676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe
Size

4.8MB
MD5

10c9464211d8fc212bfeeb972ed579d6
SHA1

b095a0c0833d852a98ed554507ed24a4c9898e3f
SHA256

676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d
SHA512

b31c4534bfd66f52e11a85cd0eae9809a557459f45cfeff607fa90dec31e3680a6f33c6fd950ee3e23c8e21987874eb469e8e6526bf49f6932ff0af1615f36d3
SSDEEP

98304:Ba5gyXi3zjeZhr19f7gHi/kZgc8hrEB3Ii8GnraqlwyWoQcXGcm3Xmm9rWIcYop1:Ba5gyS3zjeZhr19f7gHi/kZgc8hrEB3a

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1908	evb3341.tmp

Loads dropped DLL 2 IoCs

pid	Process
1720	676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe
1908	evb3341.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 1908	1720	676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1188	ipconfig.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\xinkao	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\xinkao\xinkao = " 10.127.0.198"	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1720	676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1908	1720	676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe	28
PID 1720 wrote to memory of 1908	1720	676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe	28
PID 1720 wrote to memory of 1908	1720	676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe	28
PID 1720 wrote to memory of 1908	1720	676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe	28
PID 1720 wrote to memory of 1908	1720	676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe	28
PID 1720 wrote to memory of 1908	1720	676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe	28
PID 1720 wrote to memory of 1908	1720	676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe	28
PID 1720 wrote to memory of 1908	1720	676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe	28
PID 1720 wrote to memory of 1908	1720	676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe	28
PID 1720 wrote to memory of 1908	1720	676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe	28
PID 1720 wrote to memory of 1908	1720	676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe	28
PID 1720 wrote to memory of 1908	1720	676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe	28
PID 1908 wrote to memory of 2672	1908	evb3341.tmp	29
PID 1908 wrote to memory of 2672	1908	evb3341.tmp	29
PID 1908 wrote to memory of 2672	1908	evb3341.tmp	29
PID 1908 wrote to memory of 2672	1908	evb3341.tmp	29
PID 2672 wrote to memory of 2536	2672	cmd.exe	31
PID 2672 wrote to memory of 2536	2672	cmd.exe	31
PID 2672 wrote to memory of 2536	2672	cmd.exe	31
PID 2672 wrote to memory of 2536	2672	cmd.exe	31
PID 2672 wrote to memory of 2532	2672	cmd.exe	32
PID 2672 wrote to memory of 2532	2672	cmd.exe	32
PID 2672 wrote to memory of 2532	2672	cmd.exe	32
PID 2672 wrote to memory of 2532	2672	cmd.exe	32
PID 2532 wrote to memory of 1188	2532	cmd.exe	33
PID 2532 wrote to memory of 1188	2532	cmd.exe	33
PID 2532 wrote to memory of 1188	2532	cmd.exe	33
PID 2532 wrote to memory of 1188	2532	cmd.exe	33
PID 2532 wrote to memory of 2648	2532	cmd.exe	34
PID 2532 wrote to memory of 2648	2532	cmd.exe	34
PID 2532 wrote to memory of 2648	2532	cmd.exe	34
PID 2532 wrote to memory of 2648	2532	cmd.exe	34
PID 2672 wrote to memory of 2676	2672	cmd.exe	35
PID 2672 wrote to memory of 2676	2672	cmd.exe	35
PID 2672 wrote to memory of 2676	2672	cmd.exe	35
PID 2672 wrote to memory of 2676	2672	cmd.exe	35
PID 2672 wrote to memory of 2556	2672	cmd.exe	36
PID 2672 wrote to memory of 2556	2672	cmd.exe	36
PID 2672 wrote to memory of 2556	2672	cmd.exe	36
PID 2672 wrote to memory of 2556	2672	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe
"C:\Users\Admin\AppData\Local\Temp\676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\evb3341.tmp
  chushihua.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\ÐÅ¿¼³õÊ¼»¯¹¤¾ß\init.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\xinkao" /f /v "xk" /t REG_BINARY /d 01000000ad8967c6bdf588cad1ad05e31692dce185c0a0a741a1e9fd02bbfef8be39e0ef9459096d06269541893c8c4bf684b3139d0894517b68a9b784860939b5760e240ac2a53a7e8b90b7eb2c15ec08542d4e3eba6ae0fff3409c3803eb02faa043ea5164ecd9a3455bf6071e3508ae209ee5b97460b7cf33bff6acb20a9683f2941d
      4⤵
      PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig | findstr /i "IPv4"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig
        5⤵
        Gathers network information
        
        PID:1188
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "IPv4"
        5⤵
        
        PID:2648
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCR\Local Settings\Software\xinkao" /f /v "xinkao" /t REG_SZ /d " 10.127.0.198"
      4⤵
      Modifies registry class
      PID:2676
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\xinkao" /f /v "xinkao" /t REG_SZ /d " 10.127.0.198"
      4⤵
      PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ÐÅ¿¼³õÊ¼»¯¹¤¾ß\init.bat

Filesize
677B

MD5
9882bbfe52711ee196a7db25542db5f2

SHA1
c394bf81e8b864f870f9ebeb42fb31d09161e79e

SHA256
47f5adbc69839363178fed391b0695dc94720cd90976ec606380a62c205feaaf

SHA512
e5be4f44ec22ebd5698f31438afd7000a86caad2a3212f4a8912075b05cbb00c0124d9b37f629fa74f0f4b62d36da8059014f93072a7cc83320e9f7d97e0817b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evb3352.tmp

Filesize
1KB

MD5
ca736ac5b4501ec417bdff79c9dcbbff

SHA1
2ec046c794c95798d196079e8c5a0dbe38ff599e

SHA256
33e38330ad4ffc0804ac286ea9c72be875da0085f7a1344597d9f6bc4b8bead2

SHA512
5b658eff6fa687695abe5c6924f4738e7c5dbc294d1f7f2760284b007b4d0fb487a706610c0304b571af88872b1ff5b54bea8f4b76c944265a36eb10e1d811a3

Download Submit
\Users\Admin\AppData\Local\Temp\evb3341.tmp

Filesize
1KB

MD5
fc804f040bc43e008743afcb677baad5

SHA1
2c23e78979a8178f246dec5452c7c1a8a9c052f5

SHA256
89a095c5c8db0209a7c6d8b838e8b1d51b0a1dc35555d0d318d9f6f76a4cdac7

SHA512
0633c9fec6afac07656e9e16909d3fa86e65318cb2742397f21c054a9f5bc30939151ff933879b492df71030689b235c11fb33ef2a812fb09a05ba5662e6a759

Download Submit
\Users\Admin\AppData\Local\Temp\nst33D0.tmp\nsExec.dll

Filesize
6KB

MD5
1f49d8af9be9e915d54b2441c4a79adf

SHA1
1ee4f809c693e31f34bc6d8153664a6dc2c3e499

SHA256
b22c8f676dec58be8d25fbad1a37835ffc4029f29aaf79f4dc0337ca73a38782

SHA512
c60827e322e3168a79795ffd4beb0b0039842128255100d6b005d261402d2ff570f3866f441f3d3c063097c71d44bc5ae80d177fa91ef4e46fc8c2d97de27aa4

Download Submit
memory/1720-15-0x0000000003B50000-0x0000000003B85000-memory.dmp

Filesize
212KB

Download
memory/1720-1-0x00000000771F0000-0x00000000771F1000-memory.dmp

Filesize
4KB

Download
memory/1720-22-0x0000000003B50000-0x0000000003B85000-memory.dmp

Filesize
212KB

Download
memory/1720-45-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1720-2-0x00000000003D0000-0x00000000003D3000-memory.dmp

Filesize
12KB

Download
memory/1720-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1908-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1908-6-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/1908-30-0x00000000771F0000-0x00000000771F1000-memory.dmp

Filesize
4KB

Download
memory/1908-23-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/1908-8-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1908-19-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1908-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1908-50-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download