Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 04/07/2024, 01:14
Behavioral tasks (task / sample / resource)
behavioral1   ha_xint4.3_lrh.exe               win7-20240221-en
behavioral2   ha_xint4.3_lrh.exe               win10v2004-20240508-en
behavioral3   $PLUGINSDIR/InstallOptions.dll   win7-20240508-en
behavioral4   $PLUGINSDIR/InstallOptions.dll   win10v2004-20240508-en
behavioral5   $PLUGINSDIR/StartMenu.dll        win7-20240508-en
behavioral6   $PLUGINSDIR/StartMenu.dll        win10v2004-20240611-en
behavioral7   $PLUGINSDIR/System.dll           win7-20231129-en
behavioral8   $PLUGINSDIR/System.dll           win10v2004-20240611-en
behavioral9   $PLUGINSDIR/nsweb.dll            win7-20240611-en
behavioral10  $PLUGINSDIR/nsweb.dll            win10v2004-20240611-en
behavioral11  $TEMP/123.exe                    win7-20240221-en
behavioral12  $TEMP/123.exe                    win10v2004-20240611-en
behavioral13  $TEMP/noui.exe                   win7-20240611-en
behavioral14  $TEMP/noui.exe                   win10v2004-20240611-en
behavioral15  $TEMP/zwsw.exe                   win7-20231129-en
behavioral16  $TEMP/zwsw.exe                   win10v2004-20240508-en
behavioral17  ReplacingNotepad.bat             win7-20240508-en
behavioral18  ReplacingNotepad.bat             win10v2004-20240508-en
behavioral19  uninst.exe                       win7-20240419-en
behavioral20  uninst.exe                       win10v2004-20240508-en
behavioral21  xint.exe                         win7-20240508-en
behavioral22  xint.exe                         win10v2004-20240611-en
behavioral23  非常世纪资源网.url               win7-20240611-en
behavioral24  非常世纪资源网.url               win10v2004-20240611-en
General
- Target: $TEMP/noui.exe
- Size: 228KB
- MD5: 436a55217e8c3b8f1bf80d81a3965813
- SHA1: 59a85cdabea6c9162ecbfaa702446da2e2c73a1e
- SHA256: 271b52381c8c60b06b11c69b203b731cd425b52aaa0c446be0f7d1689f9132af
- SHA512: d66309d5eb33476440dc35b6da3480cca14d9ff4c31c7e24a632f4b23630e9bf122136e55a99aa4a3f20e35878394c49a39909d055c1bd3c63cb80756f6b6b1e
- SSDEEP: 6144:m+UM++1Zi89gReEb36snZ+DsjtyVCyLBDgv7TCGuMo:A/Wi89gReI36EZCskVC2BFG
Malware Config
Signatures
- YARA rule match
  resource: behavioral13/files/0x000500000000b309-1.dat, yara_rule: aspack_v212_v242
- Loads dropped DLL (1 IoC)
  pid 3056, process regsvr32.exe
- Drops file in System32 directory (2 IoCs)
  File opened for modification: C:\Windows\SysWOW64\band_s.dll (process noui.exe)
  File created: C:\Windows\SysWOW64\band_s.dll (process noui.exe)
- Modifies registry class (4 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79CABF6E-22D8-4733-A08F-9C35A1A3679C} (process noui.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79CABF6E-22D8-4733-A08F-9C35A1A3679C}\send = "1" (process noui.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79CABF6E-22D8-4733-A08F-9C35A1A3679C}\loop = "1" (process noui.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79CABF6E-22D8-4733-A08F-9C35A1A3679C}\name = "8200" (process noui.exe)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2252 wrote to memory of 3056 (pid 2252, process noui.exe, procid_target 28); the same entry is recorded 7 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\$TEMP\noui.exe (PID 2252)
   command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\noui.exe"
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe (PID 3056, child of 1)
      command line: regsvr32 -s C:\Windows\system32\band_s.dll
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 218KB
  MD5: 140ca271c5d12f031ab2f3cbc98ee19d
  SHA1: 034af3cf6762c155b5a104c242b68d7c5a7dd76f
  SHA256: b5187fb26ae50a447d935bcd618a721dc95e0d5d2eb74a38525a8bae6aa39e35
  SHA512: cf87048cd15117412c6bc0ced68923abd85cb940ffddc75a66651337340d41f98a1e8a0e19f5394031d4d4da4109399ab56a92da0205236ceeb3d1065ba1009b