7b97a7978fdd342c0f004b60643b22010c3f058dfd1de813acc983263704dacf

General

Target

b6d2bf02bfba362f806a998d313e54b6.exe
Size

40KB
MD5

b6d2bf02bfba362f806a998d313e54b6
SHA1

fb79ae88b809e07417891eb181ba9d15a781efe5
SHA256

7b97a7978fdd342c0f004b60643b22010c3f058dfd1de813acc983263704dacf
SHA512

10f96aa48ccde89f162b5c7655ef316abd3189acb27c0dda44b23369d981e759d94941408ebd78d2fd2b1dce67562be617b6b0def114f593024f7f747835e07e
SSDEEP

384:Ym7ZpAoh6RU6EUArk+D94CvorkM2oswl/3MgWK+:YifJ8t6rkUyhZ3RWT

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\ShellFolder	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\ = "Internet Explorer"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)\ = "????(&H)"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\ShellFolder\Attributes = "10"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)\Command\ = "\"c:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://www.sogouliulanqi.com"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\??(&R)	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\ = "Internet Explorer"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\ShellFolder\Attributes = "10"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)\Command	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\DefaultIcon\ = "c:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)\Command	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\??(&R)	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\DefaultIcon\ = "c:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\??(&R)\Command	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\??(&R)\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\ShellFolder	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)\ = "????(&H)"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3292	regedit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
988	b6d2bf02bfba362f806a998d313e54b6.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 1192	988	b6d2bf02bfba362f806a998d313e54b6.exe	86
PID 988 wrote to memory of 1192	988	b6d2bf02bfba362f806a998d313e54b6.exe	86
PID 988 wrote to memory of 1192	988	b6d2bf02bfba362f806a998d313e54b6.exe	86
PID 1192 wrote to memory of 3292	1192	cmd.exe	88
PID 1192 wrote to memory of 3292	1192	cmd.exe	88
PID 1192 wrote to memory of 3292	1192	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\b6d2bf02bfba362f806a998d313e54b6.exe
"C:\Users\Admin\AppData\Local\Temp\b6d2bf02bfba362f806a998d313e54b6.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\QQ.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\Users\Admin\AppData\Local\Temp\QQ.reg"
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QQ.reg

Filesize
2KB

MD5
ddb7f26485d51c950458550a7df6d38c

SHA1
23acf9a2190654f3c173214b303342bb84b838a7

SHA256
6eb77ad035d63f5f90799ae9fbd351280cc315db6a0e6237db786a686c7464d2

SHA512
e207e0e54c23d3f019daea858062af7c898b3df65622855b2d36d865e073afbde5c7d539cd428c671c70ca0881bb0dcc3c5d3be6ceffb4e84b124e8aa59b9ffd

Download Submit

Analysis

Sharing