Analysis
max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20240508-en
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted
26/05/2024, 09:53
Static task
static1
Behavioral task
behavioral1
Sample
e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe
Resource
win10v2004-20240426-en
General
Target
e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe
Size
6.0MB
MD5
e56dd93a4f2f623d858265b2563c2d9f
SHA1
005b23bc55513aa6b1e264cc967769677c5b1737
SHA256
e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca
SHA512
936ff010d4a80b513a1f471d000fec3eff57a712f6e159ea74c7878ae12692afcd5deea0feb0d41c6583cbf5073fc5d6d0698eea5e400f5129b22f449553a9ae
SSDEEP
98304:fbdhDqohDS1F+CRcB27OgUWZHw8VQjr+/bJBAUZLD:fbdhDD23a2sWKjr+TJVf
Malware Config
Signatures
Loads dropped DLL 1 IoCs
pid	Process
2372	e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe

resource	yara_rule
behavioral1/memory/2372-1-0x0000000000290000-0x000000000029B000-memory.dmp	upx
behavioral1/memory/2372-45-0x0000000000290000-0x000000000029B000-memory.dmp	upx
behavioral1/memory/2372-44-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-42-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-40-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-38-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-34-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-32-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-30-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-28-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-26-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-24-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-22-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-20-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-18-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-16-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-14-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-12-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-10-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-8-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-6-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-4-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-2-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2372-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
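The yara table above lists 26 memory dumps, but the dump names encode only two distinct address ranges for PID 2372: a small one at 0x290000 and a larger one at 0x10000000, the default image base the MSVC linker assigns to DLLs, which fits the "Loads dropped DLL" signature. The following Python is an added example, not part of the report or the sample: it parses the `<pid>-<snapshot>-<start>-<end>` dump names, collapses them into distinct regions with sizes and snapshot ranges, and flags the region at the default DLL base. The embedded hit list is a constructed subset of the rows above.

```python
import re

# Constructed subset of the behavioral1 yara hits listed in the report.
YARA_HITS = """
behavioral1/memory/2372-1-0x0000000000290000-0x000000000029B000-memory.dmp upx
behavioral1/memory/2372-2-0x0000000010000000-0x000000001003E000-memory.dmp upx
behavioral1/memory/2372-3-0x0000000010000000-0x000000001003E000-memory.dmp upx
behavioral1/memory/2372-44-0x0000000010000000-0x000000001003E000-memory.dmp upx
behavioral1/memory/2372-45-0x0000000000290000-0x000000000029B000-memory.dmp upx
behavioral1/memory/2372-55-0x0000000010000000-0x000000001003E000-memory.dmp upx
"""

# <task>/memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp <rule>
DUMP_RE = re.compile(
    r"(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<snap>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\w+)"
)

# Default image base MSVC's linker gives DLLs; a packed region mapped here is a
# DLL image rather than the main executable (whose default base is 0x400000).
MSVC_DEFAULT_DLL_BASE = 0x10000000


def parse_hits(text):
    """Turn the dump-name table into dicts with integer pid, snapshot and addresses."""
    hits = []
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        hits.append({
            "task": m["task"], "pid": int(m["pid"]), "snap": int(m["snap"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16), "rule": m["rule"],
        })
    return hits


def summarize_regions(hits):
    """Collapse per-snapshot hits into distinct (pid, start, end) regions."""
    regions = {}
    for h in hits:
        key = (h["pid"], h["start"], h["end"])
        r = regions.setdefault(key, {"snaps": [], "rules": set()})
        r["snaps"].append(h["snap"])
        r["rules"].add(h["rule"])
    out = []
    for (pid, start, end), r in sorted(regions.items()):
        out.append({
            "pid": pid, "start": start, "end": end, "size": end - start,
            "hit_count": len(r["snaps"]),
            "first_snap": min(r["snaps"]), "last_snap": max(r["snaps"]),
            "rules": sorted(r["rules"]),
            "at_default_dll_base": start == MSVC_DEFAULT_DLL_BASE,
        })
    return out


if __name__ == "__main__":
    for r in summarize_regions(parse_hits(YARA_HITS)):
        print(f"pid {r['pid']} 0x{r['start']:08X}-0x{r['end']:08X} size=0x{r['size']:X} "
              f"hits={r['hit_count']} snapshots {r['first_snap']}..{r['last_snap']} "
              f"rules={r['rules']} default_dll_base={r['at_default_dll_base']}")
```

Run against the full table the two regions come out as 0xB000 bytes at 0x290000 and 0x3E000 bytes at 0x10000000; the second is present from the second snapshot to the last, so the packed DLL stays mapped for the whole run.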
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description	ioc	Process
File opened for modification	\??\PhysicalDrive0	e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
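The two signatures above report the sample opening \??\PhysicalDrive0 for modification after enumerating storage devices. To confirm an MBR write on a disk image or a live host, read the first sector and compare the parts a bootkit changes. The following Python is an added example, not from the report or the sample: it parses a 512-byte MBR (0x55AA signature, 440-byte bootstrap area, 4-byte disk signature, four 16-byte partition entries), hashes the bootstrap code and compares it with a known-good baseline. The two sector images, their bootstrap bytes and the baseline hash are constructed inline; `read_physical_drive_mbr` uses the Win32 device name `\\.\PhysicalDrive0`, which is the same object the report lists by its NT object-manager path, and needs administrator rights on a real host.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440            # bootstrap code occupies bytes 0-439
DISK_SIG_OFF = 440            # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446          # four 16-byte partition entries
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xAA"        # bytes 510-511


def parse_mbr(sector):
    """Decode a raw MBR into bootstrap hash, disk signature and partition list."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        if ptype == 0:        # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
            "disk_signature": disk_sig, "partitions": partitions}


def check_mbr(sector, baseline_bootcode_sha256):
    """Return findings; an empty list means the bootstrap code matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings


def read_physical_drive_mbr(path=r"\\.\PhysicalDrive0"):
    # Raw read of the first sector; requires an elevated process on Windows.
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr(bootcode):
    # Constructed sector: given bootstrap bytes, a fixed disk signature and one
    # active NTFS (type 0x07) partition starting at LBA 2048, 100 MiB long.
    sector = bytearray(MBR_SIZE)
    sector[:len(bootcode)] = bootcode
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF,
                     0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed bootstrap stubs: CLEAN begins with the usual "xor ax,ax / mov ss,ax /
# mov sp,0x7C00" prologue; TAMPERED has its first two bytes overwritten.
CLEAN_BOOTCODE = bytes.fromhex("33C08ED0BC007C") + b"\x90" * 20
TAMPERED_BOOTCODE = b"\xEB\xFE" + CLEAN_BOOTCODE[2:]

CLEAN_MBR = build_sample_mbr(CLEAN_BOOTCODE)
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOTCODE)
# In practice the baseline comes from a golden image taken before infection.
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["bootcode_sha256"]

if __name__ == "__main__":
    print("clean    ->", check_mbr(CLEAN_MBR, BASELINE_SHA256))
    print("tampered ->", check_mbr(TAMPERED_MBR, BASELINE_SHA256))
```

On a live Windows host run `check_mbr(read_physical_drive_mbr(), baseline)` from an elevated prompt with a baseline hash recorded from the same machine before the sample ran; the partition table is decoded too, because a bootkit that keeps the bootstrap hash intact but repoints the active partition would otherwise pass.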
Modifies Internet Explorer settings 24 IoCs
description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15EA5491-1B46-11EF-8C93-DEECE6B0C1A4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid	Process
856	iexplore.exe
Suspicious use of SetWindowsHookEx 9 IoCs
pid	Process
2372	e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe
2372	e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe
2372	e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe
856	iexplore.exe
856	iexplore.exe
3044	IEXPLORE.EXE
3044	IEXPLORE.EXE
3044	IEXPLORE.EXE
3044	IEXPLORE.EXE
Suspicious use of WriteProcessMemory 8 IoCs
description	pid	Process	procid_target
PID 2372 wrote to memory of 856	2372	e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe	31
PID 2372 wrote to memory of 856	2372	e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe	31
PID 2372 wrote to memory of 856	2372	e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe	31
PID 2372 wrote to memory of 856	2372	e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe	31
PID 856 wrote to memory of 3044	856	iexplore.exe	32
PID 856 wrote to memory of 3044	856	iexplore.exe	32
PID 856 wrote to memory of 3044	856	iexplore.exe	32
PID 856 wrote to memory of 3044	856	iexplore.exe	32
Processes
C:\Users\Admin\AppData\Local\Temp\e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe
"C:\Users\Admin\AppData\Local\Temp\e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe"
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
  C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://changkongbao.lanzouq.com/ikW9T1cfeg5e
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:856
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3044
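The process tree shows the sample (PID 2372, running from the user's Temp directory) starting 64-bit iexplore.exe with a URL on the command line, and IE then starting its own 32-bit tab process with the usual SCODEF/CREDAT arguments. The first hop is the one worth alerting on; the second is how IE works. The following Python is an added detection example, not from the report or any sandbox: it runs over constructed process-creation events in the shape of a Sysmon Event ID 1 export (the field names are an assumption), alerts when a browser is launched by a parent that is neither the shell nor another browser, and extracts the URL and host for blocking. The fourth event is a constructed benign control, the user opening the same browser from explorer.exe.

```python
import ntpath
import re
from urllib.parse import urlparse

SAMPLE_EXE = "e4c90c8cd4374961de64f96bfd33fb271fb21b2e52b5ab52fad2fef4bee5f8ca.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_EXE
IE64 = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
IE32 = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE"
EXPLORER = "C:\\Windows\\explorer.exe"

# Constructed events; the first three mirror the report's tree, the fourth is benign.
EVENTS = [
    {"pid": 2372, "ppid": 1000, "image": SAMPLE_PATH, "parent_image": EXPLORER,
     "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 856, "ppid": 2372, "image": IE64, "parent_image": SAMPLE_PATH,
     "cmdline": f'"{IE64}" https://changkongbao.lanzouq.com/ikW9T1cfeg5e'},
    {"pid": 3044, "ppid": 856, "image": IE32, "parent_image": IE64,
     "cmdline": f'"{IE32}" SCODEF:856 CREDAT:275457 /prefetch:2'},
    {"pid": 4100, "ppid": 1000, "image": IE64, "parent_image": EXPLORER,
     "cmdline": f'"{IE64}" https://www.example.com/'},
]

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# Parents that legitimately start a browser: the shell, and the browser itself
# (IE's frame process spawns tab processes, as PID 856 -> 3044 shows). Tune per estate.
EXPECTED_PARENTS = {"explorer.exe"} | BROWSERS
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def detect_browser_launches(events):
    """Flag browser starts whose parent is not the shell or another browser."""
    alerts = []
    for e in events:
        child = ntpath.basename(e["image"]).lower()
        if child not in BROWSERS:
            continue
        parent = ntpath.basename(e["parent_image"]).lower()
        if parent in EXPECTED_PARENTS:
            continue
        urls = URL_RE.findall(e["cmdline"])
        reasons = [f"browser started by non-shell parent {parent}"]
        if any(marker in e["parent_image"].lower() for marker in USER_WRITABLE):
            reasons.append("parent image lives in a user-writable directory")
        if urls:
            reasons.append("URL passed on the command line")
        alerts.append({
            "pid": e["pid"], "ppid": e["ppid"], "parent_image": e["parent_image"],
            "urls": urls, "hosts": [urlparse(u).hostname for u in urls],
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_browser_launches(EVENTS):
        print(f"pid {a['pid']} (parent {a['ppid']}): {'; '.join(a['reasons'])}; hosts={a['hosts']}")
```

The allow-list is deliberately small: adding svchost.exe or userinit.exe may be needed on hosts where the browser is started by a scheduled task or logon script, but every name added there is a parent an attacker can also impersonate by naming or by injection, so tune it from your own telemetry rather than widening it blindly.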
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 207d95fb1c239f9f5e13b8de8f473094
SHA1 a1846b8c1e6b20cdc6fab02a7cd664ff001faa3f
SHA256 69c95313963aaebd2a58ca93477c7d2ad28701440c9c9264c70b97a13244b529
SHA512 f85a2b98033e937b5dc4456fa73379c6c5d5cc31e6ef3746f12e049a6e8973dca94f59cefdb86c5504002d2018cf787f4db080f269a7ee5e4ef482208323ac6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 367f79d16572b7ae307b87359797c82a
SHA1 163138efeeb83139d4489d3214bb22dade634cf8
SHA256 889a50aeaefd8e8c236ff03871c2bad72fb1a865da6513779351c2743c73b0e7
SHA512 d94142614ad2186e08890050ae3b9618d11acf3f81aaf243ea39a6e3c694c34c519b23a171dbeb96b75200a84007e92288688208cd143593a65f6f6b4552b11f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 a1a7bc78b78139e59dedbb1d1283f2dd
SHA1 723e0d876760f46c4ca31f2e5e889802bced1b62
SHA256 21d27ca2ee09a22e34a4836d6b23dea6f5a9dbc958fe84c6fc9d55b8c03425b4
SHA512 8c3501c9e939ce99d41484ac23e0e4a998c7cf5bfbbaba934c28857eb6a304cea5d04e7bd1acd5b6bdebd89c39e76d99c2d1feea2cf4944c1699929214bd7a14

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 b294453d5e69f1b0451f14436305d017
SHA1 0158e45f990f1fa43bd9aece3e9c07e3eaee6c74
SHA256 41146830168576f99c3a138eade6f738b9858441bb6739b3a536d7a5e5c3470a
SHA512 67a515cdb56cad0148550960aaa6cb38083536384d7bed065a816302a78e8da828b0226b60be74a3504d13010529f88c6e537bf0fe03d27a7b0158857957277f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 701bb0207fe2d76c1f3ee766f19509d7
SHA1 1349f6151090f7111aaf2cc8146b14a6b8d81c7a
SHA256 777966a5c2e920bd2a9a73bdf0954242384f3181fd34f629cbb4c4ae11c0860e
SHA512 29997f015b1d30171b9e42461422695280a49c568da11dfa51628a230a0a05ab7c201eb6b090c5e8df19341643f724b46521119c0ae5ef77447f6f482dfee2ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 6bdb86f6a20ad8ee3a2efad8471d01e9
SHA1 cb0744477ae3acae688e8eaed1c0b851a9e9f626
SHA256 98fbba8f45d1da6454fb4abaf59f4370bf6c77971bff3cc419cec37d4608c2db
SHA512 b3b7aee6ecfa210e14e28d0ee4fcd063e4b2828688e497ccd4a7cae30a4aa4ecc3c642572e2d6487e85c22bfba8d35770fe44213c36eb768abafdd40668011e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 b48db50da1ff8783453f53f8bda963e6
SHA1 11b943f777887f0b9415021836ff8c83a957b399
SHA256 bfb8ff2713f9813b20ad588c630229412dc32d5889da6956b921849b39fd9120
SHA512 2fea8a6b4a9acee4545a494a5bcbb258bf1c36476e2a5def52a62a75ec11416136655e25e35851d539ac1489559bc18eda948c33619946a4d665c42e6d53743f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 ad0725eb1685cfd2ccf6c408dd72a3c0
SHA1 e5b6ba9b2a9ab6968e37e2ae17c365fc86a9d970
SHA256 5d60f0b5cb0736c941c7f47bf7121d0c4f01728c28e3aabe234d366657c8674f
SHA512 8a50403fba79b3274c476c1509c0b67115517afcf8ea38f0353ca674e5c3cfbb83d82cce5315a243af2974b94801799367faeb19ca50fc90bf3ce37c4d1afa73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 b9cd71fe6ea5b5a5dbaf694715e2099b
SHA1 55d1dbd7ddd42e301f27e4efae5a825edf1b7c15
SHA256 9963d938c5f321277163a484756e21bb9ad789160307342c6ab28f683c4d9da9
SHA512 830666212f1425b900934106c5a7cd12367b8bf10b1231e022fbd5c25b16f7e7ba275f3af938a26b1a53d524dec20362c4bd1f0e5a5ccc1190f42667cd0dccd7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 ad066e992b045f89d862ed636605e8a4
SHA1 4727eaa3f0f9a132dbaf9fa2ddeb35cbfcafb165
SHA256 a8be7c5a231ddadde84d946ecc41de70f587131fd306c393e6c9e09946ae9f14
SHA512 7e6cd6d6454f969adad3c148d18325742ba78ca5556d3aeec16ff4e24e5e4a767695d1cb5aab09f8178056e9d9b216cd19dbe4044f01d36d31f48af2f1f72242

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 449f19a9be27ffb401b7aeacc5f55bdc
SHA1 821bcb3013ec45ed4edbabcb166e5ed81ce2f9ea
SHA256 aba829ca8857f364d3a6c8d5d0a2ae1bcac9dfcf07cfa2f9cb839a9140aa8c97
SHA512 7505006b4e188d515edbec6f1c6d53be29431da687d12a3c68976d9f88037a2cb2629452c1a1711303df3676d5e1a7d5a658d644321cb9a5c1e67895b65bb767
Filesize 68KB
MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Filesize 177KB
MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Filesize 10KB
MD5 842d9e10867153ad73a1a80d79afef13
SHA1 33a49d893273182e8aba6e9531c3077d4ab86516
SHA256 2823197bddf0203ea011003a4e70f2687da234a3388b5090a76da2c2562d33e4
SHA512 e6e10f63c7d3e65358bd6e66a7328f7d06d096b2ed936cd4504cfb8c6b5f4081dd55884bb915191156965b0eb9b3fda6a97b5b1a1eee45d59a41a4e375d1e518

Filesize 8KB
MD5 16ef8177433976c14d23f839a8c1152a
SHA1 2b653ca841498be9292cbbc8b5119504e225f56d
SHA256 2a30dc50f2e6e73b059d7419b34924114bffcfa8d99f7703bfbdd4f9e5da8855
SHA512 9cccf0eb97b898988e5da63584e195528dd3a0f34d0608844a33c6ac5928d83c8159151a7a15d5382a10114b819cb72d8c5840d254d9ac1023ad6ac22ac4833e

Filesize 189B
MD5 322f59ce015ff2f1f00ecbe4fdfce380
SHA1 eb4756a5bb023f6d1feacdbeac6e94013e15d5b0
SHA256 c96ef901d8f23cb7626ef980c4cf5bece7aafeef9b2b8b28829d3a11a51562c1
SHA512 2610ce1c0a55da67faa9ddaca26529a87bf5ebc6706621682d54024fa887ca9cd54cdc5b854f8b79ea99b02a5277d6931f633fa876107d9ec1bf503bee23a02c

Filesize 246B
MD5 b06ddcfdb64cc28ca0a0ef609de5f05f
SHA1 bd95d141935795e249d2ab00824839fd42c8f505
SHA256 da0a5d79dc6a120811b556885b704f9fd158b1f19dd5a9c595719feb56065f00
SHA512 a1dd3cc527ce6a6c4b0ea2c369d4370f6f1bf332c9255e1a8eebfd5986c133dacc2e6c6a55071e5bcf4724f37ff2920f2e17567ca32571e664b458e526be72b5

Filesize 260B
MD5 924bf7a4ce305dad87743ba3c5773aa9
SHA1 12d0fddb472394b23e5176ab4ede38974e723b81
SHA256 01faf5e88442653bf38adc145d517f44d3495398e0aa666c7486b7030c126cbd
SHA512 2380c957717d3bc97ae2de96aba9cd3b50a1774eb96dc47840add1b12ee13485ee6cc6c4d30953b8f42d32ae3b02657966229fcbe58a60843df0cbd6170eb44e

Filesize 1.5MB
MD5 ef48d7cc52338513cc0ce843c5e3916b
SHA1 20965d86b7b358edf8b5d819302fa7e0e6159c18
SHA256 835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8
SHA512 fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9