ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651

Analysis

max time kernel
143s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe
Size

4.2MB
MD5

2cd33053df641ff9d99f45ffaf0c661e
SHA1

b32b7eccf3cca7bc999ff2dc6150ddc3c2232d28
SHA256

ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651
SHA512

207c14f5cdcc09ba249efa5cad09a557729b48dcd1e8b410fb89313d2563ee4d5bd3107a662212dc13f159f392f8e012b814f5212c13143fa53e85d72786b48d
SSDEEP

98304:uT7RTADJDqhFgHrSGiJIk7iUGUmG6NT7Oh84:uJ+JDfHrKbiJTaS

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
540	¸üÐÂ³ÌÐò.exe

Loads dropped DLL 3 IoCs

pid	Process
2084	ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe
2084	ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe
2084	ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe

UPX packed file 49 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-4-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-6-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-7-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-16-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-20-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-23-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-25-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-18-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-30-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-44-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-49-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-52-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-51-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-47-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-42-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-40-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-38-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-36-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-34-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-32-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-28-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-14-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-11-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-9-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-53-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2084-59-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-80-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-81-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-83-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-85-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-87-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-89-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-93-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-96-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-99-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-102-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-105-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-108-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-111-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-114-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-117-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-120-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-123-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-126-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-129-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-132-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-135-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-137-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/540-139-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\default_page_url = "http://591314.org/?soft"	¸üÐÂ³ÌÐò.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\default_page_url = "http://591314.org/?soft"	ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://591314.org/?soft"	ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://591314.org/?soft"	¸üÐÂ³ÌÐò.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2084	ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe
2084	ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe
2084	ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe
540	¸üÐÂ³ÌÐò.exe
540	¸üÐÂ³ÌÐò.exe
540	¸üÐÂ³ÌÐò.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 540	2084	ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe	32
PID 2084 wrote to memory of 540	2084	ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe	32
PID 2084 wrote to memory of 540	2084	ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe	32
PID 2084 wrote to memory of 540	2084	ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe	32

C:\Users\Admin\AppData\Local\Temp\ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe
"C:\Users\Admin\AppData\Local\Temp\ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\¸üÐÂ³ÌÐò.exe
  "C:\Users\Admin\AppData\Local\Temp\¸üÐÂ³ÌÐò.exe" http://www.yitu3s.com/yanzheng/,jzd2bz_Z,3.7.0,0,ccfa6b18b0f1e9cdba5ec354d1d6938639524378c7c7b7a7b1447c53f2b93651.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious use of SetWindowsHookEx
  PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ET199_32.dll

Filesize
76KB

MD5
5b01443c869844be6df255c64ebf09ab

SHA1
59ea5729340c07d972decfc72d984dc4fff08f4f

SHA256
5b3b5d407df419d6b0ad6e8628662bf6c9614771da3832cde91d0630211fff16

SHA512
4156715dfbd064ab3f410646cd19077932c36d7c80e09765d817ce8c09820403f5056c09a965159e408a37de0a2b42c8f39251bf089c09428e13ed965d64b414

Download Submit
\Users\Admin\AppData\Local\Temp\¸üÐÂ³ÌÐò.exe

Filesize
916KB

MD5
8e8a4dfd27e0f68003200a7b2ec7b8d4

SHA1
7cbdf7a772fc1d2192cc25e6db349f0333b4e127

SHA256
0bd4c5c88762212fdc9d4e7d6878b6007a647fb28227f17bde1c4ee01e632e8f

SHA512
e1fba4d30b74ca58bd4860760a953b9363cc7254ce5034bc4e751ed32b4d6a4ef695c5d982a45ae0886aaf9ae7b5c82471586774a399ce04501a9abc750153b8

Download Submit
memory/540-108-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-114-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-132-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-129-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-126-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-123-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-120-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-102-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-105-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-111-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-135-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-137-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-117-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-99-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-96-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-93-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-89-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-87-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-85-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-83-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-81-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-80-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/540-139-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-52-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-42-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-9-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-53-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-56-0x0000000000B90000-0x0000000000BAE000-memory.dmp

Filesize
120KB

Download
memory/2084-14-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-58-0x0000000000400000-0x0000000000A91000-memory.dmp

Filesize
6.6MB

Download
memory/2084-59-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-64-0x0000000000400000-0x0000000000A91000-memory.dmp

Filesize
6.6MB

Download
memory/2084-65-0x0000000000400000-0x0000000000A91000-memory.dmp

Filesize
6.6MB

Download
memory/2084-66-0x0000000000400000-0x0000000000A91000-memory.dmp

Filesize
6.6MB

Download
memory/2084-67-0x0000000000400000-0x0000000000A91000-memory.dmp

Filesize
6.6MB

Download
memory/2084-68-0x0000000000400000-0x0000000000A91000-memory.dmp

Filesize
6.6MB

Download
memory/2084-28-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-32-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-34-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-36-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-38-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-40-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-11-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-47-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-51-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-0-0x0000000000400000-0x0000000000A91000-memory.dmp

Filesize
6.6MB

Download
memory/2084-49-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-44-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-30-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-18-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-25-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-23-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-20-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-16-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-7-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-6-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-4-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2084-3-0x0000000000400000-0x0000000000A91000-memory.dmp

Filesize
6.6MB

Download
memory/2084-2-0x0000000000400000-0x0000000000A91000-memory.dmp

Filesize
6.6MB

Download
memory/2084-1-0x0000000000400000-0x0000000000A91000-memory.dmp

Filesize
6.6MB

Download
memory/2084-143-0x0000000000400000-0x0000000000A91000-memory.dmp

Filesize
6.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads