0ab3347233ca85e26d6d65d5a1ae47b6f109bd46aef2589a7b67bc55dc6c3148

General

Target

767735c8c772038e7d89fdd442513170.exe
Size

294KB
MD5

767735c8c772038e7d89fdd442513170
SHA1

51d31eadcc515633d625393b734c72a07f1eeb67
SHA256

0ab3347233ca85e26d6d65d5a1ae47b6f109bd46aef2589a7b67bc55dc6c3148
SHA512

05f1b64cff4e21d783df0f887e7156041403be5ea63f459dd01674ba6fefcda6cceaa4540f3091089a2ac4ca54d648730a718765df5413928a44b3e9dd866846
SSDEEP

6144:cdYgxDPu6luzMm2mBiXS6S9JSelDyX2UFLstcAyXRU0ODDoL:tgxDPuQuLTKSH9flD74sK60ODDoL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2972	767735c8c772038e7d89fdd442513170.tmp

Loads dropped DLL 3 IoCs

pid	Process
2276	767735c8c772038e7d89fdd442513170.exe
2972	767735c8c772038e7d89fdd442513170.tmp
2972	767735c8c772038e7d89fdd442513170.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Progra~1\TaoBao\is-B315V.tmp	767735c8c772038e7d89fdd442513170.tmp

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.hae123.com"	regedit.exe

Runs regedit.exe 1 IoCs

pid	Process
2756	regedit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2972	767735c8c772038e7d89fdd442513170.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2972	2276	767735c8c772038e7d89fdd442513170.exe	28
PID 2276 wrote to memory of 2972	2276	767735c8c772038e7d89fdd442513170.exe	28
PID 2276 wrote to memory of 2972	2276	767735c8c772038e7d89fdd442513170.exe	28
PID 2276 wrote to memory of 2972	2276	767735c8c772038e7d89fdd442513170.exe	28
PID 2972 wrote to memory of 2756	2972	767735c8c772038e7d89fdd442513170.tmp	29
PID 2972 wrote to memory of 2756	2972	767735c8c772038e7d89fdd442513170.tmp	29
PID 2972 wrote to memory of 2756	2972	767735c8c772038e7d89fdd442513170.tmp	29
PID 2972 wrote to memory of 2756	2972	767735c8c772038e7d89fdd442513170.tmp	29
PID 2972 wrote to memory of 2768	2972	767735c8c772038e7d89fdd442513170.tmp	30
PID 2972 wrote to memory of 2768	2972	767735c8c772038e7d89fdd442513170.tmp	30
PID 2972 wrote to memory of 2768	2972	767735c8c772038e7d89fdd442513170.tmp	30
PID 2972 wrote to memory of 2768	2972	767735c8c772038e7d89fdd442513170.tmp	30

C:\Users\Admin\AppData\Local\Temp\767735c8c772038e7d89fdd442513170.exe
"C:\Users\Admin\AppData\Local\Temp\767735c8c772038e7d89fdd442513170.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\is-6263R.tmp\767735c8c772038e7d89fdd442513170.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6263R.tmp\767735c8c772038e7d89fdd442513170.tmp" /SL5="$70122,51900,51712,C:\Users\Admin\AppData\Local\Temp\767735c8c772038e7d89fdd442513170.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\Regedit.exe" -s C:\Progra~1\TaoBao\info.desc
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Runs regedit.exe
    PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\767735c8c772038e7d89fdd442513170.exe"
    3⤵
    - Deletes itself
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\TaoBao\info.desc

Filesize
280B

MD5
a0fd44bf16c285a195d371ba2404dc0a

SHA1
1880991f3f49d2f35e86ce2575d7535517a10f28

SHA256
686ea1ff46449d5412e6454ca7329a6f03e777714e35d502640c61ac16849613

SHA512
3477a190eda4b3fd79319ebeab24c3a62cdaffeb4d58f65488713f23e370f8a906365985dad5a8bd39a5d2e047c6f1da40af1d952cb3899c9809a32fb03b970a

Download Submit
\Users\Admin\AppData\Local\Temp\is-6263R.tmp\767735c8c772038e7d89fdd442513170.tmp

Filesize
706KB

MD5
1a6c2b578c69b9388e22d38afa16a7fb

SHA1
186370d5438b1f5f3d75891aa8412e8edd00981c

SHA256
86ac18632bfdca026df9fe12a1d4df2de64bbdc1d2d7e42d2dcbf7809cbbebb3

SHA512
fb868c629cd0255b7620c9260bb5712b6622f53f0b7de3d6125c295e02d16f03584ce3a90eccb02b65ce9825885aa1bca5f68c7cc09dc0c09e7c208fcef54714

Download Submit
\Users\Admin\AppData\Local\Temp\is-D99TN.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2276-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2276-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2972-8-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2972-21-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads