3c67ab82720d3b7d1436b386b7240c9dcccf595137850ceab3135370038f83e6

Analysis

max time kernel
151s
max time network
119s
platform
windows7_x64
resource
win7v20201028
submitted
12-11-2020 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

插件升级.exe
Size

148KB
MD5

76da6b8def232c26d12c0d7510d395cf
SHA1

7bc2bdb08a9ef794d5ab454e43e31f003f953b91
SHA256

1ad6475af8ddde5f8b1be0ace9c7bc9db6edf5ed37f47bc0056e68e53d17227a
SHA512

1de410712646b7f3ed2e07db834a62467ce7e54e5816e635c6e0102997448bf0364871fd17d28d2aa926abf8d06f26ebab5b7957d61ebd8a11b2a2083fa084e0

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

winbody.exebooks.exebooks.exe

pid process

2004 winbody.exe
1184 books.exe
1816 books.exe

pid	process
2004	winbody.exe
1184	books.exe
1816	books.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\books.exe	upx
C:\Users\Admin\AppData\Roaming\books.exe	upx
\Users\Admin\AppData\Roaming\books.exe	upx
C:\Users\Admin\AppData\Roaming\books.exe	upx
\Users\Admin\AppData\Roaming\books.exe	upx
C:\Users\Admin\AppData\Roaming\books.exe	upx
C:\Users\Admin\AppData\Local\Temp\_MEI11842\python27.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI11842\python27.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI11842\bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_hashlib.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI11842\bz2.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI11842\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI11842\win32api.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI11842\pywintypes27.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI11842\pywintypes27.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI11842\win32api.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI11842\pythoncom27.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI11842\pythoncom27.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_ctypes.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI11842\_ctypes.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI11842\win32com.shell.shell.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI11842\win32com.shell.shell.pyd	upx

Drops startup file 2 IoCs

Processes:

books.exewinbody.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.dll-d1f22018eb4333fa4d3b6158c5759a37.lnk	books.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsLib-E862D7FEA3037BA37E7E466DA0EA99D8.lnk	winbody.exe

Loads dropped DLL 13 IoCs

Processes:

插件升级.exebooks.exebooks.exewinbody.exe

pid	process
932	插件升级.exe
932	插件升级.exe
932	插件升级.exe
1184	books.exe
1816	books.exe
1816	books.exe
1816	books.exe
2004	winbody.exe
1816	books.exe
1816	books.exe
1816	books.exe
1816	books.exe
1816	books.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winbody.exebooks.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsLib-E862D7FEA3037BA37E7E466DA0EA99D8 = "C:\\Users\\Admin\\AppData\\Roaming\\winbody.exe"	winbody.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windows.dll-d1f22018eb4333fa4d3b6158c5759a37 = "C:\\Users\\Admin\\AppData\\Roaming\\books.exe"	books.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

插件升级.exebooks.exe

description	pid	process	target process
PID 932 wrote to memory of 2004	932	插件升级.exe	winbody.exe
PID 932 wrote to memory of 2004	932	插件升级.exe	winbody.exe
PID 932 wrote to memory of 2004	932	插件升级.exe	winbody.exe
PID 932 wrote to memory of 2004	932	插件升级.exe	winbody.exe
PID 932 wrote to memory of 1184	932	插件升级.exe	books.exe
PID 932 wrote to memory of 1184	932	插件升级.exe	books.exe
PID 932 wrote to memory of 1184	932	插件升级.exe	books.exe
PID 932 wrote to memory of 1184	932	插件升级.exe	books.exe
PID 1184 wrote to memory of 1816	1184	books.exe	books.exe
PID 1184 wrote to memory of 1816	1184	books.exe	books.exe
PID 1184 wrote to memory of 1816	1184	books.exe	books.exe
PID 1184 wrote to memory of 1816	1184	books.exe	books.exe

C:\Users\Admin\AppData\Local\Temp\插件升级.exe
"C:\Users\Admin\AppData\Local\Temp\插件升级.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Roaming\winbody.exe
"C:\Users\Admin\AppData\Roaming\winbody.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
PID:2004

C:\Users\Admin\AppData\Roaming\books.exe
"C:\Users\Admin\AppData\Roaming\books.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Roaming\books.exe
"C:\Users\Admin\AppData\Roaming\books.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI11842\_ctypes.pyd

MD5
d7f2a6f8ceef96a76dc55064c1d0d065

SHA1
336d2ad30f77baf2382a6d8d13618ecf918dff24

SHA256
95203f4fa2bb28f83939a8666ea6c975c8123b906a2eccae7f6d75ad9c77a84b

SHA512
14929cfbbedf8359be1e373ba69553335c700deff1951ecfa7a2bd53cb4fe157bd5c5d626edd97fcdbb2f3aa3e91ab076d79172673924828e6f59698e82e904b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_hashlib.pyd

MD5
fe9d1b72e0d336a8066d80423b2c63f6

SHA1
f78c95d1b0a8bfdbaa2ec3f353c7b295708a316b

SHA256
4a5b0119a05582cb85c35995d3f18c1a429461583c5cd1f2fd95a93ed2afe4ff

SHA512
201fc2c0b938128e6041256e8263b6e0da1fe4befcd4d525a1952b1f6e58e08bf645323d06a516774a30ab80769412e2941acbdd49e6dddefb1c43b27a7878d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\books.exe.manifest

MD5
521b79738d97bf62ce8383bdbadf5912

SHA1
cc87ac6b29303df511fdf1bce93219aa97605141

SHA256
3fbd99c265f1ec78763b80bc2da92498a8274de921b98ce7b5935020daa9ce75

SHA512
ee6c8308ffbc05954be0adc5132fb3473888cf69e2f81dc00e7a5b4f70e3faac58141dc4d44b9114171ee614e12d7da76dab3940cf9db25c2ad8c19019b77a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\bz2.pyd

MD5
291f0811eb4a4a7df13b499c2d701623

SHA1
8ebcfc6f172fce8d4e03688ea6e42428c65f7c79

SHA256
5aa88b01d0f37d0b2652a17698ef0c003d2b4e87648e368c19c19766c4b68501

SHA512
18a36d8cf2eee44c8fbe7eb454f7aa78d88e51cd5382a158e1dd910c5a121275b45c7bf8f0629cee3a959db7a09d61ad7f0b4a58dc8e5347e6a028be7a1e3db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\python27.dll

MD5
6138016baaf592eec469d8c12ce4dc8f

SHA1
5c60a6678d5174bd9b5ee62af37fc9cdf1e4e66b

SHA256
97e3d69aee31bc6f3a2e42c37f5f71ce4847f95fed464f0009ad081e7d1046ef

SHA512
24455441e57fcc4b6b5f8a2086d6f56ec77549980f62fc028d00431db7d644a1cb008e7f8356873d701aa04caecf5c2d553fe708af10a5c0251d67f291077e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\pythoncom27.dll

MD5
b5e816d9d5b082ea838ff3c92c17e4eb

SHA1
c9cf16f2e5cab843f630120a315ac0ee386b2bd8

SHA256
2608e2dc017887d806212d99ee35b22c2d1e2cfb1500a9e42dabccb55d15a00b

SHA512
302f7e62c1ed5beb84abac166223849286c45ad2b37fd71f2cc3ecc38deaf2ef0c0d4b729e92361f719ec5f5f1bfe8ee22cac91c46ae62718ede780969d56e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\pywintypes27.dll

MD5
31e477b8317230a3d3b487cd7602415a

SHA1
f819b5c858db5fed1040a8576313917374ca944a

SHA256
021363d1945a8f1ec102bc29ecb32a11afa51023a42b4d951a9a50be5a2a42a9

SHA512
4f91f80c0d0cf671e637618b810c4e5cdc0699adce6b88ffa55058deb4fff98bdbb319712c6138e3692b9353ad33af9871abd643c63a791844653a9e980000d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\win32api.pyd

