Overview

Task                     Platform             Score
Overview                 overview                10
Static                   static                   7
ha_xint4.3_lrh.exe       windows7-x64             7
ha_xint4.3_lrh.exe       windows10-2004-x64       7
$PLUGINSDI...ns.dll      windows7-x64             3
$PLUGINSDI...ns.dll      windows10-2004-x64       3
$PLUGINSDI...nu.dll      windows7-x64             3
$PLUGINSDI...nu.dll      windows10-2004-x64       3
$PLUGINSDI...em.dll      windows7-x64             3
$PLUGINSDI...em.dll      windows10-2004-x64       3
$PLUGINSDIR/nsweb.dll    windows7-x64             3
$PLUGINSDIR/nsweb.dll    windows10-2004-x64       3
$TEMP/123.exe            windows7-x64             7
$TEMP/123.exe            windows10-2004-x64       7
$TEMP/noui.exe           windows7-x64             7
$TEMP/noui.exe           windows10-2004-x64       7
$TEMP/zwsw.exe           windows7-x64             8
$TEMP/zwsw.exe           windows10-2004-x64       8
ReplacingNotepad.bat     windows7-x64             5
ReplacingNotepad.bat     windows10-2004-x64       5
uninst.exe               windows7-x64             7
uninst.exe               windows10-2004-x64       7
xint.exe                 windows7-x64            10
xint.exe                 windows10-2004-x64      10
非常世纪资源网.url       windows7-x64             1
非常世纪资源网.url       windows10-2004-x64       1

Analysis

This page is the report for the behavioral16 task: $TEMP/zwsw.exe run on win10v2004-20240508-en (score 8).

max time kernel    148s
max time network   150s
platform           windows10-2004_x64
resource           win10v2004-20240508-en
resource tags      arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted          04/07/2024, 01:14
Behavioral tasks

Task          Sample                           Resource
behavioral1   ha_xint4.3_lrh.exe               win7-20240221-en
behavioral2   ha_xint4.3_lrh.exe               win10v2004-20240508-en
behavioral3   $PLUGINSDIR/InstallOptions.dll   win7-20240508-en
behavioral4   $PLUGINSDIR/InstallOptions.dll   win10v2004-20240508-en
behavioral5   $PLUGINSDIR/StartMenu.dll        win7-20240508-en
behavioral6   $PLUGINSDIR/StartMenu.dll        win10v2004-20240611-en
behavioral7   $PLUGINSDIR/System.dll           win7-20231129-en
behavioral8   $PLUGINSDIR/System.dll           win10v2004-20240611-en
behavioral9   $PLUGINSDIR/nsweb.dll            win7-20240611-en
behavioral10  $PLUGINSDIR/nsweb.dll            win10v2004-20240611-en
behavioral11  $TEMP/123.exe                    win7-20240221-en
behavioral12  $TEMP/123.exe                    win10v2004-20240611-en
behavioral13  $TEMP/noui.exe                   win7-20240611-en
behavioral14  $TEMP/noui.exe                   win10v2004-20240611-en
behavioral15  $TEMP/zwsw.exe                   win7-20231129-en
behavioral16  $TEMP/zwsw.exe                   win10v2004-20240508-en
behavioral17  ReplacingNotepad.bat             win7-20240508-en
behavioral18  ReplacingNotepad.bat             win10v2004-20240508-en
behavioral19  uninst.exe                       win7-20240419-en
behavioral20  uninst.exe                       win10v2004-20240508-en
behavioral21  xint.exe                         win7-20240508-en
behavioral22  xint.exe                         win10v2004-20240611-en
behavioral23  非常世纪资源网.url               win7-20240611-en
behavioral24  非常世纪资源网.url               win10v2004-20240611-en
General

Target   $TEMP/zwsw.exe
Size     529KB
MD5      2bdd806d45b5a9e1e734875630d4caed
SHA1     bbb0d626d73a716635044158450eed18aee42d49
SHA256   fa91895f07bd633328d862db0dcd09e94298b21e10d92d3da684656981d5416f
SHA512   ff02928a65e0c380565c9e5c2cf2014c81ee8d39177b4c228fa5c5a40599b60821f9c41b6b62e2e8301f11bb96d760a801f20ccc0dfaf0528088914c8b3c8e25
SSDEEP   12288:9Nuwup8S36yKNO4WGmqACUfMMHorpecceHBSM25xTCP:gio6FnWGZATfFye77

Malware Config
Signatures

Drops file in Drivers directory (5 IoCs)
  File opened for modification   C:\Windows\SysWOW64\drivers\fad.sys        zwsw.exe
  File opened for modification   C:\Windows\SysWOW64\drivers\hProcess.sys   zwsw.exe
  File opened for modification   C:\Windows\SysWOW64\drivers\aabhor.sys     zwsw.exe
  File created                   C:\Windows\SysWOW64\drivers\hafiq.sys      zwsw.exe
  File opened for modification   C:\Windows\SysWOW64\drivers\Anfad.sys      zwsw.exe

YARA rule match (1 IoC)
  resource: behavioral16/files/0x000a00000002328e-3.dat   rule: aspack_v212_v242
  The rule name indicates the dropped file is packed with ASPack (2.12 to 2.42), so strings and imports taken from it statically are not meaningful until it is unpacked.

Executes dropped EXE (2 IoCs)
  PID 3028   rnq4894.tmp
  PID 4084   48D2.exe

Loads dropped DLL (5 IoCs)
  PID 1944   zwsw.exe   (2 loads)
  PID 4084   48D2.exe   (3 loads)

Drops file in System32 directory (3 IoCs)
  File opened for modification   C:\Windows\SysWOW64\ntsvrs.exe      zwsw.exe
  File opened for modification   C:\Windows\SysWOW64\ServeHost.exe   zwsw.exe
  File opened for modification   C:\Windows\SysWOW64\ntabhor.exe     zwsw.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (16 IoCs)
  All by zwsw.exe, under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\
  For each of the following CLSIDs the key is created and the value Compatibility Flags (int) is set to "1024":
    {ABEC6103-F6AC-43A3-834F-FB03FBA339A2}
    {BB936323-19FA-4521-BA29-ECA6A121BC78}
    {D157330A-9EF3-49F8-9A67-4141AC41ADD4}
    {1B0E7716-898E-48CC-9690-4E338E8DE1D3}
    {6231D512-E4A4-4DF2-BE62-5B8F0EE348EF}
    {4EDBBAEA-F509-49F6-94D1-ECEC4BE5B686}
    {7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}
    {B83FC273-3522-4CC6-92EC-75CC86678DA4}
  Compatibility Flags 1024 (0x400) is the ActiveX kill bit: Internet Explorer refuses to instantiate a control whose CLSID carries it. The report does not say which products these eight CLSIDs belong to. Taken together with the regsvr32 /u /s on C:\Program Files (x86)\SearchNet\SNHpr.dll in the process tree, this reads as the installer disabling other browser components rather than hardening the host.

Suspicious behavior: LoadsDriver (1 IoC)
  PID 660   Process not Found
  The sandbox could not attribute the driver load to a tracked process; PID 660 does not appear in the process tree, so the driver files dropped above should be treated as loaded even though the report cannot show which process loaded them.

Suspicious use of WriteProcessMemory (9 IoCs)
  Each parent-to-child write appears three times in the log:
  PID 1944 (zwsw.exe)       wrote to memory of 4364   procid_target 81   x3
  PID 1944 (zwsw.exe)       wrote to memory of 3028   procid_target 82   x3
  PID 3028 (rnq4894.tmp)    wrote to memory of 4084   procid_target 83   x3
Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\zwsw.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\zwsw.exe"
  PID 1944
  signatures: Drops file in Drivers directory; Loads dropped DLL; Drops file in System32 directory; Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory

  +-- C:\Windows\SysWOW64\regsvr32.exe
      command line: regsvr32 /u /s "C:\Program Files (x86)\SearchNet\SNHpr.dll"
      PID 4364
      (/u unregisters the COM server, /s suppresses the result dialog, so the DLL is removed from the registry without any user-visible prompt)

  +-- C:\Users\Admin\AppData\Local\Temp\rnq4894.tmp
      command line: C:\Users\Admin\AppData\Local\Temp\rnq4894.tmp
      PID 3028
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

      +-- C:\Users\Admin\AppData\Local\Temp\48D2\48D2.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\48D2\48D2.exe" 00000402
          PID 4084
          signatures: Executes dropped EXE; Loads dropped DLL
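The viewer flattens the signature IoCs and the process tree into long run-on lines, which makes them awkward to hand to a hunt. The following Python is an added example and is not part of the sandbox report or the Triage tool: it parses a constructed subset of the IoC lines copied from this page into structured records, pulls out the dropped drivers and System32 binaries, decodes the Compatibility Flags value (0x400 is the ActiveX kill bit, so the sample is disabling those controls rather than registering its own), and rebuilds the parent/child process edges from the WriteProcessMemory entries. The line patterns it matches are this example's own reading of the report layout, not a documented export format.

```python
"""Parse the flattened IoC lines of a Triage-style sandbox report into
structured hunt data.

Added example for this report; it is not output of, or code from, the
sandbox.  The line patterns below are this example's own reading of the
report layout on this page, and REPORT_IOCS is a constructed subset of
the IoC lines copied from the report."""
import re

# Constructed input: a subset of the IoC lines shown in the report above.
REPORT_IOCS = r"""
File opened for modification C:\Windows\SysWOW64\drivers\fad.sys zwsw.exe
File opened for modification C:\Windows\SysWOW64\drivers\hProcess.sys zwsw.exe
File opened for modification C:\Windows\SysWOW64\drivers\aabhor.sys zwsw.exe
File created C:\Windows\SysWOW64\drivers\hafiq.sys zwsw.exe
File opened for modification C:\Windows\SysWOW64\drivers\Anfad.sys zwsw.exe
File opened for modification C:\Windows\SysWOW64\ntsvrs.exe zwsw.exe
File opened for modification C:\Windows\SysWOW64\ServeHost.exe zwsw.exe
File opened for modification C:\Windows\SysWOW64\ntabhor.exe zwsw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{ABEC6103-F6AC-43A3-834F-FB03FBA339A2} zwsw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{ABEC6103-F6AC-43A3-834F-FB03FBA339A2}\Compatibility Flags = "1024" zwsw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BB936323-19FA-4521-BA29-ECA6A121BC78}\Compatibility Flags = "1024" zwsw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}\Compatibility Flags = "1024" zwsw.exe
PID 1944 wrote to memory of 4364 1944 zwsw.exe 81
PID 1944 wrote to memory of 4364 1944 zwsw.exe 81
PID 1944 wrote to memory of 3028 1944 zwsw.exe 82
PID 3028 wrote to memory of 4084 3028 rnq4894.tmp 83
"""

# Line shapes as they appear in the report (the last token is always the process).
FILE_RE = re.compile(r"^File (opened for modification|created) (.+) (\S+)$")
SETVAL_RE = re.compile(r'^Set value \((\w+)\) (.+) = "([^"]*)" (\S+)$')
KEY_RE = re.compile(r"^Key created (.+) (\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Under ...\Internet Explorer\ActiveX Compatibility\{CLSID}, bit 0x400 of the
# "Compatibility Flags" value is the kill bit: IE will not instantiate the control.
KILL_BIT = 0x400


def parse_report(text):
    """Return {"files": [...], "registry": [...], "edges": [...]}; unknown lines raise."""
    files, registry, edges = [], [], []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := FILE_RE.match(line):
            files.append({"action": m.group(1), "path": m.group(2), "process": m.group(3)})
        elif m := SETVAL_RE.match(line):
            key, _, name = m.group(2).rpartition("\\")  # split the value name off the key path
            registry.append({"key": key, "name": name, "type": m.group(1),
                             "value": m.group(3), "process": m.group(4)})
        elif m := KEY_RE.match(line):
            registry.append({"key": m.group(1), "name": None, "type": "key",
                             "value": None, "process": m.group(2)})
        elif m := WPM_RE.match(line):
            edges.append((int(m.group(1)), int(m.group(2)), m.group(3)))
        else:
            raise ValueError(f"unrecognised IoC line: {line!r}")
    return {"files": files, "registry": registry, "edges": edges}


def dropped_drivers(parsed):
    """Sorted paths of .sys files written under a drivers\\ directory."""
    return sorted(f["path"] for f in parsed["files"]
                  if "\\drivers\\" in f["path"].lower() and f["path"].lower().endswith(".sys"))


def dropped_system32_binaries(parsed):
    """Sorted paths of .exe files written outside the drivers\\ directory."""
    return sorted(f["path"] for f in parsed["files"]
                  if "\\drivers\\" not in f["path"].lower() and f["path"].lower().endswith(".exe"))


def killed_clsids(parsed):
    """CLSIDs whose Compatibility Flags value has the kill bit set."""
    out = set()
    for r in parsed["registry"]:
        if r["name"] != "Compatibility Flags" or r["value"] is None:
            continue
        if int(r["value"], 0) & KILL_BIT:   # base 0 accepts "1024" and "0x400" alike
            m = CLSID_RE.search(r["key"])
            if m:
                out.add(m.group(0).upper())
    return out


def process_tree(parsed):
    """{parent_pid: {child_pid, ...}}; duplicate log entries collapse into one edge."""
    tree = {}
    for parent, child, _ in parsed["edges"]:
        tree.setdefault(parent, set()).add(child)
    return tree


if __name__ == "__main__":
    p = parse_report(REPORT_IOCS)
    print("drivers:", dropped_drivers(p))
    print("system32 binaries:", dropped_system32_binaries(p))
    print("kill-bitted CLSIDs:", sorted(killed_clsids(p)))
    print("process edges:", process_tree(p))
```

The parser is deliberately strict: an unrecognised line raises instead of being skipped, so a change in the viewer's layout shows up as an error rather than as silently missing IoCs. The paths and CLSIDs it returns are the ones to push into file-integrity and registry hunts across the fleet; the kill-bit decode is what turns eight opaque registry writes into a statement about what the installer is doing to the browser.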
Network
MITRE ATT&CK Enterprise v15
Downloads

The report lists the downloaded/dropped files by size and hash only; it does not name them.

1. 28KB
   MD5     b9d4e392e8ac6a4420f126cc88d8c0c1
   SHA1    3fa9755060979a13973927906222a4929bb4c80f
   SHA256  3d20d973651546be8d370ff9013bbdc03282808a212731b92852f0b789634064
   SHA512  03fe62e90efaa0cf064c335d7dd4df912f738a85726eb77269687f398511b883400eb0b95d3a8158d2a5b7fec37e073bbde754a5b53e17732b18f667d9960128

2. 84KB
   MD5     1f2d2dbf570ecc45a9e2ce45f264199f
   SHA1    bf0656f98e26754f48eb5908319067641ae51d8d
   SHA256  766ebfa9689728c545a45cc82cce611a9343bc544fc712dc31881d0f2854296c
   SHA512  96e41545336d21bf289d203a56e3bf27ed4d3abcbd23332a590f38adc6568a81f3d10f129539e4efdd751be4e02a7d95052b455c04b6ba0a11c8d4c21a2411a0

3. 52KB
   MD5     9076a436c1a5cfdc687714982a6cb86f
   SHA1    66357580e2264f23648714254941b7a61d214237
   SHA256  000d138eec71e8c16d40a9930c3f0939f7608175f68588d34c07f3a74e71dbde
   SHA512  4956ddaabb0fa9a783012102d069c3ee05fa64f25bc9c02b4ff86f15e26b0abb5ce9aa5cdfc3a4844a68123eac64784d4b20c774de0d36aa0b71e35e97c3b834

4. 144B
   MD5     3ab47841cbacd4f95fcc14e5adb758be
   SHA1    1e8c5f3d741f94f5c85afe4af77d9ce2ddf9e19c
   SHA256  c7c926fd1865f3c2dccb3ec9bd8aac72da8c80036df874e38fb2644159d6f381
   SHA512  51e633fcf74383e72a11b266e500c440062a9760850c3e6ac80ab1ae8673cc9428b913cd3c8961a46fb854d561b2eccfb30077b9c3f68706b87924b6db38e997

5. 46KB
   MD5     bf503cb6fe413cb3ba2ebda4ca0d96f8
   SHA1    40f3e827c2ef381e894cb1e592ef08f0ce0277e5
   SHA256  fafd103b6fab2b2b243284bdcfcccb2bea87f66fac4cfbc072eef84d72bf4eaf
   SHA512  bc0ec882d90acbb215fb4d89a7c138a79f6cc46736fc56f870297069b15f3bfda0b6fdf162c67a4fe8211c8419e520c2e25c91cbe22bec307690c042c2a85788

6. 455KB
   MD5     34287b9bad575dfe21ce5364755b63af
   SHA1    15503e83525a14ac31058eb01850f6177a72a706
   SHA256  27edccdf0def484aa1727d1c6883a9fa1b243b4d55e784b221ae39f68eb6b95f
   SHA512  5f7595616fb9188c9f0032c215d1d822de6396895e0f8a3a0f8de491a91974f93b6244149d36331e79226891ec512c1287f9039c606000da2df44980244478eb