Malware Analysis Report

2025-06-16 03:39

Sample ID 240526-lr4q1aeg88
Target d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87
SHA256 d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87
Tags
bootkit persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87

Threat Level: Shows suspicious behavior

The file d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence upx

UPX packed file

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 09:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 09:46

Reported

2024-05-26 09:49

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422878768" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15C21121-1B45-11EF-9387-E25BC60B6402} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe

"C:\Users\Admin\AppData\Local\Temp\d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://changkongbao.lanzouq.com/ikW9T1cfeg5e

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcstcp.com udp
CN 124.223.107.201:51388 gcstcp.com tcp
CN 124.223.107.201:8899 gcstcp.com tcp
US 8.8.8.8:53 wwyp.lanzoul.com udp
CN 223.247.106.57:443 wwyp.lanzoul.com tcp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1296-5-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-9-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-1-0x0000000000400000-0x0000000000A5D000-memory.dmp

memory/1296-6-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-4-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-3-0x0000000000200000-0x000000000020B000-memory.dmp

memory/1296-2-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-0-0x0000000000200000-0x000000000020B000-memory.dmp

memory/1296-34-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-38-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-42-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-26-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-49-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-46-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-44-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-40-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-36-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-50-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/1296-32-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-30-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-28-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-24-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-22-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-21-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-17-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-15-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-13-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-11-0x0000000010000000-0x000000001003E000-memory.dmp

memory/1296-53-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/1296-55-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1296-56-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/1296-58-0x0000000010000000-0x000000001003E000-memory.dmp

\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib

MD5 ef48d7cc52338513cc0ce843c5e3916b
SHA1 20965d86b7b358edf8b5d819302fa7e0e6159c18
SHA256 835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8
SHA512 fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

C:\Users\Admin\AppData\Local\Temp\方案.ini

MD5 b6bffed88dc920f4daccf1a83dbf7f8b
SHA1 9d6e4a7b272cb725a143a588e1fe7b0ca6374b0b
SHA256 88e93194d4660d8c6f3f70591eef2e73ee460bbca08932cd7bec4393a6c7a36b
SHA512 d603a3aca6149b8dba1a1c3ca84d09d39459c21e10d4ef25ea88807cd0901f5a749dd7f97d4d49a9211f099e689156bc9724a73ad1e73aa580d8680d6cf25d3e

C:\Users\Admin\AppData\Local\Temp\快捷发言方案.txt

MD5 1f176fd422d932b3f73c59cd0e8a4d0b
SHA1 e944c5a2805bb8809ddef9402304a12e6d3a3751
SHA256 f96f94e2c2d39b65dd9ca21a66abf75ed7b4c2d03bc703c5afc71fa1ea12669e
SHA512 7b0b29b2e9f0e6730541d206fde7cd2a5318a227f67b25c56b3005acd30201d11cbec7ddcdd9ad2149981ae681adffa2b161e2588375447b4add74eaea7db225

C:\Users\Admin\AppData\Local\Temp\设置.ini

MD5 49f36aa007f23eb6c74c4a2a1a3a33b1
SHA1 24bc012bf366135ed5b87fa1fae78d5a2995536f
SHA256 2454bb119c52184d858ad28c30a7178102ede54731a482b7168f1528516dd4cb
SHA512 6788124e3da25d19c0acc3f188d6e25c1eee4aaa3df0ba1aeac17a64eca3b487e6de745ad38d47aa9fa03ce1d55c7172cfd872831034da3d7aea86e88a449474

C:\Users\Admin\AppData\Local\Temp\设置.ini

MD5 be1ed890b76305de558c92cdec4ac2bb
SHA1 f9886e1bcb55dcfcb06294141496d8ac9eb7e014
SHA256 bad4ee5b9b63fd12da271a13eb1a7120a58ee3c5a4f95daef51fab68b87ba6cb
SHA512 0060156b4a7fb18c5a1fd2018fe69d3a533e5c3b8d1f14920bfd6ab88ffedb799901a635a186e35f2aa605d3bcc502142363b63aad202b3928e77180e6d56dec

C:\Users\Admin\AppData\Local\Temp\方案.ini

MD5 1d67dafae0fcabbdc7ffaa3095ca3b61
SHA1 6ea71d27c8bf64ff601585c961a65c1adc9d7775
SHA256 51037184b477771ebe0558bed508315e05de95cb170a40a975d2326e97bfe88e
SHA512 b1ebb5d6d68fd2c5372114494dca30eff6107e263313b8889c4ef9b3f2311d3fc0b557bbcefa6911547727eac0b345df904993561c5a6feb87426158a4684d71

C:\Users\Admin\AppData\Local\Temp\设置.ini

MD5 0e66900340fc19323c256461904893d9
SHA1 daf382f14a93f5cc7a839f0d2914a7fe699cbbee
SHA256 3c0466e79066d63e524f4b8f5423409a9fcfa769334cde7b1628d5f86265be10
SHA512 2c446d717530e6e73c59f965b034ca9cd92409d5eeb2f60c9d001ef0f905e09864ab0448b929deea46a25bdab707ae61d45ab78c23cb37a6dc6c0eb85300b2b8

C:\Users\Admin\AppData\Local\Temp\CabABD.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarC3B.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 141603264d2f50139acb0f01c127e988
SHA1 f81f1b42a454f18a7ef2385369ea4918fbd9f861
SHA256 7220890f4eec742620c2390f5181f18422c8c27cc13cc02a024861855ac968be
SHA512 5aefc24f6ab1048d7f110c0b9294253123318b26c26154bee30d33d71d258b5209d713733946ee3eec866be5924be95aefb1dff9730db316d6b3308bd51aebfa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2306fa97fe981cf11d53ecca6d660abc
SHA1 7f6e9404d84234da72edee6608906381d1b85553
SHA256 1548527dc33588fb5465cfaffd511c6f9f837d527f37bcc7212ede644f2f234a
SHA512 e8bf7f6f382f879ada3a7019e7c53e6fbf35451cebc54dd5b76ede57dc190c87ef882cd3c28c30ea88fec98dcabe9c89733ae2e658b027b51b07ed8c9214d5b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2299c0d0345aa3e03108e80de1c7bb68
SHA1 b429ce61f400c0620ac98be06b2821721773361d
SHA256 e774a2ba4e3e82a1b660789df61b3efaa32a1695708b4211a611a537b17549f5
SHA512 d6fef97a3a767903412e6cf773b1ea9980ea05f20f806f07993157c0bcb7e38cb25443b0ad8f1e38fb6434b70af4302f8eb9c429055a51fb930663a74e49b8d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cccc470da00eba179700299d71243f86
SHA1 2b494a43cc593497a854f3bf63d414f26211ed61
SHA256 5c2b7632d1ee9d766e890ab0b8d395a7fb2075746962ed5b2241bc4ebd5afa64
SHA512 7d34b016e4313fa6db1c9c9ea5dd941c53f5cf611f7e32fc9c51a11a35fca3491e40632e57c7c6dae4b5bf109f4bf87f2c2dc4f129ec4945db59243619730763

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a9a977bbceaca2f8346ab556f425c28
SHA1 265fab9c5c31ff133f9a22f2c152f716a07d2a6a
SHA256 f3ccac2df0d16d6d1bcd8c4f4d6713fbeec6d979f6bf15eea5541e5ed2bffd37
SHA512 80b25b5db192bd181bf085934a14fea4ed8f2d8037ad924b0239cea069b8e198416355f1c73322ae2c51310bf9df1f73a13d0a31133865547dc6a6cec205fcdc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dae73692010ad474a6e6520ab5b2ebc1
SHA1 fbf18746743af535f729144e7163435be97fb18c
SHA256 6e6e2730d73ecebcd9d5ba2bad45c5f79bbf53bd0d38aee9faaad288fb4e20e2
SHA512 4666e0ba265639023af4d5de0453d97c0178c5021e18dd31115de9884e9f761b7cbfc11c51659bdc2a9f756ddbc7e4bc7241e8caf63c75c37bb1497454565d11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ee1bd812988007ea1d48a689989b100
SHA1 b4b1cc7716fb19ec2720ee20e614a64d16bd4e8e
SHA256 6a9e16b61d2d3d68a472882b069fc56f873efe8e2d0a1b7c7d4f5bdd415bc116
SHA512 5668f54a0a36c02e73b78f64490dd253b43c1da73a02880e0b1301beb04eb708dd678499192a509b8a152699472e540986694f5518224d9f29fa6e51a123a1d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d5752c4b30f860fb2829fdac630a787
SHA1 dc39faa0bafabd73df240f8dce38fed615b627bd
SHA256 13fd0da1e77d23cfbc96ab6a363e81a341665148178e5fdd162df00b102d21f1
SHA512 d0dac4985d29b44a6b4e53b7fa45364144cd6bf3a641537a37d4d77562476f8d5b0bb1b854ee67c4519895f7716db74e992af35016a00f9c059e933709f737e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e84af480ef855b4f88f833d16b3142a
SHA1 d62f9124b0ce3cd9c12a918de863fc57249bab5d
SHA256 04a62da831b80fe65cae209c1ede945c8f34d49593bbdde8daab2324fad108a8
SHA512 11bb8246e72df286268ea0850bfcb70ac60384b5a7dff83be23fbaf6b9e94f6a4780c16ad17f11a7ee4a31e4b5ccf8a56f4f6daf9ee9934b17c4e99a33726eaa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e9deb9f99563b87298fc8da4d456fc1
SHA1 7220f1d6063561e81b6bc2dcb58cd5ed1567ec63
SHA256 a7a8a30667b9251b9b7ea28b42c6d1f3a6377cc851a102a18aebed1239ef7d44
SHA512 60c562fa86c26aaaef13549345b90eae2c5f651d29f07eda6bff32fda7dec9a3278c2d847db211eb068d1ce0d1a5b3a56fcabd398e4950a0e7d5d8f1bc8a9363

