f2de7f0a7eb198a2b892c97d07225ecd9830778e3e904989c998225a21004de9

General

Target

sogou_pinyin_guanwang.exe
Size

181.3MB
MD5

6c77c94d2978dd56518397023e426a22
SHA1

d239c58cbe6d33612c2742203c20a447f592e9ea
SHA256

f2de7f0a7eb198a2b892c97d07225ecd9830778e3e904989c998225a21004de9
SHA512

1a14c72444c4f84367b429d7be13a8a0a7dc25bd01779553f847ded13847a7974b5b6ddb54f1f63f1b0a5bbc7a4281831a18d4d6efe3742e3bd616c9b6be1ea9
SSDEEP

3145728:U/kfnZZRUWXNShZNxlb3oeUFRGp/K3GgUCoQKAQ6h398AWXNOQ14BDndvdXmT3Ot:nnTLXwXNf4eUSJK39U8KAQ6hN8AW9H1U

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1328	wngeyvw.exe

Loads dropped DLL 8 IoCs

pid	Process
1160	sogou_pinyin_guanwang.exe
1160	sogou_pinyin_guanwang.exe
1160	sogou_pinyin_guanwang.exe
1160	sogou_pinyin_guanwang.exe
2168	sogou_pinyin_guanwang.exe
2168	sogou_pinyin_guanwang.exe
2168	sogou_pinyin_guanwang.exe
2168	sogou_pinyin_guanwang.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wngeyvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
15924	PING.EXE
15936	PING.EXE
18924	cmd.exe
24596	PING.EXE
11344	cmd.exe
5128	cmd.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
15936	PING.EXE
24596	PING.EXE
15924	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1328	1160	sogou_pinyin_guanwang.exe	31
PID 1160 wrote to memory of 1328	1160	sogou_pinyin_guanwang.exe	31
PID 1160 wrote to memory of 1328	1160	sogou_pinyin_guanwang.exe	31
PID 1160 wrote to memory of 1328	1160	sogou_pinyin_guanwang.exe	31
PID 1160 wrote to memory of 2168	1160	sogou_pinyin_guanwang.exe	32
PID 1160 wrote to memory of 2168	1160	sogou_pinyin_guanwang.exe	32
PID 1160 wrote to memory of 2168	1160	sogou_pinyin_guanwang.exe	32
PID 1160 wrote to memory of 2168	1160	sogou_pinyin_guanwang.exe	32
PID 2168 wrote to memory of 4020	2168	sogou_pinyin_guanwang.exe	33
PID 2168 wrote to memory of 4020	2168	sogou_pinyin_guanwang.exe	33
PID 2168 wrote to memory of 4020	2168	sogou_pinyin_guanwang.exe	33
PID 2168 wrote to memory of 4020	2168	sogou_pinyin_guanwang.exe	33

C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
"C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
  "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1328
- C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
  "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
    "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
    3⤵
    PID:4020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe > nul
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:18924
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:24596
- - C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
    "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
    3⤵
    PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
      "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
      4⤵
      PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
      "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
      4⤵
      PID:11716
    - - C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        5⤵
        
        PID:11744
    - - C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        5⤵
        
        PID:11768
      - C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        6⤵
        
        PID:2672
      - C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        6⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        7⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        7⤵
        
        PID:11780
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        8⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe > nul
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:11344
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:15924
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        8⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        9⤵
        
        PID:23204
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        9⤵
        
        PID:23780
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        10⤵
        
        PID:8868
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        10⤵
        
        PID:7476
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        11⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        11⤵
        
        PID:20216
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        12⤵
        
        PID:19120
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        12⤵
        
        PID:25512
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        13⤵
        
        PID:11304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe > nul
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:15936
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        13⤵
        
        PID:24716
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        14⤵
        
        PID:14944
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        14⤵
        
        PID:17068
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        15⤵
        
        PID:9544
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        15⤵
        
        PID:14272
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        16⤵
        
        PID:16012
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        16⤵
        
        PID:13300
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        17⤵
        
        PID:17488
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        17⤵
        
        PID:11076
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        18⤵
        
        PID:14868
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        18⤵
        
        PID:26348
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        19⤵
        
        PID:10648
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        19⤵
        
        PID:19840
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        20⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        20⤵
        
        PID:16132
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        21⤵
        
        PID:16896
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        21⤵
        
        PID:21224
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        22⤵
        
        PID:23772
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        22⤵
        
        PID:17848
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        23⤵
        
        PID:26376
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        23⤵
        
        PID:22296
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        24⤵
        
        PID:7312
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        24⤵
        
        PID:7288
        
        C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wngeyvw.exe"
        25⤵
        
        PID:33440

C:\Windows\SysWOW64\Dtldt.exe
C:\Windows\SysWOW64\Dtldt.exe -auto
1⤵
PID:6360
- C:\Windows\SysWOW64\Dtldt.exe
  C:\Windows\SysWOW64\Dtldt.exe -acsi
  2⤵
  PID:13884

C:\Windows\SysWOW64\Dtldt.exe
C:\Windows\SysWOW64\Dtldt.exe -auto
1⤵
PID:24024
- C:\Windows\SysWOW64\Dtldt.exe
  C:\Windows\SysWOW64\Dtldt.exe -acsi
  2⤵
  PID:24888

C:\Windows\SysWOW64\Dtldt.exe
C:\Windows\SysWOW64\Dtldt.exe -auto
1⤵
PID:17104
- C:\Windows\SysWOW64\Dtldt.exe
  C:\Windows\SysWOW64\Dtldt.exe -acsi
  2⤵
  PID:10464

C:\Windows\SysWOW64\Dtldt.exe
C:\Windows\SysWOW64\Dtldt.exe -auto
1⤵
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QFhUimF0.exe

Filesize
1.4MB

MD5
acbb38ad7a5080f946f2b52c557ddb8d

SHA1
1bb5c2feb9dcfbeabe95a08b53eeb17596abe596

SHA256
38a43887ce091509b3bcc588912c49a5692b4329e5024fff1491177d362b8d76

SHA512
4c05bfc02b9a3e7bef4a8658b4987aaba617ec92c3f758b4a0bdfeb1ce873868d0a7957764efa8da241c66a08e2e19e84f3b0556c0d0b0ff8adeee7456cab35a

Download Submit
\Users\Admin\AppData\Local\Temp\wngeyvw.exe

Filesize
27.5MB

MD5
533d850489f356c37abd269c47e57d1d

SHA1
59697ad75f1ee2758b62f9707f7e2bd2586a1356

SHA256
1a03e49c1d3e121d435402e3925e2bc334ca6b49d09dfefc6df6b9f8e876858b

SHA512
4196096d126b87343c606dba6fcb0a3b9535e9e1e3b1209aa821fec66e81be2d99cc91603b71bcbc387c14eca5074e576f22a563067e716d084f5f0d3a199563

Download Submit
memory/1160-22-0x0000000003F50000-0x0000000005ADA000-memory.dmp

Filesize
27.5MB

Download
memory/1328-23-0x0000000077490000-0x00000000774D7000-memory.dmp

Filesize
284KB

Download
memory/1328-833-0x0000000003E90000-0x0000000003FA1000-memory.dmp

Filesize
1.1MB

Download
memory/1328-836-0x0000000003E90000-0x0000000003FA1000-memory.dmp

Filesize
1.1MB

Download
memory/1328-3642-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3640-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3638-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3636-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3634-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3632-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3630-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3628-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3626-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3624-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3622-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3620-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3618-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3616-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3614-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3612-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3610-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3608-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3606-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3604-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3602-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3600-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3598-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3596-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3594-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3592-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3590-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3588-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3585-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-3584-0x0000000002170000-0x0000000002211000-memory.dmp

Filesize
644KB

Download
memory/1328-834-0x0000000003E90000-0x0000000003FA1000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads