d18b1b9472e9adad52cdf260422fa4886307f41a4d20ed691f4c11bc375c9022

General

Target

反p2p终结者2012 增强绿色版/反p2p终结者2012增强版.exe
Size

62.6MB
MD5

5e6b1c5a450caebbc8a8e9cbd3f37723
SHA1

fe86b4566340b18fb61c4e6e89c8be94ec6fff00
SHA256

f73b0f38bd675deb45bdf2e0f15cf8b5729d5ef1f1c872da520f282ef3412170
SHA512

7a50a07004e48fe109aad99facaaa295aece2453db759d5ad5887e988693ebbca8e268a1aa53efa7259ffeea8574a6f926f8f87eef12273cd0182df2c8d5cb04
SSDEEP

24576:tXvrMJvSqd8nqX9vH84VT7YLlbDPU16duTPTKWJ/wQ0e:tYJKLnKCDPU8c7KWJE

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10013622-A707-22d2-9CBD-0000F87A469H}	反p2p终结者2012增强版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10013622-A707-22d2-9CBD-0000F87A469H}\StubPath = "C:\\Program Files\\Common Files\\Microsoft Shared\\bbs\\bbs\\bbs.exe"	反p2p终结者2012增强版.exe

Executes dropped EXE 1 IoCs

pid	Process
392	forumdisp.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\bbs\bbs\bbs.exe	反p2p终结者2012增强版.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\bbs\bbs	反p2p终结者2012增强版.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ntfs.bat	反p2p终结者2012增强版.exe
File created	C:\Program Files\Common Files\a2.txt	反p2p终结者2012增强版.exe
File created	C:\Program Files\Common Files\Microsoft Shared\bbs\bbs\bbs.exe	反p2p终结者2012增强版.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\xinzhu.txt	反p2p终结者2012增强版.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\bbs\	反p2p终结者2012增强版.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared	反p2p终结者2012增强版.exe
File created	C:\Program Files\forumdisp.exe	反p2p终结者2012增强版.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\kkk.txt	反p2p终结者2012增强版.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES5.INI	反p2p终结者2012增强版.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
808	反p2p终结者2012增强版.exe
808	反p2p终结者2012增强版.exe
808	反p2p终结者2012增强版.exe
808	反p2p终结者2012增强版.exe
808	反p2p终结者2012增强版.exe
808	反p2p终结者2012增强版.exe
808	反p2p终结者2012增强版.exe
808	反p2p终结者2012增强版.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 392	808	反p2p终结者2012增强版.exe	31
PID 808 wrote to memory of 392	808	反p2p终结者2012增强版.exe	31
PID 808 wrote to memory of 392	808	反p2p终结者2012增强版.exe	31
PID 808 wrote to memory of 3176	808	反p2p终结者2012增强版.exe	106
PID 808 wrote to memory of 3176	808	反p2p终结者2012增强版.exe	106
PID 808 wrote to memory of 3176	808	反p2p终结者2012增强版.exe	106
PID 3176 wrote to memory of 4424	3176	cmd.exe	103
PID 3176 wrote to memory of 4424	3176	cmd.exe	103
PID 3176 wrote to memory of 4424	3176	cmd.exe	103
PID 3176 wrote to memory of 4952	3176	cmd.exe	104
PID 3176 wrote to memory of 4952	3176	cmd.exe	104
PID 3176 wrote to memory of 4952	3176	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\反p2p终结者2012 增强绿色版\反p2p终结者2012增强版.exe
"C:\Users\Admin\AppData\Local\Temp\反p2p终结者2012 增强绿色版\反p2p终结者2012增强版.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:808
- C:\Program Files\forumdisp.exe
  "C:\Program Files\forumdisp.exe"
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSInfo\ntfs.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Common Files\Microsoft Shared\bbs\bbs /d everyone /e
1⤵
PID:4424

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files\Common Files\Microsoft Shared\bbs" /d everyone /e
1⤵
PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ntfs.bat

Filesize
155B

MD5
47b63a8da5491c2f1fc60b13f30b7bce

SHA1
0521d1f3b1bee284ab3859d4be333d14a6c72d50

SHA256
714bd7e92b51d99f27aaac0b2a4ac3bc8fb50ccf9d78e459bef6111af73296c6

SHA512
8f8478832e341def6dc21086707475783804875f118c928c4156ae86051e7af5b85d17dcfc910c74d26a67ebd64768b709f9438c09e46536ff55d4f8348556a9

Download Submit
C:\Program Files\forumdisp.exe

Filesize
124KB

MD5
f85b331671f5bbb5fe56fc1763f714fe

SHA1
c711d05b86340e9dc69f1ce006bbbbb5481a1974

SHA256
b6d9e1adf24d8010789aad3e236aa3f59d88e6873a23f92b32ec116ac5f9f3a3

SHA512
da848fccd18a26ea254f44fb48273da650a29a68b44ed0f8874e2fccc218ad2150771cc453164a83b7ae04c941056457e00a56a7108bb803fa7664148111dbbb

Download Submit
C:\Program Files\forumdisp.exe

Filesize
128KB

MD5
31bf9b53e7961938f0338f4099bb6860

SHA1
d8d757f8dfe7b389a90a03377d60beae4c93d169

SHA256
d8f50ad4d4a4ed28bec90ee82f832d6fb0781c8a8e4fec7f89b016f40d8cac38

SHA512
6d46b96823047333c4b942f4fe03edc22e591132235ef292223bc0e3c195cba21a80c736c734f7a519c46bc62fb9bd10868559b7ebe407464037aae6f19fb54a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads