bd2ea68d336adba4760cd608103d6145e12a4b058d00dc1a89096de345361917

General

Target

23d4168b97d49cf50bf56f9198ce756a.exe
Size

80KB
MD5

23d4168b97d49cf50bf56f9198ce756a
SHA1

ab8d8369ccb88945e5def3750335a5b5d9bdf975
SHA256

bd2ea68d336adba4760cd608103d6145e12a4b058d00dc1a89096de345361917
SHA512

767bfa7ff0ea2f09cc043134f2790f13fb1047bf1166f69dcc1c031706ea35af5cd2cfe370d729bbc90786f1aabfe085529034dc9b2662b2f8a4742383262083
SSDEEP

1536:Ws2MEe4xcMZdrHC13I7qce/kPa49sKJP4dJ:12MP03zC13IO3H49XG

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4824	taskkill.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.IE\ = "IE"	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1\ = "????"	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1\shell\open	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://www.38078.com"	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1nk\shell	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\ = "????"	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\1nk\ = "????"	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1\DefaultIcon\ = "shdoclc.dll,0"	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1\shell	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\1nk\DefaultIcon\ = "shdoclc.dll,0"	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\DefaultIcon\ = "shdoclc.dll,0"	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\1nk\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://www.38078.com"	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1nk\DefaultIcon	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "ur1"	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.IE	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://www.38078.com"	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\DefaultIcon	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1nk	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1\shell\open\command	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open\command	23d4168b97d49cf50bf56f9198ce756a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "1nk"	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1nk\shell\open\command	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ur1\DefaultIcon	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE	23d4168b97d49cf50bf56f9198ce756a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1nk\shell\open	23d4168b97d49cf50bf56f9198ce756a.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3876	regedit.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeRestorePrivilege	1532	23d4168b97d49cf50bf56f9198ce756a.exe
Token: SeBackupPrivilege	1532	23d4168b97d49cf50bf56f9198ce756a.exe
Token: SeRestorePrivilege	1532	23d4168b97d49cf50bf56f9198ce756a.exe
Token: SeBackupPrivilege	1532	23d4168b97d49cf50bf56f9198ce756a.exe
Token: SeDebugPrivilege	1532	23d4168b97d49cf50bf56f9198ce756a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1532	23d4168b97d49cf50bf56f9198ce756a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 4824	1532	23d4168b97d49cf50bf56f9198ce756a.exe	17
PID 1532 wrote to memory of 4824	1532	23d4168b97d49cf50bf56f9198ce756a.exe	17
PID 1532 wrote to memory of 4824	1532	23d4168b97d49cf50bf56f9198ce756a.exe	17
PID 1532 wrote to memory of 3064	1532	23d4168b97d49cf50bf56f9198ce756a.exe	26
PID 1532 wrote to memory of 3064	1532	23d4168b97d49cf50bf56f9198ce756a.exe	26
PID 1532 wrote to memory of 3064	1532	23d4168b97d49cf50bf56f9198ce756a.exe	26

C:\Users\Admin\AppData\Local\Temp\23d4168b97d49cf50bf56f9198ce756a.exe
"C:\Users\Admin\AppData\Local\Temp\23d4168b97d49cf50bf56f9198ce756a.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ZhuDongFangyu.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
  2⤵
  PID:3064

C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
1⤵
- Runs .reg file with regedit
PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TempIE.reg

Filesize
2KB

MD5
e195de0c7406c7eee7e6e7108536f57f

SHA1
aa7813d6fe57e32026f8eddb1371d91dfe5c55b7

SHA256
4827ad29848f09613499f36e095a0e575cc47b0a1636e657ec97b948886ccef7

SHA512
9717c1eb17d99426427dff94f039bae85f9edc8fe02bfb36d2ac69fba50ab7007d3741d8e09ec9daf6605fccb606809869ae860c9a87f091c06958e9b2c389a9

Download Submit
C:\Users\Admin\Desktop\.dll

Filesize
61B

MD5
73a81c08a706d9a973e3830c57372da9

SHA1
76ff1bb2c69d1d9c210a9c8a43e441fabb6f98b6

SHA256
954a2b38743ba5d3a84f9dc17bb2f722ff5d1ce376293c981f67c073de44eab1

SHA512
896192b29876382f2bc632d9fb636961365918d7afd425f72ee99d5c83ac3dde5f4ce2a81fe6adcb2d3d7723c94ed783049dad6c5f950d33c0585f1ef13a414a

Download Submit
memory/1532-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1532-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing