bdde17b00128a3f71289f2a6fa2b49d82aae185f806c743b98a667849e2921c1

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6489aea5477d87766add25a9a9de76b.exe
Size

2.1MB
MD5

d6489aea5477d87766add25a9a9de76b
SHA1

60bbb02a4fe1f2e7d2988f784715a8fd195d42e6
SHA256

bdde17b00128a3f71289f2a6fa2b49d82aae185f806c743b98a667849e2921c1
SHA512

230d0fde909dd9a69338016e199cc672ec200fc70c8c1b28334441e09ca78bb3fe5aa319ee12a5f9143c4b23c8b7f299f206bb3180b57034e61a91b29260725c
SSDEEP

49152:wYiKmUyR5QuthfsDPnlWe34/mjlGYe8ISOzr8:wNKmUm+utqOoQYheE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2208	Wisliu.exe
3056	SN.exe

Loads dropped DLL 9 IoCs

pid	Process
2896	d6489aea5477d87766add25a9a9de76b.exe
2896	d6489aea5477d87766add25a9a9de76b.exe
2208	Wisliu.exe
2208	Wisliu.exe
3056	SN.exe
3056	SN.exe
3056	SN.exe
3056	SN.exe
2548	regsvr32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SN.exe	Wisliu.exe
File opened for modification	C:\Windows\SysWOW64\d3dplus.dll	Wisliu.exe
File opened for modification	C:\Windows\SysWOW64\ime31.ime	Wisliu.exe
File opened for modification	C:\Windows\SysWOW64\MSINET.OCX	Wisliu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\Jikliu.exe	d6489aea5477d87766add25a9a9de76b.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSINET.OCX, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSINET.OCX"	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ThreadingModel = "Apartment"	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet"	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\ = "Internet Control URL Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ = "Microsoft Internet Transfer Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1\ = "132497"	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1\ = "132497"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CurVer\ = "InetCtls.Inet.1"	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID\ = "InetCtls.Inet"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ = "Microsoft Internet Transfer Control, version 6.0"	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}"	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSINET.OCX, 1"	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS\ = "2"	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\ = "Microsoft Internet Transfer Control, version 6.0"	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\ = "Microsoft Internet Transfer Control 6.0"	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSINET.OCX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSINET.OCX"	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\ = "Microsoft Internet Transfer Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\ = "Internet Control General Property Page Object"	SN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\ = "Internet Control URL Property Page Object"	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSINET.OCX"	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CurVer\ = "InetCtls.Inet.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents"	SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	SN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID\ = "InetCtls.Inet.1"	SN.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2896	d6489aea5477d87766add25a9a9de76b.exe
2896	d6489aea5477d87766add25a9a9de76b.exe
2896	d6489aea5477d87766add25a9a9de76b.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2896	d6489aea5477d87766add25a9a9de76b.exe
2896	d6489aea5477d87766add25a9a9de76b.exe
2208	Wisliu.exe
3056	SN.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2208	2896	d6489aea5477d87766add25a9a9de76b.exe	28
PID 2896 wrote to memory of 2208	2896	d6489aea5477d87766add25a9a9de76b.exe	28
PID 2896 wrote to memory of 2208	2896	d6489aea5477d87766add25a9a9de76b.exe	28
PID 2896 wrote to memory of 2208	2896	d6489aea5477d87766add25a9a9de76b.exe	28
PID 2208 wrote to memory of 3056	2208	Wisliu.exe	29
PID 2208 wrote to memory of 3056	2208	Wisliu.exe	29
PID 2208 wrote to memory of 3056	2208	Wisliu.exe	29
PID 2208 wrote to memory of 3056	2208	Wisliu.exe	29
PID 3056 wrote to memory of 2548	3056	SN.exe	30
PID 3056 wrote to memory of 2548	3056	SN.exe	30
PID 3056 wrote to memory of 2548	3056	SN.exe	30
PID 3056 wrote to memory of 2548	3056	SN.exe	30
PID 3056 wrote to memory of 2548	3056	SN.exe	30
PID 3056 wrote to memory of 2548	3056	SN.exe	30
PID 3056 wrote to memory of 2548	3056	SN.exe	30

C:\Users\Admin\AppData\Local\Temp\d6489aea5477d87766add25a9a9de76b.exe
"C:\Users\Admin\AppData\Local\Temp\d6489aea5477d87766add25a9a9de76b.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\Wisliu.exe
  C:\Users\Admin\AppData\Local\Temp\Wisliu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\SN.exe
    C:\Windows\system32\SN.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s MSINET.OCX
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wisliu.exe

Filesize
1.1MB

MD5
e94e17164ec8b6b514ccf200968bd5ca

SHA1
3696a07bca1c7122cd754b2ba51ddc62ac339116

SHA256
c1530ecdb760c33e256441e4c32b7d7c9d28b175b77d7181aec3607a594df5fe

SHA512
6b5978703a73e153b45dfeed9c38d803d0c6bd375a654dbc2b11174ea7d5bdd432c289817286e2ac4e8b41a980515c4b0d6846f132e180904186fa9e2adfd43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wisliu.exe

Filesize
1.1MB

MD5
84329a0f40fb85b7954e6252b9ba9a6a

SHA1
4f38e3b93bb2517d2494b8488445a4380da01b0a

SHA256
fba5fd44c677b33119347b2ccc3bd4a2d7c5a3a431cc8fb7e12ddc5cd66dba8d

SHA512
11cd64f6b11b01d6fe6aa5aaeee29a061259a5919f1ce5b0a949f29fd9d807c182abfa706fa3d1d3bd9731bb93cce2a5fd5e02b74166f5e9f317b204f6f72731

Download Submit
C:\Windows\SysWOW64\MSINET.OCX

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
\Users\Admin\AppData\Local\Temp\Wisliu.exe

Filesize
1.5MB

MD5
4a54a217e046470b198ff37cfe4fc946

SHA1
a7568d54ff4d336b33981c2d675ad8f36c450188

SHA256
9c56aacaf82622521bc76b6b73ee96f28b9a573f428f60d06e3f4fd9b5d47f95

SHA512
75591c67db7cef195be793dd418d16a548b527620fdcff0e5392820f817a3cd12822f7c2e887ddf4874d45bd0763161e1b4287376ccc7e9226878b53f23dcf02

Download Submit
\Users\Admin\AppData\Local\Temp\Wisliu.exe

Filesize
1.4MB

MD5
54cfe585c11399deedfa24dc49f7108a

SHA1
db1ddeb6a91866b182a7bc6e4aa0c81abe6ec180

SHA256
6f30f047174566dc784cf1509c9f078ab29615e825c08c38d8fe06b7f5ddd902

SHA512
40be744ea0c9ac3643df6d46f89ee72f6918e1d6ebf12ec891ace6082baf8b3d2f67cb8932db386cdd2536888766e434f1396137c2fb6938dd5e7d2ba686844d

Download Submit
\Windows\SysWOW64\SN.exe

Filesize
408KB

MD5
8e9100ee10528f1235c1215e6942ee52

SHA1
ffacb93104e106455c9d547ae277a5210f3f873c

SHA256
cfa26df627f7e0151f04c6e958a08beb08947dc436ab33751c4cbc1598e85c6b

SHA512
700e5f1030fdab410f3d1ede1cb023246be6026493b8f52abdc08fef6ad539fc4e795397a045be93589d2c384b274424a38272ff9e688a798ca403532a3495f1

Download Submit
memory/2208-11-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2208-18-0x00000000002E0000-0x0000000000346000-memory.dmp

Filesize
408KB

Download
memory/2208-34-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2896-4-0x0000000002620000-0x00000000027AA000-memory.dmp

Filesize
1.5MB

Download
memory/3056-25-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3056-35-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download