Resubmissions
07-02-2024 13:21
240207-qlmmrahhgr 6Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
07-02-2024 13:21
Static task
static1
Behavioral task
behavioral1
Sample
220509 - (Cabinet Meeting 2022)/Increasingly confident US is baiting China.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
220509 - (Cabinet Meeting 2022)/Increasingly confident US is baiting China.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
220509 - (Cabinet Meeting 2022)/libcef.dll
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
220509 - (Cabinet Meeting 2022)/libcef.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
220509 - (Cabinet Meeting 2022)/~.docx
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
220509 - (Cabinet Meeting 2022)/~.docx
Resource
win10v2004-20231222-en
General
-
Target
220509 - (Cabinet Meeting 2022)/Increasingly confident US is baiting China.exe
-
Size
397KB
-
MD5
c751af3a2b5e5085e0cf4a66a09480d9
-
SHA1
0d451c8ee760d3fdf1233b44b657dc10e0450bb6
-
SHA256
4761183bc8bff993a5551916eda73c84bb8f9eadd24c4c19587045bb91609a83
-
SHA512
bd88ea76db942b4fd865ed986be75d6df6a90d10f3600a4c3f330a0d7935b1906b536a2eb2cc0211dd199bf2a37440d0a8febbbe6c6ad9b9027e6e59c9511e01
-
SSDEEP
12288:n5RmQFpKMFeO7Blp/B8Z7QZLJZpT6672GbziER839l/d6LYE2B38jqLX:Z/l839l/ooEC
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graphics = "Rundll32.exe SHELL32.DLL,ShellExec_RunDLL C:\\Users\\Public\\Libraries\\Graphics\\AdobeLicensing.exe" reg.exe -
Executes dropped EXE 2 IoCs
pid Process 948 AdobeLicensing.exe 2084 AdobeLicensing.exe -
Loads dropped DLL 2 IoCs
pid Process 948 AdobeLicensing.exe 2084 AdobeLicensing.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3012 schtasks.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2704 reg.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2852 wrote to memory of 2704 2852 cmd.exe 32 PID 2852 wrote to memory of 2704 2852 cmd.exe 32 PID 2852 wrote to memory of 2704 2852 cmd.exe 32 PID 2852 wrote to memory of 2704 2852 cmd.exe 32 PID 1184 wrote to memory of 948 1184 taskeng.exe 37 PID 1184 wrote to memory of 948 1184 taskeng.exe 37 PID 1184 wrote to memory of 948 1184 taskeng.exe 37 PID 1184 wrote to memory of 948 1184 taskeng.exe 37 PID 1184 wrote to memory of 2084 1184 taskeng.exe 38 PID 1184 wrote to memory of 2084 1184 taskeng.exe 38 PID 1184 wrote to memory of 2084 1184 taskeng.exe 38 PID 1184 wrote to memory of 2084 1184 taskeng.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\220509 - (Cabinet Meeting 2022)\Increasingly confident US is baiting China.exe"C:\Users\Admin\AppData\Local\Temp\220509 - (Cabinet Meeting 2022)\Increasingly confident US is baiting China.exe"1⤵PID:3000
-
C:\Windows\SysWOW64\schtasks.exe/F /Create /TN Microsoft_Licensing /sc minute /MO 1 /TR C:\Users\Public\Libraries\Graphics\AdobeLicensing.exe2⤵
- Creates scheduled task(s)
PID:3012
-
-
C:\Windows\SysWOW64\cmd.exe/C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Graphics /t REG_SZ /d "Rundll32.exe SHELL32.DLL,ShellExec_RunDLL "C:\Users\Public\Libraries\Graphics\AdobeLicensing.exe"" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Graphics /t REG_SZ /d "Rundll32.exe SHELL32.DLL,ShellExec_RunDLL "C:\Users\Public\Libraries\Graphics\AdobeLicensing.exe"" /f3⤵
- Adds Run key to start application
- Modifies registry key
PID:2704
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {BF0F5514-ABFF-47A7-AC49-516549590C2C} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Users\Public\Libraries\Graphics\AdobeLicensing.exeC:\Users\Public\Libraries\Graphics\AdobeLicensing.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948
-
-
C:\Users\Public\Libraries\Graphics\AdobeLicensing.exeC:\Users\Public\Libraries\Graphics\AdobeLicensing.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
397KB
MD5c751af3a2b5e5085e0cf4a66a09480d9
SHA10d451c8ee760d3fdf1233b44b657dc10e0450bb6
SHA2564761183bc8bff993a5551916eda73c84bb8f9eadd24c4c19587045bb91609a83
SHA512bd88ea76db942b4fd865ed986be75d6df6a90d10f3600a4c3f330a0d7935b1906b536a2eb2cc0211dd199bf2a37440d0a8febbbe6c6ad9b9027e6e59c9511e01
-
Filesize
190KB
MD5268d61837aa248c1d49a973612a129ce
SHA11da0d7053ace976847cc2c9ff783743195178013
SHA256966ab1c468e3fc7d8d8b2d73a9ca9a85d352a0db8043c5eab36dd304a5915812
SHA512ec9015ffb5d7f5b545ce30f91314de961757c1f885ef3a66a7b918418f48cfbe38dcfa9d2ac9c8969469560d50696a55c8a9d5b55f58f675e1248b7328ccbcaa