Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2024, 02:42

General

  • Target

    f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe

  • Size

    55KB

  • MD5

    48ff6c57d2e916036b40d137b227a9a0

  • SHA1

    4c31b5082e06afea0afe666f2e85bd5cf25bd14e

  • SHA256

    f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cf

  • SHA512

    9e2dd565ac011b612e797f2bd00b7a25aa1ca16f8cfed23b3b46a7e22358f3f3fa910fec2e34a2d7fa85f056104ce97bc4cfcc7ee13e683cc685c3683962556b

  • SSDEEP

    1536:KhBZ1b9c409y1G1i35Bo01i/gcU8eVTOK/YqjYYamvbtb:GZl2zoxV1i/NU82OMYcYYamv5b

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in System32 directory 2 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe
    "C:\Users\Admin\AppData\Local\Temp\f9e2fbc5b8c41b45412b0cd4b8e762d850831a1e4931567691def69a98c257cfN.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2248
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2696
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1304
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2572
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2700
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2620
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1276
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2936
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2144
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      PID:2128
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:684

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          97d2edfb6ba4d1f55579432a56ae4b36

          SHA1

          2ec592504801bf3aafceb6ee9dd3f2556efa4b50

          SHA256

          a4bb90e195ec667d59b18de2e673a927e004455767404d91125a66e47e31adfc

          SHA512

          7790d68da2b8d91d0e19e62c701989784b2f8d02d93be13dbb98905538607e85f6eb503284c9476e8610dc98598c1872738b37e31749fba63db3f20cac3ab6df

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          6ca1f66705aa2836101a9151fb0305b8

          SHA1

          8245040171191ee6360c335d4234a7b810a46303

          SHA256

          fb4bdf1d201eeed99834f412a525cc390e8fe662a9dea45b516f3514f9f34e90

          SHA512

          ca792c685cf68216c5f651537eba8bf32517468f1c85124863c8f81c3be0624f65a01d517e65a8078507814d8cf855ecf391e70c58328b291790873dce137be2

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          d1b2e82f6717d6e114ef65b18d9577fd

          SHA1

          98ae9542b0c353f72455b95bcef84f4fc3afe60a

          SHA256

          32106957dc0fbddf362de19a8972b02c78d12c13acc83846212946e5e74f7772

          SHA512

          e8dd96c03f708f9becadad97a51541fbd87fd85eee1b9d8b37c19fab45f23b810d6b5987f988ea66703e3ad31d83c09550497caaa55769f694110045c0105bdb

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          34d3dec4b7c07e0eaaf5b5759945b849

          SHA1

          b28a02fdc3dbf9d080f76d7ad22a4011e276a81d

          SHA256

          8041fde8cfadd497d879db4f7402969fd87ca04c5c0b1c75bb05149bf419467b

          SHA512

          9910cf409581db1441589f5cb25cbc1e6ca1ca37c3e164e84c2be506f27449bd20d4dee6854961f7930afc44b83fec4fcc0b318040ea2b3aee86b91562db38af

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          44f171cc08cbb4626b83d725ad47c55b

          SHA1

          ca7dddefb1ec0422452b697ed92ff6c347ec84f3

          SHA256

          9b6dc8a8bb23de8f911560429a542bb0eaf27720c07eaabc1c12fe2a2c432419

          SHA512

          5ee2311f155e5c01936a04c92f9b1786d0e75e7f289a500cd9eddad986efcd0efc3753bbd5cbcc3ef9d879515ec264ee4d10307d48b420b662e8020cb8ddf9d0

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          4e26184a14ee75bffaab9789ce2f886f

          SHA1

          9f46abbc2d6aba0006dc28b841b514bc3bf1f900

          SHA256

          2e88941a6d5de5e33c3fc9622b27b2d2f9aaa799f342d7fbbdb19b9b5aa56bc0

          SHA512

          95b1886089fbab3063bdbb51e091ea3d0043a5f96879f03daec204c210b6f75f854c1bd60dd9c6cd7f873882887cb421ee947481eac855ab5b5ed4ec2c274239

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          19f1744a4491c49dd3c74565c7b0eb71

          SHA1

          f5cd9b99c96fdaee1b6ffa79abcf72103f325aa0

          SHA256

          d13c2574ca7ac773d48685a7ce0e02342e9c768ea6a7d374ae6a0124751fe2b6

          SHA512

          66073ccbf18c5441a1e4e24dac6d300dc2860882b765a2483c8f859d0e0e18dd5f41ca464d6aaabb30bb160d2f3ffdcc29cb87d491ed4641df33a14deb09d0ea

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          1859e5ff7bc57788f92ac2b8f06600c1

          SHA1

          aadd6bd696a366b7351763ad75e05867ef3246e7

          SHA256

          2aa0daeb2dec2044622b2d688177d6316da93fdd35ce973067ce2a58bfc02e07

          SHA512

          f573d2b5867cba6459acc11eb2c292cff59311e521c8d76241fbfd65168d6faf34e1d70e479d2c1a38b27f733e71bb5c105abd0c424b0166b9f7e6f693cd48bc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          d7b5e6f01afb7813adc65b18b78babf7

