1599c2228a1ef2167ba0ba197ed43ade129f4718a5d15ada2cd1492807381191

Analysis

max time kernel
130s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CF2.0无视一切.exe
Size

1.5MB
MD5

b8338dc3aa0b76c4f479be13e7de93f6
SHA1

14a11740eaacd3d3a833540aa9b1923aaa10d242
SHA256

3f4c085480b95dd31da6577a85ce5d03e1a3651e665ede7ccb5650018e8bc5fe
SHA512

3c15345b5b9991cdd2b6bb2f06c2cdf11f7b8c47c3b539e634f378367ea56748f8d615dc217716fc6c3b1a34ba0ffc436a36ae101bd5a8f09e1fc3e5214615ae
SSDEEP

24576:8s5pCmBYCiHXmJc+KhYixOmqBkK+INuosZSYMkztp8qqNthT:8Ei3PxO4KA/Ffr8qqZ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

CF2.0无视一切.exe

pid process

2496 CF2.0无视一切.exe
2496 CF2.0无视一切.exe

Drops file in System32 directory 2 IoCs

Processes:

CF2.0无视一切.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ESPI11.dll	CF2.0无视一切.exe
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	CF2.0无视一切.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

CF2.0无视一切.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	CF2.0无视一切.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	CF2.0无视一切.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\IESettingSync	CF2.0无视一切.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	CF2.0无视一切.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

CF2.0无视一切.exe

pid	process
2496	CF2.0无视一切.exe
2496	CF2.0无视一切.exe
2496	CF2.0无视一切.exe
2496	CF2.0无视一切.exe
2496	CF2.0无视一切.exe
2496	CF2.0无视一切.exe
2496	CF2.0无视一切.exe
2496	CF2.0无视一切.exe
2496	CF2.0无视一切.exe
2496	CF2.0无视一切.exe
2496	CF2.0无视一切.exe
2496	CF2.0无视一切.exe
2496	CF2.0无视一切.exe
2496	CF2.0无视一切.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

CF2.0无视一切.exe

pid process

2496 CF2.0无视一切.exe
2496 CF2.0无视一切.exe
2496 CF2.0无视一切.exe
2496 CF2.0无视一切.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

CF2.0无视一切.exe

description	pid	process	target process
PID 2496 wrote to memory of 5480	2496	CF2.0无视一切.exe	netsh.exe
PID 2496 wrote to memory of 5480	2496	CF2.0无视一切.exe	netsh.exe
PID 2496 wrote to memory of 5480	2496	CF2.0无视一切.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\CF2.0无视一切.exe
"C:\Users\Admin\AppData\Local\Temp\CF2.0无视一切.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\SysWOW64\netsh.exe
netsh winsock reset
2⤵
PID:5480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hongxin.dll

Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
memory/2496-0-0x0000000077DD4000-0x0000000077DD5000-memory.dmp

Filesize
4KB

Download