Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
23-10-2024 15:50
General
-
Target
0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe
-
Size
137KB
-
MD5
52aca881f673c6addcd9b9ddb989fba0
-
SHA1
0a8dd50f4a5c3bd7e5b67ec83f15d45ba86f39de
-
SHA256
0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4e
-
SHA512
f7e27b4a091f05b14c2d0af02a40b305290dfaff2136dd3d06407eeaca153996529a2bf69d202445b4c49652fa754811783d1afc4f1ee3fb3bc35a04efb6fc67
-
SSDEEP
3072:51i/NU8bOMYcYYcmy5d048g3nan3vx9kGSYng7+s5YmMOMYcYY51i/NU8T:7i/NjO5x0Xg+UGSYnuy3Oai/Nr
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 2 IoCs
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 35 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe"C:\Users\Admin\AppData\Local\Temp\0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /im KSafeTray.exe /f2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\WINDOWS\sys.exe"C:\WINDOWS\sys.exe"2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /im KSafeTray.exe /f3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"3⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"3⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"3⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"3⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"3⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\sys.exe"3⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +h "C:\WINDOWS\sys.exe"4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +h "c:\sys.exe"3⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +h "c:\sys.exe"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c del 0ef0fbb421d59cfe86cb2d50c01649c3135b011085528c319dd229f32acc3f4eN.exe2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD52e5dbe34cbf815232f3ace4b002d8ce5
SHA1006b11640901373cd4a059228395e4f2b60fa09e
SHA25660fb3b0cb4481f1fd813c87ef3128c6aef01f821014eb64c648ecaf38b203fe0
SHA512a2f0a9d66fa639648b9ed005b7040eaaf5ad7bddd6d61542ec64fe5595ce629948698d47db48a413e0167998daf244ce5188420dce9dd4e839d1ff691e87f05d
-
Filesize
342B
MD574fd4017cf598d45d3c8c42b3dc6edd7
SHA1429965460bbd1f2a2c2d7067c87731d04f4ac519
SHA2567bb86aa4025aedd14315789b7b06b32b78bca63e5933fc23cccdcb1795e37f24
SHA512201ebf7e92d212f80df2e814e4f3e9273ea0cd059ea034450c3adf56cb207e28939b44dbb864254a87fb4b3780b0eaae510cf9bdb2b9a305fe0d7d49b4696fba
-
Filesize
342B
MD52f75e7acfcdd6cf1b48a84615e179c17
SHA1a657162f54a54c64d2f761c09e6122c68444e4a0
SHA256839250c39e3683cd115fe633009f16a34e4464188ea0243cf1731fa298d97aba
SHA512dafa22cce27939ceb51a64ef55a2194276db07b8f9fca4a7ec6d1269e9a8d71494a282e6297ac251364d2a28744f51b855382969495a0f9d6c9755df6397b1f4
-
Filesize
342B
MD5c739df82dd9729a7039af0c3f7acd938
SHA16178514145e82c87a584b604af099af16340fc84
SHA25662c268c588002d7084913965af409d6b21f422dbfd1f3b0fe3fbd8ccb8f10517
SHA512e4324ef92197fd9670cf2ebbc65b11292f07b9c939445c90137140ee6a695c728483f8a5f4b1059d9497766e142489dab3ef0072d95717399839c7871a37d538
