Analysis

  • max time kernel: 122s
  • max time network: 138s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 11-03-2024 20:44

General

  • Target: 3ca83d3d6900587f9823eda0ea431e4e9012b7179d53974798e3b4821d2b348e.exe
  • Size: 137KB
  • MD5: 41f36b7364ae75a23d53115e25242e11
  • SHA1: dec728ce00c78eb5aada2d908453864284f2a871
  • SHA256: 3ca83d3d6900587f9823eda0ea431e4e9012b7179d53974798e3b4821d2b348e
  • SHA512: ff21c60cc550f12d605693641ed298b4479997134d6eaa0946a756efec45108fab3b6c86b806457f7ccf57c6a295c4279aaa4dcc618ff691d0b767478c81f72a
  • SSDEEP: 3072:r1i/NU8bOMYcYYcmy5d048g3nan3vx9kGSYng7+s5YmMOMYcYY51i/NU81:Ji/NjO5x0Xg+UGSYnuy3Oai/Nd

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Drops file in System32 directory (2 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Kills process with taskkill (2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 35 IoCs)
  • Modifies Internet Explorer start page (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Views/modifies file attributes (1 TTP, 7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ca83d3d6900587f9823eda0ea431e4e9012b7179d53974798e3b4821d2b348e.exe
    "C:\Users\Admin\AppData\Local\Temp\3ca83d3d6900587f9823eda0ea431e4e9012b7179d53974798e3b4821d2b348e.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:340
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /im KSafeTray.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2220
    • C:\WINDOWS\sys.exe
      "C:\WINDOWS\sys.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /im KSafeTray.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2588
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2472
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1000
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:2416
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:2688
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
          4⤵
          • Views/modifies file attributes
          PID:1880
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2180
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:2232
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1340
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:1472
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\sys.exe"
        3⤵
        PID:1956
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\WINDOWS\sys.exe"
          4⤵
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:1660
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "c:\sys.exe"
        3⤵
        PID:1496
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "c:\sys.exe"
          4⤵
          • Views/modifies file attributes
          PID:2188
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del 3ca83d3d6900587f9823eda0ea431e4e9012b7179d53974798e3b4821d2b348e.exe
      2⤵
      • Deletes itself
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 67KB
    MD5: 753df6889fd7410a2e9fe333da83a429
    SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
    SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
    SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: abfa3515c9740945fc84e0ecd3c342a7
    SHA1: b7adb36f438b4f6330e868498c2aa3941281aa0d
    SHA256: 8d3bcd456787ba01789b333bbffae0edf93be73c683ef878ce8cf375d332784f
    SHA512: 83c4d7bac65e8b41a61e24d9f4b31e43fcea0a49f0390e914e59e67550882376b22b9a4a009711c0a0a3393331051f7a112f7f944c0a11bca23abe3112f6bfef

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 648a72801d294cea867ff077588f0469
    SHA1: 527e778e3a4a9db54713e9adf1f477616649439c
    SHA256: e40801c7ec883629d76795abbf94a62aeb9b16492d4fba97dceb23bc500ce117
    SHA512: b566675b5da111f96b9c2b84cc31a0b9faeac6c6c581703aee125b7c577e5c43f8e324971c0b8d309ed5578490105040c5c8798bfc088b1fc91bca8416116810

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 2229d338a4da91f30eaa54b835f3b027
    SHA1: c6f845547b1b085795665430d61dbcfd20259edb
    SHA256: 98ed318e08e4cdd882272d1e2f7901912c56289e9a0f0a26dfa8255b408c280d
    SHA512: 01a18b4ace5433567587881b6790df0dd193538c6f2aea713ffb979f1c84f3e21a1ae70049b018c6d79be5a64b419c1dcfca0c031f5837df3d7c1b4da95b1834

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 9e5d2de2296b5b79d59ce882dd2f1a8b
    SHA1: dbddbfe1a3525424a8d99a1fd4a71a3e09ec9ec1
    SHA256: f81b49db5f73adce3eef1c2b3ff70338cc5a4368638c0f0b97e7cd0f5281c976
    SHA512: c94a839c5b565453f0b9b6740ab8a0918ed919901e317fa570a63cced61a96775b9fdff1791e4fcc69cf2398bd4d5df6b0dfa069db73c110a80a1fd9dc343dad

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: a6584d86d3e4d040bf0d3710a1608a70
    SHA1: a2630803777a4cd47829fe3dc003c84b57f7d597
    SHA256: 896c891e78f06e59c82cb316a60b59e14dd82cc47183a297e448a1cb97c15566
    SHA512: 8faa2b36eadab8bdacf6c58b2fc70e10a97c4bdfec7a704a3df8e1a2b75e5daa9d9c2b74f335818ac61ad1d1386097e85c313619d9942932d91e4b686abb02d7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 21083f239849719fa4efc7e80d95fb4f
    SHA1: 494d1144caa9e6b1913ea3832155830f87c92c58
    SHA256: 3907404d28a8a6db6ad24c5f22ef68b1c07c7c25293a755b04063b1637b7fdd7
    SHA512: 568197ca4dda5328ae17d26711b8931b2066323b811dfa31eac9993d23b0e745f67694a1e7186606faaded4d27668e4f73a05ae3c9c9507d51346cd22b189995

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 1413844c16accbf0e9658af1e9db71d5
    SHA1: 2e5fee5aa3d907c2b325ff190c37ed7639091cf7
    SHA256: 47874db277bcacca097f49953b43f51c57f6a850f85ab8a570dae7cd33cbc259
    SHA512: d3682bd0fb7e9438b24082eef2cbebb9afc32c51804c2875a8b4fbe11a8724efc5636ccf8775fa5a85e232275f4489b64d6916bc076bb1dcc25a19a7a564ace1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: a3fe96a13b8505450587e40f8a1dd84e
    SHA1: eb11395ef9ec2e232383928c931e89932c7a0d6f
    SHA256: 94981cb1bfda1d827770da595e479f1ddf8d9baaa1ed17dabc29bad125c74b60
    SHA512: 5cd68848056b08b3b0e6c9907b58b43bdea93f37f6fb5c8640e480f4e3d92c01ac9898b8b40d09fc2acc45e51aae35952bff4bdc0a370b4c8302b56b276ad0ac

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: c5317ceb7552b23a89696669a45ead58
    SHA1: 5c3e247ea6c04179128fdaa7f83fd67aacda33ed
    SHA256: c6893bf1bedab8a5f5eec65615e5bda6c69fb4989f6f6a3ffa58489b26612df8
    SHA512: b287a8b90f12188e482513b9b5ab7b345f8e4e0cffe469407317259a376c9c4158970044dc51b800ae870565727d4d421c9fe38637fc4ca8b5c6d74bd7f7cd2b

  • C:\Users\Admin\AppData\Local\Temp\Cab594A.tmp
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar5BC1.tmp
    Filesize: 175KB
    MD5: dd73cead4b93366cf3465c8cd32e2796
    SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
    SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
    SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

  • C:\Windows\sys.exe
    Filesize: 137KB
    MD5: 1cd04e8ba28d5031eef08676fbd9f80d
    SHA1: 4faab6f8bcebc3824dedaac2b276472b24f0f66d
    SHA256: 5ff3114c0e58cb47482f86519bc1458237988179b5adfb97edba6c769c7de5f0
    SHA512: ea15e3e85ec35e57af209de35c7cbe1f10dd6639cf63bff2b9da5514f415b46cbd0b1f52fc6249ab76c610b7afaec27518dadb47daee82ba5c3cb843940def68

  • \??\c:\sys.exe
    Filesize: 137KB
    MD5: 94e81639ef04cdd0437e56a79e7f758d
    SHA1: 916237e15b120a1e2311aa02ed304d4160865cee
    SHA256: 788ace8c8602d420e7dff33ae5f75093b228115d0b95539f5702040633dda6f8
    SHA512: f78231bf75cac778eb064390cca41f2486eb10f4b5af4d4d51d890b81a8990b57fc907e54cd0c566557e8187eeda27d0846623e5cdd78322cc9dec826027aa45