a5de2d43ad63dc2314c5823b3a9ecd0eec43057a38016e8f541a5495c0312675

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hosts自动更新工具/hostsup.exe
Size

1.3MB
MD5

c21960106da028ab79683b1734959d2f
SHA1

c5f8ee61978422dfaba4a910c11136fad6ac3ea6
SHA256

8245fbf6adfce62357bf92c6e4e12358e04ad7ea9b6b131fb30ba03eaa8c9443
SHA512

d3629fe553eb4920731db4e05ad17e12f10691ff4a4a5e811de8701f0f8748335ce90c506934f82b813b0f6f2ee84710eca2aec7213df1444af8e111da01cc06
SSDEEP

24576:vczJKVdfnx6G7Aa6lMr1SA3IreNbNhl88Vo5i+MgZPeScqzYcypZBecGnQ2J+x:vcAvx6GJ6lM1SaAeVl88Vo5qgcqzY7Zx

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	hostsup.exe

Executes dropped EXE 1 IoCs

pid	Process
2888	hostsup.exe

Loads dropped DLL 14 IoCs

pid	Process
2544	regsvr32.exe
2544	regsvr32.exe
292	regsvr32.exe
1008	regsvr32.exe
1140	regsvr32.exe
2784	regsvr32.exe
2784	regsvr32.exe
2608	cmd.exe
2888	hostsup.exe
2888	hostsup.exe
2888	hostsup.exe
2888	hostsup.exe
2888	hostsup.exe
2888	hostsup.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\msxml4.dll	xcopy.exe
File created	C:\windows\SysWOW64\WISC30.dll	xcopy.exe
File created	C:\windows\SysWOW64\wbem\hostsup.exe	xcopy.exe
File opened for modification	C:\windows\SysWOW64\MSSOAP30.dll	xcopy.exe
File created	C:\windows\SysWOW64\WINHTTP5.DLL	xcopy.exe
File opened for modification	C:\windows\SysWOW64\WISC30.dll	xcopy.exe
File opened for modification	C:\windows\SysWOW64\wbem	xcopy.exe
File created	C:\windows\SysWOW64\MSSOAPR3.dll	xcopy.exe
File opened for modification	C:\windows\SysWOW64\MSSOAPR3.dll	xcopy.exe
File opened for modification	C:\windows\SysWOW64\msxml4r.dll	xcopy.exe
File opened for modification	C:\windows\SysWOW64\WINHTTP5.DLL	xcopy.exe
File created	C:\windows\SysWOW64\MSSOAP30.dll	xcopy.exe
File opened for modification	C:\windows\SysWOW64\msxml4.dll	xcopy.exe
File created	C:\windows\SysWOW64\msxml4r.dll	xcopy.exe
File opened for modification	C:\windows\SysWOW64\wbem\hostsup.exe	xcopy.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64	xcopy.exe
File opened for modification	C:\windows\SysWOW64	xcopy.exe
File opened for modification	C:\windows\SysWOW64	xcopy.exe
File opened for modification	C:\windows\SysWOW64	xcopy.exe
File opened for modification	C:\windows\SysWOW64	xcopy.exe
File opened for modification	C:\windows\SysWOW64	xcopy.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	regsvr32.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7E00C3F-D6C7-4E53-9887-61A2D4EBF0E8}\InprocServer32\ = "c:\\Windows\\SysWow64\\MSSOAP30.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88d969c3-f192-11d4-a65f-0040963251e5}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C92A03CF-B92B-404F-9AC5-58664A592E4C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E6CDFEF-4C42-411B-BACA-FE96F7A13C04}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABAADE34-EEF6-408A-8896-65BE669D27FA}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0BBA669-55F7-4E9C-941E-49BC4715C834}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88d969c6-f192-11d4-a65f-0040963251e5}\ = "Server XML HTTP 4.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91147A58-DFE4-47C0-8E76-987FC1A6001B}\3.0\ = "Microsoft Soap Type Library (v3.0)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85E6E71-1493-442F-BC97-B511BE0D5D96}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1E6061A-F8DC-4CA8-A952-FAF7419F1029}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23BDF2B5-2304-4550-BBE2-F197E2CC47B6}\TypeLib\ = "{91147A58-DFE4-47C0-8E76-987FC1A6001B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88d969ca-f192-11d4-a65f-0040963251e5}\InProcServer32\ = "%SystemRoot%\\SysWow64\\msxml4.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A2C40FB2-B768-4EC8-809A-6ECB4B89C6A7}\TypeLib\ = "{91147A58-DFE4-47C0-8E76-987FC1A6001B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49F9421C-DC88-43E1-825F-70E788E9A9A9}\TypeLib\Version = "3.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0871607-8C99-4824-92CD-85CBD4C7273F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88d969ca-f192-11d4-a65f-0040963251e5}\ = "SAXAttributes 4.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSOAP.HttpConnector30	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSOAP.FileAttachment30	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{52088645-8E96-4C18-8621-B46611635303}\ = "IByteArrayAttachment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00b7e0ab-817a-44ad-a04b-d1148d524136}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05AE7FB3-C4E9-4F79-A5C3-DAB525E31F2C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8004A743-6A1E-45E4-B2E2-A6D117F06008}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AF40C50-9257-11D5-87EA-00B0D0BE6479}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8D986B6-9257-11D5-87EA-00B0D0BE6479}\ = "MSSOAP30.DLL SoapReader class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{52088645-8E96-4C18-8621-B46611635303}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AF40C4E-9257-11D5-87EA-00B0D0BE6479}\TypeLib\ = "{91147A58-DFE4-47C0-8E76-987FC1A6001B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88d969c2-f192-11d4-a65f-0040963251e5}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ABAADE34-EEF6-408A-8896-65BE669D27FA}\TypeLib\Version = "3.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3F8BAA5-8A05-4641-91CE-3FBC533D1EDB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{104F6816-093E-41D7-A68B-8E1CC408B279}\TypeLib\ = "{91147A58-DFE4-47C0-8E76-987FC1A6001B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AF40C4E-9257-11D5-87EA-00B0D0BE6479}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AF40C4E-9257-11D5-87EA-00B0D0BE6479}\TypeLib\ = "{91147A58-DFE4-47C0-8E76-987FC1A6001B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F8BAA5-8A05-4641-91CE-3FBC533D1EDB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE523FD4-AFB8-4643-BA90-9DEB3C7FB4A3}\ = "IWSDLReader"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Msxml2.FreeThreadedDOMDocument.4.0\CLSID\ = "{88d969c1-f192-11d4-a65f-0040963251e5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88d969d6-f192-11d4-a65f-0040963251e5}\ = "MXNamespaceManager 4.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D602A27-DC39-45D6-A6B1-7003DE2E173C}\ = "Microsoft SOAP Simple Message Parser class version 3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{176B81CD-4F22-4CA0-9F54-9FE5935A595B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0C9F1C0-0039-427B-8ACC-AD172FE557A8}\TypeLib\Version = "3.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{663EB158-8D95-4657-AE32-B7C60DE6122F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F017F97-9257-11D5-87EA-00B0D0BE6479}\InProcServer32\ = "c:\\Windows\\SysWow64\\MSSOAP30.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7F017F94-9257-11D5-87EA-00B0D0BE6479}\ = "ISoapError"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0871607-8C99-4824-92CD-85CBD4C7273F}\TypeLib\Version = "3.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF90A70C-925B-11D5-87EA-00B0D0BE6479}\TypeLib\ = "{91147A58-DFE4-47C0-8E76-987FC1A6001B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AF40C4E-9257-11D5-87EA-00B0D0BE6479}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AF40C50-9257-11D5-87EA-00B0D0BE6479}\TypeLib\Version = "3.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0871607-8C99-4824-92CD-85CBD4C7273F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C92A03CF-B92B-404F-9AC5-58664A592E4C}\5.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{906A72B9-FF88-4A49-AFA2-CC4CAB5104EC}\ = "IMessageComposer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ABAADE34-EEF6-408A-8896-65BE669D27FA}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70824404-7A18-412A-9A83-A9EC0F3FF045}\ = "ISimpleComposer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE523FD4-AFB8-4643-BA90-9DEB3C7FB4A3}\TypeLib\ = "{91147A58-DFE4-47C0-8E76-987FC1A6001B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F017F94-9257-11D5-87EA-00B0D0BE6479}\ = "ISoapError"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88d969c5-f192-11d4-a65f-0040963251e5}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88d969c2-f192-11d4-a65f-0040963251e5}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0AF40C58-9257-11D5-87EA-00B0D0BE6479}\ProgID\ = "MSSOAP.ConnectorFactory30"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E62C4B1-EE0C-48FB-9161-3EE041A03153}\ = "IComposerDestination"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABAADE34-EEF6-408A-8896-65BE669D27FA}\TypeLib\ = "{91147A58-DFE4-47C0-8E76-987FC1A6001B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D40B730-F5FA-472C-8819-DDCD183BD0DE}\TypeLib\Version = "3.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSOAP.WinInetConnector30\Clsid\ = "{0AF40C54-9257-11D5-87EA-00B0D0BE6479}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0AF40C53-9257-11D5-87EA-00B0D0BE6479}\TypeLib\ = "{91147A58-DFE4-47C0-8E76-987FC1A6001B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A51A663-4790-4885-B0E4-124D4BDADB3E}	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	1008	regsvr32.exe
Token: SeRestorePrivilege	1008	regsvr32.exe
Token: SeRestorePrivilege	1008	regsvr32.exe
Token: SeRestorePrivilege	1008	regsvr32.exe
Token: SeRestorePrivilege	1008	regsvr32.exe
Token: SeRestorePrivilege	1008	regsvr32.exe
Token: SeRestorePrivilege	1008	regsvr32.exe
Token: SeRestorePrivilege	1140	regsvr32.exe
Token: SeRestorePrivilege	1140	regsvr32.exe
Token: SeRestorePrivilege	1140	regsvr32.exe
Token: SeRestorePrivilege	1140	regsvr32.exe
Token: SeRestorePrivilege	1140	regsvr32.exe
Token: SeRestorePrivilege	1140	regsvr32.exe
Token: SeRestorePrivilege	1140	regsvr32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2888	hostsup.exe
2888	hostsup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2608	1888	hostsup.exe	28
PID 1888 wrote to memory of 2608	1888	hostsup.exe	28
PID 1888 wrote to memory of 2608	1888	hostsup.exe	28
PID 1888 wrote to memory of 2608	1888	hostsup.exe	28
PID 1888 wrote to memory of 2608	1888	hostsup.exe	28
PID 1888 wrote to memory of 2608	1888	hostsup.exe	28
PID 1888 wrote to memory of 2608	1888	hostsup.exe	28
PID 2608 wrote to memory of 2712	2608	cmd.exe	30
PID 2608 wrote to memory of 2712	2608	cmd.exe	30
PID 2608 wrote to memory of 2712	2608	cmd.exe	30
PID 2608 wrote to memory of 2712	2608	cmd.exe	30
PID 2608 wrote to memory of 2712	2608	cmd.exe	30
PID 2608 wrote to memory of 2712	2608	cmd.exe	30
PID 2608 wrote to memory of 2712	2608	cmd.exe	30
PID 2608 wrote to memory of 2728	2608	cmd.exe	31
PID 2608 wrote to memory of 2728	2608	cmd.exe	31
PID 2608 wrote to memory of 2728	2608	cmd.exe	31
PID 2608 wrote to memory of 2728	2608	cmd.exe	31
PID 2608 wrote to memory of 2728	2608	cmd.exe	31
PID 2608 wrote to memory of 2728	2608	cmd.exe	31
PID 2608 wrote to memory of 2728	2608	cmd.exe	31
PID 2608 wrote to memory of 2612	2608	cmd.exe	32
PID 2608 wrote to memory of 2612	2608	cmd.exe	32
PID 2608 wrote to memory of 2612	2608	cmd.exe	32
PID 2608 wrote to memory of 2612	2608	cmd.exe	32
PID 2608 wrote to memory of 2612	2608	cmd.exe	32
PID 2608 wrote to memory of 2612	2608	cmd.exe	32
PID 2608 wrote to memory of 2612	2608	cmd.exe	32
PID 2608 wrote to memory of 2596	2608	cmd.exe	33
PID 2608 wrote to memory of 2596	2608	cmd.exe	33
PID 2608 wrote to memory of 2596	2608	cmd.exe	33
PID 2608 wrote to memory of 2596	2608	cmd.exe	33
PID 2608 wrote to memory of 2596	2608	cmd.exe	33
PID 2608 wrote to memory of 2596	2608	cmd.exe	33