-
Filesize
342B
MD588bb39ab1587583b06de7ef87c3ef8ee
SHA13e8d9c31c7098fd92728c7265e9d374bd12b7e0a
SHA256ea9e0528e2eb212d18b79806fde168fd97659c6a2d8079c57bfa314d512b4688
SHA51283382d5a2298022aaec1b8c2808888cc12697fdf1e2222fe8ff7596e5dec5e253205f70670e1a79be98443de8e4b4edd441a910b1030d0a08e2bf8629ecf3f9d
-
Filesize
342B
MD50c25172ea600b52592c42e67f421db6e
SHA1f1e60a3c90c6d531af6f9ffd4affe0ee7b19f643
SHA2566385e5289f0b389aa16c1a7158cbbf91ad5780e0df393788138f212f7d8e3a2f
SHA51282181f9584bfe32e2fb1fc05414626f9bca6aae04f0d30c3e5404cb8b9c3753cf187806f5e3b2848f9ba7afd324e57478b694a40f630019ceacca4e4e75c561a
-
Filesize
342B
MD571eb704a57ba3d1c2b08abc6fd54eb55
SHA130621c20d5b98c080860ade2c27b49a4680ac83d
SHA25682d334fc12de8cae030680e84e0c02b90ba05f3a79e661a5f463830af6ef53c2
SHA5122d50214714752bd3456c03acc981048452edb6688e9853c49a3ea042d92a6e0d3b923a7cc494467d0456ef1843fffc7fe0926a1844cbe88532b190823ddf7e22
-
Filesize
342B
MD558176c5e96de99656c3978acb8fde6e6
SHA1eb0ddd434fa0e4330e926e133a05a7a1f8ffafbf
SHA25651986240f0b317ecf31c1d143be98a5a5278448637adad2f0f029e13fda28651
SHA512297c25357dddc3f8c31ba37357317e41866814c6d23c31611cf116d11974ae28f1cdb28521a2140c0b5b2c1d1d3a4742b5d22b9c6f41c72e1005145f64596bba
-
Filesize
342B
MD5e2db2678af4e71726654bd118182bccb
SHA15eee915318584fff5d49ec5dd6573d5f838e671e
SHA2561b2236a096a097064b76053d6a03fc51c9b931cc4fa4955d83cfc8c7a3ab27f9
SHA51268e9fed0bd77b870611c26b1cd20ec2dee410b062bc837763c48decbf6bbe5b24c2a89e905889e0f1aabe1b3b55a3b8751cb0d8f948360a9e70d438dc48284a9
-
Filesize
342B
MD5edc15bc4f5c682a0fdffa9e15ae5ed42
SHA113b9f0dc45d183083c1d4f7cd6e63ee1780c4c67
SHA25651fb588939dc6dc4e6a5303236c35141f4ffca9f92b9892ade8bc7e3f88b04c8
SHA512dc91f4bc1b6c6b4548eae9861ae4433238a2692c679e17d85748a475a3db35519b9e38b7014fb4cefb3148d9cf37f99f750aa92c77f363e945e4efe925d51581
-
Filesize
342B
MD51ca89e4f60f303a4bdbd88b17665a978
SHA199c3653b064aee57469553e9483f8357edca728f
SHA256c38845cc99edd4ce8241f658becd203483fb376fffba3f1d6edb63696031bcc7
SHA5128989ffd1c9072e89163ab2095cbcdee724a6a3386a20c3191f985adaf6a1333d7102f3082f06550dce8a2c22fc948335ed543352568707536f2850af904a2d5a
-
Filesize
342B
MD5994a2bb27090148e6d6bd5b9195508a8
SHA160ea61dd392e3ddf25a0c3f7a446fe5f71e708e0
SHA25622f43678a950a04eecd6f7121c962b508f398065fa296c35c3999cc9cbde2731
SHA512056252a76911132d88c66033475dc511949bf17246609b2b8546eaf92c127e2d010b88fc1c3bf14359e39acff48609435315bbc3597fbf63fb8b20342ff4bc09
-
Filesize
342B
MD55fdf8535bb3a28f6631da0de5a6131ad
SHA1bf58f539570a090f5edc948759180fc8ad27eef7
SHA256a3133770c409c70791dea096b8a115aa0c929e9466dd8c6fc7b39845e8931fc6
SHA5129dec5cb070d29c9c59cf47126882f1f589dd1c945dad902b66de8e8bd59a9f51282ec98127b33321d87c41cb0401541fb103b54dbbbb61b85935968b98b26a3a
-
Filesize
342B
MD5f59d04acee6fd8f86f079f2ed32f8c05
SHA14e50ce0575b791fc33831b00c0e5c03887832d0e
SHA25699d72bcad37afb5ce7b739d478ad25cc22272c0e29f674ce94ac53f2faaa404a
SHA5127efc3b774c56ea45124d596a7b1a697d75485dbee7387654f9647eaddd40bdc517ed22896b2149abdcb72bab6f624a29f95abf3469ae34d7bae6f5a901354c2f
-
Filesize
342B
MD5df6d817e59c3297e60b19e9690e91304
SHA18b5ea8461bb94b6b03e773b11d92710b48c129ee
SHA256c288dce75474223c59580bc98adb7e8fb06778f13d519b41e66921d8d446cbeb
SHA512cac1867a9a31b5a8613b0b04018f078c0e680bc167a5bc6ac7658504d79bd059212dc2ef25d3ffea842de3a6e91df8db3aafa1bb9c00122c88bee049b401aea8
-
Filesize
342B
MD58b425886f02f506a4cfc3c8d6a569adb
SHA171128e2cec26f6d8d110b03f31773998afc3bb26
SHA2562dc66bbadb03a1b18e6bece63c6b3343fcd64a90e64c4536b1e99956c2833eb3
SHA5124486811a226bac06bf8e40b803d1fb5a8fe6cb58dab1f0d71a0f524c762708291e6b0a7d6b011bc63b342d6baf5dac22fd06dc9a26b719ddfae81402d9580f9a
-
Filesize
342B
MD5fba1c9614d9220d8b17332a00e65c59a
SHA10124b4a96cdbb4e58be9ee971902eb7e4b9cbeec
SHA256abea308467ea03d8d201e8ce1d0ae94f456a7bb238164e8a85e891491ed64b3c
SHA512208d97fa88330d4a8ec99031b6085909ee1049f922b7ba78dcbffc021f95fba62e656263b91a7c77668dab149ef789e67bc2b3c6102023e3340e13c95c56eeaa
-
Filesize
342B
MD5afa6c3051227c87ec7e431d30a7a2760
SHA179b4804f1d8a382259ba1329aa3f62466ebe63d3
SHA256b5a2fed5a463b763aee10efefd653803950e34ee8b1137bd24cf572d087f24b3
SHA512403679c9b7254db4be7052bf00f1b9cbcf88e214109901ae7b8df38f9716e812abe917d0342a9270a6766629961662c76d594e081c80dd60edf7abb4834cd55d
-
Filesize
342B
MD5e8343fecd53cd8643f56dc3d262ed23e
SHA10063545fa5bf24909e6e3b8ceb1d56254509afde
SHA256d2d05ab4427a3ac3b9c6bedf77638032592b8b69eea32320a9545b30ce85fcf4
SHA512ec193e1881840b1c9c9e55e3bad12681056857ae2a58c279c784ac198923fece0f09f7ed3db293a4cc3db36c2e6b3ddeb56f9fa9a419d565e022385669d367d9
-
Filesize
342B
MD5f79a830b7e2e01d837eeb4eb5facd551
SHA190de33d6fd3d0107e17e4efba37e158a6a4dbf56
SHA25640fb4f62a029696573a43cda0dbafc12262067cf52df836f15bd0ff90d12112e
SHA512da4a6fcef208a6b322edb30438503ad5882d57ceb0b0c37f8989a66c25f973878743d4ac18ab3414c4d7f8e02906b0e422f36acc57276698ffe79ab7eb4c3bd6
-
Filesize
342B
MD50e8689589b8fe2207bb1fbd92cf27708
SHA1ace9f0bc7ca4f97e7be6b80e9888384b756d1852
SHA256077cc5b3a2d46e8b1be7a3e514d3ac782b1c3a9c58328c4708867197d7127a28
SHA512040a102514dd2ef005feed0d7ab35b40c298eea48e8127b64d650b87dac4a7a0cbe8edf65c2a720352ac59c16e3e1b4f16a867930c04bbff6b22f6d6fdf11bb0
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
137KB
MD5f514d63802ca66e3d384cad7bf9206bc
SHA1368ad897415f0ab38259af4f838ec181c764418e
SHA256947a36ced94a4b008159a44b2685866b9165eb06b368888467106f5ba29202fa
SHA51260f841410e7087c1c2fe27e2bccc1cf511f2a20eb8147834ac05108450f6b417b5d311d184209d95d4fdc732a88c2211fe87831e33715d9e2b07a91fa4e022fb
-
Filesize
137KB
MD53b78672dd934a42f591a4eddecfe4442
SHA12c5abac4d7d65f83f1691fc6e63c88618dcd47cf
SHA25605d6bcc83bea02dae9aa36b28bd52ab5a650ddab42a98842c7732d4761d4e081
SHA5123426ca2049793c2b9b172e5789ceecb4a3a846bbd5b7977d6c3e3be336b97e683399deb9e1c79ade36838fd8b464ce0699a2cd9aa734303350308792e95eef81