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52ad3336f5967f32bdc902d90deffba4
SHA1 4b637ce8910019a393686c2e9f98ca8d770d1a87
SHA256 0bfaf1001c39ae90b1bc2768d681a45ef6e7edc8b779e5e6f0036be20753c70f
SHA512 68b3cd8a49ed4abd4e270680ab9126939c86201bab1e941de02f41c4ad5d011f0f66d3022af3853428708e5b55eff48e47a7a21645939984ecc6e40c74316e64

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2ead49ee2facba79a32ba930ed2c7fe
SHA1 3f5ce7321db60e742077b3dde5305af2a1504647
SHA256 3f30f7dc7f4254bc57f728f212975bea5d5686501133bf963fa92b4218aca94c
SHA512 00096273c2ad2162b8827b933eb5edd4bd5ba1b36327e51ede997c73ef10f90f15044c954470cf07ed4d64ee9f89ad9c3ec20256b0e93fab1150099bd93efad9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7e25b4a1bc86bbbb2070fdf0a7e8022
SHA1 e7a0d06751318eb03f5e67acd6734154d8ce667c
SHA256 1a0d1b98f2b2deaff8ce7d9820e86e87a3a92557df4992f4b6c5c2ebbfdad9ed
SHA512 3b5f68b7020ce775ae3412aa15a604d4d793fe66fbd05008bdaf65358ece511f5827cc16ec855b14bf6b55a92f6012eccf424cd1655ce839a319fa72d8296222

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8bbf4716a6f63d12c2a8f3504e3590ba
SHA1 4783d39177f2b4b2005492fb02119aec48b74a08
SHA256 662d88269141a63494bdd174b5e909b795b32dfa7b5295f02dc41b05afa35b0e
SHA512 91eae6c870959bd54c42666203520adc1f2faf01c5cd970751f5b6960d9ae2e06f60c7b33cff98ea13d8caf9466b21b1a0f48fa42d88ec3c0906a4bddc07954e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 03c1ec3ae3c1138e7a562292cb99556c
SHA1 c046ae422214a1985e8ba31df8f16a81dcdaf04a
SHA256 cb59aba56fdda562698880c4d8712d55218649a620b783f7e06b948079957570
SHA512 80973cb8a8eb625b39eeb531a775bfc15f8759b82adbac20fffa9f8a623ff8bd90ba210fc8f8b2098a364712e6e72f9500a402128aebb87448256a8c1efa9cc2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ac84547e40c0519b4613853611cbbc1
SHA1 dc63e1cd9836fbbca4af27b340e0b583cdf991bf
SHA256 9f383b5d31d907e569463433a6eae7340f2b734154a4e6567e20687da75727c8
SHA512 75d3fdbc890d4401ea406425ca27d1deb2f54cff98506d65df1e5bb77235ae7ef7a6cba067f5fd82485dbdef048e92d83bd7f59aea1be2ceaf6d50439d224f06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4301dcbb92a3d40820fc85245bc6ead0
SHA1 92579828197b41d0947245932cb6699c5c60461b
SHA256 c4280e0656d5215cf7f22925f305e6f2d920ac2efe50091937aef864c64706ba
SHA512 fa9e1ec47c5bba81bda0589cf1ea1249eabe51e0380e7d031c3f8ad69a3732a3ae2724b0839d63f53a9bcc0cf2bffb4379ee6d9464ca0a5125faeb8fc0633b3d

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 09:46

Reported

2024-05-26 09:49

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe

"C:\Users\Admin\AppData\Local\Temp\d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1712 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://changkongbao.lanzouq.com/ikW9T1cfeg5e

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3804 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5108 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5436 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=3688 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6036 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5692 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5396 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 gcstcp.com udp
CN 124.223.107.201:51388 gcstcp.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
CN 124.223.107.201:8899 gcstcp.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 wwyp.lanzoul.com udp
CN 120.233.179.103:443 wwyp.lanzoul.com tcp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
GB 172.165.61.93:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 2.17.251.21:443 bzib.nelreports.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
BE 2.21.17.194:443 www.microsoft.com tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 93.61.165.172.in-addr.arpa udp
US 8.8.8.8:53 21.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 194.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 13.89.179.12:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.204.74:443 chromewebstore.googleapis.com tcp
BE 2.17.196.152:443 www.bing.com tcp
US 8.8.8.8:53 12.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 edge-http.microsoft.com udp
US 8.8.8.8:53 edge-http.microsoft.com udp
US 13.107.6.158:80 edge-http.microsoft.com tcp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 152.196.17.2.in-addr.arpa udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
US 8.8.8.8:53 changkongbao.lanzouq.com udp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp
CN 118.31.132.90:443 changkongbao.lanzouq.com tcp

Files

memory/3264-0-0x0000000000400000-0x0000000000A5D000-memory.dmp

memory/3264-1-0x00000000029D0000-0x00000000029DB000-memory.dmp

memory/3264-2-0x00000000029D0000-0x00000000029DB000-memory.dmp

memory/3264-3-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-4-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-32-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-36-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-35-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-47-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-45-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-43-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-41-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-39-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-30-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-27-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-24-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-22-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-20-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-48-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-18-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-14-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-12-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-10-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-5-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-49-0x00000000029F0000-0x00000000029F1000-memory.dmp

memory/3264-8-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-6-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-28-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-16-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3264-52-0x0000000002A00000-0x0000000002A01000-memory.dmp

memory/3264-55-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

memory/3264-54-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib

MD5 ef48d7cc52338513cc0ce843c5e3916b
SHA1 20965d86b7b358edf8b5d819302fa7e0e6159c18
SHA256 835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8
SHA512 fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

memory/3264-86-0x0000000005DD0000-0x0000000005DD1000-memory.dmp

memory/3264-85-0x0000000006450000-0x0000000006451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\设置.ini

MD5 49f36aa007f23eb6c74c4a2a1a3a33b1
SHA1 24bc012bf366135ed5b87fa1fae78d5a2995536f
SHA256 2454bb119c52184d858ad28c30a7178102ede54731a482b7168f1528516dd4cb
SHA512 6788124e3da25d19c0acc3f188d6e25c1eee4aaa3df0ba1aeac17a64eca3b487e6de745ad38d47aa9fa03ce1d55c7172cfd872831034da3d7aea86e88a449474

C:\Users\Admin\AppData\Local\Temp\快捷发言方案.txt

MD5 1f176fd422d932b3f73c59cd0e8a4d0b
SHA1 e944c5a2805bb8809ddef9402304a12e6d3a3751
SHA256 f96f94e2c2d39b65dd9ca21a66abf75ed7b4c2d03bc703c5afc71fa1ea12669e
SHA512 7b0b29b2e9f0e6730541d206fde7cd2a5318a227f67b25c56b3005acd30201d11cbec7ddcdd9ad2149981ae681adffa2b161e2588375447b4add74eaea7db225

C:\Users\Admin\AppData\Local\Temp\方案.ini

MD5 b6bffed88dc920f4daccf1a83dbf7f8b
SHA1 9d6e4a7b272cb725a143a588e1fe7b0ca6374b0b
SHA256 88e93194d4660d8c6f3f70591eef2e73ee460bbca08932cd7bec4393a6c7a36b
SHA512 d603a3aca6149b8dba1a1c3ca84d09d39459c21e10d4ef25ea88807cd0901f5a749dd7f97d4d49a9211f099e689156bc9724a73ad1e73aa580d8680d6cf25d3e

C:\Users\Admin\AppData\Local\Temp\设置.ini

MD5 be1ed890b76305de558c92cdec4ac2bb
SHA1 f9886e1bcb55dcfcb06294141496d8ac9eb7e014
SHA256 bad4ee5b9b63fd12da271a13eb1a7120a58ee3c5a4f95daef51fab68b87ba6cb
SHA512 0060156b4a7fb18c5a1fd2018fe69d3a533e5c3b8d1f14920bfd6ab88ffedb799901a635a186e35f2aa605d3bcc502142363b63aad202b3928e77180e6d56dec

C:\Users\Admin\AppData\Local\Temp\方案.ini

MD5 1d67dafae0fcabbdc7ffaa3095ca3b61
SHA1 6ea71d27c8bf64ff601585c961a65c1adc9d7775
SHA256 51037184b477771ebe0558bed508315e05de95cb170a40a975d2326e97bfe88e
SHA512 b1ebb5d6d68fd2c5372114494dca30eff6107e263313b8889c4ef9b3f2311d3fc0b557bbcefa6911547727eac0b345df904993561c5a6feb87426158a4684d71

C:\Users\Admin\AppData\Local\Temp\设置.ini

MD5 0e66900340fc19323c256461904893d9
SHA1 daf382f14a93f5cc7a839f0d2914a7fe699cbbee
SHA256 3c0466e79066d63e524f4b8f5423409a9fcfa769334cde7b1628d5f86265be10
SHA512 2c446d717530e6e73c59f965b034ca9cd92409d5eeb2f60c9d001ef0f905e09864ab0448b929deea46a25bdab707ae61d45ab78c23cb37a6dc6c0eb85300b2b8