583ca7fcede98896533e02a88eff6a4576bedf0f619bc29d70525df2bc0cfe04

General

Target

3a192da93c34317d20c1646f3bcdb690N.exe
Size

890KB
MD5

3a192da93c34317d20c1646f3bcdb690
SHA1

e6f570866936bead9492fd3aaa054ab888375667
SHA256

583ca7fcede98896533e02a88eff6a4576bedf0f619bc29d70525df2bc0cfe04
SHA512

6f6a33d8c128b09ca80c471d1c252d6919d1cdfd83c303ba05781cac291934d877e727d1b90c78ec9a897a4915c70e2b796538d714bc1d4cf162259d31f49d78
SSDEEP

24576:cFE//Tct4bOsbDxA7r9q0Zz4/jUFR5LFA4:mSVxcE0xF9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1208	CF影子辅助网吧家庭通用稳定版1003-1.exe
1724	Msgbox.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3368-0-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/files/0x00090000000235ec-10.dat	upx
behavioral2/memory/1208-16-0x0000000000400000-0x000000000067A000-memory.dmp	upx
behavioral2/memory/1208-45-0x0000000000400000-0x000000000067A000-memory.dmp	upx
behavioral2/files/0x000a000000023603-51.dat	upx
behavioral2/memory/3368-61-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3368-86-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3368-193-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/1724-194-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3368-61-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral2/memory/3368-86-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral2/memory/3368-193-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral2/memory/1724-194-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\game.ico	3a192da93c34317d20c1646f3bcdb690N.exe
File opened for modification	C:\Windows\game.ico	3a192da93c34317d20c1646f3bcdb690N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3308	1208	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a192da93c34317d20c1646f3bcdb690N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CF影子辅助网吧家庭通用稳定版1003-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Msgbox.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main	3a192da93c34317d20c1646f3bcdb690N.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.91duote.info/?w1"	3a192da93c34317d20c1646f3bcdb690N.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	3a192da93c34317d20c1646f3bcdb690N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	3a192da93c34317d20c1646f3bcdb690N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	3a192da93c34317d20c1646f3bcdb690N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	3a192da93c34317d20c1646f3bcdb690N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3a192da93c34317d20c1646f3bcdb690N.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3368	3a192da93c34317d20c1646f3bcdb690N.exe
3368	3a192da93c34317d20c1646f3bcdb690N.exe
3368	3a192da93c34317d20c1646f3bcdb690N.exe
3368	3a192da93c34317d20c1646f3bcdb690N.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1208	CF影子辅助网吧家庭通用稳定版1003-1.exe
1208	CF影子辅助网吧家庭通用稳定版1003-1.exe
1208	CF影子辅助网吧家庭通用稳定版1003-1.exe
1208	CF影子辅助网吧家庭通用稳定版1003-1.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 1208	3368	3a192da93c34317d20c1646f3bcdb690N.exe	91
PID 3368 wrote to memory of 1208	3368	3a192da93c34317d20c1646f3bcdb690N.exe	91
PID 3368 wrote to memory of 1208	3368	3a192da93c34317d20c1646f3bcdb690N.exe	91
PID 3368 wrote to memory of 3216	3368	3a192da93c34317d20c1646f3bcdb690N.exe	97
PID 3368 wrote to memory of 3216	3368	3a192da93c34317d20c1646f3bcdb690N.exe	97
PID 3368 wrote to memory of 4292	3368	3a192da93c34317d20c1646f3bcdb690N.exe	104
PID 3368 wrote to memory of 4292	3368	3a192da93c34317d20c1646f3bcdb690N.exe	104
PID 3368 wrote to memory of 1724	3368	3a192da93c34317d20c1646f3bcdb690N.exe	109
PID 3368 wrote to memory of 1724	3368	3a192da93c34317d20c1646f3bcdb690N.exe	109
PID 3368 wrote to memory of 1724	3368	3a192da93c34317d20c1646f3bcdb690N.exe	109

C:\Users\Admin\AppData\Local\Temp\3a192da93c34317d20c1646f3bcdb690N.exe
"C:\Users\Admin\AppData\Local\Temp\3a192da93c34317d20c1646f3bcdb690N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3368
- C:\CF影子辅助网吧家庭通用稳定版1003-1.exe
  C:\CF影子辅助网吧家庭通用稳定版1003-1.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1500
    3⤵
    - Program crash
    PID:3308
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.ailili.info/c/c.html?new_0_http://go.microsoft.com/fwlink/p/?LinkId=255141_http://www.91duote.info/?w1
  2⤵
  - Modifies Internet Explorer settings
  PID:3216
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.t6t8.com/fuzhu.html?g
  2⤵
  - Modifies Internet Explorer settings
  PID:4292
- C:\ProgramData\Msgbox.exe
  C:\ProgramData\Msgbox.exe /97sky
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1208 -ip 1208
1⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4128,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
1⤵
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Msgbox.exe

Filesize
11.6MB

MD5
bbe6b032590e1880df632cf3df4647db

SHA1
d12583d4074bcbb5b82368b78df4cb75e9dcbff2

SHA256
766531f16bf59966afcf12cddcf6e98c15d2801dce7b1544478a9091ce4f34b4

SHA512
10a0f2075d24f30173d0e881b17d4b5a5c7568b9ded2c8f1f8e50481532bb2a5dc50f47ef58c55dfc6c46f3283724b5ea7c4af8dc323d89d36ae4f6ff79c4c0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0KP8BKDN\cos-icon_99f656e[2].css

Filesize
15KB

MD5
d156cfcc559bf6185e4257b6894e77ff

SHA1
223560b78927ee325ac5866c268a5569951aa35c

SHA256
3ede21a5e4cfe5d122fd864452ab6517b510094fa60acfc8ed0c0a99a4e380ba

SHA512
f47ca01beb1b932a840c72320a0a3050f7e61a5e32390b8563958c22dd2d28645263685661aea79e4138706b8ec20cfb28f05a9438392b434ed0ba571bd81023

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut3DFF.tmp

Filesize
590KB

MD5
d7c616e7c0c59624b0244768c48481b0

SHA1
aabd8950e57e4a6cc78e06a7ed39f4abe6c927bf

SHA256
e3da76b5e264123a45281cd04684003cb3e8e644e04f5a26fd48dcec92560074

SHA512
7ec4f9679b141e8334cf3eaeddb80659320522697ad0ba191ed764656b49f4fc15c07495b991fb4b065fc0ac396e7de3bafa9f8cb052729342417bf04bdfb4ea

Download Submit
memory/1208-16-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1208-45-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1724-194-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3368-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3368-61-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3368-86-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3368-193-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads