Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/05/2024, 09:53

General

  • Target

    e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe

  • Size

    6.0MB

  • MD5

    e56dd93a4f2f623d858265b2563c2d9f

  • SHA1

    005b23bc55513aa6b1e264cc967769677c5b1737

  • SHA256

    e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca

  • SHA512

    936ff010d4a80b513a1f471d000fec3eff57a712f6e159ea74c7878ae12692afcd5deea0feb0d41c6583cbf5073fc5d6d0698eea5e400f5129b22f449553a9ae

  • SSDEEP

    98304:fbdhDqohDS1F+CRcB27OgUWZHw8VQjr+/bJBAUZLD:fbdhDD23a2sWKjr+TJVf

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe
    "C:\Users\Admin\AppData\Local\Temp\e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://changkongbao.lanzouq.com/ikW9T1cfeg5e
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3044

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          207d95fb1c239f9f5e13b8de8f473094

          SHA1

          a1846b8c1e6b20cdc6fab02a7cd664ff001faa3f

          SHA256

          69c95313963aaebd2a58ca93477c7d2ad28701440c9c9264c70b97a13244b529

          SHA512

          f85a2b98033e937b5dc4456fa73379c6c5d5cc31e6ef3746f12e049a6e8973dca94f59cefdb86c5504002d2018cf787f4db080f269a7ee5e4ef482208323ac6b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          367f79d16572b7ae307b87359797c82a

          SHA1

          163138efeeb83139d4489d3214bb22dade634cf8

          SHA256

          889a50aeaefd8e8c236ff03871c2bad72fb1a865da6513779351c2743c73b0e7

          SHA512

          d94142614ad2186e08890050ae3b9618d11acf3f81aaf243ea39a6e3c694c34c519b23a171dbeb96b75200a84007e92288688208cd143593a65f6f6b4552b11f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          a1a7bc78b78139e59dedbb1d1283f2dd

          SHA1

          723e0d876760f46c4ca31f2e5e889802bced1b62

          SHA256

          21d27ca2ee09a22e34a4836d6b23dea6f5a9dbc958fe84c6fc9d55b8c03425b4

          SHA512

          8c3501c9e939ce99d41484ac23e0e4a998c7cf5bfbbaba934c28857eb6a304cea5d04e7bd1acd5b6bdebd89c39e76d99c2d1feea2cf4944c1699929214bd7a14

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          b294453d5e69f1b0451f14436305d017

          SHA1

          0158e45f990f1fa43bd9aece3e9c07e3eaee6c74

          SHA256

          41146830168576f99c3a138eade6f738b9858441bb6739b3a536d7a5e5c3470a

          SHA512

          67a515cdb56cad0148550960aaa6cb38083536384d7bed065a816302a78e8da828b0226b60be74a3504d13010529f88c6e537bf0fe03d27a7b0158857957277f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          701bb0207fe2d76c1f3ee766f19509d7

          SHA1

          1349f6151090f7111aaf2cc8146b14a6b8d81c7a

          SHA256

          777966a5c2e920bd2a9a73bdf0954242384f3181fd34f629cbb4c4ae11c0860e

          SHA512

          29997f015b1d30171b9e42461422695280a49c568da11dfa51628a230a0a05ab7c201eb6b090c5e8df19341643f724b46521119c0ae5ef77447f6f482dfee2ef

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          6bdb86f6a20ad8ee3a2efad8471d01e9

          SHA1

          cb0744477ae3acae688e8eaed1c0b851a9e9f626

          SHA256

          98fbba8f45d1da6454fb4abaf59f4370bf6c77971bff3cc419cec37d4608c2db

          SHA512

          b3b7aee6ecfa210e14e28d0ee4fcd063e4b2828688e497ccd4a7cae30a4aa4ecc3c642572e2d6487e85c22bfba8d35770fe44213c36eb768abafdd40668011e2

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          b48db50da1ff8783453f53f8bda963e6

          SHA1

          11b943f777887f0b9415021836ff8c83a957b399

          SHA256

          bfb8ff2713f9813b20ad588c630229412dc32d5889da6956b921849b39fd9120

          SHA512

          2fea8a6b4a9acee4545a494a5bcbb258bf1c36476e2a5def52a62a75ec11416136655e25e35851d539ac1489559bc18eda948c33619946a4d665c42e6d53743f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          ad0725eb1685cfd2ccf6c408dd72a3c0

          SHA1

          e5b6ba9b2a9ab6968e37e2ae17c365fc86a9d970

          SHA256

          5d60f0b5cb0736c941c7f47bf7121d0c4f01728c28e3aabe234d366657c8674f

          SHA512

          8a50403fba79b3274c476c1509c0b67115517afcf8ea38f0353ca674e5c3cfbb83d82cce5315a243af2974b94801799367faeb19ca50fc90bf3ce37c4d1afa73

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          b9cd71fe6ea5b5a5dbaf694715e2099b

          SHA1

          55d1dbd7ddd42e301f27e4efae5a825edf1b7c15

          SHA256

          9963d938c5f321277163a484756e21bb9ad789160307342c6ab28f683c4d9da9

          SHA512

          830666212f1425b900934106c5a7cd12367b8bf10b1231e022fbd5c25b16f7e7ba275f3af938a26b1a53d524dec20362c4bd1f0e5a5ccc1190f42667cd0dccd7

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          ad066e992b045f89d862ed636605e8a4

          SHA1

          4727eaa3f0f9a132dbaf9fa2ddeb35cbfcafb165

          SHA256

          a8be7c5a231ddadde84d946ecc41de70f587131fd306c393e6c9e09946ae9f14

          SHA512

          7e6cd6d6454f969adad3c148d18325742ba78ca5556d3aeec16ff4e24e5e4a767695d1cb5aab09f8178056e9d9b216cd19dbe4044f01d36d31f48af2f1f72242

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          449f19a9be27ffb401b7aeacc5f55bdc

          SHA1

          821bcb3013ec45ed4edbabcb166e5ed81ce2f9ea

          SHA256

          aba829ca8857f364d3a6c8d5d0a2ae1bcac9dfcf07cfa2f9cb839a9140aa8c97

          SHA512

          7505006b4e188d515edbec6f1c6d53be29431da687d12a3c68976d9f88037a2cb2629452c1a1711303df3676d5e1a7d5a658d644321cb9a5c1e67895b65bb767

        • C:\Users\Admin\AppData\Local\Temp\Cab6B73.tmp

          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        • C:\Users\Admin\AppData\Local\Temp\Tar6BD3.tmp

          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        • C:\Users\Admin\AppData\Local\Temp\·½°¸.ini

          Filesize

          10KB

          MD5

          842d9e10867153ad73a1a80d79afef13

          SHA1

          33a49d893273182e8aba6e9531c3077d4ab86516

          SHA256

          2823197bddf0203ea011003a4e70f2687da234a3388b5090a76da2c2562d33e4

          SHA512

          e6e10f63c7d3e65358bd6e66a7328f7d06d096b2ed936cd4504cfb8c6b5f4081dd55884bb915191156965b0eb9b3fda6a97b5b1a1eee45d59a41a4e375d1e518

        • C:\Users\Admin\AppData\Local\Temp\·½°¸.ini

          Filesize

          8KB

          MD5

          16ef8177433976c14d23f839a8c1152a

          SHA1

          2b653ca841498be9292cbbc8b5119504e225f56d

          SHA256

          2a30dc50f2e6e73b059d7419b34924114bffcfa8d99f7703bfbdd4f9e5da8855

          SHA512

          9cccf0eb97b898988e5da63584e195528dd3a0f34d0608844a33c6ac5928d83c8159151a7a15d5382a10114b819cb72d8c5840d254d9ac1023ad6ac22ac4833e

        • C:\Users\Admin\AppData\Local\Temp\¿ì½Ý·¢ÑÔ·½°¸.txt

          Filesize

          189B

          MD5

          322f59ce015ff2f1f00ecbe4fdfce380

          SHA1

          eb4756a5bb023f6d1feacdbeac6e94013e15d5b0

          SHA256

          c96ef901d8f23cb7626ef980c4cf5bece7aafeef9b2b8b28829d3a11a51562c1

          SHA512

          2610ce1c0a55da67faa9ddaca26529a87bf5ebc6706621682d54024fa887ca9cd54cdc5b854f8b79ea99b02a5277d6931f633fa876107d9ec1bf503bee23a02c

        • C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

          Filesize

          246B

          MD5

          b06ddcfdb64cc28ca0a0ef609de5f05f

          SHA1

          bd95d141935795e249d2ab00824839fd42c8f505

          SHA256

          da0a5d79dc6a120811b556885b704f9fd158b1f19dd5a9c595719feb56065f00

          SHA512

          a1dd3cc527ce6a6c4b0ea2c369d4370f6f1bf332c9255e1a8eebfd5986c133dacc2e6c6a55071e5bcf4724f37ff2920f2e17567ca32571e664b458e526be72b5

        • C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

          Filesize

          260B

          MD5

          924bf7a4ce305dad87743ba3c5773aa9

          SHA1

          12d0fddb472394b23e5176ab4ede38974e723b81

          SHA256

          01faf5e88442653bf38adc145d517f44d3495398e0aa666c7486b7030c126cbd

          SHA512

          2380c957717d3bc97ae2de96aba9cd3b50a1774eb96dc47840add1b12ee13485ee6cc6c4d30953b8f42d32ae3b02657966229fcbe58a60843df0cbd6170eb44e

        • \Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib

          Filesize

          1.5MB

          MD5

          ef48d7cc52338513cc0ce843c5e3916b

          SHA1

          20965d86b7b358edf8b5d819302fa7e0e6159c18

          SHA256

          835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8

          SHA512

          fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

        • memory/2372-28-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-20-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-10-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-8-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-6-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-4-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-3-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-2-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-49-0x0000000000370000-0x0000000000371000-memory.dmp

          Filesize

          4KB

        • memory/2372-52-0x0000000000380000-0x0000000000381000-memory.dmp

          Filesize

          4KB

        • memory/2372-51-0x00000000003D0000-0x00000000003D1000-memory.dmp

          Filesize

          4KB

        • memory/2372-55-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-14-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-16-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-18-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-12-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-22-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-24-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-26-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-0-0x0000000000400000-0x0000000000A6D000-memory.dmp

          Filesize

          6.4MB

        • memory/2372-30-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-32-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-34-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-36-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-38-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-40-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-42-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-46-0x0000000000360000-0x0000000000361000-memory.dmp

          Filesize

          4KB

        • memory/2372-44-0x0000000010000000-0x000000001003E000-memory.dmp

          Filesize

          248KB

        • memory/2372-45-0x0000000000290000-0x000000000029B000-memory.dmp

          Filesize

          44KB

        • memory/2372-1-0x0000000000290000-0x000000000029B000-memory.dmp

          Filesize

          44KB