d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171

Resubmissions

22-10-2023 02:49

231022-da4exaeh37 7

22-10-2023 02:48

231022-daweasda6z 7

22-10-2023 02:41

231022-c6mllada3w 7

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe
Size

1.3MB
MD5

f47e11a824c6094d439ba159ec9c3f04
SHA1

7460d14072a26fad9567961f51b1383e335d33c8
SHA256

d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171
SHA512

44878e66c8ad85b76b18912b4afdd8e80cb49b0cf32ad41ea1c6eb30afcdba5150ef46d89e12cd995497f29a0dc2aebd18339115d0e95de61cbc6c3bfd6c8383
SSDEEP

24576:1b3QxsVkMEzjeMREXxC+5QQ7fdhSNpr17/R8T2Od7OS5Q5Wc26qeMyaVl:EsileMRU5VMhR8VPO5Wc26XlQl

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
620	v.exe

Loads dropped DLL 2 IoCs

pid	Process
2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe
2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2356-0-0x0000000000400000-0x0000000000717000-memory.dmp	upx
behavioral1/memory/2356-13-0x0000000000400000-0x0000000000717000-memory.dmp	upx
behavioral1/memory/2356-15-0x0000000000400000-0x0000000000717000-memory.dmp	upx
behavioral1/memory/2356-31-0x0000000000400000-0x0000000000717000-memory.dmp	upx
behavioral1/memory/2356-45-0x0000000000400000-0x0000000000717000-memory.dmp	upx
behavioral1/memory/2356-47-0x0000000000400000-0x0000000000717000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe
2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe
2904	hh.exe
2904	hh.exe
1444	hh.exe
1444	hh.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2440	2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe	28
PID 2356 wrote to memory of 2440	2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe	28
PID 2356 wrote to memory of 2440	2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe	28
PID 2356 wrote to memory of 2440	2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe	28
PID 2356 wrote to memory of 2360	2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe	30
PID 2356 wrote to memory of 2360	2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe	30
PID 2356 wrote to memory of 2360	2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe	30
PID 2356 wrote to memory of 2360	2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe	30
PID 2440 wrote to memory of 2456	2440	cmd.exe	31
PID 2440 wrote to memory of 2456	2440	cmd.exe	31
PID 2440 wrote to memory of 2456	2440	cmd.exe	31
PID 2440 wrote to memory of 2456	2440	cmd.exe	31
PID 2360 wrote to memory of 2820	2360	WScript.exe	32
PID 2360 wrote to memory of 2820	2360	WScript.exe	32
PID 2360 wrote to memory of 2820	2360	WScript.exe	32
PID 2360 wrote to memory of 2820	2360	WScript.exe	32
PID 2820 wrote to memory of 2576	2820	cmd.exe	34
PID 2820 wrote to memory of 2576	2820	cmd.exe	34
PID 2820 wrote to memory of 2576	2820	cmd.exe	34
PID 2820 wrote to memory of 2576	2820	cmd.exe	34
PID 2356 wrote to memory of 620	2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe	41
PID 2356 wrote to memory of 620	2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe	41
PID 2356 wrote to memory of 620	2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe	41
PID 2356 wrote to memory of 620	2356	d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe	41

C:\Users\Admin\AppData\Local\Temp\d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe
"C:\Users\Admin\AppData\Local\Temp\d5d06dc5a926f69d8ee73fbebfcd5ff0428a5fb05e6d122edff3a31e89336171.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Public\xiaodaxzqxia\n.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
    3⤵
    PID:2456
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\xiaodaxzqxia\A.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Public\xiaodaxzqxia\n.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
      4⤵
      PID:2576
- C:\Users\Public\xiaodaxzqxia\v.exe
  "C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
  2⤵
  - Executes dropped EXE
  PID:620

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\5587865777823228\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2904

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\5587865777823228\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat

Filesize
8KB

MD5
b954a58df76365f8b3c911e213e5b95f

SHA1
1bb91e94f11b448af2f2893eb3461941ae52f1b1

SHA256
202f19ff42d82372571704866c0e6e9eb1f9c2cffd0cbe02a87e871b47fbae9e

SHA512
8d55a7b8fcba0ecabb9ebab7a3f1fa1c3368a3409984b33d8b0e92b1c7e6bdf440dc3ab708db7ff04951a06f3fb44af7eb92febbaba3b9dfc58a886c48c31614

Download Submit
C:\Users\Public\cxzvasdfg\5587865777823228\A11.chm

Filesize
9KB

MD5
2342b3ba19855ddd8c3e311b2842bdbb

SHA1
ecec63f62d445bdcc369af3f29df566611c7d4a5

SHA256
257c340891c8007dbb720853244785b8d7433fb70ca0038528b9fde035d0bfe6

SHA512
f5230c860656004d8f860f5b2941b15519cebf7ce6494eefcea6307be4057f5cd6178cbdfca9a022d28fd11cc0d81ed1f2a719ff9a614e28a0eb12f048302cb9

Download Submit
C:\Users\Public\xiaodaxzqxia\A.vbs

Filesize
107B

MD5
bcb223ea9c0598f04684216bcd0e12a6

SHA1
2661c8fbca3654a29fa261def7f16ea23a6f3165

SHA256
ef2113720c94cbe4cb494d6e24d26803b4b1a094e35e4285cd4a2f5665ef2c37

SHA512
77e440462544ca9f711f9241096601060080f5751651cab8a796d57ed74c424f03a9237a653c17a386c1ef654e6192d0e54080632dacff15a28a46564e639682

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat

Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat

Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe

Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe

Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\v.exe

Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\xiaodaxzqxia\v.exe

Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
memory/620-44-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2356-13-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/2356-31-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/2356-15-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/2356-0-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/2356-45-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/2356-47-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download