          SHA1

          bff3b3d49e376a7503413764ef2a6afc4bc01ec3

          SHA256

          c9b5afd41ad126c0698268ea8b274e853eed62098e34760f721999caf1244df8

          SHA512

          9863da4e800410d54595f6904a08333a84b6c6bd21c85444b28f9be106aa2b06e61b81d1f6ab9209e4422370f87b8330f63f638adcd8656a8db459ebff1832f5

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          a93e0afca020053e876199bf2ff3bdf6

          SHA1

          8c889ebcceac9e1a615c279f3989484d215585c5

          SHA256

          08e64b8e8ad23505a0af027f6532e5011e94182d6654cf9b1eea2ef3a2ec8290

          SHA512

          f0d913c55a962fcb7dc376e163b0b7e2cb186c305052b2a9160062d673008b6108870291550a06781f5b3f08ff125b602d8ab30c41c5a6cd02c26d85c0b85d8d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          aa0a1a19bb4d19b90ad9ca287e7b996d

          SHA1

          30151757d42ea89932f4687cf43f867a6d6d74af

          SHA256

          217d25934b50190385f61422946a201e8fad3d3896de9fd91cb679036fbd88c4

          SHA512

          5e93bd65b6fc11c9991451c67f6fd8ca862ccf099f2e37a53cd91e1c2f913c267999ea19069c06828d5af916b008e13fcbc632c4d9abf620ddd6512df4327815

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          11d9708fd4e068cff279ec6f20da2b3e

          SHA1

          f2760cfd924677b547e154f6d4db6064e8a7a059

          SHA256

          098fa1ac168a3c9c45230d7ba5ca7bdf83688b6a2ccd2598acf34f465292d28c

          SHA512

          dc7da6b4bf65388b6e2cac4c850b7345512c113bae4437dff2ff093a00912270f7f0b502c756f251fb9c94167e446e7a3400fe4617e7ebf2a238c43387eba6fd

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          e3e745774ffeececb7125fb387bdd505

          SHA1

          8cf3227ea216d63605b535ee96845beedc216b0b

          SHA256

          cde8f12fb57d5be60af0028bf503517df43a07caca484118fcafed4b48b37eee

          SHA512

          f491be482058dccb0045c5b4a939c327479bba0c85368c41e38c526c29a141dfb178e900c08281dce91906893c383dfe81adf4f51c05afa7482bd690254d15a4

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          8ad15e60db88ce568c01f32495df7e39

          SHA1

          266b57af608333079a03bf650fd5d7fe9624117b

          SHA256

          818cd129b5efa52d92f9459d078f6de180836e89aff8592585761cbf3825a3c9

          SHA512

          c1a67cefda5458fd024c8a0c48739a701594497f830ba17afee55ab5941ff34dcaa8c9df405b317dfab05bb584c80583c2fabdd43734ba2a104fb95e022ed8f5

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E05DA581-9731-11EF-AD58-7ED3796B1EC0}.dat

          Filesize

          5KB

          MD5

          0f99cb5d6a14803c98d9ffc0d2974ccf

          SHA1

          ae4e52943937df1438b3f609b3e30aac5556ab7d

          SHA256

          b3ae343696e17115a9c0f77d9d47f6f4ebcd08047f0eb2d9f15c2daa6d7fd370

          SHA512

          28917b5b03e1a935a4aaf7ed7130c6312fcd44ede2324c793f3c02c83e627649b1112756901544d8bc14c12239bdcde6083489103414ab29be1cb87452f5d0f5

        • C:\Users\Admin\AppData\Local\Temp\Cab9B4.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\TarA24.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • C:\WINDOWS\windows.exe

          Filesize

          55KB

          MD5

          e21a79cb24361cea29cadacd5bff6ed6

          SHA1

          306f46ca40dc64a3dbe2a6e39a3c6052d52c636b

          SHA256

          7281731b637ac19f75a7824af6d2e063f99a2b19c06cc9b2c82cadc6942d8d68

          SHA512

          1849955dd3d78ef6a1ecc0e00856d4d6be295235ca6cbb659a39aa0783e045c4f5101ff1f6f5b30ab4aa62d07564a4d3e73fbacfddc255f8310cf1c8e78d9d61

        • C:\system.exe

          Filesize

          55KB

          MD5

          75b8c5314f6eb0e61dbadfa657ac0cec

          SHA1

          a3ba00420caf7a74faaa453ae3e1002e3c75aabc

          SHA256

          468c119eeafff3a185f417512225e7403ee93ed4785221ace3966a206984c674

          SHA512

          75e99346a0a772e048290505069335b1142eef14f3af0fcab74356e08462b81f9b53433b461165f51741f515c13e8c7e46a4ecd85d5940c975b880c0785f0dab

        • memory/2672-0-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

        • memory/2672-453-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB