Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/05/2024, 07:36

General

  • Target

    b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe

  • Size

    6.0MB

  • MD5

    33b6b28c4f80dc5cfb84098dac02f6e2

  • SHA1

    4668cf2b493b753e536d5f4c900a3ba39d33e0bb

  • SHA256

    b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb

  • SHA512

    d215c02bf91a7d3058dd441f97a42368240485e957901979490eec21287ca88f356412652c7c2760e2c18eb7906b82de42982f947d067e2a1f65ff8b31bca4ad

  • SSDEEP

    98304:fbdhDqohDS1F+CRcB27OgUWZHw8VQjr+/bJBAUZLr:fbdhDD23a2sWKjr+TJVP

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe
    "C:\Users\Admin\AppData\Local\Temp\b52eb743ad381910bc3685abe5508dccf6cfcbda2348f69f29b42da9a2433fcb.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://changkongbao.lanzouq.com/ikW9T1cfeg5e
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1120
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1120 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1096

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (68KB)
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (344B)
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (344B)
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (344B)
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (344B)
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (344B)
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (344B)
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (344B)
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (344B)
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (344B)
        • C:\Users\Admin\AppData\Local\Temp\Cab5286.tmp (65KB)
        • C:\Users\Admin\AppData\Local\Temp\Tar5359.tmp (177KB)
        • C:\Users\Admin\AppData\Local\Temp\·½°¸.ini (10KB)
        • C:\Users\Admin\AppData\Local\Temp\·½°¸.ini (8KB)
        • C:\Users\Admin\AppData\Local\Temp\¿ì½Ý·¢ÑÔ·½°¸.txt (189B)
        • C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini (246B)
        • C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini (260B)
        • \Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib (1.5MB)
