663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21/09/2023, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
Size

1.9MB
MD5

590b1a7d37d12106e1dbcfd063b23398
SHA1

789e25388a35a54fcf3f956cd582fa5c4ab3f595
SHA256

663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322
SHA512

9c6736ee2181f91630e2208fd70f3097a6d590f3b1c822d6ad0e518d4643cf453269549435e693ff8cd6038cd1274c42d8bb4473e863fa7adb49f80f3aae9a96
SSDEEP

49152:cP0K1HDEsdSiopguI125iZblH7PJdR0ebbau1m:y71HDEfHgB7PJdnw

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2644	waike.exe
1508	v.exe

Loads dropped DLL 2 IoCs

pid	Process
2644	waike.exe
1508	v.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2416-0-0x0000000000400000-0x000000000085F000-memory.dmp	upx
behavioral1/files/0x000d000000015c9b-3.dat	upx
behavioral1/memory/2644-4-0x0000000000400000-0x000000000085F000-memory.dmp	upx
behavioral1/memory/2416-6-0x0000000000400000-0x000000000085F000-memory.dmp	upx
behavioral1/memory/2416-8-0x0000000000400000-0x000000000085F000-memory.dmp	upx
behavioral1/memory/2644-9-0x0000000000400000-0x000000000085F000-memory.dmp	upx
behavioral1/memory/2644-10-0x0000000000400000-0x000000000085F000-memory.dmp	upx
behavioral1/memory/2644-38-0x0000000000400000-0x000000000085F000-memory.dmp	upx
behavioral1/memory/2644-55-0x0000000000400000-0x000000000085F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	waike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	waike.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2416	663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
2644	waike.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1508	v.exe
Token: 35	1508	v.exe
Token: SeSecurityPrivilege	1508	v.exe
Token: SeSecurityPrivilege	1508	v.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2416	663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
2416	663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
2644	waike.exe
2644	waike.exe
1980	hh.exe
1980	hh.exe
2732	hh.exe
2732	hh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1704	2644	waike.exe	31
PID 2644 wrote to memory of 1704	2644	waike.exe	31
PID 2644 wrote to memory of 1704	2644	waike.exe	31
PID 2644 wrote to memory of 1704	2644	waike.exe	31
PID 2644 wrote to memory of 1508	2644	waike.exe	34
PID 2644 wrote to memory of 1508	2644	waike.exe	34
PID 2644 wrote to memory of 1508	2644	waike.exe	34
PID 2644 wrote to memory of 1508	2644	waike.exe	34
PID 2644 wrote to memory of 2072	2644	waike.exe	42
PID 2644 wrote to memory of 2072	2644	waike.exe	42
PID 2644 wrote to memory of 2072	2644	waike.exe	42
PID 2644 wrote to memory of 2072	2644	waike.exe	42

C:\Users\Admin\AppData\Local\Temp\663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe
"C:\Users\Admin\AppData\Local\Temp\663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2416

C:\mina\waike.exe
"C:\mina\waike.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Public\xiaodaxzqxia\n.bat
  2⤵
  PID:1704
- C:\Users\Public\xiaodaxzqxia\v.exe
  "C:\Users\Public\xiaodaxzqxia\v.exe" x 111 -y
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Public\xiaodaxzqxia\v.bat
  2⤵
  PID:2072

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\9755444187291871\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\9755444187291871\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat

Filesize
8KB

MD5
57461b234b2a75ce813cf6144996c5e8

SHA1
1ea8277e245640f60bda92182edc9bcc3107aea6

SHA256
e21679de70ebbe36c9fe3f3618992e97c44180bb81da959df9f48202bad51e01

SHA512
14e2127a8034f265958ce1b80c315770d3ae221ac715a7b6577714d423beab8e0a89a0ad89a63bc28d60a9c3d406755e96a998de33821be797fe843009dfdd7c

Download Submit
C:\Users\Public\cxzvasdfg\9755444187291871\A11.chm

Filesize
9KB

MD5
2342b3ba19855ddd8c3e311b2842bdbb

SHA1
ecec63f62d445bdcc369af3f29df566611c7d4a5

SHA256
257c340891c8007dbb720853244785b8d7433fb70ca0038528b9fde035d0bfe6

SHA512
f5230c860656004d8f860f5b2941b15519cebf7ce6494eefcea6307be4057f5cd6178cbdfca9a022d28fd11cc0d81ed1f2a719ff9a614e28a0eb12f048302cb9

