Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26/05/2024, 07:36
Static task: static1

Behavioral task: behavioral1
  Sample: b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe
  Resource: win10v2004-20240508-en
General
Target: b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe
Size: 6.0MB
MD5: 33b6b28c4f80dc5cfb84098dac02f6e2
SHA1: 4668cf2b493b753e536d5f4c900a3ba39d33e0bb
SHA256: b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb
SHA512: d215c02bf91a7d3058dd441f97a42368240485e957901979490eec21287ca88f356412652c7c2760e2c18eb7906b82de42982f947d067e2a1f65ff8b31bca4ad
SSDEEP: 98304:fbdhDqohDS1F+CRcB27OgUWZHw8VQjr+/bJBAUZLr:fbdhDD23a2sWKjr+TJVP
Malware Config
Signatures
Loads dropped DLL 1 IoCs
pid | Process
2512 | b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe

resource | yara_rule
behavioral1/memory/2512-1-0x0000000000270000-0x000000000027B000-memory.dmp | upx
behavioral1/memory/2512-3-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-2-0x0000000000270000-0x000000000027B000-memory.dmp | upx
behavioral1/memory/2512-4-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-5-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-6-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-22-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-20-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-18-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-16-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-32-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-14-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-12-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-10-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-8-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-38-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-47-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-44-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-42-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-40-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-36-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-34-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-30-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-28-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-26-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-25-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2512-57-0x0000000010000000-0x000000001003E000-memory.dmp | upx
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DB2C3931-1B32-11EF-B012-52ADCDCA366E} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1120 | iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs
pid | Process
2512 | b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe
2512 | b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe
2512 | b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe
1120 | iexplore.exe
1120 | iexplore.exe
1096 | IEXPLORE.EXE
1096 | IEXPLORE.EXE
1096 | IEXPLORE.EXE
1096 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2512 wrote to memory of 1120 | 2512 | b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe | 31
PID 2512 wrote to memory of 1120 | 2512 | b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe | 31
PID 2512 wrote to memory of 1120 | 2512 | b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe | 31
PID 2512 wrote to memory of 1120 | 2512 | b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe | 31
PID 1120 wrote to memory of 1096 | 1120 | iexplore.exe | 32
PID 1120 wrote to memory of 1096 | 1120 | iexplore.exe | 32
PID 1120 wrote to memory of 1096 | 1120 | iexplore.exe | 32
PID 1120 wrote to memory of 1096 | 1120 | iexplore.exe | 32
Processes

1. C:\Users\Admin\AppData\Local\Temp\b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe"
   PID: 2512
   - Loads dropped DLL
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://changkongbao.lanzouq.com/ikW9T1cfeg5e
      PID: 1120
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1120 CREDAT:275457 /prefetch:2
         PID: 1096
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: adf615e8d05e1e2381bdb2c2f757f684
SHA1: 71fe77043f290eda948397b03ea2b637ca4f18c8
SHA256: 961ae62f1cc8165e941452e12fdfff687d7bd45e4183f5d6ecd20be69d9ae5e2
SHA512: 962ff12f77ba1ea9303d65955ecc20314e19144bfb4922a78c4311a1cf2bc2cd6a1b7880135973c7edf30807917777d5dba5050f5c0c239631dec6a24bd97a9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 06224ffa24bc795aeabbc641d333cbfe
SHA1: bd7a0437fe268065e208044279c7090629d80066
SHA256: 7d630fcbeddd8eb75e8e0a79fae13b61135eb238a900d39289d7bfdfcf36ed41
SHA512: 657688cfdbafcf0995edebc7a4f0dc03dd13e6e9fa43d21cb8a0dc2b5eeedcbdd73b5bda5312574169fe7c418dc6755a580695b53502e0f83e527fb671e96768

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: d0dea16f590a04d145ac83470055ebaf
SHA1: 4f34d6d98b2438ab414366eef46c65c941c185fe
SHA256: 72854bf7523557f8ce2121841c94c112b18378a86f74c774a5ca91c7c6ae049e
SHA512: 17b46f81f986b4b5e2d270eeed7546221450110f5c94c2bf853a8c9e6567ec1b78cfb2ed90075fbf2e9c340f64bd36201f4dd51f9f8e9e033f2050801ec30126

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 2ae35dc8c8743291f7a9c160ef956c9e
SHA1: 9a19d101e0bcd16222e23b7313731c12ad88e484
SHA256: 746765d3a5410dbf1adb0f3b8368e501432787ca4971c58303327652dc690d60
SHA512: a6ef310db1df3f8a5fa7745e93a6cddddbb214e3131bcecde9b86c5da2d624fa5f4c18e2a3cda1fc3735734ab648e68164a55e01410c31e464c69c5a04d96aa7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 578d0caf84f90a32fc1509c6cbf9d579
SHA1: c040b589ddf295291a3ab9026c798791628bde1c
SHA256: 5a9f87a1455386334ecc2d89e2aa2a6c6fa4b7d3a4adae1ce344eecc8370913a
SHA512: 45567e8f3e2339dc02066d35a40df4371a60d7fbbd927c1a346dc48b07321f7d847d0fed9b0360306a8ab2554ad95a762fcf18947a62d56e045ca7fd6a5c9041

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 8c8d52de41246f1e44452ecbea2c4fe6
SHA1: c6e465f6e2a8cfa0d2c7922df7e66ee0e9a36ed9
SHA256: ded60afa995708a07bea4c04eba8a04d81bab9d7db2b9bf172cf5597c4b317c1
SHA512: 42c0c4d2567e97e2faaed84f933823376f820258b472ea9aef41ef819cb2131ac95341178038114e7813bd2fc10d51e7d183133ebd696b87fb836284d8748f80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 95d90903537f1fcc34ce3e7d20243803
SHA1: 32304e974c113327227276880954362f834de869
SHA256: 96597cef8717465d7751ec7420c25423e7854a66fae7708f77528cde5d05f377
SHA512: cc3ece1f6e9ba678d9b070390f6402f9eec4e29e916cb7582837c0af8b3da962a237c81e6522480daccc3c11d710e80a8c8f1611c02409c27c0d9841e14bb124

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: dc58bf317df20313efd27e57931ac7c0
SHA1: 4549978530df0381ccd927746061ad46f9ab0b13
SHA256: 7f6f599daccfde1affddf34d541d0dd25dd46d71a3480b2b3ac4d5903cb7df41
SHA512: 988e375a6bc6493fa9f909b7dc500f9cec0cfa54c372db53b135fb9a7516363b77fe43b5fa42c96816510dc346c23425c5c528eacf9616acb7bb952e22511830

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 24b50bd79ec58729852b5e263b34201e
SHA1: b7aaa4034ccebb9d22f98d2d3a00cb1147880cbb
SHA256: bfe3911d624f91f4aade22469fa9dd67d1ad7887758714be6cd9dc428b695a73
SHA512: 23be89a113844ac3205baae66234764925185828b6e2a489567f1070ab8c2c6b359b533623a2facd28d3eab35870497c2884062a96174fe4c8c26ff7cba50495

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 177KB
MD5: 435a9ac180383f9fa094131b173a2f7b
SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Filesize: 10KB
MD5: e734f59ce5a42bd8f84002eca6efa12b
SHA1: 42422a0a962f22cb3c9ec07a5a5931ee3a357e81
SHA256: e862887df230a65e212f1e0f006b321480b9474a5216d59055757425eb7e447c
SHA512: 322fc673b61da931317b03522f536ad091981854d2f6f542db114135f27fa490efb0dfbfb2af970731abdccf785d7273967be8eae0a4b891d19b6cb4e58c6027

Filesize: 8KB
MD5: 4c2da88b009234a8297f35482c949fb1
SHA1: 29500e1e0ed2bac5201a68bc0326c44d65bc7c16
SHA256: b342c964c8eaf0c10b06c8d00522db21022a5ad878b677d9f3d19f38fb7fde2d
SHA512: 4d538b1107f4a261cbe43fa828fc9dbe02a76b17038e372970b2de06c04df8b316a84238566ade01089162c196f733c161d0647e514bf23aa5ac561467adf177

Filesize: 189B
MD5: 322f59ce015ff2f1f00ecbe4fdfce380
SHA1: eb4756a5bb023f6d1feacdbeac6e94013e15d5b0
SHA256: c96ef901d8f23cb7626ef980c4cf5bece7aafeef9b2b8b28829d3a11a51562c1
SHA512: 2610ce1c0a55da67faa9ddaca26529a87bf5ebc6706621682d54024fa887ca9cd54cdc5b854f8b79ea99b02a5277d6931f633fa876107d9ec1bf503bee23a02c

Filesize: 246B
MD5: b06ddcfdb64cc28ca0a0ef609de5f05f
SHA1: bd95d141935795e249d2ab00824839fd42c8f505
SHA256: da0a5d79dc6a120811b556885b704f9fd158b1f19dd5a9c595719feb56065f00
SHA512: a1dd3cc527ce6a6c4b0ea2c369d4370f6f1bf332c9255e1a8eebfd5986c133dacc2e6c6a55071e5bcf4724f37ff2920f2e17567ca32571e664b458e526be72b5

Filesize: 260B
MD5: 924bf7a4ce305dad87743ba3c5773aa9
SHA1: 12d0fddb472394b23e5176ab4ede38974e723b81
SHA256: 01faf5e88442653bf38adc145d517f44d3495398e0aa666c7486b7030c126cbd
SHA512: 2380c957717d3bc97ae2de96aba9cd3b50a1774eb96dc47840add1b12ee13485ee6cc6c4d30953b8f42d32ae3b02657966229fcbe58a60843df0cbd6170eb44e

Filesize: 1.5MB
MD5: ef48d7cc52338513cc0ce843c5e3916b
SHA1: 20965d86b7b358edf8b5d819302fa7e0e6159c18
SHA256: 835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8
SHA512: fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9