Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/10/2024, 01:48

General

  • Target

    d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe

  • Size

    88KB

  • MD5

    43c6fd6fc51136632b47a8672de41034

  • SHA1

    a22897d94f9d1ef123cbb1e372a619113327c214

  • SHA256

    d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80

  • SHA512

    f64b041b5a6afb4412496b526be0059814e4aac587764b36aa5b553ebe9d92533a162f484adc4b705853d65f59f262a91ad8888b84f6c1b7ac1099725fdd4e6a

  • SSDEEP

    1536:dXNXdlRH+Dwk4cSGesvhC8plnQ85+HwClgfTQqPTFTCtOQ8CcfiWX:ddtlRH+UxGzh3HQ85+QqoTBfi6

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 6 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe
    "C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\windows\svchosts.exe
      C:\windows\svchosts.exe auto
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2672
    • C:\progra~1\Intern~1\iexplore.exe
      C:\\progra~1\\Intern~1\\iexplore.exe http://jianqiangzhe1.com/AddSetup.asp?id=137&localID=232138804165&isqq=3
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2724

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          8591bfb7acd9a74512dc4fa6fa5f3142

          SHA1

          5d06407c8f8334586759a4a84b60bac34fc987cd

          SHA256

          70cf0a12e6c3edcde7393624cde7c769509ad32d64c860debe7f217d3694beb4

          SHA512

          2b92a2d8185749ec723e5a83b6cec0e712eaf877abe119879dde1cb83c45159dc34e0c2eed6f5985cb31a21e12dc3cb5d78d84ca8df6dbe034edc570255546fc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          dd0faaafa983552b9958a35b22fabf89

          SHA1

          4e120f3f8af0865246b48d91f4faa0e2781e53a6

          SHA256

          986d0595cdfe708a8490e5208654cee15beee2e9e2fb2b23485c37d2ed1d041e

          SHA512

          390d0f0822e5b12291d9640661633cbadbd65f9df2187dfb49707fb9a888f8d898f54d64418eee4462b7e9513ee7fbd992ab4adc95590fb7dcd03880a0f3ef58

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          863540eeebd4a24ef6b46ea16e84c377

          SHA1

          cdaf1cede948118fb912ee8114f90b5398b060e9

          SHA256

          3ea0d3198760262a1096a772016a77717ea0901ced5efb0fabca7cc1b63a16cd

          SHA512

          f3905cb680f43518ffd171d0d4d33f0b221ea55144300b2c1b7231f0b57673bb91a3b4f0549faee803b2e3beb2fca1ce0a00ca7f4c33b2a3898ab69e7f4f19ce

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          36c2a0e0f79b15745d837edcb876ca1f

          SHA1

          f61d6dc9edb1c82fea1030256e89d965bbb295bf

          SHA256

          f41309a12612c4ff403e718ad8766acb3d9be5316e350a93450415f2a7b88df1

          SHA512

          1a667f3cb0a7df6a63bcfce659311cbbc274c08ea6dcc6e988efd6e5f0c30d6368e5d781661b21838f65d0130b40b2ccd63a9150118e0856c084724510982538

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          4f6587acdcc479b859b83e84e38dec6a

          SHA1

          caa5bf7409caaf89fcd3a5921784c86c7200f60e

          SHA256

          ac4807a63df04a78e3af350d02a0c090439d1ed66ec92f1c5dc563e770ab6d93

          SHA512

          5c568b17fc3794de729fe63e546ae3780233155cec5c5bbf8969aec0897205d64c3a576b8a59b7374640b8a197eca4134107086ca694d441438afeb00d66a3ea

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          98c4c46c149ab4c45203beedd151bc45

          SHA1

          cfc2e5832ce2f3708b9ee9e437961dd78afb3c99

          SHA256

          ea37c828efae6c5ccee563145ed5b6be61e488176c2560422ad059b871d709f6

          SHA512

          3be675b13f23cc78b0266611bdd55033e46fdb73cc3318b980a80a9ea822c2df06464739454a89f50c61da2039ddc62d44dfbf4981897f5d981e7e820a855d31

