5
272159ffd4ed1398205d00169472c10e

SHA1
ae3e8016c67ca6d90f74bcafbc5e1edcd619d5b3

SHA256
df01dbd59d8190472f87caf609e425516ec551cfeab0bb10fdcbf01464929355

SHA512
e57ab4f7616ad3ab42c9de0e53dcbbdb985737afbdea8e68bf3551dabcafa33e58df544d4bed17d19d38fe740c557ad33b4b51fc262131fd2bd2ad6f0cd16100

Download Submit
memory/2184-156-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2184-162-0x0000000003450000-0x0000000003459000-memory.dmp

Filesize
36KB

Download
memory/2184-163-0x0000000003450000-0x0000000003459000-memory.dmp

Filesize
36KB

Download
memory/2184-170-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2184-171-0x0000000000400000-0x000000000091B000-memory.dmp

Filesize
5.1MB

Download
memory/2184-177-0x0000000000400000-0x000000000091B000-memory.dmp

Filesize
5.1MB

Download
memory/4656-133-0x0000000000400000-0x000000000091B000-memory.dmp

Filesize
5.1MB

Download
memory/4656-150-0x00000000035D0000-0x00000000035D9000-memory.dmp

Filesize
36KB

Download
memory/4656-157-0x0000000000400000-0x000000000091B000-memory.dmp

Filesize
5.1MB

Download
memory/4656-134-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/4656-151-0x00000000035D0000-0x00000000035D9000-memory.dmp

Filesize
36KB

Download