12ba8a583fb035e61f45e7ad2b9986a84ae8c4e0e77e7770e7d86a2f7fc68e04

General

Target

6a2442a4fb891753552346218815bc47.exe
Size

256KB
MD5

6a2442a4fb891753552346218815bc47
SHA1

ebd1f02cbe8eaceb7d5065ff6aee59dee7e63645
SHA256

12ba8a583fb035e61f45e7ad2b9986a84ae8c4e0e77e7770e7d86a2f7fc68e04
SHA512

60ba1b1e75d0e323bb48a83f6b51aa2026d8f2d7def67fd8c7c7697dd23cc553f2660c6258e74e9cc6dd33ff432b8c0b2e2302659582400b0c12be4ba86184a7
SSDEEP

3072:mEO9K3Cmp5z9VtzdDfFbESg5YT9o/etIyAylfFoVBL:mRBmp5zPDDVESg5YTC/etIBycB

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,c:\\windows\\system32\\Ieautoups.exe"	6a2442a4fb891753552346218815bc47.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\autoups.exe	6a2442a4fb891753552346218815bc47.exe
File opened for modification	\??\c:\windows\SysWOW64\ieupdate.dll	6a2442a4fb891753552346218815bc47.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9EE7A389-A4EF-11EE-A0B6-E2FF52840C3F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\homepages = "www.86484.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan3 = "www.86484.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url2 = "www.114la.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url4 = "www.265.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url5 = "www.ku6.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan7 = "www.hanguoqvod.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan5 = "www.hanguoqvod.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url6 = "www.youku.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url7 = "www.tudou.com"	6a2442a4fb891753552346218815bc47.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\ = "lanren"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan1 = "www.86484.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan2 = "www.86484.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url3 = "www.5566.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan8 = "http://search8.taobao.com/browse/cat-0-g,nvwv6mjqgaytcnjvgbptaxzq.htm?pid=mm_10854201_0_0"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url1 = "www.hao123.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan4 = "www.86484.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\tihuan6 = "www.hanguoqvod.com"	6a2442a4fb891753552346218815bc47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lanren\url8 = "www.taobao.cn"	6a2442a4fb891753552346218815bc47.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2380	6a2442a4fb891753552346218815bc47.exe
1060	iexplore.exe
1060	iexplore.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1060	2380	6a2442a4fb891753552346218815bc47.exe	21
PID 2380 wrote to memory of 1060	2380	6a2442a4fb891753552346218815bc47.exe	21
PID 1060 wrote to memory of 4464	1060	iexplore.exe	24
PID 1060 wrote to memory of 4464	1060	iexplore.exe	24
PID 1060 wrote to memory of 4464	1060	iexplore.exe	24
PID 2380 wrote to memory of 3544	2380	6a2442a4fb891753552346218815bc47.exe	27
PID 2380 wrote to memory of 3544	2380	6a2442a4fb891753552346218815bc47.exe	27
PID 2380 wrote to memory of 3544	2380	6a2442a4fb891753552346218815bc47.exe	27

C:\Users\Admin\AppData\Local\Temp\6a2442a4fb891753552346218815bc47.exe
"C:\Users\Admin\AppData\Local\Temp\6a2442a4fb891753552346218815bc47.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.nt555.com/tongji/count/count.asp?id=00-00-00-00-00-00&ver=1.0
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:17410 /prefetch:2
    3⤵
    PID:4464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c regsvr32 /s c:\windows\system32\ieupdate.dll
  2⤵
  PID:3544
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s c:\windows\system32\ieupdate.dll
    3⤵
    PID:4232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a.bat""
  2⤵
  PID:4328
- C:\Windows\SysWOW64\autoups.exe
  autoups.exe
  2⤵
  PID:232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\autoups.exe > nul
    3⤵
    PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c color 0a
1⤵
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC719.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R977VUU4\suggestions[1].en-US

Filesize
1KB

MD5
c6bdda3f990d9f4af799c6780b8859b4

SHA1
a621164f6b814af5e867c84e7b014695c850fc7e

SHA256
bf1d3d4bd2bfaf7e1c3ecda4669a16a68da4c2780c49c60b09d3fbc13a1633dc

SHA512
955019d37611587f11831068a20a8b7f2a51838d6c11d02c822aa752fc056ba1336ce2d8f1e7d338fee9b3c9b11889ab8c615a1f60183f27cb060b3976033443

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.bat

Filesize
190B

MD5
e2405f313fed2029a4c20958ce44ba3a

SHA1
5ae1f7c23c0fb31529e9769bc3c36d69fa1e31b7

SHA256
04fe8ceed5499b6b0718e8633054274adb6ed9f876467e93978f018cc50070d9

SHA512
ed5865a37b0396d1852664ce7731a772c7a92d1d8d0adf0b174665c778e91dd2e64eb82ec85ca8304796d5d2f23f48611b62ce85a118c6096d5de46f90b44fa1

Download Submit
C:\Windows\SysWOW64\autoups.exe

Filesize
31KB

MD5
3fff18b3b113138eea98ffd64b8f3cc5

SHA1
547ee75d6831ff3d94c1401af6f6c5e5d9d3e7fc

SHA256
bea5cbc58025a59eeadc92ee80ac144e975425aacd21fd26b578df87cb7f856d

SHA512
a0599c6c9044ba39c17ac71403a0ce381b7b682fd1e2fa16bdc37fffbe7040191360bde67a320310ee5a47dc048d0ab3f7d782b855feb7acfce9a3f54ce3f8f2

Download Submit
C:\Windows\SysWOW64\autoups.exe

Filesize
53KB

MD5
69df2da8567018c8c4f23dd1e385f352

SHA1
4b3fb4a1b760001f963a1c3bffe89f165c27add2

SHA256
158e20d67167eca3dc1e0587b4c0ea4f51ad89f82c2de0901d12803d3ed52170

SHA512
fc74209817646e29765b358a09ebd3cf72bd6ffc66c0b8a974bee6211c98d874baa892b4dee457c9e470e2e7a44d63adc553e2cc22c25e30480dfeabc1605da2

Download Submit
C:\Windows\SysWOW64\ieupdate.dll

Filesize
39KB

MD5
4d5bfe5a79dc7fe3b22b36df2af0e0bb

SHA1
bbac2476fb6ea34033b5e8f5757adec0d8fe938c

SHA256
2922909663222740fb861d1741a4b3fb4407cab59b6cd9f9f8900810a980163b

SHA512
3d8f86dcde79ed61f7a162f5cd6bc418d7c3c3d4772df9e97e5fe71a6bb0292a66aa04b2d6ed7f072144f934433ff0756f79ec33b93144c1961494957a7c3190

Download Submit
\??\c:\windows\SysWOW64\ieupdate.dll

Filesize
40KB

MD5
f3913cc263d354b36ac3c1214cf42232

SHA1
1c9fc2576b847d0e67fe8217d9cc47a0dd41c543

SHA256
64abbc73537d45cbc87b37c88b7b48b5288f52ac1c6f7db368e8d6832d810c2e

SHA512
8d016bdfe351718c827f143ef90073194280750280f0f7fdafbd2bd381770b5d1ad671c9a00b7fd93fa71074c7fd577d0a76b9cbc451ff4c7e02318468e65817

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads