6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769

General

Target

6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769.exe
Size

1.8MB
MD5

86de4fbb2ec2f0f9426978c3571517f6
SHA1

72aa05e386464166af57d1ae2dfab1338cead3b6
SHA256

6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769
SHA512

b9b3ac7ed99e99c8cc490837b6c6b19f372669432ead00387fc0a988e936af30a3b947b6e20d7e4457b263feb5e97088ed795079ffda74b78d3d0130c3d6cf99
SSDEEP

49152:AVqTqAoNmJa/yWXSxdNrWR7leXK5MxKP0o9aU:AVqTqNkGPCTdM7lwqMQP98U

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1068	v.exe

Loads dropped DLL 2 IoCs

pid	Process
948	6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769.exe
1068	v.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1476	948	WerFault.exe	27

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	hh.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
948	6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1068	v.exe
Token: 35	1068	v.exe
Token: SeSecurityPrivilege	1068	v.exe
Token: SeSecurityPrivilege	1068	v.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
948	6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769.exe
948	6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769.exe
2832	hh.exe
2832	hh.exe
1244	hh.exe
1244	hh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2172	948	6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769.exe	28
PID 948 wrote to memory of 2172	948	6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769.exe	28
PID 948 wrote to memory of 2172	948	6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769.exe	28
PID 948 wrote to memory of 2172	948	6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769.exe	28
PID 2172 wrote to memory of 668	2172	cmd.exe	30
PID 2172 wrote to memory of 668	2172	cmd.exe	30
PID 2172 wrote to memory of 668	2172	cmd.exe	30
PID 2172 wrote to memory of 668	2172	cmd.exe	30
PID 948 wrote to memory of 1068	948	6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769.exe	39
PID 948 wrote to memory of 1068	948	6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769.exe	39
PID 948 wrote to memory of 1068	948	6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769.exe	39
PID 948 wrote to memory of 1068	948	6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769.exe	39

C:\Users\Admin\AppData\Local\Temp\6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769.exe
"C:\Users\Admin\AppData\Local\Temp\6025c3c27a1a63e3d979cda58773ac74f7918a69c0e6e69d66dfa1241f1aa769.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Public\xiaodaxzqxia\n.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
    3⤵
    PID:668
- C:\Users\Public\xiaodaxzqxia\v.exe
  "C:\Users\Public\xiaodaxzqxia\v.exe" x 111 -y
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 956
  2⤵
  - Program crash
  PID:1476

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\5785432689496725\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\5785432689496725\A11.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat

Filesize
8KB

MD5
58ceb4b820fdfb8adefc66b90867583d

SHA1
2ffcffef3cc82dd9fcc6902769fc3e1a33aa1153

SHA256
ee79f7e6fb9412a70cee2336ec99563dd3bec7acdb0e805aa0e1f9b6099f1193

SHA512
61b4ad036331fcc2b387f9bb128666d2f8daa85521de33f411a192ae0faf974a6bcc5e087cf70eaa54b27f45e7b97ebd7990621cc89779f8d63381be5f0cc976

Download Submit
C:\Users\Public\cxzvasdfg\5785432689496725\A11.chm

Filesize
9KB

MD5
2342b3ba19855ddd8c3e311b2842bdbb

SHA1
ecec63f62d445bdcc369af3f29df566611c7d4a5

SHA256
257c340891c8007dbb720853244785b8d7433fb70ca0038528b9fde035d0bfe6

SHA512
f5230c860656004d8f860f5b2941b15519cebf7ce6494eefcea6307be4057f5cd6178cbdfca9a022d28fd11cc0d81ed1f2a719ff9a614e28a0eb12f048302cb9

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat

Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
\Users\Public\xiaodaxzqxia\7z.dll

Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
\Users\Public\xiaodaxzqxia\v.exe

Filesize
329KB

MD5
62d2156e3ca8387964f7aa13dd1ccd5b

SHA1
a5067e046ed9ea5512c94d1d17c394d6cf89ccca

SHA256
59cbfba941d3ac0238219daa11c93969489b40f1e8b38fabdb5805ac3dd72bfa

SHA512
006f7c46021f339b6cbf9f0b80cffa74abb8d48e12986266d069738c4e6bdb799bfba4b8ee4565a01e90dbe679a96a2399d795a6ead6eacbb4818a155858bf60

Download Submit
memory/948-0-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/948-1-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/948-10-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/948-16-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/948-21-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/948-24-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/948-42-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing