217c2d2da19684d59ca61bb6ce6032caffb899e006890ec946fba0f275dc73ce

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

993d70d947853967556274adc8f20e05.exe
Size

1.6MB
MD5

993d70d947853967556274adc8f20e05
SHA1

71ebe248007ff4ff38e71032685f37ee21342678
SHA256

217c2d2da19684d59ca61bb6ce6032caffb899e006890ec946fba0f275dc73ce
SHA512

28bdb57e6c6be63e03a784719f252d22c7fa0a32f2404fde01f9756f8893fb1f8795377150a31a4404feff613af26c596af671ed7c1c710669b1b144c6b3aecd
SSDEEP

49152:IfrxeAbi3bgkjfB6mII4hEfffJLa79qK2XfZ7HSbNuA9okDWsPqd6mxBcdiW5D5+:Ile/UyUKzHz0D2

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2756	crp84DA.exe
2560	uti8BB0.exe
3024	crp8EFD.exe
564	bdg8FB2.tmp

Loads dropped DLL 10 IoCs

pid	Process
1204	993d70d947853967556274adc8f20e05.exe
1204	993d70d947853967556274adc8f20e05.exe
1204	993d70d947853967556274adc8f20e05.exe
1204	993d70d947853967556274adc8f20e05.exe
3024	crp8EFD.exe
3024	crp8EFD.exe
564	bdg8FB2.tmp
564	bdg8FB2.tmp
564	bdg8FB2.tmp
564	bdg8FB2.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000018af3-40.dat	upx
behavioral1/memory/1204-46-0x0000000004480000-0x0000000004594000-memory.dmp	upx
behavioral1/files/0x0006000000018af3-47.dat	upx
behavioral1/memory/3024-48-0x0000000000400000-0x0000000000514000-memory.dmp	upx
behavioral1/memory/3024-70-0x0000000000400000-0x0000000000514000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hao123Setting = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdg906E.exe http://br.hao123.com/?tn=epom_pay_hp_01_hao123_br"	crp8EFD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	crp8EFD.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://br.hao123.com/?tn=epom_pay_hp_01_hao123_br"	crp8EFD.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	bdg8FB2.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	bdg8FB2.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	bdg8FB2.tmp

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2560	uti8BB0.exe
2560	uti8BB0.exe
3024	crp8EFD.exe
3024	crp8EFD.exe
564	bdg8FB2.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2756	crp84DA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe
2756	crp84DA.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2756	crp84DA.exe
2756	crp84DA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2756	1204	993d70d947853967556274adc8f20e05.exe	29
PID 1204 wrote to memory of 2756	1204	993d70d947853967556274adc8f20e05.exe	29
PID 1204 wrote to memory of 2756	1204	993d70d947853967556274adc8f20e05.exe	29
PID 1204 wrote to memory of 2756	1204	993d70d947853967556274adc8f20e05.exe	29
PID 1204 wrote to memory of 2756	1204	993d70d947853967556274adc8f20e05.exe	29
PID 1204 wrote to memory of 2756	1204	993d70d947853967556274adc8f20e05.exe	29
PID 1204 wrote to memory of 2756	1204	993d70d947853967556274adc8f20e05.exe	29
PID 1204 wrote to memory of 2560	1204	993d70d947853967556274adc8f20e05.exe	30
PID 1204 wrote to memory of 2560	1204	993d70d947853967556274adc8f20e05.exe	30
PID 1204 wrote to memory of 2560	1204	993d70d947853967556274adc8f20e05.exe	30
PID 1204 wrote to memory of 2560	1204	993d70d947853967556274adc8f20e05.exe	30
PID 1204 wrote to memory of 2560	1204	993d70d947853967556274adc8f20e05.exe	30
PID 1204 wrote to memory of 2560	1204	993d70d947853967556274adc8f20e05.exe	30
PID 1204 wrote to memory of 2560	1204	993d70d947853967556274adc8f20e05.exe	30
PID 1204 wrote to memory of 3024	1204	993d70d947853967556274adc8f20e05.exe	32
PID 1204 wrote to memory of 3024	1204	993d70d947853967556274adc8f20e05.exe	32
PID 1204 wrote to memory of 3024	1204	993d70d947853967556274adc8f20e05.exe	32
PID 1204 wrote to memory of 3024	1204	993d70d947853967556274adc8f20e05.exe	32
PID 3024 wrote to memory of 564	3024	crp8EFD.exe	33
PID 3024 wrote to memory of 564	3024	crp8EFD.exe	33
PID 3024 wrote to memory of 564	3024	crp8EFD.exe	33
PID 3024 wrote to memory of 564	3024	crp8EFD.exe	33
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18
PID 564 wrote to memory of 1308	564	bdg8FB2.tmp	18

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1308
- C:\Users\Admin\AppData\Local\Temp\993d70d947853967556274adc8f20e05.exe
  "C:\Users\Admin\AppData\Local\Temp\993d70d947853967556274adc8f20e05.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Users\Admin\AppData\Local\Temp\crp84DA.exe
    "C:\Users\Admin\AppData\Local\Temp\crp84DA.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2756
- - C:\Users\Admin\AppData\Local\Temp\uti8BB0.exe
    -home -home2 -et -channel 169741 -spff
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\crp8EFD.exe
    "C:\Users\Admin\AppData\Local\Temp\crp8EFD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\bdg8FB2.tmp
      -install -tn=tn=epom_pay_sc_01_hao123_br
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b2e49db0dc42e1748d3b65f7c80963b

SHA1
eadb6d0cf65e2e02cf18319fc101ab14b0100b6c

SHA256
a80278f3df7bbb06102cec60f55cf4d4ad9abeff893044d045e0afd83abce063

SHA512
e1d702c9a7cc4d053b6aa3beacb7dc9532c1dbfc0937a3a17ca6bc7492cc44840bcf41bb12a8e24503ff919c53fd9a23e18586fdf1aa6f67db23a6117d638390

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
679d2e23eafb810a117190b3197517a8

SHA1
532adcead8740ae2ceebab437eda2d53f6f0ca12

SHA256
8a8f195e38b302db782feae853bd5f32b69bd09f8789b61c94cab8631b65beef

SHA512
cf3d73b40f3297ce6fc1dda9afa37d24f8919ca404a9c7930347126f3ba91c6ccdafa2f6f0f0ce96d4c99f9d43f6f4420c1dea81f60b5bb421b6783c5102f94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab957C.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar961B.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdg8FB2.tmp

Filesize
565KB

MD5
0f584cb3450521550b9deaef6b9b5f30

SHA1
cedaa4dfcd6b915dc39f3bb8d6fba4aa904077cc

SHA256
2d8d18711fdb516c4dcca60aa8437b127416ac0cd0f0caa089f8b9699f4ac167

SHA512
b584fe9ba75dd8eddb3fc82472f01677b47663631fae51f995c78c140410e017ef37741a15f75ca473892dc015cbd62ffb283718bddbf148fec1324f837949a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\crp8EFD.exe

Filesize
271KB

MD5
1532670c79b51ab6c26e646bed3c6337

SHA1
039917ae5aed6aa147d3d2a3955e7491e5af3abd

SHA256
78dac2da249ab027998a06a68b6c1b2bea92695045bca09b4154103adf115131

SHA512
101aaf13e833b2b1a41246c2d9b5af8b6927c72e36a7cfc0b6b515e0a5a17cac0996bb7c29cfb705ffdfc098c6c43b1f9e521926e23f2b0dac00d50daffd163a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hao123Config.xml

Filesize
362B

MD5
3b7815c41e181da969e7291394a05921

SHA1
e06652c6943f276190407020f17e898c8faea74f

SHA256
ba6f5e311e458f0946905cbda15724acbc4f611a8d59d3ae3767e7461bf1bb3b

SHA512
538a73b8b00decb3564bae86f0bdb1d7de91dffc7cf578fb6052b8be33d518a210c78e10f87f0dcab51eae1ba0d609f3974b404ac0ad4331ab0a88f2c0f675d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Hao123.lnk

Filesize
944B

MD5
7720d1bb1ce4daedc58b9ccc1cb62eb8

SHA1
71a5d0533f2c8e46ef8f3a594dd0fee8aede14e4

SHA256
50aba614f2c77d4afed49754241508d836a2978170fbf672d401d0d21c5d3c9d

SHA512
b6a3357d60464e2f09a1998e8af4906ca86c6a558de40d8c87b8caca5602ab39a1c6cca233232454e12fc0f7af25202f118f8ba4bb55c8a85069155c7791429f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\prefs.js

Filesize
6KB

MD5
fa68f7704038aee7490636b14768443d

SHA1
d336f40227f86e72a5ffab3036b362b1f4a97767

SHA256
19576189e5a8cafc4e1775978fd41df23e822d192a19e0b52f576dc8f25a6aae

SHA512
81ea4947f2a28ea2a58097668b9c3de4e1a20d39fd6a1f1968dcbeb6689ac36432e1d7dfed63b2c886525e5533a71d86cebad4b496618b3cb2efff2c14875a5f

Download Submit
\Users\Admin\AppData\Local\Temp\crp84DA.exe

Filesize
805KB

MD5
9426b74223a014f2c2fe014a552fa09d

SHA1
1e9a21843930d02da8a47123d6441cf17917630f

SHA256
5d0eca3977574fe7e996e59ca0419189b313bce57e70bd0374bfd428a580d7f0

SHA512
8dfa2cfbb017ac7148e3d4a5ce73a813d78834b6029a81a7051e98a187bd5747d1b4b16f4c02d92816efc4c32e5b389839bd03c2547bdad1707badd01dbbe265

Download Submit
\Users\Admin\AppData\Local\Temp\crp8EFD.exe

Filesize
292KB

MD5
8ae4de4f26110ebd2d82c93583000135

SHA1
162c4e83dd5f1e8a3791e1362fd8dee31af974f3

SHA256
55afdb0a55f2e910d0f0ceeab863a27b6b290529e634a9d4f309d1b0d09d6971

SHA512
12a7b321fc749647e3b0d35801be00d0c8a3a4498e084dddf21fbcfdf05af4c8e701a8160296f524f86f5fc3805b3432cbe8146c5247c9e76fa23ffcff728308

Download Submit
\Users\Admin\AppData\Local\Temp\uti8BB0.exe

Filesize
331KB

MD5
a3e93460c26e27a69594dc44eb58e678

SHA1
a615a8a12aa4e01c2197f4f0d78605a75979a048

SHA256
3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6

SHA512
39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

Download Submit
\Users\Admin\AppData\Roaming\baidu\hao123-br\hao123.1.0.0.1106.exe

Filesize
477KB

MD5
59700bfe6fe2568de8293bf845e40af0

SHA1
b73a503fd59b2f5a1ce581dc97a6911c98384a06

SHA256
d07cd0875406121bf26955226252c3fd81ef6ec64ac03718e2342df2a9e62b5c

SHA512
6679aa20162c018e98975f701ed65d6b9a15aadbde56f95da086ae237ff088059d6d4d4fdc2894b7255000abfe30b627d6448c5aa945a37a5b5befd42e42f164

Download Submit
\Users\Admin\AppData\Roaming\baidu\hao123-br\hao123.1.0.0.1106.exe

Filesize
542KB

MD5
ba3820fdb32eacfa4d0aa62117c8ddc3

SHA1
d2ff2ef93e6946567127246005cae1004aa62303

SHA256
d1073b77a7c39e3c7b7d3cbd1552cb5287d573e8b25b9d9855692375655aa5a1

SHA512
44e77eb96271981f6b92c67816c0f30113e1defa7567d75e3cc724c7376eedcb60177e54ccd075a0c8de7fcc48dcd1d8874bd01100d696f158a3333c5b7474d5

Download Submit
memory/564-74-0x0000000075710000-0x0000000075820000-memory.dmp

Filesize
1.1MB

Download
memory/564-71-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/564-4864-0x0000000075710000-0x0000000075820000-memory.dmp

Filesize
1.1MB

Download
memory/564-215-0x0000000002D30000-0x0000000002D32000-memory.dmp

Filesize
8KB

Download
memory/1204-57-0x0000000004480000-0x0000000004594000-memory.dmp

Filesize
1.1MB

Download
memory/1204-46-0x0000000004480000-0x0000000004594000-memory.dmp

Filesize
1.1MB

Download
memory/1308-216-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

Filesize
4KB

Download
memory/3024-48-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3024-70-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download