Analysis

  • max time kernel
    140s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2024, 04:26

General

  • Target

    bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe

  • Size

    55KB

  • MD5

    2d54ff543c33342641b636d0ad93b32b

  • SHA1

    8c469b687a6ea57c560873c8afefac0c6fcdd54d

  • SHA256

    bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b

  • SHA512

    36621147818e4f70fcf1131ed05e3f5cce8d0daa2d05844c83d1776a57da1f554d739a6ec39bd9e602a31c36cb70d64be88cdb3da77766beb1ef9e05bbc017eb

  • SSDEEP

    1536:RhBZ1b9c409y1G1i35Bo01i/gcU8eVTOK/YqjYYamvbtb:BZl2zoxV1i/NU82OMYcYYamv5b

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in System32 directory 2 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe
    "C:\Users\Admin\AppData\Local\Temp\bda35ce31a90542dac234b4a57a057e87af13fac84c41808b351552e676c351b.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:516
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1692
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1144
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2756
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:3040
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:3024
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2800
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2696
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:940
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      PID:2956
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1456

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          97068992ed64966401aff6105dc74228

          SHA1

          e401d9f3697aa03b2a756c0cfde5720c5a87e046

          SHA256

          b1669dc32c85fe27e7af8914aaa42c5f7a35729c66fb9a23afdcd76c4cff27e2

          SHA512

          2234538aa9499ce0c06cfe86ed73777d7a841432227dfa842a582396b806f04113464424f6c6105c3d0080bef09cb94012e4abc62b4bbf07c576ecb3e729e12d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          1f6c972d8d724849430b704cac9c1298

          SHA1

          869437c5e0d32b5f0835b000b9dfb1412496589b

          SHA256

          8227c0887f7c5d2928d6d6cb9e3264ee9cf4d02968972bc4493e0c024a0ac597

          SHA512

          577f26759a5f5312d4c60a3923d345ba7e11f94d24d4cb5217b55d27a2a0f3f07fbdb0853426852b0acc99d9466e41f077c7105c6abec6883bb5c61608392caf

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          2aa6d5d3b3e6f1504875ab58761781fc

          SHA1

          9eeb986f957ea8076bbd8b71ff487769e74ffcaf

          SHA256

          8e470d93dfc18a089c34b2611a4b64b09210b13150ce827c1446c13713a4a3db

          SHA512

          ae7bca8b15f7095e98ab4026a269db537a5122fc5945fd0b5c766a7230a23a7fd924ccf870df04a7c6ba6dbf4de27328f485266751b40d41bb1cf53a26f1da6b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          38affb8a0b9f8342f5b305c38b86d57b

          SHA1

          3ae788431e4e7d15f5f9c02cfb92224118a1f507

          SHA256

          46dd8a0276937d1bc0b4840328bca1bea7789b916dfe9e9063c55352cf185398

          SHA512

          75f9b3c6b4fe70da9090b588e1f5c4f7d7d8d47f2039b70c329100c4e5b6c8346268b42446fc85645b0e7eeac2eb4526c72365f624e6b495961f4fe1e16da74f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          685829012a04e6651100a17c43010dab

          SHA1

          161181f8509a23e98c70e0f0d3840f310db4e472

          SHA256

          f2362a671476aad1c67f5598ee583c44d5f6b0aa770bf82b70aac6e0a7773331

          SHA512

          622235df63f35a5a879e13c893e8869a8bbd5cff619dfb5485718c935b45d56e716675e30937fe05c3347705f7c64d6a40a5dd3288dd5c54af8e5e5b80a24209

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          d3092bc69bb373ecab7ab9321397da1e

          SHA1

          d92c4ea70e585481b3c2089a15ca3da2b1f03fc0

          SHA256

          c5d02fb621d559e30435be9868286674eb88b45a68efb0e30ee54ee9aa5d10be

          SHA512

          2b6e92c60824b4cbe0b0ca3995381d0c87c9947b81d05a996d739b6e414d7752ee7a09cd5caec24f5928a33b79aebf660cd9472ea13555b4e14c3c14674a0260

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          5bcde82a1e9e563c45715728b6786750

          SHA1

          29c04e2b6b22287c90945654e17ea55545436115

          SHA256

          ab59ce3400fdb1f98408aa9618521672efb7a8c67a52c4dfb3104ca327cd14e9

          SHA512

          339abb92b1b0437ea42b800d2050c99c07eed6d186d0372bdf43d893a21d3945af9333ddcac2bfb93b8edb31d1906823477c8d9c1f2df74b4f572944a02aa9bc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          e9dd15371a909a064933a977a176cb09

          SHA1

          f22658e91e0195f84ebe7eac3fad51257fe2e9b0

          SHA256

          27b885efd19ffe2f45e05046506bab505864f33ae2c61a68cb4665fdb373edce

          SHA512

          7d21c31bbe63bb764b6008635436d187654082edb6ff1525b85cf5df7511cf0baf22402ea3d038d45d4b50acd8f5dfe25e3e3eedf95c2a76d15f1d4fc7dddda6

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          fd6dbf8a14280dfa5d9f41377e366461

          SHA1

          8f0d01f0cc8358d30a159110402b7d339a483caa

          SHA256

          2ba1d43f4e1bc9909f853a891ff9b454f31f8c75d922ae262481e69b63f27198

          SHA512

          ac4764cf84f72be426bf6897581e5a1c2b0bf5383bc74738498f929db2be895e591592da15bdad0392873aca87b79d81c0232d4daecd7b86263a4a92838a1a6f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          554094881fe586c0ae29bb149e0116b0