Download Submit
C:\Users\Public\xiaodaxzqxia\111

Filesize
18B

MD5
11bc70016f1fde86d2cdce0846a5076f

SHA1
d01eb4d8423b89b743643b80b1fb8e649cbad4e5

SHA256
94568641d14104f957b438b273187700590b63f0c22f52235d8e5b77233efd3c

SHA512
e4a25b57d4b682d08911a693ff0fcffc7f3cabbe60d820105f1fc47bd8b7c1740ab371e1ef7f94d5b6b2811d5dc3f4af2c382ee91fe4ba614384e405cd114da1

Download Submit
C:\Users\Public\xiaodaxzqxia\7z.dll

Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat

Filesize
18B

MD5
11bc70016f1fde86d2cdce0846a5076f

SHA1
d01eb4d8423b89b743643b80b1fb8e649cbad4e5

SHA256
94568641d14104f957b438b273187700590b63f0c22f52235d8e5b77233efd3c

SHA512
e4a25b57d4b682d08911a693ff0fcffc7f3cabbe60d820105f1fc47bd8b7c1740ab371e1ef7f94d5b6b2811d5dc3f4af2c382ee91fe4ba614384e405cd114da1

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat

Filesize
18B

MD5
11bc70016f1fde86d2cdce0846a5076f

SHA1
d01eb4d8423b89b743643b80b1fb8e649cbad4e5

SHA256
94568641d14104f957b438b273187700590b63f0c22f52235d8e5b77233efd3c

SHA512
e4a25b57d4b682d08911a693ff0fcffc7f3cabbe60d820105f1fc47bd8b7c1740ab371e1ef7f94d5b6b2811d5dc3f4af2c382ee91fe4ba614384e405cd114da1

Download Submit
C:\Users\Public\xiaodaxzqxia\v.bat

Filesize
18B

MD5
11bc70016f1fde86d2cdce0846a5076f

SHA1
d01eb4d8423b89b743643b80b1fb8e649cbad4e5

SHA256
94568641d14104f957b438b273187700590b63f0c22f52235d8e5b77233efd3c

SHA512
e4a25b57d4b682d08911a693ff0fcffc7f3cabbe60d820105f1fc47bd8b7c1740ab371e1ef7f94d5b6b2811d5dc3f4af2c382ee91fe4ba614384e405cd114da1

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe

Filesize
329KB

MD5
62d2156e3ca8387964f7aa13dd1ccd5b

SHA1
a5067e046ed9ea5512c94d1d17c394d6cf89ccca

SHA256
59cbfba941d3ac0238219daa11c93969489b40f1e8b38fabdb5805ac3dd72bfa

SHA512
006f7c46021f339b6cbf9f0b80cffa74abb8d48e12986266d069738c4e6bdb799bfba4b8ee4565a01e90dbe679a96a2399d795a6ead6eacbb4818a155858bf60

Download Submit
C:\mina\waike.exe

Filesize
1.9MB

MD5
590b1a7d37d12106e1dbcfd063b23398

SHA1
789e25388a35a54fcf3f956cd582fa5c4ab3f595

SHA256
663b5f9cc1c8c974a7651cdd6a720a7bc77a59c01b8d27274a504340666fd322

SHA512
9c6736ee2181f91630e2208fd70f3097a6d590f3b1c822d6ad0e518d4643cf453269549435e693ff8cd6038cd1274c42d8bb4473e863fa7adb49f80f3aae9a96

Download Submit
\Users\Public\xiaodaxzqxia\7z.dll

Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
\Users\Public\xiaodaxzqxia\v.exe

Filesize
329KB

MD5
62d2156e3ca8387964f7aa13dd1ccd5b

SHA1
a5067e046ed9ea5512c94d1d17c394d6cf89ccca

SHA256
59cbfba941d3ac0238219daa11c93969489b40f1e8b38fabdb5805ac3dd72bfa

SHA512
006f7c46021f339b6cbf9f0b80cffa74abb8d48e12986266d069738c4e6bdb799bfba4b8ee4565a01e90dbe679a96a2399d795a6ead6eacbb4818a155858bf60

Download Submit
memory/2416-0-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/2416-8-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/2416-6-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/2644-10-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/2644-9-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/2644-38-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/2644-55-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/2644-4-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download