PID 2608 wrote to memory of 2596	2608	cmd.exe	33
PID 2608 wrote to memory of 2704	2608	cmd.exe	34
PID 2608 wrote to memory of 2704	2608	cmd.exe	34
PID 2608 wrote to memory of 2704	2608	cmd.exe	34
PID 2608 wrote to memory of 2704	2608	cmd.exe	34
PID 2608 wrote to memory of 2704	2608	cmd.exe	34
PID 2608 wrote to memory of 2704	2608	cmd.exe	34
PID 2608 wrote to memory of 2704	2608	cmd.exe	34
PID 2608 wrote to memory of 2668	2608	cmd.exe	35
PID 2608 wrote to memory of 2668	2608	cmd.exe	35
PID 2608 wrote to memory of 2668	2608	cmd.exe	35
PID 2608 wrote to memory of 2668	2608	cmd.exe	35
PID 2608 wrote to memory of 2668	2608	cmd.exe	35
PID 2608 wrote to memory of 2668	2608	cmd.exe	35
PID 2608 wrote to memory of 2668	2608	cmd.exe	35
PID 2608 wrote to memory of 2500	2608	cmd.exe	36
PID 2608 wrote to memory of 2500	2608	cmd.exe	36
PID 2608 wrote to memory of 2500	2608	cmd.exe	36
PID 2608 wrote to memory of 2500	2608	cmd.exe	36
PID 2608 wrote to memory of 2500	2608	cmd.exe	36
PID 2608 wrote to memory of 2500	2608	cmd.exe	36
PID 2608 wrote to memory of 2500	2608	cmd.exe	36
PID 2608 wrote to memory of 2660	2608	cmd.exe	37
PID 2608 wrote to memory of 2660	2608	cmd.exe	37
PID 2608 wrote to memory of 2660	2608	cmd.exe	37
PID 2608 wrote to memory of 2660	2608	cmd.exe	37
PID 2608 wrote to memory of 2660	2608	cmd.exe	37
PID 2608 wrote to memory of 2660	2608	cmd.exe	37
PID 2608 wrote to memory of 2660	2608	cmd.exe	37
PID 2608 wrote to memory of 2936	2608	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\hosts自动更新工具\hostsup.exe
"C:\Users\Admin\AppData\Local\Temp\hosts自动更新工具\hostsup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\hosts\hosts.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /c /s /h /d /y c:\hosts\MSSOAP30.dll C:\windows\system32\
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Enumerates system info in registry
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /c /s /h /d /y c:\hosts\MSSOAPR3.dll C:\windows\system32\
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Enumerates system info in registry
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /c /s /h /d /y c:\hosts\msxml4.dll C:\windows\system32\
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Enumerates system info in registry
    PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /c /s /h /d /y c:\hosts\msxml4r.dll C:\windows\system32\
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Enumerates system info in registry
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /c /s /h /d /y c:\hosts\WINHTTP5.DLL C:\windows\system32\
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Enumerates system info in registry
    PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /c /s /h /d /y c:\hosts\WISC30.dll C:\windows\system32\
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Enumerates system info in registry
    PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /c /s /h /d /y c:\hosts\hostsup.exe C:\windows\system32\wbem\
    3⤵
    - Drops file in System32 directory
    - Enumerates system info in registry
    PID:2484
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32 c:\Windows\System32\MSSOAP30.dll /s
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2544
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32 c:\Windows\System32\MSSOAPR3.dll /s
    3⤵
    - Loads dropped DLL
    PID:292
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32 c:\Windows\System32\msxml4.dll /s
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32 c:\Windows\System32\WINHTTP5.DLL /s
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32 c:\Windows\System32\WISC30.dll /s
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2784
- - C:\WINDOWS\SysWOW64\wbem\hostsup.exe
    C:\WINDOWS\system32\wbem\hostsup.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RGI97BD.tmp

Filesize
13KB

MD5
ebb97e14bae904875dc8d81b14e0b302

SHA1
a2f1f59ff4e21016b83a9339ba665e52873c93ba

SHA256
04cee747869111519df599c57462e3559ced6145a74b961436830fdbc9a94294

SHA512
17de7557cb9eba97e7de7e07c0289f2eb81b911db28409ed7fc3187325b9b7efd2c8a68f4b322701720ce6718ec82ec8baf3840abb84800e94fefd77323d2632

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGI9A2D.tmp

Filesize
965B

MD5
833e6a34800eac4da9ba3b8b7830e220

SHA1
c0b5b21b1dcdc5f0c892ab8fde66d5bf5ff76ca9

SHA256
f1802ff1038969dff5111c155812fd0bc1793ed9fd59afbc63275cf539ee679a

SHA512
0e46a3efa3553909cb16e476aeef0347c7ad27abc818f1beea1b39a0428157ababc67b910e13033ada7af3775d1f5f37a8348c7de881d54740a4b4221130638c

Download Submit
C:\Windows\SysWOW64\MSSOAPR3.dll

Filesize
29KB

MD5
0180d57b4c0145c855369a9608022863

SHA1
a1b199c1e8eedfb5db68396e205818539e990fb3

SHA256
fb7fdc200117760ba28007aece7ed01c37a5570b4d88294511333c3609266bc0

SHA512
5abb4c1f2df003b1bd90277d15e5c6070eb5b199b40135673cf4f31a5239828b4cb5a57c3a2b0276031e7c2168e4fc903438605eeb6a808e2519094d8c13c814

Download Submit
C:\Windows\SysWOW64\WISC30.dll

Filesize
90KB

MD5
b3f0f6f16a6e28e98daef67ebc172de0

SHA1
48b27f906c89868c98199487fbcdc228757ff347

SHA256
80d5b669e3eaa308f8a021fb399f050ceeb917919567c834477f4e21db5d948f

SHA512
39686459e7857358303067e2dc59bcd92850c17e3e91b3f9f801dadc4586a9bb16a1949a3dde089b0f1f5b8b03ce5d1455d0945edac64dac1c74490a20cc74f2

Download Submit
C:\hosts\MSSOAP30.dll

Filesize
427KB

MD5
26479ad282b3217ab36560993f25ba70

SHA1
b689dff53771551e0bb75fe2584327596efeb3c4

SHA256
00feee373742308df9de9a064225ce367401ac96250deb0c9806f773c70ac789

SHA512
19327a4949c77fc1a083dcd715133994d920a7cdfa2799530cfe94d6b6f63268a9f0420bb6ec20a87832f7d7cd08bb0a515e25a8e500a03dd30f176a4f0c7de7

