ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Size

32KB
MD5

bead953595a4a3c373144063dfa8f885
SHA1

d1caecaacfc8b0cbf65fb50155c32fa2d141eee7
SHA256

ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366
SHA512

a1b40ac1872ca15b0001cc9e2f35e2d16728e617719fd90ab08648b8a30acd35cb045d5c16fd3bb8b7d720695ae5189c5a20f952891c73e16888b5e9f35797af
SSDEEP

192:p/Qn5smrSUcVRwLgyAOSfUML5dyfeqR6J+idTcXNwfKYfwDLXkk65oa2hTbP4oyP:ynaUczqSMxRhIT7EHXfSoa2d43eZZIl

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2160	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\XunJie	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\XunJie	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{41906A82-C6BE-4329-96D5-543B29A18BA9}	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\URL Protocol	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\ = "XunJie"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\XunJie\ = "Ñ¸½ÝÓÎÀÀÆ÷"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\ = "XunJie"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\ = "XunJie"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\xunjie\\XunJie.exe\" \"%1\""	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\XunJie	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\ = "XunJie.Association.HTML"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\ = "XunJie.Association.HTML"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\DefaultIcon\ = "C:\\Program Files\\xunjie\\XunJie.exe,0"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell\Open\Command\ = "\"C:\\Program Files\\xunjie\\XunJie.exe\" \"%1\""	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\ = "XunJie"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\Open\command	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\ = "XunJie.Association.HTML"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\DefaultIcon	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell\Open\ = "Ñ¸½ÝÓÎÀÀÆ÷"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\XunJie	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command\ = "\"C:\\Program Files\\xunjie\\XunJie.exe\" \"%1\""	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\DefaultIcon\ = "C:\\Program Files\\xunjie\\XunJie.exe,26"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\XunJie\command\ = "\"C:\\Program Files\\xunjie\\XunJie.exe\" \"%1\""	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\XunJie\command\ = "\"C:\\Program Files\\xunjie\\XunJie.exe\" \"%1\""	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\XunJie\command	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\XunJie\ = "Ñ¸½ÝÓÎÀÀÆ÷"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\XunJie\command	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\XunJie\command	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\XunJie\command	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\XunJie	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\XunJie\	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\XunJie\command\ = "\"C:\\Program Files\\xunjie\\XunJie.exe\" \"%1\""	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\ = "XunJie.Association.HTML"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\ = "XunJie Document"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell\ = "Open"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell\Open	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\XunJie\command	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{41906A82-C6BE-4329-96D5-543B29A18BA9}\ = "IThunderMx"	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell\Open\Command	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\XunJie\	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\XunJie\command\ = "\"C:\\Program Files\\xunjie\\XunJie.exe\" \"%1\""	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2160	2148	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe	30
PID 2148 wrote to memory of 2160	2148	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe	30
PID 2148 wrote to memory of 2160	2148	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe	30
PID 2148 wrote to memory of 2160	2148	ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe	30

C:\Users\Admin\AppData\Local\Temp\ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe
"C:\Users\Admin\AppData\Local\Temp\ecae75b32ba6635db07f3135c3ccb67fc7b7183db617aae884492ff10730a366.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ydlem.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ydlem.bat

Filesize
516B

MD5
a0b7b17f7bd6c90480cfe0a1d751abc7

SHA1
0122b4c482bd47fb76f8eee6ec5dd53aa4744dd1

SHA256
17aadf472911f8ddf9b6731013689823436d036a7ec529c85ec2af355d36ca28

SHA512
06161bca8ff6367cbbff1c3b2397606887fedaf4f789fb87637df87f8e14d5a56801adc4d839b393cd56bf487a74837d8e736e68c282f697d176c8f758b81c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydlem.tmp

Filesize
32KB

MD5
2cfc98934592134ecf0bdb05be569cc5

SHA1
a6280e3f1eeaac6eb421f0a79c1df7f62274735a

SHA256
00ac37d63a51297599d8b6ea479022d67b2f3d133c2799cf4e552774512e52d0

SHA512
284be35634cdff4ff0cce06388f9089057d66647901cd4a9d6aaf63def8cf521e4a088fec848a9880bf4c58c623fd8d2e1326b3a6f90db6433c696aad255185a

Download Submit