bd2ea68d336adba4760cd608103d6145e12a4b058d00dc1a89096de345361917

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23d4168b97d49cf50bf56f9198ce756a.exe
Size

80KB
MD5

23d4168b97d49cf50bf56f9198ce756a
SHA1

ab8d8369ccb88945e5def3750335a5b5d9bdf975
SHA256

bd2ea68d336adba4760cd608103d6145e12a4b058d00dc1a89096de345361917
SHA512

767bfa7ff0ea2f09cc043134f2790f13fb1047bf1166f69dcc1c031706ea35af5cd2cfe370d729bbc90786f1aabfe085529034dc9b2662b2f8a4742383262083
SSDEEP

1536:Ws2MEe4xcMZdrHC13I7qce/kPa49sKJP4dJ:12MP03zC13IO3H49XG

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2220	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1\DefaultIcon	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\ = "????"	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder\Attributes = "10"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1nk\shell\open\command	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1\shell\open	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "ur1"	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\DefaultIcon\ = "shdoclc.dll,0"	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\ = "??(&D)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command\ = "Rundll32.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\\\IEXPLORE.EXE\" %1 http://www.38078.com"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1nk\shell	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1\ = "????"	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\DefaultIcon	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command\ = "Rundll32.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "1nk"	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1nk\shell\open	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://www.38078.com"	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1\shell	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1\shell\open\command	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\1nk\ = "????"	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\1nk\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://www.38078.com"	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.IE\ = "IE"	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder\Attributes = "10"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1nk\DefaultIcon	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.IE	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1nk	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ = "Internet Explorer"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\ = "????(&H)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\ = "????(&H)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1\DefaultIcon\ = "shdoclc.dll,0"	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\\\IEXPLORE.EXE\" %1 http://www.38078.com"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\ = "??(&D)"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2660	regedit.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	taskkill.exe
Token: SeRestorePrivilege	2540	23d4168b97d49cf50bf56f9198ce756a.exe
Token: SeBackupPrivilege	2540	23d4168b97d49cf50bf56f9198ce756a.exe
Token: SeRestorePrivilege	2540	23d4168b97d49cf50bf56f9198ce756a.exe
Token: SeBackupPrivilege	2540	23d4168b97d49cf50bf56f9198ce756a.exe
Token: SeDebugPrivilege	2540	23d4168b97d49cf50bf56f9198ce756a.exe
Token: SeRestorePrivilege	2540	23d4168b97d49cf50bf56f9198ce756a.exe
Token: SeBackupPrivilege	2540	23d4168b97d49cf50bf56f9198ce756a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2540	23d4168b97d49cf50bf56f9198ce756a.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2220	2540	23d4168b97d49cf50bf56f9198ce756a.exe	16
PID 2540 wrote to memory of 2220	2540	23d4168b97d49cf50bf56f9198ce756a.exe	16
PID 2540 wrote to memory of 2220	2540	23d4168b97d49cf50bf56f9198ce756a.exe	16
PID 2540 wrote to memory of 2220	2540	23d4168b97d49cf50bf56f9198ce756a.exe	16
PID 2540 wrote to memory of 2788	2540	23d4168b97d49cf50bf56f9198ce756a.exe	17
PID 2540 wrote to memory of 2788	2540	23d4168b97d49cf50bf56f9198ce756a.exe	17
PID 2540 wrote to memory of 2788	2540	23d4168b97d49cf50bf56f9198ce756a.exe	17
PID 2540 wrote to memory of 2788	2540	23d4168b97d49cf50bf56f9198ce756a.exe	17
PID 2540 wrote to memory of 2788	2540	23d4168b97d49cf50bf56f9198ce756a.exe	17
PID 2540 wrote to memory of 2788	2540	23d4168b97d49cf50bf56f9198ce756a.exe	17
PID 2540 wrote to memory of 2788	2540	23d4168b97d49cf50bf56f9198ce756a.exe	17
PID 2540 wrote to memory of 2584	2540	23d4168b97d49cf50bf56f9198ce756a.exe	20
PID 2540 wrote to memory of 2584	2540	23d4168b97d49cf50bf56f9198ce756a.exe	20
PID 2540 wrote to memory of 2584	2540	23d4168b97d49cf50bf56f9198ce756a.exe	20
PID 2540 wrote to memory of 2584	2540	23d4168b97d49cf50bf56f9198ce756a.exe	20
PID 2584 wrote to memory of 2660	2584	cmd.exe	19
PID 2584 wrote to memory of 2660	2584	cmd.exe	19
PID 2584 wrote to memory of 2660	2584	cmd.exe	19
PID 2584 wrote to memory of 2660	2584	cmd.exe	19

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ZhuDongFangyu.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe advpack.dll,DelNodeRunDLL32 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
1⤵
PID:2788

C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
1⤵
- Modifies registry class
- Runs .reg file with regedit
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
1⤵
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Admin\AppData\Local\Temp\23d4168b97d49cf50bf56f9198ce756a.exe
"C:\Users\Admin\AppData\Local\Temp\23d4168b97d49cf50bf56f9198ce756a.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\.dll

Filesize
61B

MD5
73a81c08a706d9a973e3830c57372da9

SHA1
76ff1bb2c69d1d9c210a9c8a43e441fabb6f98b6

SHA256
954a2b38743ba5d3a84f9dc17bb2f722ff5d1ce376293c981f67c073de44eab1

SHA512
896192b29876382f2bc632d9fb636961365918d7afd425f72ee99d5c83ac3dde5f4ce2a81fe6adcb2d3d7723c94ed783049dad6c5f950d33c0585f1ef13a414a

Download Submit
memory/2540-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2540-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download