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          8168def6641ec09741fb7fdd9ce754f0

          SHA1

          2ccada6abeb00a14febd23ec3cb0c7b5f7842632

          SHA256

          78a67b704194ad9827369907930320bdd74b9948bf7dc5f1a0ae6fc8ff3141cc

          SHA512

          41ae205699764d0331b8ece9b0fab281e1eb1ff69c7a016b6e8dba0123c63e7a552aeb82a547b3411fc479c1d0ad5eebb6e5b45495ce77465044e61d30b19ddc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          e2599cd85e9b6211afa8be29f04a2820

          SHA1

          8988eb07b6f0c040f3533e38ba967bde5092b207

          SHA256

          e5073ecfcd88368d819179e210630dd0635549ba9bfa2e5e6d83d445e57877ef

          SHA512

          e821fc737d3fb17e62748a2ba36b2f8399d78b45ce6136b4e1645394f3d3fbf7d215267a10185158ad36c7a64044924762ab1b64cf5a61edbad7d55a34f7847a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          affbb1a670f0b1e795e882dc7ebda2a5

          SHA1

          a651114465e21c43c37491b08f10ef8dfbe401f7

          SHA256

          f7434f0b34f632d4ea64a9aff751fec10f73468e766d94255301ffe91276001b

          SHA512

          519ba8b5d44f1d286de2e5019271670ef614ef595618f11f3cae261418fc3677387fafa001c472ffd1e962fc4ad0489479c10348cfc172bf44ecb08d5ec826a3

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          0fbe089e0f60d37edbc8bac72d3c864f

          SHA1

          6e31d9c63748cd20a3bc95fc779e4a6256b5c9b4

          SHA256

          d041d8a06fc5c41a5ffb516a3a7cb5947a5317f8e9ff797deb4078f1dc54d258

          SHA512

          e150e77b04d17fb7e2ccccabb9a08f3eacc5f4903b20178d454f9f8ed8d094de24817b8e679de898ca0bb25e93441ad417ca1104cf32022768e106906025fdeb

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          4f79e56b22c0987748b6707649d0ff99

          SHA1

          684f7bfdaf190392d99e7b1ed4c1c8fc047cfbe0

          SHA256

          547895acc5577dc07b2827c5a5687e143a2dd961270778cd598fd3ff6e7feb7a

          SHA512

          dc2b3d06e727e5613bb3f7f6b7dd0f3f5f6550bb55da4ef05de87e264884e6304f3717fda3b694470a9e9ba8df779573189090bb5d4c622a2b0fbce31fc2a78a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          98cdb8289787d7c109ace76e86d8abfe

          SHA1

          a4eca105bcf37a3583f21cce5e9052fe707dc168

          SHA256

          9fadb74e08a0354a5f9eb524c63b97b3e9db29c726511bc69714adb89452a6d9

          SHA512

          cc0c22eabfb9954bcec943fe66fbd6b38d5174f1ee2440f2c60b2f3841c3b89776d7d2c32355b69a35468e30909b0ead148b88d5a00ecf2d0547bf74d7b1e114

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          ab85ee73c19d2a476a0dfc8afe9b1451

          SHA1

          45225162bda702e40957dc3824c61460f72bde75

          SHA256

          de74b91ee9c9d0bf253ea5b892b9ddd6a98e3950d28a69a09802329fac9124b1

          SHA512

          dc9f64bcc335f49ed15515bc29dd6295962ae8d654a75ae54f242832e2358aefe1fc075440dfe2b8ea90d287fc97f64f712945a1d8004ce6370850f325b94958

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          770283ce670ffc6524a74876c4eb22b8

          SHA1

          c5105143c65dea1661f03ab23a424ed7553e2b04

          SHA256

          429c60203c6120e195c88d7531161c87f57ab5e038937815955a3015a6ff3e8e

          SHA512

          fbfd15ff937213b0f519299a8385d89f22fc2e43fab1e369558ae8458b1310c8af6d83e5a0d5a267fa3a6462a4ffa193257421a0420d6f966108872bd476ed35

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          0ce5f6bae519dc3a2e31b87437cb269f

          SHA1

          c436309010b605e858aebc36277104246e89476c

          SHA256

          fe8887f60a677201a923fb8f950db1ecac35cabb0beedf399e38e05ada4cc038

          SHA512

          0fc74e047629c107b83a333f39490f65c428793429c2cd58a459ab2060a904f63865f1924bda5f5b1f012890b0f1a3a459162a4641763ed09eed5a6f34c7b32a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          a52cf5fcd2caa3920172fa6570992c3f

          SHA1

          b36002b33b6944b39e5b01a8d08ace5be563d7eb

          SHA256

          7ae39795746aab4a33176f55c55d54b1899c7d1959cba08cdd8d3a9dcb632059

          SHA512

          e0acd39b007e6f5d2389513e76b83fa113602358e084623ee190f062a428b3fae88a39f17686f29a33ea291ae2d91db8b8175fe444941041ed380d3f6e269570

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          54630075ba50dfc2b2ee9990ac6e6abe

          SHA1

          7414d0ededc50174e05ed4f766cf55c260d50813

          SHA256

          87ac21d81143cb4a9d2dccf6ab0a9ac39476528dd4371364b6af2f3dc7f25f84

          SHA512

          900493c73eac8f31a57728b8ac0d1b47edb17bd31d943c59bce56bd83d816e4d2833a0df5a1f67c32af2c90449297ea3a62024952c59c5fb39f30c298cb5f67a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          26814d8d9aa0b6d2f2b0157111e5d8be

          SHA1

          dce35cbd572c760c9d2f67366b165a06819679d0

          SHA256

          5cd2bbd4010ccdcb6675a27fe77d8ab54b94c19a4ab4d1d8f9ce98de295d9f2f

          SHA512

          7e8fe1377aab38cb4a86de362df74c3a9b03638bc7c327b56d19d0ac7c2195996b88d96cc4789147e24b15988b36ae83973fe4674a32f0e5768a9f449fb70112

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          c88a74151e16cd71c049eaa7c5353294

          SHA1

          8948b5326ed611047f88af58284966b740b9d10f

          SHA256

          071a496c481f70249d25c261e1a1772b6b8fb065082985f8842082901b57d991

          SHA512

          1487d5009a8f043456ee6ea17a56b5cf058f0ab2e27259faca664e73286b3779a38ec4b3d62a2f29a24a123b35d07ac50428fac2f6a440e4a95364cd87131fe6

        • C:\Users\Admin\AppData\Local\Temp\CabF93F.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\TarF9A1.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • C:\Windows\svchosts.exe

          Filesize

          88KB

          MD5

          43c6fd6fc51136632b47a8672de41034

          SHA1

          a22897d94f9d1ef123cbb1e372a619113327c214

          SHA256

          d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80

          SHA512

          f64b041b5a6afb4412496b526be0059814e4aac587764b36aa5b553ebe9d92533a162f484adc4b705853d65f59f262a91ad8888b84f6c1b7ac1099725fdd4e6a

        • memory/2672-450-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/2672-12-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/2672-21-0x0000000000320000-0x0000000000322000-memory.dmp

          Filesize

          8KB

        • memory/2812-15-0x0000000003200000-0x0000000003210000-memory.dmp

          Filesize

          64KB

        • memory/2844-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/2844-1-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

        • memory/2844-11-0x00000000001C0000-0x00000000001F1000-memory.dmp

          Filesize

          196KB

        • memory/2844-20-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB