Analysis

  • max time kernel
    91s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20231215-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    11/03/2024, 20:44

General

  • Target

    3ca83d3d6900587f9823eda0ea431e4e9012b7179d53974798e3b4821d2b348e.exe

  • Size

    137KB

  • MD5

    41f36b7364ae75a23d53115e25242e11

  • SHA1

    dec728ce00c78eb5aada2d908453864284f2a871

  • SHA256

    3ca83d3d6900587f9823eda0ea431e4e9012b7179d53974798e3b4821d2b348e

  • SHA512

    ff21c60cc550f12d605693641ed298b4479997134d6eaa0946a756efec45108fab3b6c86b806457f7ccf57c6a295c4279aaa4dcc618ff691d0b767478c81f72a

  • SSDEEP

    3072:r1i/NU8bOMYcYYcmy5d048g3nan3vx9kGSYng7+s5YmMOMYcYY51i/NU81:Ji/NjO5x0Xg+UGSYnuy3Oai/Nd

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ca83d3d6900587f9823eda0ea431e4e9012b7179d53974798e3b4821d2b348e.exe
    "C:\Users\Admin\AppData\Local\Temp\3ca83d3d6900587f9823eda0ea431e4e9012b7179d53974798e3b4821d2b348e.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /im KSafeTray.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3328
    • C:\WINDOWS\sys.exe
      "C:\WINDOWS\sys.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /im KSafeTray.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3884
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1520 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4464
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3608
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:4328
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1476
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:2856
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
          4⤵
          • Views/modifies file attributes
          PID:1144
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5068
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:2976
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1088
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:1812
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\sys.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1392
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\WINDOWS\sys.exe"
          4⤵
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:2784
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "c:\sys.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:624
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "c:\sys.exe"
          4⤵
          • Views/modifies file attributes
          PID:4112
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del 3ca83d3d6900587f9823eda0ea431e4e9012b7179d53974798e3b4821d2b348e.exe
      2⤵
      PID:3100

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    09dac099269a055f9f0ca2bceb8f801e

    SHA1

    f92a3b7a1dd6db63c162e4029f96d8ff157450e1

    SHA256

    db4e4e9c1bcbf08fead4e43095a289e2390e0c689668c5e0685166ea4b6488ee

    SHA512

    33e13bc0919c8f5977b65f097ca769fe91b8f1d8e0077e5055507dad27c5274fa1f7613d5af4904bf6c9f9b1dbdfd3163572e51e2d46b520597af63b1e4d6507

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    012e5bc4e2b630d3df6e2af43ede2c4a

    SHA1

    624a7ad12dea09d945fe01b74c3668b215a85b5a

    SHA256

    2eeefe8a7d0c4ab2eabae5864e90fa7c8cd2f0bc0e3a0f327834d7e5e0d4f46b

    SHA512

    ef89079ae052cd47b8948e9912823b9d588501610610471b4f92ca63d5c298b91bcf8b5959ca269b9bf5480d381c6d5dc4c3f89534c3dcfe954a80a8038aec39

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD34E.tmp

    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UG0DPB4T\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\sys.exe

    Filesize

    137KB

    MD5

    df8bc00f0649adb4c2d8d405e1f86022

    SHA1

    2c92b3f1e81d1531c77b006915d13becd83f73b1

    SHA256

    8d74cb3357e421fdd4dc42b2503ff1e8351b4614cc7bc70bf433a3d33d8f4122

    SHA512

    38906304976237b4ec1a83e143e69524207992dfa6ede95b0358db61cdd55b71f426bcb5c219a5a1af60639370db0f4ea4cbcbd1ee8b5c5aafe1912df2fb4e40

  • \??\c:\sys.exe

    Filesize

    137KB

    MD5

    7b2886ff634eb9dda0e8b5bd43f61d61

    SHA1

    fe259ee1ab9e6f1ff02c4bcde37cefa8de84dcb7

    SHA256

    7d3a262eed530f22d3f83577db46335556c32ad35b4fa2d7f381faf516ec7300

    SHA512

    84277030ea552e10ef698f57e4d21c0ff80235b6afaf6c0cc1f12ac70f7aca98e8c7d3a0c93be076d85419d3eff7f7efb0484cbaf6e61caaf969ca76b5fab290