          SHA1

          6cf8cd47feffbc7c99f54226782301e8669c02d6

          SHA256

          0d6be37219e30d0f47a9dacb8822e2c9eacfc1d1ae07ec8e2b87dec30a555ba6

          SHA512

          728124eeb9310217f107118e67ac0792542fb6fee87d1cd7c4d7b0cfffdd3fc7fc29e78fd466bac11c2d5dbac29b53785ded0e7cca314ac81a44cb671395d4ea

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          f360c041b048146ff6faf87ce927c011

          SHA1

          3afd76f107d2a0464ab2956b9b30236f67b131e5

          SHA256

          a0553dea98769121e713f0fff1edcb81edd5823633c853b605b539322b3cc011

          SHA512

          5abd5ac86baa61dadcdf9716cd4f9965449734b57cfd554715d786681e4a7900620e8f057d385b3287eae395ca44ff951b51285b9471555ce2ea18e55fbb0e0b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          db26b8c923007cadcee647e9357c5949

          SHA1

          864135a0dfb1d8477ca1afc2f652ddbbc97a4475

          SHA256

          9fe56b12fbc696354d7f22f157c1275a6417c4e7aa73c9a782afe45e1de0854e

          SHA512

          0d6c5c25454648412fc5b66be13ea7fcde1546549b8198e8d8197c17980932ac681fce3759275bf3e99aa6d4dbceb50d73c710cbb41acb5fcb9d343619e3180c

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          1b6a80773b969a427727f1160a323b3f

          SHA1

          b3a38568f6a45bb0ef31aac4f4f5debd33c474da

          SHA256

          ece87ca13efd4af78cfc901b8e893dd0d0402691efcd35d132524f8711153df0

          SHA512

          653f69d57e9795f1a7e7d12d368d888f5b05c1fe9c1c96680fa75e7909c5d3ef50dc6427fac8cf6eb85b93be06b30789ad01dab5ee10bb698459cba9a11482c5

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          1a872a84010b4f542ba8883c3b5b1ad8

          SHA1

          1cfef5483c939e935e89c54399a970e61508a51d

          SHA256

          02103ee074b75da809ee0b7029260e5e99118ecad123a5185d1b5940ba1a9e77

          SHA512

          4bc976a1d4584d0c03c181c250f53787756eae6ce380c6fddfb128e2f822ffa7d2ad23ddc0180de763e0e26e4ca68c81e41c80c215360fe9c796804a38f0ae19

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          ae4d1244dd81d9a0b0145d855c616c99

          SHA1

          147c952a2042ad717d94d29af922607294a9bbff

          SHA256

          70577f4430c649a37c1ab0d92008b94be3a7c9f8af5520efc0cae2bf859add2e

          SHA512

          1f47088d666cfac8814c97e56a1063fb0b3ed5ba3bb1613d788a63adc2c6207df7661f64d17d881b71e05cc37f6ca067cca4f359f9fbf94699ba9b8f042bbef8

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          6eec9ed26284299866f26eef9b4507e5

          SHA1

          c714d2167e2a8cba6240af46b61762447b0c4039

          SHA256

          028983b3284a5722397c2f74bd93b6b6ada8c73d432ef659b5a5a811d4a12721

          SHA512

          282ff1be3b4022dfefdadb566f48353b66b7d886ddd9297bc3876b1de20c33a3bf2c8c2ac6e57cadeaa20eaf3ebae3cb0bc345049d2894c376b05a4f0103d1d3

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          18df4f08c4b6ee0ab90285f7ba4a7bf8

          SHA1

          6b7d9d2bfd2c9718a24be191594f6495fcb4c0ee

          SHA256

          a75493b9b909d43f7503b93225e02c8967a6d86159b5d9c1019243b92a5cb313

          SHA512

          eec2b3c4bfbc60277dfb1aba6e0e0be08a3ea28196ae6b9f33137859966eaf7c530555cdec4dcb5675444d040526b0c7807031159cd172306e37066cff3fb1ce

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5FF0CB21-9740-11EF-A5FC-C670A0C1054F}.dat

          Filesize

          5KB

          MD5

          5c7d06241871b92c6743a4045b2b6a7a

          SHA1

          221601389dbb1dd1d982bbffd19ee7c84d4fae7a

          SHA256

          07a1196b9f908bba84e8b8a12058f4610aa849190959ddca5f9989a51ee9265e

          SHA512

          c30dced3884c6d90d281186aa000b37f9f85be64c9429972ba8e9cd9ec22acd7a2199f97741345a6a3d4812a1268d0f2496be3cfd0bc67b68cd058dc1141d0f2

        • C:\Users\Admin\AppData\Local\Temp\CabB69.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\TarC46.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • C:\WINDOWS\windows.exe

          Filesize

          55KB

          MD5

          959580a2d105e6140652d2a3ec6e5630

          SHA1

          6d407fa2193dba88750a29aa2872f42fa6d939fb

          SHA256

          11c9d47686b80ee6ed67d479344368e7e115736461712bd335af225e650d4d71

          SHA512

          e7706fa6993e33543df08405eb019412015cf99da7f8034007c8740d2d890e96af211f51cb2aa72f03f72ee97aa745ee57cee1b8e09f54d49c3ec48f68ad26b6

        • C:\system.exe

          Filesize

          55KB

          MD5

          3125f9d1dc071b11b2ee21dcb8f844a7

          SHA1

          b98911e4c2ef5397245154fa3b914f5c756dea97

          SHA256

          16c93102e4b7efc4146b2d0d31da792026b38815be54409594a74677c99e5721

          SHA512

          8558e5fc790f0119867181ce4be488e0408a37b4067e5617e47a44aa7995dd9a87c2bbc3423fd116aad070b8f2a6b9f255f890f7837b7c93b8c5cbac527beb52

        • memory/516-0-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

        • memory/516-25-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB