0e2ebfe7949d6d277192bb03d1672143ab79482b42d2e40213f79f5f239358d0

Analysis

max time kernel
148s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 05:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

52b39b547f6f7a4ecc80b9c0eac12ad7.exe
Size

2.5MB
MD5

52b39b547f6f7a4ecc80b9c0eac12ad7
SHA1

19ce008ec4d99fb7f14d2e260095aef685d3955c
SHA256

0e2ebfe7949d6d277192bb03d1672143ab79482b42d2e40213f79f5f239358d0
SHA512

17901f13b4a26ff528587b099dee3d9c076d8ea7c042b0821faaf2daa0291e33859145ed6202adacd36dd68ea40d3d935d117c2279b752b63c07af23151e0917
SSDEEP

49152:p4lhGQJgTldHwqQlCBPOYu3fPEY+4s6Qiml3EwW/09F:SlI+mdQnCtOYu3fPr+Nt3IM9F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3012	haha014.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\orange-install.ico	52b39b547f6f7a4ecc80b9c0eac12ad7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3212	3012	WerFault.exe	91

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\Codepage = "65001"	52b39b547f6f7a4ecc80b9c0eac12ad7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\DisplayName = "°Ù¶È"	52b39b547f6f7a4ecc80b9c0eac12ad7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\URL = "http://www.baidu.com/s?wd={searchTerms}&tn=site888_1_pg&cl=3&ie=utf-8"	52b39b547f6f7a4ecc80b9c0eac12ad7.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\SearchScopes	52b39b547f6f7a4ecc80b9c0eac12ad7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{24588FA4-10F1-41D7-B19D-6E22361E47FA}"	52b39b547f6f7a4ecc80b9c0eac12ad7.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}	52b39b547f6f7a4ecc80b9c0eac12ad7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 3012	1788	52b39b547f6f7a4ecc80b9c0eac12ad7.exe	91
PID 1788 wrote to memory of 3012	1788	52b39b547f6f7a4ecc80b9c0eac12ad7.exe	91
PID 1788 wrote to memory of 3012	1788	52b39b547f6f7a4ecc80b9c0eac12ad7.exe	91

C:\Users\Admin\AppData\Local\Temp\52b39b547f6f7a4ecc80b9c0eac12ad7.exe
"C:\Users\Admin\AppData\Local\Temp\52b39b547f6f7a4ecc80b9c0eac12ad7.exe"
1⤵
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\nst6A34.tmp\haha014.exe
  C:\Users\Admin\AppData\Local\Temp\nst6A34.tmp\haha014.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 756
    3⤵
    - Program crash
    PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3012 -ip 3012
1⤵
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst6A34.tmp\haha014.exe

Filesize
1.4MB

MD5
2029026a229c155ded71a9bb3707fb4c

SHA1
48e7026b71b7b22c27a9f16b06d9d13b936898d6

SHA256
f32f0bc8b5b4414becf8ed2f653f8cd0fc3257e86de5b81c23120d4adcfe270f

SHA512
acda63e882ad8ad1c9f10d154f7194c1b1d68f7f614b36cfda68bcb5c935deb625bd7bbfb55837f41493352e1b72cd2f7a1da8b14839dcb2fc15397e9c2eb87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6A34.tmp\haha014.exe

Filesize
1.1MB

MD5
340ef2fdbabae7f479bbdf53035905c0

SHA1
d4b179e4cf2470a3e933fbcddf60a12d7f8132a6

SHA256
ecad338384cc92c98d64e0d1f3feaf9f8081abb8dcd291f3625822fdcd8c37e7

SHA512
87528cc57dfa97fc9b6b937e6713766e86aae74d463fdcd313b88eb869f3e1f3ecb1626978e30c312c383967aaf9ce624a4cae11b9bd1ad09895ba57f43019bc

Download Submit
memory/3012-6-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/3012-7-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download