Download Submit
C:\hosts\WINHTTP5.DLL

Filesize
284KB

MD5
1d030bf7c36f7998d3783af54eb0cf92

SHA1
b27c12c5cd60f25c33049a7a46db10e6640165e6

SHA256
a648e8e8b73a750007e73db5a6a0e39852498fcfb4ca587dbe16d19630ee54de

SHA512
bdd370b1a4b6db07fabbb688115d7d7c882662b892b8f88fad2600eead642ac899f3d9a9f637355b889e5d1dbe7409ccdc6ace5fd3d62e37fbec59e872b500da

Download Submit
C:\hosts\hosts.bat

Filesize
810B

MD5
4de9325a6e13693d333ad9c66a271913

SHA1
985a5c4d2445719c0a540a1721140c80b3796fda

SHA256
bf30b5b5eac4cc90e4ca26115a4fb8b7da4a1ea34c7584d1f9c68b6d9e093b09

SHA512
cd4b250dede041d8148ce6cf1b6629a7f17d2e0953ec5d01efe096755a564f4d087496a7c58c9d4d976df5cac1c0d9f411d335098639b0fd94406acd9c186b02

Download Submit
C:\hosts\hostsup.exe

Filesize
2.4MB

MD5
e2c1ddffec5345c37d582b3cedebdc71

SHA1
13ec5ec984d25a4de7b931a76ea140b293c07e1b

SHA256
fc9ae8df99ff7b44a4b0c9d0d6a9ecc1ea8dfd5948606be0b143c64b520fb891

SHA512
05df97ebcfe7da9a5b9a4f9632914cc87a85af0f43c0abda8c6146c672518ed845f3304c8a3875d2b4b42cf32c3082580ea6837170caa000b1d1f03b56a5c0ef

Download Submit
C:\hosts\msxml4.dll

Filesize
1.2MB

MD5
1587f0517603793588035eaca5b3450f

SHA1
e81121e3544cde9891797dcae6768e0b7bb72b98

SHA256
83206377ad3c28a1cc9f11ec0bfd6ef0abd196ee999f556074ff885f29ed99f1

SHA512
c20146836a4e0d971747aa9f8d22375e7464480f243e9bd001e51acc1ee3565e6dd7aa1e1f7a0c442f6a5274a08fe2a42a8c039b2666eed737c1b973a616ec57

Download Submit
C:\hosts\msxml4r.dll

Filesize
80KB

MD5
cf34eec288a4c53e71602d5e0d65ef89

SHA1
b360c17666f748e424e1802e79b9c8fc827d754e

SHA256
4e75a8e8cbc8486cafc73b208532c6969c23731ecf0c93e66a4ac076136de750

SHA512
99a6ff9a7b45ba58e492e2850e1e2900c80cb7909e3dac6264da2e43fba8c69ec19291acf4aa1dce555cf5e779438eb52f2cfb32b860eab4fce7dcef84dacefb

Download Submit
\??\c:\hosts\ieyouhua.ico

Filesize
9KB

MD5
c54da81eff73fb9067fd151e389b6706

SHA1
b816b70a37d197143e8a5899d60df735e1500ba8

SHA256
4ff4b4c7afc853ecf2f26abfe990bfd1833529a4027da7020e984091e0e11573

SHA512
cca2b8404551d3701adb01d1d1680c3442b7053db47584375cae71418a730b1eedce47a9fa38b48b0fd205f66d577a2c7370d5f6c3bde39749f79c8b343f18ab

Download Submit
memory/2544-56-0x0000000000210000-0x000000000027E000-memory.dmp

Filesize
440KB

Download
memory/2784-83-0x0000000000190000-0x00000000001A9000-memory.dmp

Filesize
100KB

Download
memory/2888-93-0x0000000000CB0000-0x0000000000D1E000-memory.dmp

Filesize
440KB

Download
memory/2888-96-0x0000000000320000-0x0000000000339000-memory.dmp

Filesize
100KB

Download