025a0db4f4660bdf75df9a741f60c1cdea91414d645ee2ceb4b1c840ea8e12d9

General

Target

e02cc29cff2c827cc41f31d9fad7e593.dll
Size

658KB
MD5

e02cc29cff2c827cc41f31d9fad7e593
SHA1

0696186379e9025d455891cda578d7b229d50b6c
SHA256

025a0db4f4660bdf75df9a741f60c1cdea91414d645ee2ceb4b1c840ea8e12d9
SHA512

3ed183e0951d7260e20f5573e251df83a37d477a1e94b6e73ccfecd971a2fd372cd0a21080a770616967c21728d42a5ca2886700a959c3bfa5fec139867844e4
SSDEEP

12288:pinyjXg2mxYOJR1eSOqar4gwkNivwB2aCMvwx/VSJ:pM+myMR1e0ar4gwkNiy2aCMvw

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\XSKHSBFKD\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e02cc29cff2c827cc41f31d9fad7e593.dll"	regsvr32.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ErrorPageTemplate[1]	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\httpErrorPagesScripts[1]	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\httpErrorPagesScripts[1]	svchost.exe
File opened for modification	C:\windows\SysWOW64\uafdafuu.dll	svchost.exe
File created	C:\windows\SysWOW64\uafdafuu.dll.tmp	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	svchost.exe
File created	C:\windows\SysWOW64\uafdafuu.dll	svchost.exe
File created	C:\Windows\SysWOW64\wbem\ljfsdfs32.uut	svchost.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ljfsdfs32.uut	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\navcancl[1]	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\info_48[1]	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\navcancl[1]	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\errorPageStrings[1]	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\bullet[1]	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\bullet[1]	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ErrorPageTemplate[1]	svchost.exe
File created	C:\Windows\SysWOW64\ctrgltbbkkqo	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\6543ÍøÖ·µ¼º½.lnk	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\errorPageStrings[1]	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\info_48[1]	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\background_gradient[1]	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\background_gradient[1]	svchost.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{410035E1-F5A9-415C-B376-7CCF2FC54A68}\Buttontext = "6543ÍøÖ·µ¼º½"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{410035E1-F5A9-415C-B376-7CCF2FC54A68}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\HotIcon = "C:\\Windows\\system32\\ctrgltbbkkqo"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{410035E1-F5A9-415C-B376-7CCF2FC54A68}\Exec = "http://www.6543wz.cn"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{410035E1-F5A9-415C-B376-7CCF2FC54A68}\HotIcon = "C:\\Windows\\system32\\ctrgltbbkkqo"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{410035E1-F5A9-415C-B376-7CCF2FC54A68}\MenuText = "6543ÍøÖ·µ¼º½"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{410035E1-F5A9-415C-B376-7CCF2FC54A68}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{410035E1-F5A9-415C-B376-7CCF2FC54A68}\Default Visible = "Yes"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{410035E1-F5A9-415C-B376-7CCF2FC54A68}\Icon = "C:\\Windows\\system32\\ctrgltbbkkqo"	svchost.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4400	svchost.exe
4400	svchost.exe
4400	svchost.exe
4400	svchost.exe
4400	svchost.exe
4400	svchost.exe
4400	svchost.exe
4400	svchost.exe
4400	svchost.exe
4400	svchost.exe
4400	svchost.exe
4400	svchost.exe
4400	svchost.exe
4400	svchost.exe
4400	svchost.exe
4400	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 3624	4960	regsvr32.exe	84
PID 4960 wrote to memory of 3624	4960	regsvr32.exe	84
PID 4960 wrote to memory of 3624	4960	regsvr32.exe	84

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e02cc29cff2c827cc41f31d9fad7e593.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\e02cc29cff2c827cc41f31d9fad7e593.dll
  2⤵
  - Sets DLL path for service in the registry
  PID:3624

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k MCCSBKNIG -s XSKHSBFKD
1⤵
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\background_gradient[1]

Filesize
453B

MD5
20f0110ed5e4e0d5384a496e4880139b

SHA1
51f5fc61d8bf19100df0f8aadaa57fcd9c086255

SHA256
1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b

SHA512
5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\bullet[1]

Filesize
447B

MD5
26f971d87ca00e23bd2d064524aef838

SHA1
7440beff2f4f8fabc9315608a13bf26cabad27d9

SHA256
1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d

SHA512
c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\errorPageStrings[1]

Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\httpErrorPagesScripts[1]

Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\info_48[1]

Filesize
4KB

MD5
5565250fcc163aa3a79f0b746416ce69

SHA1
b97cc66471fcdee07d0ee36c7fb03f342c231f8f

SHA256
51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859

SHA512
e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\navcancl[1]

Filesize
2KB

MD5
4bcfe9f8db04948cddb5e31fe6a7f984

SHA1
42464c70fc16f3f361c2419751acd57d51613cdf

SHA256
bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228

SHA512
bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e

Download Submit
memory/4400-10-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4400-14-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4400-16-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4400-45-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4400-46-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4400-47-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/4400-64-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4400-15-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/4400-13-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4400-0-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4400-4-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4400-3-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4400-2-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4400-1-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4400-93-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4400-116-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads