Analysis
- max time kernel: 135s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2024, 01:14
Behavioral tasks
- behavioral1: sample ha_xint4.3_lrh.exe, resource win7-20240221-en
- behavioral2: sample ha_xint4.3_lrh.exe, resource win10v2004-20240508-en
- behavioral3: sample $PLUGINSDIR/InstallOptions.dll, resource win7-20240508-en
- behavioral4: sample $PLUGINSDIR/InstallOptions.dll, resource win10v2004-20240508-en
- behavioral5: sample $PLUGINSDIR/StartMenu.dll, resource win7-20240508-en
- behavioral6: sample $PLUGINSDIR/StartMenu.dll, resource win10v2004-20240611-en
- behavioral7: sample $PLUGINSDIR/System.dll, resource win7-20231129-en
- behavioral8: sample $PLUGINSDIR/System.dll, resource win10v2004-20240611-en
- behavioral9: sample $PLUGINSDIR/nsweb.dll, resource win7-20240611-en
- behavioral10: sample $PLUGINSDIR/nsweb.dll, resource win10v2004-20240611-en
- behavioral11: sample $TEMP/123.exe, resource win7-20240221-en
- behavioral12: sample $TEMP/123.exe, resource win10v2004-20240611-en
- behavioral13: sample $TEMP/noui.exe, resource win7-20240611-en
- behavioral14: sample $TEMP/noui.exe, resource win10v2004-20240611-en
- behavioral15: sample $TEMP/zwsw.exe, resource win7-20231129-en
- behavioral16: sample $TEMP/zwsw.exe, resource win10v2004-20240508-en
- behavioral17: sample ReplacingNotepad.bat, resource win7-20240508-en
- behavioral18: sample ReplacingNotepad.bat, resource win10v2004-20240508-en
- behavioral19: sample uninst.exe, resource win7-20240419-en
- behavioral20: sample uninst.exe, resource win10v2004-20240508-en
- behavioral21: sample xint.exe, resource win7-20240508-en
- behavioral22: sample xint.exe, resource win10v2004-20240611-en
- behavioral23: sample 非常世纪资源网.url, resource win7-20240611-en
- behavioral24: sample 非常世纪资源网.url, resource win10v2004-20240611-en
General
- Target: $TEMP/123.exe
- Size: 238KB
- MD5: eb18db4401a41b7643dc2d20cd311a21
- SHA1: f86498dbd02816979b4ca272b7f916e8f62e3c43
- SHA256: aae2deac33f1548e95295238f4bd83af39a4abe7904f0455f1f7ecfd213a196f
- SHA512: 51b0a4419970bb1191694b5708a82ccb96e587954a77f19345ee95b8d2ffe9205fd13da747b4da76094b84c608f3d5bac56eb650d8f5d8a1888e57a0d90ae135
- SSDEEP: 6144:LhF2fYHipbBER+iH3vIEuiAvxJsKW4nflzxhRghOisOe:lUnRqgwvBu5wKvflFfiG
Malware Config

Signatures
- Loads dropped DLL (3 IoCs)
  pid 3148 | 123.exe
  pid 3148 | 123.exe
  pid 3148 | 123.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\BaiduInstall = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\baidu\\bar\\BaiduBar.dll,Install" | 123.exe
- Drops file in Program Files directory (31 IoCs)
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\Àq* | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\{* | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\è|* | 123.exe
  File created | C:\Program Files (x86)\baidu\bar\BDBar_tmp\img\imglist.bmp | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\BaiduBar.dll | 123.exe
  File opened for modification | C:\PROGRA~2\baidu\bar\BaiduBar.dll | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\€l* | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\@n* | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\˜* | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\àÞ‹u | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\xhŒwð¡ˆwÀ | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\¨º|w | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\€s* | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\ | 123.exe
  File created | C:\Program Files (x86)\baidu\bar\BDBar_tmp\img\logo.bmp | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\ð* | 123.exe
  File created | C:\PROGRA~2\baidu\bar\BaiduBar.dll | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\Øt* | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\img\logo.bmp | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\Àj* | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\8z* | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\@~* | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\ð€* | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\0… | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\img\imglist.bmp | 123.exe
  File created | C:\Program Files (x86)\baidu\bar\BDBar_tmp\baidubar.dat | 123.exe
  File created | C:\Program Files (x86)\baidu\bar\BDBar_tmp\BaiduBar.dll | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\·;~w°ý~ | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\baidubar.dat | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\xhŒwð¡ˆw | 123.exe
  File opened for modification | C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÿÿ | 123.exe
- Program crash (1 IoC)
  pid 3520 | pid_target 3148 | WerFault.exe | procid_target 81
Processes
- C:\Users\Admin\AppData\Local\Temp\$TEMP\123.exe (PID 3148)
  command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\123.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - C:\Windows\SysWOW64\WerFault.exe (PID 3520)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 740
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3704)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3148 -ip 3148
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 584KB
  MD5: 0c8ed82bce60e5e2860d9daa28289267
  SHA1: 5ea9dcfadc426463c51e0abfc736a42dfc31f3e9
  SHA256: 89bc3949eb1ab805b49f2699f0623796997ba7bf0f5acf9402f90ae5cd630d13
  SHA512: 2a6b90d1ee12d88a9866b774de5b52b329beebbb9ce0c1655455020aeaddd0824cd3c38804e76f777b81fa5b149744b392ea8f904ba2eb71c6db779a0ef85830