954e24091236b7a1ee631e949d37f19b7ba8b895c9334b8bc3b1b5a0832bdd99

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 01:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ccc58503b636cae179ed1c74831b6a82.exe
Size

71KB
MD5

ccc58503b636cae179ed1c74831b6a82
SHA1

c5470ddf676eba074944578d84c1c5ae1aa651c9
SHA256

954e24091236b7a1ee631e949d37f19b7ba8b895c9334b8bc3b1b5a0832bdd99
SHA512

7bb0e2aa7bab8acaaf63c029c9c3890e282c03556ab7162607d4e80c09eaedf2b260519521a5ff99e98b49126c157866be0b664829df695689b6c5edff89c881
SSDEEP

1536:cGniz1zJA9ezf9Sg6UYX4tqzN2WiTjS2TyVaMukKZZ8xaQI/I+u/FTu:cGnC29kER1EkiPYVa/XGbpNu

Score

8^/10

evasion persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	zhhss081102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\zhndf = "rundll32.exe C:\\Windows\\system\\zhnhsdf081102b.dll zhqb16"	zhhss081102.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2220	attrib.exe
1016	attrib.exe
2944	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
4544	zhhss081102.exe

Loads dropped DLL 2 IoCs

pid	Process
1392	rundll32.exe
1392	rundll32.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\zhhss081102.exe	attrib.exe
File opened for modification	C:\Windows\system\nhsyh32a.dll	attrib.exe
File created	C:\Windows\system\nhsyh32a.dll	zhhss081102.exe
File created	C:\Windows\system\zhhss081102.exe	ccc58503b636cae179ed1c74831b6a82.exe
File opened for modification	C:\Windows\system\zhhss081102.exe	ccc58503b636cae179ed1c74831b6a82.exe
File created	C:\Windows\system\zhnhsdf081102b.dll	ccc58503b636cae179ed1c74831b6a82.exe
File opened for modification	C:\Windows\system\zhnhsdf081102b.dll	ccc58503b636cae179ed1c74831b6a82.exe
File opened for modification	C:\Windows\system\zhnhsdf081102b.dll	attrib.exe
File opened for modification	C:\Windows\system\nhsyh32a.dll	zhhss081102.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31094594"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	zhhss081102.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "192863145"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31094594"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417317796"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{366E6A6D-E335-11EE-B9F7-7A73248FA209} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31094594"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "192863145"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "236771445"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3328	ccc58503b636cae179ed1c74831b6a82.exe
3328	ccc58503b636cae179ed1c74831b6a82.exe
3328	ccc58503b636cae179ed1c74831b6a82.exe
3328	ccc58503b636cae179ed1c74831b6a82.exe
4544	zhhss081102.exe
4544	zhhss081102.exe
4544	zhhss081102.exe
4544	zhhss081102.exe
4544	zhhss081102.exe
4544	zhhss081102.exe
4544	zhhss081102.exe
4544	zhhss081102.exe
4544	zhhss081102.exe
4544	zhhss081102.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3328	ccc58503b636cae179ed1c74831b6a82.exe
Token: SeDebugPrivilege	4544	zhhss081102.exe
Token: SeDebugPrivilege	4544	zhhss081102.exe
Token: SeDebugPrivilege	4544	zhhss081102.exe
Token: SeDebugPrivilege	4544	zhhss081102.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3672	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3672	iexplore.exe
3672	iexplore.exe
4536	IEXPLORE.EXE
4536	IEXPLORE.EXE
4536	IEXPLORE.EXE
4536	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 2220	3328	ccc58503b636cae179ed1c74831b6a82.exe	97
PID 3328 wrote to memory of 2220	3328	ccc58503b636cae179ed1c74831b6a82.exe	97
PID 3328 wrote to memory of 2220	3328	ccc58503b636cae179ed1c74831b6a82.exe	97
PID 3328 wrote to memory of 1016	3328	ccc58503b636cae179ed1c74831b6a82.exe	99
PID 3328 wrote to memory of 1016	3328	ccc58503b636cae179ed1c74831b6a82.exe	99
PID 3328 wrote to memory of 1016	3328	ccc58503b636cae179ed1c74831b6a82.exe	99
PID 3328 wrote to memory of 1392	3328	ccc58503b636cae179ed1c74831b6a82.exe	101
PID 3328 wrote to memory of 1392	3328	ccc58503b636cae179ed1c74831b6a82.exe	101
PID 3328 wrote to memory of 1392	3328	ccc58503b636cae179ed1c74831b6a82.exe	101
PID 3328 wrote to memory of 3304	3328	ccc58503b636cae179ed1c74831b6a82.exe	104
PID 3328 wrote to memory of 3304	3328	ccc58503b636cae179ed1c74831b6a82.exe	104
PID 3328 wrote to memory of 3304	3328	ccc58503b636cae179ed1c74831b6a82.exe	104
PID 1392 wrote to memory of 4024	1392	rundll32.exe	106
PID 1392 wrote to memory of 4024	1392	rundll32.exe	106
PID 1392 wrote to memory of 4024	1392	rundll32.exe	106
PID 4024 wrote to memory of 4544	4024	cmd.exe	108
PID 4024 wrote to memory of 4544	4024	cmd.exe	108
PID 4024 wrote to memory of 4544	4024	cmd.exe	108
PID 4544 wrote to memory of 2944	4544	zhhss081102.exe	116
PID 4544 wrote to memory of 2944	4544	zhhss081102.exe	116
PID 4544 wrote to memory of 2944	4544	zhhss081102.exe	116
PID 4544 wrote to memory of 3672	4544	zhhss081102.exe	119
PID 4544 wrote to memory of 3672	4544	zhhss081102.exe	119
PID 3672 wrote to memory of 4536	3672	iexplore.exe	120
PID 3672 wrote to memory of 4536	3672	iexplore.exe	120
PID 3672 wrote to memory of 4536	3672	iexplore.exe	120
PID 4544 wrote to memory of 3672	4544	zhhss081102.exe	119

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2220	attrib.exe
1016	attrib.exe
2944	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ccc58503b636cae179ed1c74831b6a82.exe
"C:\Users\Admin\AppData\Local\Temp\ccc58503b636cae179ed1c74831b6a82.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system\zhhss081102.exe"
  2⤵
  - Sets file to hidden
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:2220
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Windows\system\zhnhsdf081102b.dll"
  2⤵
  - Sets file to hidden
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:1016
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system\zhnhsdf081102b.dll zhqb16
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\zhqbdf16d.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\system\zhhss081102.exe
      "C:\Windows\system\zhhss081102.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system\nhsyh32a.dll"
        5⤵
        Sets file to hidden
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:2944
    - - C:\program files\internet explorer\iexplore.exe
        
        "C:\program files\internet explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3672
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3672 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\ccc58503b636cae179ed1c74831b6a82.exe"
  2⤵
  PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4424 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\All Users\hsyhdf16.ini

Filesize
161B

MD5
0776d6232b50673264fd61c714170275

SHA1
ee1e4f123e4a6ddc3426d27e8fc63ded90e47258

SHA256
01727c51487ede7686cb72c8a5d2b4f41ea0d232e19ec958d0b68b623d075d69

SHA512
4cd629a5113c9d270cb102719aef7e45b841aea7d594642db1e60771974cca6bbab514f5d9e3d5dd2c141801d943deee071c02ccb3e103fde2b7ba78987addd7

Download Submit
C:\Documents and Settings\All Users\hsyhdf16.ini

Filesize
216B

MD5
cdfe12569bd710cdda9451bda3cb9a23

SHA1
4518882d9f1bfd092a08b94e664ac17b9ef96560

SHA256
18b52c2932bfbbb6333b95991fdd55cd4d890f512bbf200a15d5e995b4e9f2f0

SHA512
dabf9d1d7b7ac45020cd85097b150304b81b207c2badbd01b87fc3cb5b59deca7e849691cf370f385fcfb838b4f4be48745aef0f0b52a2d7830e3ba7a4873c1d

Download Submit
C:\ProgramData\hsyhdf16.ini

Filesize
96B

MD5
9dc7aa26183a97f2d8f7c28ba9bbc17e

SHA1
f26b2e07a7327a2937512fe67d80b59b7703e8be

SHA256
8e48c451d0583cc227c7f6fc4bcdd4802e33a5d23f1c21de9a38aeac38e87110

SHA512
b4067b70911a65951c7dbec6220a9c1bc9176a030fab9b11bbf02c99a74db72add5b38f199d0afe5f1176340ea80c0930f5d9f2b5504dd54f611baaa45b8ccfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\system\nhsyh32a.dll

Filesize
117KB

MD5
aefb1f74f37d547841827680356d8b1a

SHA1
8b5d7713cd4e84e5f28cf3b1dcdcf6e5b80ab5b6

SHA256
3646ef3feff677dd383638a9ab445937eebc46f3334e3ed1ec304aa8b33fdb41

SHA512
238439f2c6022a7a3828a931bc818f4686777ad29a516d8d98141060c6060c3194f70207f6b294ba807afb4e5ae8d778e3b3d55456de68bc8d78448a039bf212

Download Submit
C:\Windows\system\zhhss081102.exe

Filesize
71KB

MD5
ccc58503b636cae179ed1c74831b6a82

SHA1
c5470ddf676eba074944578d84c1c5ae1aa651c9

SHA256
954e24091236b7a1ee631e949d37f19b7ba8b895c9334b8bc3b1b5a0832bdd99

SHA512
7bb0e2aa7bab8acaaf63c029c9c3890e282c03556ab7162607d4e80c09eaedf2b260519521a5ff99e98b49126c157866be0b664829df695689b6c5edff89c881

Download Submit
C:\Windows\system\zhnhsdf081102b.dll

Filesize
29KB

MD5
fd5c5c4703978e471656dea772b92615

SHA1
9d826e92b05f5d4ef32de6d7ab790575f95eb833

SHA256
70e92aa4eed52d6c15c1df4d106af52f034533e2d3482bd9a06632a17994abb1

SHA512
8b873d25b0ac9b1feaa8b5669f3ff0804a48334daa0e359408d0fefd8b83a484f75fc303890bcaf921291d055cc92fd77999edd1ec6648ae6c698dd2b2b73762

Download Submit
\??\c:\zhqbdf16d.bat

Filesize
47B

MD5
7064a3e60df3438f6a242eb7611b9a0c

SHA1
220f1758ddb2e6d90f4441d94693f4f09e87b17b

SHA256
0c14b3f3b73652a202599b23832708de0e6666539bfc1e449d9b102befa94a27

SHA512
9cb3e841a1804d0a3cbfc006bbfca6ae4a743071dc4fc2f179e3a1a26b56f187a07ac0723f5d9ef7381d4722a0e7ba69b66673a71aa85aaa2338d2eebf9ad354

Download Submit
memory/1392-19-0x0000000000730000-0x000000000073D000-memory.dmp

Filesize
52KB

Download
memory/1392-26-0x0000000000730000-0x000000000073D000-memory.dmp

Filesize
52KB

Download
memory/1392-47-0x0000000000730000-0x000000000073D000-memory.dmp

Filesize
52KB

Download