3526c74a22a6a7ff285bddc4a055d22e443bd2d9ceb47aa7bc20240256084787

Analysis

max time kernel
1815s
max time network
1819s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Genericcc.exe
Size

293KB
MD5

dbc292a2292c6061700236830d45ca91
SHA1

fcdfba4b95c145a715209d694639de6be0478f6b
SHA256

e60fc4473ada26f3a8d2dd5c5f226441073bf86737e271f6f2ec61324ef9ab60
SHA512

551e097fb31a5e7a6b6ecf602f7ae8cb63dc620940fe47b003ebcafcedbfdb391731cfce399b48111ee9524f2272f53eb4076c84f65e377336930fd6b3c3e0fe
SSDEEP

6144:6qcbmoTtMUxxzP75a2eoEnnZcYupty6DPlQ82hmbN:6NTTyUX/5a2NGZcTs6DPlahmbN

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe ,C:\\Windows\\system32\\PnkB.exe"	Genericcc.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral17/files/0x001a000000016cf4-19.dat	aspack_v212_v242

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\pp.exe	Genericcc.exe
File opened for modification	C:\Windows\SysWOW64\PnkB.exe	Genericcc.exe
File created	C:\Windows\SysWOW64\pp.exe	Genericcc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	Genericcc.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Version Vector	Genericcc.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.185b.com/"	regedit.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\open	Genericcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\command	Genericcc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ShellFolder\Attributes = "0"	Genericcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ShellFolder	Genericcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	Genericcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	Genericcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32\InprocServer32 = "Apartment"	Genericcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ = "Internet Explorer"	Genericcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32	Genericcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\ÊôÐÔ(&R)\Command	Genericcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	Genericcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)\ = "ÊôÐÔ(&R)"	Genericcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}	Genericcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell	Genericcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open	Genericcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.185B.Com/"	Genericcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\ = "´ò¿ªÖ÷Ò³(&H)"	Genericcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\open\command	Genericcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\ÊôÐÔ(&R)	Genericcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shellex	Genericcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\DefaultIcon	Genericcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell	Genericcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)	Genericcc.exe

Runs regedit.exe 1 IoCs

pid	Process
2508	regedit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2508	2308	Genericcc.exe	27
PID 2308 wrote to memory of 2508	2308	Genericcc.exe	27
PID 2308 wrote to memory of 2508	2308	Genericcc.exe	27
PID 2308 wrote to memory of 2508	2308	Genericcc.exe	27
PID 2308 wrote to memory of 2572	2308	Genericcc.exe	28
PID 2308 wrote to memory of 2572	2308	Genericcc.exe	28
PID 2308 wrote to memory of 2572	2308	Genericcc.exe	28
PID 2308 wrote to memory of 2572	2308	Genericcc.exe	28
PID 2572 wrote to memory of 2800	2572	cmd.exe	30
PID 2572 wrote to memory of 2800	2572	cmd.exe	30
PID 2572 wrote to memory of 2800	2572	cmd.exe	30
PID 2572 wrote to memory of 2800	2572	cmd.exe	30
PID 2572 wrote to memory of 2664	2572	cmd.exe	31
PID 2572 wrote to memory of 2664	2572	cmd.exe	31
PID 2572 wrote to memory of 2664	2572	cmd.exe	31
PID 2572 wrote to memory of 2664	2572	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\Genericcc.exe
"C:\Users\Admin\AppData\Local\Temp\Genericcc.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\\\18.ini"
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Runs regedit.exe
  PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\srun45.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Explorer Σ»└└╞≈.lnk" /G Everyone:R /C
    3⤵
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\18.ini

Filesize
139B

MD5
bb454b063043f484326575ce60d587c1

SHA1
cac3171df8fc25526a82356ed53f1c45a86167be

SHA256
838a54026108ff550f5d3c425cf7852abea41882590863e423cf9e94573dc11f

SHA512
8c86e46eea787025937204f93738c02f1d5268c19e20126d86df5f1bb3d15367935b3f23e5c6c482b462ac79dbbcc87b38a952a3a8567bf9a3cff2a68ab92099

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun45.bat

Filesize
191B

MD5
5c6d4da221562cd890030577900c795e

SHA1
36960646b2cfe9b3e93d83b218e9d0d32fa00c16

SHA256
e5974641325732c2832c991a89546e8af53f992973520f784423e1310fa7556f

SHA512
8253aae7eb6defaa104562846fdedb6e4f199045f41bf8510b66751b517c4f0e8e53b57f6bae74cb7d130eff47355979f4943e61402f0cdfdbfbee072a866504

Download Submit
C:\Windows\SysWOW64\PnkB.exe

Filesize
293KB

MD5
89cbe0bb7a7b1eea0456d58c96290fe1

SHA1
e6b5330faa1d544dd3beae3bd4f3d7d019f6e210

SHA256
cc98136eb78d9c6a7fef6c1b2dc6131dd299fefb8843c06c7c64dc9b40487f57

SHA512
3748cd41db7a1bf3c2729cfba7cc279835045a2a76bd8e4609c9344e67291fb473475bf3d9b32e4da23fc1ceae0c6dd3e9852d47ddac065c6549ede4a90e2f03

Download Submit
memory/2308-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2308-22-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads