36b34079854256865591ac9e70a2da55b4b01e806a70d71cc6faf364c7b4cf8e

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Baidukongjianrenqiwang.exe
Size

1.3MB
MD5

a08c45488228c75a96d9b3c100481b25
SHA1

a1ea78b322598a51e5ae4f72bccdf19c12789560
SHA256

1d6a1d75a9e3293547d6976da5dc07bdd9c529b50635221e02433ffda9ccbb0b
SHA512

83577d8bd3f07d41c0e4a825bb28aedf4b76fbcc13924341b9df9e571a071348584178b091bd86d8e88e1c423aa15bcb07f06139a33ac5e141c89d5ed32dee19
SSDEEP

24576:V7uuFdWw/VMXG5OPVi0oIKKEJDaXteZpMXfln/j6mNM9KKk9dXLk:Nuuz+XGoPVu3KEdz4vN+Kf3

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
112	SeMiniSetup_silent_3170_1032.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2704-0-0x0000000051000000-0x0000000051341000-memory.dmp	upx
behavioral1/memory/2704-1-0x0000000051000000-0x0000000051341000-memory.dmp	upx
behavioral1/memory/2704-357-0x0000000051000000-0x0000000051341000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	SeMiniSetup_silent_3170_1032.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2704	Baidukongjianrenqiwang.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	Baidukongjianrenqiwang.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2728	AUDIODG.EXE
Token: 33	2728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2728	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2704	Baidukongjianrenqiwang.exe
2704	Baidukongjianrenqiwang.exe
2704	Baidukongjianrenqiwang.exe
112	SeMiniSetup_silent_3170_1032.exe
112	SeMiniSetup_silent_3170_1032.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 112	2704	Baidukongjianrenqiwang.exe	30
PID 2704 wrote to memory of 112	2704	Baidukongjianrenqiwang.exe	30
PID 2704 wrote to memory of 112	2704	Baidukongjianrenqiwang.exe	30
PID 2704 wrote to memory of 112	2704	Baidukongjianrenqiwang.exe	30
PID 2704 wrote to memory of 112	2704	Baidukongjianrenqiwang.exe	30
PID 2704 wrote to memory of 112	2704	Baidukongjianrenqiwang.exe	30
PID 2704 wrote to memory of 112	2704	Baidukongjianrenqiwang.exe	30

C:\Users\Admin\AppData\Local\Temp\Baidukongjianrenqiwang.exe
"C:\Users\Admin\AppData\Local\Temp\Baidukongjianrenqiwang.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704
- \??\c:\SeMiniSetup_silent_3170_1032.exe
  c:\SeMiniSetup_silent_3170_1032.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x590
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SeMiniSetup_silent_3170_1032.exe

Filesize
145KB

MD5
e0eb8ba5c8a5aea01cc8556459b00075

SHA1
7ed39205f63d720ee547d265bcbefcaf75305707

SHA256
008a0609d9caa187e81d86f7b76881f7e92227da579ff38c689d175aa66eb0b9

SHA512
2d54f71219f81f258f2bb4f94f1869a1045e2dee90e39dbcae22e8a8d602d10eb0de7400249350e47dfb3978ed5a5743502fef13d898991dbc77f7c05f4df0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\xp corona.ini

Filesize
13KB

MD5
7eca282e3eae667721e6561abc1bca9f

SHA1
cd8c56da648d3a0332bb52ac4a80dc34083b4878

SHA256
cffd8ee1978e4a5b60e8eb70291df1ccf3e92317fb22d3ff24b73688b108a1f3

SHA512
8f70e86177fb4fe56288ec90f50f8c3b728ce9eb33127c80a2dcaaa863c3cd2ba22746c91ecd8a03023512939a97bd3ecc2b56674d87324611e50a5ed55d3e98

Download Submit
memory/2704-0-0x0000000051000000-0x0000000051341000-memory.dmp

Filesize
3.3MB

Download
memory/2704-1-0x0000000051000000-0x0000000051341000-memory.dmp

Filesize
3.3MB

Download
memory/2704-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2704-357-0x0000000051000000-0x0000000051341000-memory.dmp

Filesize
3.3MB

Download
memory/2704-358-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2704-368-0x00000000735E4000-0x00000000735E5000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads