e4bf89f0f173f6c293ff297d431102ad00c30ab9592840925715a59b9b2875f0

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12230a5cbcd429735d5d31b4759bc382.exe
Size

688KB
MD5

12230a5cbcd429735d5d31b4759bc382
SHA1

f781a19701c374838fcfdae361359977645c9ca2
SHA256

e4bf89f0f173f6c293ff297d431102ad00c30ab9592840925715a59b9b2875f0
SHA512

47c93c639330cecd85275182cd4f63c5fece6867905c245a9cf0cdb9507ebbb2e1ec7ed6042191aef54a9355be793cd4c1e8dbf21150bffab29935e02066a339
SSDEEP

12288:WO5r2SoKqy0Ecw8NQ2ZBaLAhdOSkryZtGUyAoTJa3ONEoTtQsQud:J5rZoPy0Nw8VfaLEdOSlHGvAoTRNptU+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1404	wnzczs.exe

Loads dropped DLL 2 IoCs

pid	Process
1404	wnzczs.exe
1404	wnzczs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000200000001e7e0-2.dat	nsis_installer_1
behavioral2/files/0x000200000001e7e0-2.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\SearchScopes	12230a5cbcd429735d5d31b4759bc382.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{24588FA4-10F1-41D7-B19D-6E22361E47FA}"	12230a5cbcd429735d5d31b4759bc382.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}	12230a5cbcd429735d5d31b4759bc382.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\Codepage = "65001"	12230a5cbcd429735d5d31b4759bc382.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\DisplayName = "°Ù¶È"	12230a5cbcd429735d5d31b4759bc382.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\URL = "http://www.baidu.com/s?wd={searchTerms}&tn=site888_1_pg&cl=3&ie=utf-8"	12230a5cbcd429735d5d31b4759bc382.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 1404	1440	12230a5cbcd429735d5d31b4759bc382.exe	90
PID 1440 wrote to memory of 1404	1440	12230a5cbcd429735d5d31b4759bc382.exe	90
PID 1440 wrote to memory of 1404	1440	12230a5cbcd429735d5d31b4759bc382.exe	90

C:\Users\Admin\AppData\Local\Temp\12230a5cbcd429735d5d31b4759bc382.exe
"C:\Users\Admin\AppData\Local\Temp\12230a5cbcd429735d5d31b4759bc382.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Users\Admin\AppData\Local\Temp\nsn3247.tmp\wnzczs.exe
  C:\Users\Admin\AppData\Local\Temp\nsn3247.tmp\wnzczs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsn3247.tmp\wnzczs.exe

Filesize
532KB

MD5
bc2e432c77159557d130d50ce98c31cd

SHA1
98b9af68fa9f5ae5c75fcde94476234a6ff1c534

SHA256
acfa98bcdc1ff353b16e6b9506bbbc92322191526aee81f22080f7e56410d5f5

SHA512
4d073014d188c8c7afe51e1b4c7fbf3dfcb3cf315edd0e3978d95799ba39f6ef3716fc18b2775e1957630d4552364f44e83dac25165b85b67c48cd4d8b61d8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4003.tmp\InstallOptions.dll

Filesize
14KB

MD5
271b5d1043c4402f08ddeae383f6979c

SHA1
2b88c58aa27bfb4979239579cd65d4c6c67a5295

SHA256
90485cb175686c3e97b32ebf99daa939c1a6f46e7031f71b72b81cd114fd5b51

SHA512
f8bd4b316726f05647162bb52a2aeb4a6cf5ee976fdb7817a3d25b868b83fb482c38d078f01d3a629afb0d6fa6ce409b2b3404398563137e22010074f529c11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4003.tmp\System.dll

Filesize
10KB

MD5
82f7926fd7d12e3eb8ed7b5232bcf956

SHA1
6065fc921b742cc86c77ce2533fc1d17359eb45e

SHA256
604b5e75f43ffae8f172018cdd8f136392d9c52ae0c100d27ef537bb2dfb3984

SHA512
b31a63ebbda8f147c32d8336c5ecde8c5261ad5526b01926d7cd74b7a9a1348da56e180e53d20e1e300daca76f9511f24d6e695550b705b7650c239e5b6e76c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4003.tmp\ioSpecial.ini

Filesize
613B

MD5
3362009bd424dc6ee4e5168094b7d5f0

SHA1
1db8e525b88b5a9cfcec3d916acaaa62ad5dc50b

SHA256
4d2fa24678c4022d5e06d7d08a2c2fb4b4711cd43f45933de4322c8ecf5655db

SHA512
9cabbbbe677f4fa08c573053e04922221186fa26d47f53227f9d83ff39e359354b8d9a753f269c0f31973f5e4a38662f58bb08d8fbfef9baf66f6adba16c6bf8

Download Submit