Analysis

max time kernel: 127s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 21-05-2024 01:33
Behavioral task behavioral1
Sample: 97a862e9d8fe4a678ef6cfab111d13097b12f479b6ba86c6040217087b0278b9.exe
Resource: win7-20231129-en

Behavioral task behavioral2
Sample: 97a862e9d8fe4a678ef6cfab111d13097b12f479b6ba86c6040217087b0278b9.exe
Resource: win10v2004-20240426-en

The signatures, process tree and dropped files below are from behavioral1 (Windows 7 x64); every YARA hit is prefixed behavioral1/. No behavioral2 results are shown on this page.
General

Target: 97a862e9d8fe4a678ef6cfab111d13097b12f479b6ba86c6040217087b0278b9.exe
Size: 256KB
MD5: 1d012ae931c84a5dcd45b4a41b207a84
SHA1: 3b37ce894e526eef1ff803b5419529a357d2debe
SHA256: 97a862e9d8fe4a678ef6cfab111d13097b12f479b6ba86c6040217087b0278b9
SHA512: ca891f6c213761cfc88054aafe18988569ac3aa3a3764102de2f6bb98906af34b54df74bf635325f1831bb852643919ad7a11d4eb344853a6069874ca55ac718
SSDEEP: 6144:ADLQxoyQ1LpnFyZ+dayL9rvolH8u3ZhGod:YQCyQ1LHk+zR7QHjGo
Malware Config

Signatures

Detects executables packed with VMProtect (4 IoCs)
YARA rule INDICATOR_EXE_Packed_VMProtect matched:
- behavioral1/memory/3024-0-0x0000000000400000-0x000000000048C000-memory.dmp
- behavioral1/memory/3024-1-0x0000000000400000-0x000000000048C000-memory.dmp
- behavioral1/memory/3024-19-0x0000000000400000-0x000000000048C000-memory.dmp
- behavioral1/files/0x0008000000015605-21.dat
The three memory hits are successive dumps of the same image region (0x400000-0x48C000) of PID 3024; the fourth is a file the sample wrote to disk, so the dropped file is VMProtect-packed as well. VMProtect is a commercial protector that legitimate software also uses, so the packer match on its own is not a verdict; what it does tell the analyst is that static analysis of the file on disk will be unproductive and the memory dumps are the better starting point.

Drops file in Drivers directory (1 IoCs)
File opened for modification: C:\WINDOWS\system32\drivers\etc\hosts, by 97a862e9d8fe4a678ef6cfab111d13097b12f479b6ba86c6040217087b0278b9.exe
The hosts file is where browser hijackers pin domains to attacker-chosen addresses or blackhole update and security-vendor hosts. Pull the post-run contents of this file: whatever was written there outlives the sample's self-deletion.

Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Active Setup\Installed Components, by explorer.exe
Under HKCU this key only records which Active Setup components have already run for the user; the entries that actually launch something (StubPath) live under HKLM. A freshly started explorer.exe creating the HKCU key is routine, so this row is low signal unless a StubPath value turns up.

Deletes itself (1 IoCs)
PID 2584 cmd.exe (cmd /c C:\Users\Admin\AppData\Local\Temp\yyyy.bat)
The report attributes the deletion to the cmd.exe child, which the sample launched to run a dropped batch file. Running the delete from a separate process is the standard way a Windows executable removes its own (still mapped, therefore locked) image, and it is why the file will be gone from disk after detonation while the memory dumps above survive.

YARA rule vmprotect (4 IoCs)
Same four regions as the INDICATOR_EXE_Packed_VMProtect matches above:
- behavioral1/memory/3024-0-0x0000000000400000-0x000000000048C000-memory.dmp
- behavioral1/memory/3024-1-0x0000000000400000-0x000000000048C000-memory.dmp
- behavioral1/memory/3024-19-0x0000000000400000-0x000000000048C000-memory.dmp
- behavioral1/files/0x0008000000015605-21.dat

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (2 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar, by explorer.exe
Set value (int): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1", by explorer.exe

Modifies Internet Explorer start page (1 TTPs, 1 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2637.cn/?56", by 97a862e9d8fe4a678ef6cfab111d13097b12f479b6ba86c6040217087b0278b9.exe
This is the clearest statement of intent on the page: the sample itself (not the spawned explorer.exe) points the IE home page at http://www.2637.cn/?56. Together with the hosts-file write it fits the browser-hijacker profile. The URL is the one network indicator the report gives; the Network section below is empty.

Modifies registry class (5 IoCs)
All by explorer.exe (PID 1196):
- Set value (data): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
- Set value (data): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
- Key created: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings
- Key created: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
- Key created: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
BagMRU is the ShellBag store that Explorer updates whenever it opens a folder view; these rows are an artefact of the spawned explorer.exe, not of the sample.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
PID 3024 97a862e9d8fe4a678ef6cfab111d13097b12f479b6ba86c6040217087b0278b9.exe

Suspicious use of AdjustPrivilegeToken (13 IoCs)
Token: SeShutdownPrivilege, PID 1196 explorer.exe (13 times)

Suspicious use of FindShellTrayWindow (25 IoCs)
PID 1196 explorer.exe (25 times)

Suspicious use of SendNotifyMessage (20 IoCs)
PID 1196 explorer.exe (20 times)
The three rows above are consistent with ordinary shell start-up in the spawned explorer.exe (enabling SeShutdownPrivilege, locating the tray window, broadcasting shell notifications) and carry no signal about the sample on their own.

Suspicious use of WriteProcessMemory (8 IoCs)
PID 3024 (97a862e9d8fe4a678ef6cfab111d13097b12f479b6ba86c6040217087b0278b9.exe) wrote to memory of PID 1196 (explorer.exe), procid_target 28, 4 times
PID 3024 (97a862e9d8fe4a678ef6cfab111d13097b12f479b6ba86c6040217087b0278b9.exe) wrote to memory of PID 2584 (cmd.exe), procid_target 29, 4 times
Both targets are children the sample created itself, and sandboxes routinely log a parent writing into a just-created child as part of process creation. This row therefore does not by itself show injection into the spawned explorer.exe; memory dumps of PID 1196 would settle that, but the report only lists dumps of PID 3024.

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No task-creation IoC is listed, so this is API usage only as far as the report shows; on an infected host, still check C:\Windows\System32\Tasks (or schtasks /query) before concluding there is no scheduled-task persistence.
Processes

1. C:\Users\Admin\AppData\Local\Temp\97a862e9d8fe4a678ef6cfab111d13097b12f479b6ba86c6040217087b0278b9.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\97a862e9d8fe4a678ef6cfab111d13097b12f479b6ba86c6040217087b0278b9.exe"
   PID 3024
   - Drops file in Drivers directory
   - Modifies Internet Explorer start page
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   1.1 C:\Windows\explorer.exe
       command line: C:\Windows\explorer.exe
       PID 1196
       - Modifies Installed Components in the registry
       - Modifies Internet Explorer settings
       - Modifies registry class
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of SendNotifyMessage

   1.2 C:\Windows\SysWOW64\cmd.exe
       command line: cmd /c C:\Users\Admin\AppData\Local\Temp\yyyy.bat
       PID 2584
       - Deletes itself

2. C:\Windows\explorer.exe
   command line: explorer.exe
   PID 2204
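The signature rows above are rendered labels; an analyst working from raw sandbox or EDR telemetry has to re-derive them. The following is an added example, not code from the sandbox vendor or from the sample, that does exactly that for the report's higher-signal behaviours (hosts-file write, IE start-page change, Active Setup key, self-deletion through a cmd.exe child, and cross-process memory writes). The Event schema, the signature names and the event log are constructed assumptions modelled on the IoC rows; only the paths, PIDs, command lines and start-page URL are taken from the report. It also encodes the caveat noted above: a parent writing into a child it has just created is not reported as a cross-process write.

```python
"""Re-derive the report's behaviour signatures from raw sandbox events.

Added example for this report; it is not the sandbox's code and not the
sample's. The Event schema, the signature names and the constructed event
log are assumptions modelled on the IoC rows above; only the paths, PIDs,
command lines and the start-page URL are taken from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Patterns for the rows the report flags. Registry paths are matched on their
# tail so the hive prefix (\REGISTRY\USER\<SID>) does not matter.
HOSTS_FILE = re.compile(r"\\system32\\drivers\\etc\\hosts$", re.I)
IE_START_PAGE = re.compile(r"\\Internet Explorer\\Main\\Start Page$", re.I)
ACTIVE_SETUP = re.compile(r"\\Active Setup\\Installed Components", re.I)
CMD_RUNS_BATCH = re.compile(r"^cmd(\.exe)?\s+/c\s+(?P<bat>\S+\.bat)\s*$", re.I)


@dataclass(frozen=True)
class Event:
    kind: str                      # process | file_write | file_delete | registry | memory_write
    pid: int                       # acting process (for "process": the new process)
    image: str                     # acting process image path
    target: str = ""               # file path, registry value path, or target PID as text
    data: str = ""                 # registry value data, or the command line for "process"
    parent_pid: int | None = None  # for "process": the creator


def classify(events: Iterable[Event]) -> list[tuple[str, int, str]]:
    """Return (signature, pid, detail) tuples in the style of the report's rows."""
    events = list(events)
    parent_of = {e.pid: e.parent_pid for e in events
                 if e.kind == "process" and e.parent_pid is not None}
    cmdline_of = {e.pid: e.data for e in events if e.kind == "process"}
    image_of: dict[int, str] = {}
    for e in events:
        image_of.setdefault(e.pid, e.image)

    findings: list[tuple[str, int, str]] = []
    for e in events:
        if e.kind == "file_write" and HOSTS_FILE.search(e.target):
            findings.append(("drops_file_in_drivers_dir", e.pid, e.target))
        elif e.kind == "registry" and IE_START_PAGE.search(e.target):
            findings.append(("modifies_ie_start_page", e.pid, e.data))
        elif e.kind == "registry" and ACTIVE_SETUP.search(e.target):
            findings.append(("modifies_installed_components", e.pid, e.target))
        elif e.kind == "file_delete":
            # "Deletes itself": a child removes the image of the process that
            # launched it, typically via cmd /c <dropped>.bat, because a running
            # executable cannot unlink its own mapped image.
            parent = parent_of.get(e.pid)
            if parent is not None and e.target.lower() == image_of.get(parent, "").lower():
                m = CMD_RUNS_BATCH.match(cmdline_of.get(e.pid, ""))
                findings.append(("deletes_parent_image", e.pid,
                                 m.group("bat") if m else cmdline_of.get(e.pid, "")))
        elif e.kind == "memory_write":
            # A parent writing into a child it has just created is logged by
            # sandboxes as part of ordinary process creation; only writes into
            # processes the writer did not create earn a cross-process flag.
            target = int(e.target)
            if parent_of.get(target) != e.pid:
                findings.append(("cross_process_write", e.pid, e.target))
    return findings


# Constructed event log mirroring the report. The file_delete row is assumed:
# the report only shows the "Deletes itself" label on cmd.exe.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\97a862e9d8fe4a678ef6cfab111d13097b12f479b6ba86c6040217087b0278b9.exe")
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000"
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

CONSTRUCTED_LOG = [
    Event("process", 3024, SAMPLE, data=f'"{SAMPLE}"'),
    Event("file_write", 3024, SAMPLE, target=r"C:\WINDOWS\system32\drivers\etc\hosts"),
    Event("registry", 3024, SAMPLE,
          target=USER_HIVE + r"\Software\Microsoft\Internet Explorer\Main\Start Page",
          data="http://www.2637.cn/?56"),
    Event("process", 1196, EXPLORER, data=EXPLORER, parent_pid=3024),
    Event("memory_write", 3024, SAMPLE, target="1196"),
    Event("registry", 1196, EXPLORER,
          target=USER_HIVE + r"\Software\Microsoft\Active Setup\Installed Components"),
    Event("process", 2584, CMD, data=r"cmd /c C:\Users\Admin\AppData\Local\Temp\yyyy.bat",
          parent_pid=3024),
    Event("memory_write", 3024, SAMPLE, target="2584"),
    Event("file_delete", 2584, CMD, target=SAMPLE),
]

if __name__ == "__main__":
    for sig, pid, detail in classify(CONSTRUCTED_LOG):
        print(f"{sig:32} pid={pid:<5} {detail}")
```

Run against the constructed log, classify() reproduces four of the report's rows (hosts file, start page, Active Setup key, self-deletion via yyyy.bat) and, by design, none of the eight WriteProcessMemory rows, since both targets are children PID 3024 created. Appending a write into a PID the sample did not create (for instance the unrelated explorer.exe, PID 2204) is what would surface a cross_process_write finding.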
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1 (same size as the submitted sample, different hashes)
Filesize: 256KB
MD5: 3bed571d5d48a118003460109e4e1041
SHA1: 43e4a824307c3a7185b18c8c2813a6d4eff01df0
SHA256: a14eb01c175d7796053c6347adcd5e499831a89d58a38558dfd224988d9f2ea2
SHA512: ee9db645eb7bb6f65158dc37fd7c60146423f6550cd11db5eeeda19a8ac81c471b3195f4bcd9533c260b0b850d88fd0ccaf278822f4449f4bdbe8ec466ed99a0

File 2
Filesize: 337B
MD5: 9fe5da7e754dc4f7057d7d974f5482f3
SHA1: 4e5a152fbd0ace9e6f8ee29dad66e100c5d64ec5
SHA256: 6662d0cd26ea2e9d919c67226d508c951e9e141d82c7c28b7f3ef5399191549d
SHA512: 7a0283f6646227a9062e10de996be5067aff7d8d531a11ef142af6e36c21311eff27540ea40bcda4267d9dd46757e7e0bbe3ba349d3660f6147193efcc812a52

File 3
Filesize: 2KB
MD5: a1d921556cf3a3d9d26b2ef002a7f87e
SHA1: 6d35761aa3c8d24ab25db1d6a6e8a964bebd7121
SHA256: be7dfb47e11615f6b0cda24d8d568fccb6cea492112f723b8784ee26cbe5d309
SHA512: 282607c9fc123c57dff829e728c4b08fe7fa27a130903907856127c9aec7d7f2c83c8e6d812208291c495cf25af195404d9010391cf53fcd12f2647475acc049