Overview

overview

8

Static

static

3

hosts自�...up.exe

windows7-x64

8

hosts自�...up.exe

windows10-2004-x64

8

hosts自�...��.url

windows7-x64

1

hosts自�...��.url

windows10-2004-x64

1

Analysis

  • max time kernel
    141s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/01/2024, 19:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hosts自动更新工具/hostsup.exe

  • Size

    1.3MB

  • MD5

    c21960106da028ab79683b1734959d2f

  • SHA1

    c5f8ee61978422dfaba4a910c11136fad6ac3ea6

  • SHA256

    8245fbf6adfce62357bf92c6e4e12358e04ad7ea9b6b131fb30ba03eaa8c9443

  • SHA512

    d3629fe553eb4920731db4e05ad17e12f10691ff4a4a5e811de8701f0f8748335ce90c506934f82b813b0f6f2ee84710eca2aec7213df1444af8e111da01cc06

  • SSDEEP

    24576:vczJKVdfnx6G7Aa6lMr1SA3IreNbNhl88Vo5i+MgZPeScqzYcypZBecGnQ2J+x:vcAvx6GJ6lM1SaAeVl88Vo5qgcqzY7Zx

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 16 IoCs
  • Drops file in System32 directory 15 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 7 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hosts自动更新工具\hostsup.exe
    "C:\Users\Admin\AppData\Local\Temp\hosts自动更新工具\hostsup.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3296
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\hosts\hosts.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3528
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
          PID:2492
        • C:\Windows\SysWOW64\xcopy.exe
          xcopy /c /s /h /d /y c:\hosts\MSSOAP30.dll C:\windows\system32\
          3⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Enumerates system info in registry
          PID:2384
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          3⤵
            PID:1080
          • C:\Windows\SysWOW64\xcopy.exe
            xcopy /c /s /h /d /y c:\hosts\msxml4r.dll C:\windows\system32\
            3⤵
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Enumerates system info in registry
            PID:1752
          • C:\Windows\SysWOW64\xcopy.exe
            xcopy /c /s /h /d /y c:\hosts\msxml4.dll C:\windows\system32\
            3⤵
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Enumerates system info in registry
            PID:4604
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo y"
            3⤵
              PID:520
            • C:\Windows\SysWOW64\xcopy.exe
              xcopy /c /s /h /d /y c:\hosts\WINHTTP5.DLL C:\windows\system32\
              3⤵
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Enumerates system info in registry
              PID:2964
            • C:\Windows\SysWOW64\xcopy.exe
              xcopy /c /s /h /d /y c:\hosts\WISC30.dll C:\windows\system32\
              3⤵
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Enumerates system info in registry
              PID:3452
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              3⤵
                PID:1816
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo y"
                3⤵
                  PID:1932
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo y"
                  3⤵
                    PID:1296
                  • C:\Windows\SysWOW64\xcopy.exe
                    xcopy /c /s /h /d /y c:\hosts\MSSOAPR3.dll C:\windows\system32\
                    3⤵
                    • Drops file in System32 directory
                    • Drops file in Windows directory
                    • Enumerates system info in registry
                    PID:4868
                  • C:\Windows\SysWOW64\xcopy.exe
                    xcopy /c /s /h /d /y c:\hosts\hostsup.exe C:\windows\system32\wbem\
                    3⤵
                    • Drops file in System32 directory
                    • Enumerates system info in registry
                    PID:1600
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo y"
                    3⤵
                      PID:3512
                    • C:\Windows\SysWOW64\regsvr32.exe
                      RegSvr32 c:\Windows\System32\MSSOAP30.dll /s
                      3⤵
                      • Loads dropped DLL
                      • Modifies registry class
                      PID:1668
                    • C:\Windows\SysWOW64\regsvr32.exe
                      RegSvr32 c:\Windows\System32\MSSOAPR3.dll /s
                      3⤵
                      • Loads dropped DLL
                      PID:3964
                    • C:\Windows\SysWOW64\regsvr32.exe
                      RegSvr32 c:\Windows\System32\msxml4.dll /s
                      3⤵
                      • Loads dropped DLL
                      • Modifies registry class
                      PID:4664
                    • C:\Windows\SysWOW64\regsvr32.exe
                      RegSvr32 c:\Windows\System32\WINHTTP5.DLL /s
                      3⤵
                      • Loads dropped DLL
                      • Modifies registry class
                      PID:1344
                    • C:\Windows\SysWOW64\regsvr32.exe
                      RegSvr32 c:\Windows\System32\WISC30.dll /s
                      3⤵
                      • Loads dropped DLL
                      PID:4436
                    • C:\WINDOWS\SysWOW64\wbem\hostsup.exe
                      C:\WINDOWS\system32\wbem\hostsup.exe
                      3⤵
                      • Drops file in Drivers directory
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetWindowsHookEx
                      PID:5036

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\RGI7177.tmp
                  Filesize

                  13KB

                  MD5

                  ebb97e14bae904875dc8d81b14e0b302

                  SHA1

                  a2f1f59ff4e21016b83a9339ba665e52873c93ba

                  SHA256

                  04cee747869111519df599c57462e3559ced6145a74b961436830fdbc9a94294

                  SHA512

                  17de7557cb9eba97e7de7e07c0289f2eb81b911db28409ed7fc3187325b9b7efd2c8a68f4b322701720ce6718ec82ec8baf3840abb84800e94fefd77323d2632

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\RGI7271.tmp
                  Filesize

                  965B

                  MD5

                  833e6a34800eac4da9ba3b8b7830e220

                  SHA1

                  c0b5b21b1dcdc5f0c892ab8fde66d5bf5ff76ca9

                  SHA256

                  f1802ff1038969dff5111c155812fd0bc1793ed9fd59afbc63275cf539ee679a

                  SHA512

                  0e46a3efa3553909cb16e476aeef0347c7ad27abc818f1beea1b39a0428157ababc67b910e13033ada7af3775d1f5f37a8348c7de881d54740a4b4221130638c

                  Download Submit

                • C:\WINDOWS\SysWOW64\wbem\hostsup.exe
                  Filesize

                  448KB

                  MD5

                  44733d9cb04d497770257315d801efcc

                  SHA1

                  4cd0ccab7b7514da75a9d6a91ab9440af1e0a654

                  SHA256

                  52a9e5e82dfa659e3de9566e814021722c6c49d718b5d5d7e85ec87af34b34da

                  SHA512

                  8832107a5119a311f8f436b2e211e1698244f4794732b4044badbda892797b17bcf03882fd5556ced70894b1a5ff7683487cd4857ae2824bde3cd40c0d70bb1b

                  Download Submit

                • C:\Windows\SysWOW64\MSSOAP30.dll
                  Filesize

                  427KB

                  MD5

                  26479ad282b3217ab36560993f25ba70

                  SHA1

                  b689dff53771551e0bb75fe2584327596efeb3c4

                  SHA256

                  00feee373742308df9de9a064225ce367401ac96250deb0c9806f773c70ac789

                  SHA512

                  19327a4949c77fc1a083dcd715133994d920a7cdfa2799530cfe94d6b6f63268a9f0420bb6ec20a87832f7d7cd08bb0a515e25a8e500a03dd30f176a4f0c7de7

                  Download Submit

                • C:\Windows\SysWOW64\WINHTTP5.DLL
                  Filesize

                  284KB

                  MD5

                  1d030bf7c36f7998d3783af54eb0cf92

                  SHA1

                  b27c12c5cd60f25c33049a7a46db10e6640165e6

                  SHA256

                  a648e8e8b73a750007e73db5a6a0e39852498fcfb4ca587dbe16d19630ee54de

                  SHA512

                  bdd370b1a4b6db07fabbb688115d7d7c882662b892b8f88fad2600eead642ac899f3d9a9f637355b889e5d1dbe7409ccdc6ace5fd3d62e37fbec59e872b500da

                  Download Submit

                • C:\Windows\SysWOW64\msxml4.dll
                  Filesize

                  950KB

                  MD5

                  cf5ac041c3677c1f1f7c4a5cf21721f5

                  SHA1

                  e08a866c9e0e20c287cdcbf63905953584c6545d

                  SHA256

                  0108a6636d98b8322b4bfd2034ec26f6367e741fa5002fbe6e53c44812e56a34

                  SHA512

                  0bc6c44164a80c7038c488dedc23c151d153aabf6de433e82e02b8d4a2fbb6ac566933e0d8fe252bc7fb0cc5eea195e98507b797f76289a2fe46a6c788153931

                  Download Submit

                • C:\Windows\SysWOW64\msxml4.dll
                  Filesize

                  582KB

                  MD5

                  0e89e3f7a4891c354f8eae8d1bea62ba

                  SHA1

                  08c74c3acf30fb2e0abeaea2b981a4a34a612a7f

                  SHA256

                  037e576cb78c0ce15d7b448ffa9d4ad7666c42d28dd12aa200a09f06fa5fb50e

                  SHA512

                  1c1a55f2e3be3a5f1f9869859d64b3910f1eaacfc5497a0129dadb1d86b0ec3f3d907fb49f335092d0acb2b5ae1afd8ed7e0cb891d86ce76a60ce6f97bb8d95f

                  Download Submit

                • C:\Windows\SysWOW64\wbem\hostsup.exe
                  Filesize

                  752KB

                  MD5

                  669c79a14c7ad7598aba9301633cfe85

                  SHA1

                  4828022e53400e66d41bddb7e1c80fbc80c74c07

                  SHA256

                  03cc55df832221082f3fcc0f53bb5cd45e3108bdf0d03cf70d0cafef2554537e

                  SHA512

                  39bdcd1d8ca8bd3765e4e997b5653966e94505759bec74413dbc960a2716f1b059218a4ca44d0ae8cb50d12635826ab4f1af970b1a6b553a16fe69f4e9cf26a5

                  Download Submit

                • C:\Windows\SysWOW64\wbem\hostsup.exe
                  Filesize

                  450KB

                  MD5

                  23f3422da183f695663e0add206a4114

                  SHA1

                  8700c97757e6b25283c9aa99727ae6e6cd77570f

                  SHA256

                  d2348f88ed5d2601999a5cb9321c2b8879ab8059e83b9e0c56439b983bfcadce

                  SHA512

                  e6aeef31afad144f0a8bca68533369db7cf16f7dd7885852ace5747691f3d18dc67654dd0c92b012ef8bb356ebe320c64ab7936ece58e46a7554b9c9d57ae4f1

                  Download Submit

                • C:\hosts\MSSOAPR3.dll
                  Filesize

                  29KB

                  MD5

                  0180d57b4c0145c855369a9608022863

                  SHA1

                  a1b199c1e8eedfb5db68396e205818539e990fb3

                  SHA256

                  fb7fdc200117760ba28007aece7ed01c37a5570b4d88294511333c3609266bc0

                  SHA512

                  5abb4c1f2df003b1bd90277d15e5c6070eb5b199b40135673cf4f31a5239828b4cb5a57c3a2b0276031e7c2168e4fc903438605eeb6a808e2519094d8c13c814

                  Download Submit

                • C:\hosts\WISC30.dll
                  Filesize

                  90KB

                  MD5

                  b3f0f6f16a6e28e98daef67ebc172de0

                  SHA1

                  48b27f906c89868c98199487fbcdc228757ff347

                  SHA256

                  80d5b669e3eaa308f8a021fb399f050ceeb917919567c834477f4e21db5d948f

                  SHA512

                  39686459e7857358303067e2dc59bcd92850c17e3e91b3f9f801dadc4586a9bb16a1949a3dde089b0f1f5b8b03ce5d1455d0945edac64dac1c74490a20cc74f2

                  Download Submit

                • C:\hosts\hosts.bat
                  Filesize

                  810B

                  MD5

                  4de9325a6e13693d333ad9c66a271913

                  SHA1

                  985a5c4d2445719c0a540a1721140c80b3796fda

                  SHA256

                  bf30b5b5eac4cc90e4ca26115a4fb8b7da4a1ea34c7584d1f9c68b6d9e093b09

                  SHA512

                  cd4b250dede041d8148ce6cf1b6629a7f17d2e0953ec5d01efe096755a564f4d087496a7c58c9d4d976df5cac1c0d9f411d335098639b0fd94406acd9c186b02

                  Download Submit

                • C:\hosts\hostsup.exe
                  Filesize

                  756KB

                  MD5

                  ccc072684e4f7bee0ae666667e0429c4

                  SHA1

                  2e4e4c95a780d058e51d211445f9c775d9ef3841

                  SHA256

                  9c72bdf8222d10f66659effc757a50995985dcabd045b534cd03509db94689e0

                  SHA512

                  80641784fe6ef3f4167c30343f84fb42d37e8f3383a5bbde4e15aa123eda68719032440faaf5cb25bf5b3aec47ca2325465be5f5a682604821f5ae9b337819c4

                  Download Submit

                • C:\hosts\msxml4.dll
                  Filesize

                  1.2MB

                  MD5

                  0038c321f4322702a3b1532a7287fd82

                  SHA1

                  7314176c7228c5b000ec21ee479c50c22a1f67b5

                  SHA256

                  7fca0c82477671891b2384d1fc456bd0f273ae7fbf2bf49fe2bf75bd8c0a105c

                  SHA512

                  23474fd8d34e8a5d1f10ccbbc3a386656f1c263a13fa2d8a8634d6b3a5ecb473d40622e46fa4185a59c62a50527ac1ce93b50c00efa45599db3a7c697e5388a3

                  Download Submit

                • C:\hosts\msxml4r.dll
                  Filesize

                  80KB

                  MD5

                  cf34eec288a4c53e71602d5e0d65ef89

                  SHA1

                  b360c17666f748e424e1802e79b9c8fc827d754e

                  SHA256

                  4e75a8e8cbc8486cafc73b208532c6969c23731ecf0c93e66a4ac076136de750

                  SHA512

                  99a6ff9a7b45ba58e492e2850e1e2900c80cb7909e3dac6264da2e43fba8c69ec19291acf4aa1dce555cf5e779438eb52f2cfb32b860eab4fce7dcef84dacefb

                  Download Submit

                • \??\c:\Windows\SysWOW64\msxml4.dll
                  Filesize

                  670KB

                  MD5

                  f28e935ffcf0973a0c0871d6b6963e25

                  SHA1

                  4f45fad573b68796e81106a186971318c9984135

                  SHA256

                  2790a4c2787020f6889672c97bbb4d48e91ddb36da324b743895b587515761a2

                  SHA512

                  bae1b0d5c95df1a39d28ddcdf3401519a48f5a8c1f4bdaea4c74af746a283c9e576b106ff864344f0c97b7a745dbf1471e3f9142feaf42bbd4b29b02d79716e4

                  Download Submit

                • \??\c:\hosts\ieyouhua.ico
                  Filesize

                  9KB

                  MD5

                  c54da81eff73fb9067fd151e389b6706

                  SHA1

                  b816b70a37d197143e8a5899d60df735e1500ba8

                  SHA256

                  4ff4b4c7afc853ecf2f26abfe990bfd1833529a4027da7020e984091e0e11573

                  SHA512

                  cca2b8404551d3701adb01d1d1680c3442b7053db47584375cae71418a730b1eedce47a9fa38b48b0fd205f66d577a2c7370d5f6c3bde39749f79c8b343f18ab

                  Download Submit

                • memory/5036-87-0x00000000036E0000-0x000000000374E000-memory.dmp

                  Filesize

                  440KB

                  Download

                • memory/5036-92-0x00000000027E0000-0x00000000027F9000-memory.dmp

                  Filesize

                  100KB

                  Download