Overview
overview
10Static
static
7ha_xint4.3_lrh.exe
windows7-x64
7ha_xint4.3_lrh.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...nu.dll
windows7-x64
3$PLUGINSDI...nu.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/nsweb.dll
windows7-x64
3$PLUGINSDIR/nsweb.dll
windows10-2004-x64
3$TEMP/123.exe
windows7-x64
7$TEMP/123.exe
windows10-2004-x64
7$TEMP/noui.exe
windows7-x64
7$TEMP/noui.exe
windows10-2004-x64
7$TEMP/zwsw.exe
windows7-x64
8$TEMP/zwsw.exe
windows10-2004-x64
8ReplacingNotepad.bat
windows7-x64
5ReplacingNotepad.bat
windows10-2004-x64
5uninst.exe
windows7-x64
7uninst.exe
windows10-2004-x64
7xint.exe
windows7-x64
10xint.exe
windows10-2004-x64
10非常世�...��.url
windows7-x64
1非常世�...��.url
windows10-2004-x64
1Analysis
-
max time kernel
128s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2024, 01:14
Behavioral task
behavioral1
Sample
ha_xint4.3_lrh.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ha_xint4.3_lrh.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/StartMenu.dll
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/StartMenu.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/nsweb.dll
Resource
win7-20240611-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/nsweb.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral11
Sample
$TEMP/123.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
$TEMP/123.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral13
Sample
$TEMP/noui.exe
Resource
win7-20240611-en
Behavioral task
behavioral14
Sample
$TEMP/noui.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral15
Sample
$TEMP/zwsw.exe
Resource
win7-20231129-en
Behavioral task
behavioral16
Sample
$TEMP/zwsw.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
ReplacingNotepad.bat
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
ReplacingNotepad.bat
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
uninst.exe
Resource
win7-20240419-en
Behavioral task
behavioral20
Sample
uninst.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
xint.exe
Resource
win7-20240508-en
Behavioral task
behavioral22
Sample
xint.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral23
Sample
非常世纪资源网.url
Resource
win7-20240611-en
Behavioral task
behavioral24
Sample
非常世纪资源网.url
Resource
win10v2004-20240611-en
General
-
Target
$TEMP/noui.exe
-
Size
228KB
-
MD5
436a55217e8c3b8f1bf80d81a3965813
-
SHA1
59a85cdabea6c9162ecbfaa702446da2e2c73a1e
-
SHA256
271b52381c8c60b06b11c69b203b731cd425b52aaa0c446be0f7d1689f9132af
-
SHA512
d66309d5eb33476440dc35b6da3480cca14d9ff4c31c7e24a632f4b23630e9bf122136e55a99aa4a3f20e35878394c49a39909d055c1bd3c63cb80756f6b6b1e
-
SSDEEP
6144:m+UM++1Zi89gReEb36snZ+DsjtyVCyLBDgv7TCGuMo:A/Wi89gReI36EZCskVC2BFG
Malware Config
Signatures
-
resource yara_rule behavioral14/files/0x0008000000023299-1.dat aspack_v212_v242 -
Loads dropped DLL 1 IoCs
pid Process 1128 regsvr32.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\band_s.dll noui.exe File created C:\Windows\SysWOW64\band_s.dll noui.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5048 1128 WerFault.exe 82 -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79CABF6E-22D8-4733-A08F-9C35A1A3679C} noui.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79CABF6E-22D8-4733-A08F-9C35A1A3679C}\send = "1" noui.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79CABF6E-22D8-4733-A08F-9C35A1A3679C}\loop = "1" noui.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79CABF6E-22D8-4733-A08F-9C35A1A3679C}\name = "8200" noui.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3336 wrote to memory of 1128 3336 noui.exe 82 PID 3336 wrote to memory of 1128 3336 noui.exe 82 PID 3336 wrote to memory of 1128 3336 noui.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\$TEMP\noui.exe"C:\Users\Admin\AppData\Local\Temp\$TEMP\noui.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 -s C:\Windows\system32\band_s.dll2⤵
- Loads dropped DLL
PID:1128 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 6643⤵
- Program crash
PID:5048
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1128 -ip 11281⤵PID:4056
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
218KB
MD5140ca271c5d12f031ab2f3cbc98ee19d
SHA1034af3cf6762c155b5a104c242b68d7c5a7dd76f
SHA256b5187fb26ae50a447d935bcd618a721dc95e0d5d2eb74a38525a8bae6aa39e35
SHA512cf87048cd15117412c6bc0ced68923abd85cb940ffddc75a66651337340d41f98a1e8a0e19f5394031d4d4da4109399ab56a92da0205236ceeb3d1065ba1009b