Analysis

  • max time kernel: 78s
  • max time network: 142s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11/06/2024, 00:09

General

  • Target: 856d4cd820bb9a30746d153b9bc00b99f7f14edd0f279d36fba199298428c172.exe
  • Size: 232KB
  • MD5: c5d47b7478befcb228693f79a4edff26
  • SHA1: 033cffbee60f52791e54a3d8e186da19421f123b
  • SHA256: 856d4cd820bb9a30746d153b9bc00b99f7f14edd0f279d36fba199298428c172
  • SHA512: 3adb37955f88ba6d351215f7519394f5c8c750cbe34504d19ce8b9c22c54fa5120ab340a3ec10201fd42d7d8d91b7db9a9d5b3e0982e1d470322e1eed0d33038
  • SSDEEP: 3072:P1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1VOz1i/NU82OMYcYU:ti/NjO5xbg/CSUFLTwMjs6oi/N+O7

Score
9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 47 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\856d4cd820bb9a30746d153b9bc00b99f7f14edd0f279d36fba199298428c172.exe
    "C:\Users\Admin\AppData\Local\Temp\856d4cd820bb9a30746d153b9bc00b99f7f14edd0f279d36fba199298428c172.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1192
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:116
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:1436
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2020
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Views/modifies file attributes
        PID:3572
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:4640
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:720
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:448
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:3868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4580
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • Views/modifies file attributes
        PID:2356

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: ba5c07e84aaf8703c7f383a82d696ce7
    SHA1: f51fbe8032555f84974ed041a09cc6211d8ee0af
    SHA256: 088079d3c0c9b9117e2427529a2e6ddd19bd694d1180dabf72cb80dfad1fbad3
    SHA512: 987db2bb8c1a95f754c724f5921152a3e1f6a4ca7b7c79f7b927eca93e9251e73eb91d8a972c094061a8dbfb6ad82e5133ed64ffb7d9c9de946b705f4081d31f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: 25330b0d189f83cb857a6a01b5c710d4
    SHA1: c4af9a9b2b62ca5b5daf17ef1091035abdbb957e
    SHA256: 4c0472ac352782b311e6afa31b246e25c506db44e67c5700dbae7b42bc49e463
    SHA512: a620d90b7dcd5fd3a5239edb030285405035715f4ef490ee39274473bf2b6dc0cd7cfc5f65a4318e4b953f3e6772002f0a0427ed4029c1e0975ecae10591fd00

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\79ZXHV21\favicon[1].htm
    Filesize: 776B
    MD5: 0542ad8156f4dfca7ddcfcb62a6cb452
    SHA1: 485282ba12fc0daf6f6aed96f1ababb8f91a6324
    SHA256: c90cdefdb6d7ad5a9a132e0d3b74ecdb5b0d5b442da482129ba67925a2f47e8f
    SHA512: 0b41affa129277bf4b17d3e103dc4c241bc2ac338858cc17c22e172ec2ac65539b63e802246efb462cd134d99907d9c5ed9bc03937cadcca3155b703ac6e3195

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\79ZXHV21\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9HVBWIRO\js-sdk-pro.min[1].js
    Filesize: 33KB
    MD5: 24bb520e9517f2ed3ed987b46aeaf723
    SHA1: 846723563d7dd2bff3954f93633b11af0103adc8
    SHA256: d1f1bfe698f2ffb7b3e7a885a301d58f9554d45df0a31c3e8b53c84b33c80d27
    SHA512: 31afbcd2ee87c84cc3e56355da8ddc741a69d918c2687984265745d8046deb18c494cbca6aaf8d4eae6b035e888e6f7cf9b0d59a255f2714963d7b3edbb3c87f

  • C:\WINDOWS\windows.exe
    Filesize: 232KB
    MD5: 1a4f614c69c7f700034332454e726172
    SHA1: 81cf9d465546552ad895d7d52465da4fa2fc8e74
    SHA256: 431fcabcc4ff50be729308171056e64ef66c76203afbea9130306ec3fb6adcd4
    SHA512: d4a683a9df3d355e4d21f9d0e08a3f5523f83afce23ff1a6eeae942e2a11744635eb6b6d689729cb886799bec9b952b67e3b1328141ae6177d4e61c9c0d58614

  • C:\system.exe
    Filesize: 232KB
    MD5: 3166db2b79c7e4443dcd78f168c60575
    SHA1: 528ffa0e666a965db604b2bf7c8363a7c008de76
    SHA256: b654de9906b35bc030a4fcddb39a9a6c11c73f6b08fa83cffcd06229640ceb17
    SHA512: 54695ebc982c69436d3df7540b1f7963f1cc69df63c97257a04a7bab2e9f47d176a9d6bdaa77cf20c16982066da44243fea8d943a0c02b86feceeaeae2298c5b

  • memory/2272-0-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB

  • memory/2272-311-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB