Malware Analysis Report

2024-09-23 13:17

Sample ID 240613-cfpy2azhle
Target 9fa42f989e97c106d5054596fa90fbe2.bin
SHA256 573f4e04384a26e3f8e75d6c1f941a90c0cd8fa530923ba9eb7f61308b2d600a
Tags
bootkit persistence upx
score
7/10

Analysis Overview

score
7/10

SHA256

573f4e04384a26e3f8e75d6c1f941a90c0cd8fa530923ba9eb7f61308b2d600a

Threat Level: Shows suspicious behavior

The file 9fa42f989e97c106d5054596fa90fbe2.bin was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence upx

UPX packed file

Deletes itself

Writes to the Master Boot Record (MBR)

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Runs regedit.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:01

Reported

2024-06-13 02:03

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\TaoBao\淘宝.ico C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
File created C:\Program Files (x86)\Common Files\TaoBao\小游戏.ico C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RtkSYUdp.exe C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\internet explorer\version Vector C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\LocalizedString = "@shdoclc.dll,-880" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon\ = "shdoclc.dll,-190" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\ = "打开主页(&H)" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\属性 C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8} C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\InfoTip = "@shdoclc.dll,-881" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command\ = "IEXPLORE.EXE %w%w%w.93%119%15.%c%o%m" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\ C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\属性\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1 C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\属性\Command C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\Attributes = "0" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\属性\ = "属性(&R)" C:\Windows\SysWOW64\regedit.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4952 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 4952 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 4952 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 4952 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 4952 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 4952 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 4952 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 4952 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 4952 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe

"C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe"

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10656.tmp

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Users\Admin\AppData\Local\Temp\$10943.tmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

C:\Windows\SysWOW64\regedit.exe

C:\Windows\regedit.exe /s C:\Users\Admin\AppData\Local\Temp\bbhhhik.tmp

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.ttver.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

memory/4952-0-0x00000000006F0000-0x00000000006F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$rar10656.tmp

MD5 f9ce5c8a3059991babf4084151caa492
SHA1 26567f89a885b0e69f24309c3e5c58e8e938f841
SHA256 e82c214f33cad1b25146758e22fd887b15f63b1a7a8d716b358c50dc5c3d4e96
SHA512 cce48827588aa5968453a8a69baeab8435083dca1d625d079b01d4f9292c7bcb85ab1217f1cf96ea301eef49b7a96a76b58413d4496f1c35e234df7c7e5c9750

C:\Users\Admin\AppData\Local\Temp\bbhhhik.tmp

MD5 e65d0630e7c3363eff81fd64109c3dac
SHA1 062d18f42ff35760bed198d51c1056a42c22bfba
SHA256 286db12cc30d8834f18cbc2d72aab3cbc8ab4c515dc8f4e124c82eaa61e4061d
SHA512 d4921c73729c5a00f9f2348d93cd0db827ea17cb45295f0f0b05d99597a241dab7703b674dd107e7a9d15854765b279af7d4f6b7ab8c44a1e658e361c63c0559

C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

MD5 0cf180f20e716094bef34db0f1a39a04
SHA1 f8e9da5d8eaf347b240a77c6a9c4f494d4fc351b
SHA256 2a72298ec1d957d1d225aec50a4e6e32c5dec2f2645f25e580304e5c7ae5bb26
SHA512 a471fee35dfc685effb46fcc37d47d7210fad3fdba7cb5342b13e11f95ae7690e4053b3399bca6da7546015a479ce55a301c6934be8bab7ec9eae5aece8bdb3b

memory/4952-24-0x0000000000400000-0x00000000004E1000-memory.dmp

memory/4952-26-0x00000000006F0000-0x00000000006F1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:01

Reported

2024-06-13 02:03

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\TaoBao\淘宝.ico C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A
File created C:\Program Files (x86)\Common Files\TaoBao\小游戏.ico C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RtkSYUdp.exe C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\internet explorer\version Vector C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\InfoTip = "@shdoclc.dll,-881" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command\ = "IEXPLORE.EXE %w%w%w.93%119%15.%c%o%m" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\ = "打开主页(&H)" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\属性\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\属性 C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\LocalizedString = "@shdoclc.dll,-880" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon\ = "shdoclc.dll,-190" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\Attributes = "0" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\属性\Command C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\ C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\属性\ = "属性(&R)" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1 C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86} C:\Windows\SysWOW64\regedit.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 2600 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 2600 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 2600 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 2600 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 2600 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 2600 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 2600 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 2600 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 2600 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 2600 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 2600 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\regedit.exe
PID 2600 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe

"C:\Users\Admin\AppData\Local\Temp\9fa42f989e97c106d5054596fa90fbe2.exe"

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10656.tmp

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Users\Admin\AppData\Local\Temp\$10943.tmp

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

C:\Windows\SysWOW64\regedit.exe

C:\Windows\regedit.exe /s C:\Users\Admin\AppData\Local\Temp\bbhhhik.tmp

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.ttver.com udp

Files

memory/2600-0-0x0000000000320000-0x0000000000321000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$rar10656.tmp

MD5 f9ce5c8a3059991babf4084151caa492
SHA1 26567f89a885b0e69f24309c3e5c58e8e938f841
SHA256 e82c214f33cad1b25146758e22fd887b15f63b1a7a8d716b358c50dc5c3d4e96
SHA512 cce48827588aa5968453a8a69baeab8435083dca1d625d079b01d4f9292c7bcb85ab1217f1cf96ea301eef49b7a96a76b58413d4496f1c35e234df7c7e5c9750

C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

MD5 0cf180f20e716094bef34db0f1a39a04
SHA1 f8e9da5d8eaf347b240a77c6a9c4f494d4fc351b
SHA256 2a72298ec1d957d1d225aec50a4e6e32c5dec2f2645f25e580304e5c7ae5bb26
SHA512 a471fee35dfc685effb46fcc37d47d7210fad3fdba7cb5342b13e11f95ae7690e4053b3399bca6da7546015a479ce55a301c6934be8bab7ec9eae5aece8bdb3b

C:\Users\Admin\AppData\Local\Temp\bbhhhik.tmp

MD5 25db315b7c4e03440fc39a45d0e696f4
SHA1 e676a65ddced682543871402c65745615866813b
SHA256 afebbcbfd45e044083133fd2f575f9cee59dbff403ae376b2d2307a89b97a26c
SHA512 d10afe733da4f6c33e2859078ca307e40cf15c0e2ddde9e48b8cb3962491cc73e6b47d2fb98c56d233bef268cf1d45ac68d5835885a8b5395ee4b0c6dd0ad3d4

C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

MD5 fe7ba024ac3c4431401fc96683f42425
SHA1 9564a4ebb611ba50d9423237928c4dd6d731381a
SHA256 395c28d051da994a0a2beccc2c43d34644949e7530ee5fc5389f80ae1f63150f
SHA512 817a7b1ca77aac9b360c322cd071f95ec0906c4c298d9196d8e45fe6dad59e630a7b5a9264e3325f2d7a3508af9978daf63159e5b5fe57323feb9c928066697e

memory/2600-25-0x0000000000400000-0x00000000004E1000-memory.dmp

C:\Windows\RtkSYUdp.exe

MD5 d0cd586c5c857850a188e778b971f25a
SHA1 3f584fd89e41151c389b4701d876d2bdd2885fc2
SHA256 2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb
SHA512 995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp

MD5 1722b85f05faa97e09cc1d98002d0711
SHA1 0a2ec5d60f6c8af838fc004e8fbb0b436437887f
SHA256 2c428a167d8dabe9b4e4e821f5d56333962208ef44bc0becbf9c968f1e583e21
SHA512 40393e3b6f958a2b0303810ba3653f55b18ff22439df78487752c92cbe0a510120b2a078b31805980ae2ceaa4465674bfc2ce03803988481fd633e2b9c3ca3b8