Overview

overview

8

Static

static

3

1cf2133dd2...8N.exe

windows7-x64

8

1cf2133dd2...8N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    93s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2025 06:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1cf2133dd20051845e4feaea1d4dad15931a544398ddd7e3879b13627be90b08N.exe

  • Size

    137KB

  • MD5

    21640f9330847c3ad96d1736bdf66840

  • SHA1

    f8b6673a387641d14b71cd56680326b049f23214

  • SHA256

    1cf2133dd20051845e4feaea1d4dad15931a544398ddd7e3879b13627be90b08

  • SHA512

    cf5b5961e0b9bc0723b71e750f551ca17a5b0c9ab8dad2e42f573c0bf34af81309c95d2ecd9b290427efbf7313caa714f10c804e134f10f5ac42844525b9e752

  • SSDEEP

    3072:11i/NU8bOMYcYYcmy5d048g3nan3vx9kGSYng7+s5YmMOMYcYY51i/NU8T:ni/NjO5x0Xg+UGSYnuy3Oai/Nr

Score
8/10
defense_evasiondiscoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 2 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
    defense_evasion
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1cf2133dd20051845e4feaea1d4dad15931a544398ddd7e3879b13627be90b08N.exe
    "C:\Users\Admin\AppData\Local\Temp\1cf2133dd20051845e4feaea1d4dad15931a544398ddd7e3879b13627be90b08N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /im KSafeTray.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1008
    • C:\WINDOWS\sys.exe
      "C:\WINDOWS\sys.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4240
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /im KSafeTray.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3512
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4404
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4404 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2652
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1328
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1540
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3680
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3084
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2376
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4448
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1440
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2348
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\sys.exe"
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4620
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\WINDOWS\sys.exe"
          4⤵
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4548
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "c:\sys.exe"
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1044
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "c:\sys.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4432
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del 1cf2133dd20051845e4feaea1d4dad15931a544398ddd7e3879b13627be90b08N.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:428

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    9bf51918a12f03ca4f26d83e99645740

    SHA1

    9c83d4a1ee3ee73e734776e29009d37e2273183e

    SHA256

    c04f101c94199d3b225ad950b34b6a4d7e1d5392e01b01fde11adebfae33aa5e

    SHA512

    6c8e8ad3940371f69a04f56dfd8da664a2bfbbcf3dcfce35903faeb46d301a38c72fb6f65d812e5018b5dbdf74ee293520fd6a34976e2b98285ad62114b891ef

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    dfb40d53bed0955ba8d6ba257d6a2381

    SHA1

    3dafba9593550740594cd18b94ae5a5cf0355156

    SHA256

    13dedc76f36e27621e4bbc227caff4e1d8025218cb41a5e814181f31d727f82e

    SHA512

    c9d65396b9cc7246bb9b213e4d6c460b0d1febaa5b466dd3504be41d1e1b28b3a12caff392ed150fcbca8d58ea578443802fe75c93c659fe40709e84b0153aed

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4292.tmp
    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2YUS9Q6F\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Windows\sys.exe
    Filesize

    137KB

    MD5

    2c30064b731f668d015d78b313a10f66

    SHA1

    b2d886f8fc9409d46f59fc063ef6738943942f0c

    SHA256

    bddcce4021e17c6f18e0cb5720d41805127b66a07dd7b4dd64051d52c6e4611a

    SHA512

    d861edbefabb9cf4d879972c258fb6c2a868f8ab8904eef0ee12edf5e0b3dc41550c6cbfe4616a10d360b7ff093c76087d15c235c24717d8d2490fb13ba26eca

    Download Submit

  • \??\c:\sys.exe
    Filesize

    137KB

    MD5

    d7fb14c3f560dabf95fa4aac8913f2c4

    SHA1

    ee61dd97e33d01420e72d33a07c16233a252caf6

    SHA256

    9b9199b1ebcbc0cdcf58b0830a7decd49de28b1cef8d95e62982fd804130ebed

    SHA512

    98be947624629966288b2141587b5320599c4af830ca73f4d37f6a82e84cb80b2bf9b7a1f5ecf5574c3e0f415565fa0b416a4c6aa0a4c59cf61d0a70b476994e

    Download Submit