e2b8e3ab0263dc9a4f1140218c5e848ef370c4db8646e580a36a82345f2f35b7

General

Target

1b0452c96cf6155c88b91ecf270f53d8.exe
Size

56KB
MD5

1b0452c96cf6155c88b91ecf270f53d8
SHA1

f7176b55f7ded0f754c018bbb7533c0e5a00a270
SHA256

e2b8e3ab0263dc9a4f1140218c5e848ef370c4db8646e580a36a82345f2f35b7
SHA512

d95498dd9fb49f444fa2a0b1c48232721e3423365f5a7dc6b859ebd2b518feda863e29d8627dcaf0e53decf8bb9fdff88ab098a0ec5b8492e94dd6a118c3a07e
SSDEEP

768:npdmkzjFAACXOO/stfqu9DwCRMov1JOQoNrjMF437v1Zv10v1Jv1uv1Ev1JOK4V:nXmkzRV1v7LWBxn4XqInoaVq2HEo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
948	CCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CCenter = "C:\\Windows\\CCenter.exe"	CCenter.exe

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\f:\autorun.inf	CCenter.exe
File opened for modification	\??\g:\autorun.inf	CCenter.exe
File opened for modification	\??\h:\autorun.inf	CCenter.exe
File opened for modification	\??\i:\autorun.inf	CCenter.exe
File opened for modification	\??\j:\autorun.inf	CCenter.exe
File opened for modification	\??\k:\autorun.inf	CCenter.exe
File opened for modification	\??\d:\autorun.inf	CCenter.exe
File opened for modification	\??\e:\autorun.inf	CCenter.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CCenter.exe	1b0452c96cf6155c88b91ecf270f53d8.exe
File opened for modification	C:\Windows\CCenter.exe	1b0452c96cf6155c88b91ecf270f53d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	CCenter.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.8koo.cn/"	CCenter.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1736	1b0452c96cf6155c88b91ecf270f53d8.exe
948	CCenter.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 948	1736	1b0452c96cf6155c88b91ecf270f53d8.exe	16
PID 1736 wrote to memory of 948	1736	1b0452c96cf6155c88b91ecf270f53d8.exe	16
PID 1736 wrote to memory of 948	1736	1b0452c96cf6155c88b91ecf270f53d8.exe	16
PID 1736 wrote to memory of 948	1736	1b0452c96cf6155c88b91ecf270f53d8.exe	16

C:\Users\Admin\AppData\Local\Temp\1b0452c96cf6155c88b91ecf270f53d8.exe
"C:\Users\Admin\AppData\Local\Temp\1b0452c96cf6155c88b91ecf270f53d8.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\CCenter.exe
  C:\Windows\CCenter.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious use of SetWindowsHookEx
  PID:948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2648
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:275457 /prefetch:2
  2⤵
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-14-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1736-1-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1736-13-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/1736-12-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/1736-22-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads