Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/05/2024, 09:46

General

  • Target

    d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe

  • Size

    6.0MB

  • MD5

    0f122f52f5cb0721168a95cf3fe7742b

  • SHA1

    d33d6bf44b4a39aad315b2b73706078b3938e713

  • SHA256

    d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87

  • SHA512

    2969dd8b3a0726b4cc2f1a7b3afbe830046608c68b8eea70b1a04a27c6abf3967af25c60532d1d954c0b69581c5afb78b55a426e49ce8f48cb3cd92072e6ca55

  • SSDEEP

    98304:c0G1E13HhStHxV8ItdWEZ3Xy3cB27OgUWZHwuS2JBAUZLM:nGxV8It/JiY2sWpJVA

Malware Config

Signatures

  • Loads dropped DLL: 1 IoC
  • UPX packed file: 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR): 1 TTP, 1 IoC

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices: 1 TTP

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings: 1 TTP, 28 IoCs
  • Suspicious use of FindShellTrayWindow: 1 IoC
  • Suspicious use of SetWindowsHookEx: 9 IoCs
  • Suspicious use of WriteProcessMemory: 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe (PID 1296)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe"
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Program Files\Internet Explorer\iexplore.exe (PID 584, child of PID 1296)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://changkongbao.lanzouq.com/ikW9T1cfeg5e
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1496, child of PID 584)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:2
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx

Network

        Downloads
