3cef3217e072ff075fc66d10cb78282937946c9d280f0c92b7f5d1248c589653

General

Target

7a324b43703d8911e3e4808ff138382e.exe
Size

152KB
MD5

7a324b43703d8911e3e4808ff138382e
SHA1

ffd5bec6a5c23f328cb0edf8f7cb7cd0c62eee75
SHA256

3cef3217e072ff075fc66d10cb78282937946c9d280f0c92b7f5d1248c589653
SHA512

167961720060d438c8f3d55653a7c02b3e7833de27a54c145822f4520a7ea13ce6df3211a75ce1a0cc1be2ffffec6731b44be8a4f54d60bc042fd7727f9be6df
SSDEEP

3072:orYJLQfPGKSrHtyoZu2ZNn5CmEhIAsdxn6sM0TZMl9VJdzh5vaBAzQTCv:MYefPSDtRV5CmEhIAsdxn6sM0TZMl9Vd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	7a324b43703d8911e3e4808ff138382e.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\MUI\iexplore.exe	7a324b43703d8911e3e4808ff138382e.exe
File opened for modification	C:\Program Files\Thunder\ComDlls	7a324b43703d8911e3e4808ff138382e.exe
File created	C:\Program Files\Thunder\ComDlls\1143\taobao.ico	7a324b43703d8911e3e4808ff138382e.exe
File created	C:\Program Files\Thunder\ComDlls\1143\game.ico	7a324b43703d8911e3e4808ff138382e.exe
File created	C:\Program Files\Thunder\ComDlls\1143\movie.ico	7a324b43703d8911e3e4808ff138382e.exe
File created	C:\Program Files\Thunder\ComDlls\1143\mm.ico	7a324b43703d8911e3e4808ff138382e.exe
File created	C:\Program Files\Thunder\ComDlls\1143\bubhlq.exe	7a324b43703d8911e3e4808ff138382e.exe
File created	C:\Program Files\Internet Explorer\MUI\iexplore.exe	7a324b43703d8911e3e4808ff138382e.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\WINDOWS\Downloaded Program Files\game.ico	7a324b43703d8911e3e4808ff138382e.exe
File created	C:\WINDOWS\Downloaded Program Files\mm.ico	7a324b43703d8911e3e4808ff138382e.exe
File created	C:\WINDOWS\Downloaded Program Files\movie.ico	7a324b43703d8911e3e4808ff138382e.exe
File created	C:\WINDOWS\Downloaded Program Files\taobao.ico	7a324b43703d8911e3e4808ff138382e.exe
File created	C:\WINDOWS\Downloaded Program Files\9pTV.exe	7a324b43703d8911e3e4808ff138382e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f0000006e00000001000000a0060000a00f000005000000220400002600000002000000a1060000a00f000004000000a10000000f02000003000000a10200003b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	7a324b43703d8911e3e4808ff138382e.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser	7a324b43703d8911e3e4808ff138382e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 130000000000000000000000300000001400000016000000010000000007000080010000030000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	7a324b43703d8911e3e4808ff138382e.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.msm4	7a324b43703d8911e3e4808ff138382e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\DefaultIcon	7a324b43703d8911e3e4808ff138382e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\open\command\ = "\"C:\\Program Files\\Thunder\\ComDlls\\1143\\bubhlq.exe\" \"%1\""	7a324b43703d8911e3e4808ff138382e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell	7a324b43703d8911e3e4808ff138382e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\open\command	7a324b43703d8911e3e4808ff138382e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shellex	7a324b43703d8911e3e4808ff138382e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shellex\ContextMenuHandlers	7a324b43703d8911e3e4808ff138382e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\IsShortcut	7a324b43703d8911e3e4808ff138382e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file	7a324b43703d8911e3e4808ff138382e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\open	7a324b43703d8911e3e4808ff138382e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.msm4\ = "msm4file"	7a324b43703d8911e3e4808ff138382e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shellex\ContextMenuHandlers\	7a324b43703d8911e3e4808ff138382e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\ = "open"	7a324b43703d8911e3e4808ff138382e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe,0"	7a324b43703d8911e3e4808ff138382e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\ = "¿ì½Ý·½Ê½"	7a324b43703d8911e3e4808ff138382e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\NeverShowExt	7a324b43703d8911e3e4808ff138382e.exe

C:\Users\Admin\AppData\Local\Temp\7a324b43703d8911e3e4808ff138382e.exe
"C:\Users\Admin\AppData\Local\Temp\7a324b43703d8911e3e4808ff138382e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Downloaded Program Files\9pTV.exe

Filesize
4KB

MD5
2456220224cd60483d3d29b7088c5b90

SHA1
d5f85919684d20fc09ca8c8bc2a1d05f572c0566

SHA256
99ffba54b51f896cfa69e77c85a53f9a818a0e38e9a9cd12ab84cfb1d32e8809

SHA512
9f685f4b8418eddeebac6a1e8d4add9c974e518fb7a472d7f8bb1cdfb9d8403d8228e5adb108b95e897f343f0933b97ff448b221928c257cc1e265bbc2369617

Download Submit
C:\b.txt

Filesize
231B

MD5
990de430a5325512998ce67a53bd1891

SHA1
0f377d36525f4816c95bf1c09001d745b15a79d1

SHA256
4690195576f4da71651363441b8ac897e1208987a21316fb77776823b6266b16

SHA512
879fe9e8aceccd1a0532bc5a1a36c6e68887bb2a963c47801ee1f87373e5d6e38de46b4f9604520c8ff0efd56a5eb968a534a99cc0f5c8f87bf2b68d816a701c

Download Submit

Analysis

Sharing