Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 01:01

General

  • Target

    9dcfce325dc82b713f9b3f228594cecb93900937eb946b8613f225fc2952f8b5.exe

  • Size

    55KB

  • MD5

    a9e6b6bde9bb9a8419ef3a4c8e68aa1b

  • SHA1

    2b5acf57d787ee092bd62366970059d714ad19d2

  • SHA256

    9dcfce325dc82b713f9b3f228594cecb93900937eb946b8613f225fc2952f8b5

  • SHA512

    ade7990ac36fb7bf3a1b8b96cca3962e71a03b69efc90217f643dc42c0dd3b78033f9ccbae7be8186ad26680b3699e673efd3c88d1cac6011d1e7eeb487fd9a3

  • SSDEEP

    1536:VhBZ1b9c409y1G1i35Bo01i/gcU8eVTOK/YqjYYamvbtb:NZl2zoxV1i/NU82OMYcYYamv5b

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in System32 directory 2 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9dcfce325dc82b713f9b3f228594cecb93900937eb946b8613f225fc2952f8b5.exe
    "C:\Users\Admin\AppData\Local\Temp\9dcfce325dc82b713f9b3f228594cecb93900937eb946b8613f225fc2952f8b5.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2460 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2128
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2088
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2088 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2756
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2684
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2704
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2852
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2164
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      PID:2600
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Downloads
