8bd05c7e27e65b921ae28194857ff2769f249dd942342a70ff0878e678a3ed22

Analysis

max time kernel
151s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/02/2025, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/hao123inst-taiwan.exe
Size

305KB
MD5

efd47a079976283cde2a1f9547689cde
SHA1

9f90940372c37d7d4125774190efcd5c8263a2c6
SHA256

4c52fc7d54f3b4cb1b4e7bcc66a778e9c704211f8406f382cfbb541db42398a1
SHA512

47fac55eb2bd937692048ceebaf5da8d1b72e9d7e6954c51082d2b753039a2c00a82c5db04d7216c412b4376e6da7126662e3f7e6734008333d6840b28301a53
SSDEEP

6144:gjbTUh/hQXxBvQ0utY3jNp1NZEE/1rEpYANhWx:gzGQXDo0utIjNHNqGrEKChc

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	hao123.1.0.0.1100.exe

Loads dropped DLL 6 IoCs

pid	Process
1840	hao123inst-taiwan.exe
1840	hao123inst-taiwan.exe
1840	hao123inst-taiwan.exe
1840	hao123inst-taiwan.exe
1840	hao123inst-taiwan.exe
1840	hao123inst-taiwan.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral23/memory/1840-0-0x0000000000400000-0x0000000000534000-memory.dmp	upx
behavioral23/memory/1840-61-0x0000000000400000-0x0000000000534000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hao123.1.0.0.1100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hao123inst-taiwan.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	hao123inst-taiwan.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://tw.hao123.com/?tn=forf_hp_hao123_tw"	hao123inst-taiwan.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1840	hao123inst-taiwan.exe
1840	hao123inst-taiwan.exe
2644	hao123.1.0.0.1100.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2644	1840	hao123inst-taiwan.exe	32
PID 1840 wrote to memory of 2644	1840	hao123inst-taiwan.exe	32
PID 1840 wrote to memory of 2644	1840	hao123inst-taiwan.exe	32
PID 1840 wrote to memory of 2644	1840	hao123inst-taiwan.exe	32
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20
PID 2644 wrote to memory of 1156	2644	hao123.1.0.0.1100.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1156
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hao123inst-taiwan.exe
  "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hao123inst-taiwan.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Users\Admin\AppData\Roaming\baidu\hao123-tw\hao123.1.0.0.1100.exe
    first_exec_from_inst
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\hao123.lnk

Filesize
944B

MD5
20759fcdc97218cb611caa1abe23cffe

SHA1
c87e7d8bdbfeb61e02558b9505f8401854f75eb1

SHA256
454d6c8c06a94642c4699370724ea73c1032addbc5d745541f72546b23dfe110

SHA512
b974691447716685e3f7a9fd1bfff8710f934a307dd2ddd78ca7b9b4dd4526e4965507af289f9f44ee5b89f4dffeb6410cacd529d0302dc921dbe30eb1320bdd

Download Submit
C:\Users\Admin\Desktop\hao123.lnk

Filesize
992B

MD5
4431c8d24beadd1b3eea0b9e11c11687

SHA1
9afa5d195bfd2ebbe8eddd41c1f40ee836219259

SHA256
0c71029220017a72cd144c7fec079f59dffa8013ebb56abd1d60cd7ba65465b5

SHA512
f4b55ad5dd35be0496516302da10907debe710fc0decb885b0ae627bdb5b37778a89cabcddd5385f9ab9520aa36f63181d3b0fb417f1aa1ac0b229e4194d0bcf

Download Submit
\Users\Admin\AppData\Roaming\baidu\hao123-tw\hao123.1.0.0.1100.exe

Filesize
536KB

MD5
2d70d95d5aa1027ad772a35d2a95fe2c

SHA1
f2c05d81c507d29473bcd84a1b0ddaf12022d1db

SHA256
7fa96f4fdff5abb39587b3be3e969c1c0188a75cd9871ef25351c2becd1c1724

SHA512
e48e73984644f1a8095fc90fc1fc719fc9b07ccfa0ff1ae9a92f7a73cbe4f99b9c72912f7f1b0c4bd44b9ecc0f3d868d3cccfe6f9a74483feed2f582aacf6991

Download Submit
memory/1156-65-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/1840-0-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1840-61-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2644-62-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2644-64-0x00000000005E0000-0x00000000005E2000-memory.dmp

Filesize
8KB

Download