MD5
96bc06d86df79fcb05915aa7e9e1ca76

SHA1
76f6f814869b2b1519c23f8dea96a67646c96882

SHA256
f66ee4eac6a46133597eb85a48b1caf10df74db817a96629629e33ac4e68ad57

SHA512
5ab22e797bf2cb83b620bc1f84b8e1e31f60973d92ac3ada829f66defbe9c63fc1c107422ffe5cd3042abd0ad36ec9c0c3149470026b8c9fcebe6e361e4adf92

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\win32com.shell.shell.pyd

MD5
70b6a6e42eb081a629812393ab8b6dfc

SHA1
6d54a38b86ee4730fc6d24963ef56c8df95433c9

SHA256
6b6da79c99e28c32c7df3f85c96da029842fa0bcdbc20af08d4bc7644a772c36

SHA512
29873d11e596ebb95898be53f2e9ba2a7c2dadb9b5e51bdc89b9050f9beca574ebd855e5dd47ee88544028c4592c526f81308ff0f1906ea5fad7c97c7bb75b4f

Download Submit
C:\Users\Admin\AppData\Roaming\books.exe

MD5
b346f27746c82026ddc8d6623bea4d5a

SHA1
b1eef214d93f2a5ff7e1b7b5022c2f1fea036e5a

SHA256
9a8abce9786e03261035da1aef1aa9fb1272a71ab73155ca9faabc435c8528f2

SHA512
2f017f37c95df0471b045ab283a127de18944a52ff702adde36cdac65a4b93f795c5755388bbb3aeb73b2f2e1506f5d8402398430ec7f07df5cf8a802fb754ef

Download Submit
C:\Users\Admin\AppData\Roaming\books.exe

MD5
b346f27746c82026ddc8d6623bea4d5a

SHA1
b1eef214d93f2a5ff7e1b7b5022c2f1fea036e5a

SHA256
9a8abce9786e03261035da1aef1aa9fb1272a71ab73155ca9faabc435c8528f2

SHA512
2f017f37c95df0471b045ab283a127de18944a52ff702adde36cdac65a4b93f795c5755388bbb3aeb73b2f2e1506f5d8402398430ec7f07df5cf8a802fb754ef

Download Submit
C:\Users\Admin\AppData\Roaming\books.exe

MD5
b346f27746c82026ddc8d6623bea4d5a

SHA1
b1eef214d93f2a5ff7e1b7b5022c2f1fea036e5a

SHA256
9a8abce9786e03261035da1aef1aa9fb1272a71ab73155ca9faabc435c8528f2

SHA512
2f017f37c95df0471b045ab283a127de18944a52ff702adde36cdac65a4b93f795c5755388bbb3aeb73b2f2e1506f5d8402398430ec7f07df5cf8a802fb754ef

Download Submit
C:\Users\Admin\AppData\Roaming\winbody.exe

MD5
b195e7e16f89ac53a504c5b8d80fdf43

SHA1
042894b9486a0f04884a0b26ed4a486ad8c77ef0

SHA256
41d60178ee87a1eeee563c0935fe646ecacca616513c421799dd1d030c133f42

SHA512
aeef61ab25a0301ee1ff036c64ae2c6551d0425aa9a8d10f52535f8b02f6a8e666dc491c87a1e322f7f279eeb6d783da7340b2d585ef836527c429172b4c5af8

Download Submit
C:\Users\Admin\AppData\Roaming\winbody.exe

MD5
b195e7e16f89ac53a504c5b8d80fdf43

SHA1
042894b9486a0f04884a0b26ed4a486ad8c77ef0

SHA256
41d60178ee87a1eeee563c0935fe646ecacca616513c421799dd1d030c133f42

SHA512
aeef61ab25a0301ee1ff036c64ae2c6551d0425aa9a8d10f52535f8b02f6a8e666dc491c87a1e322f7f279eeb6d783da7340b2d585ef836527c429172b4c5af8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI11842\_ctypes.pyd

MD5
d7f2a6f8ceef96a76dc55064c1d0d065

SHA1
336d2ad30f77baf2382a6d8d13618ecf918dff24

SHA256
95203f4fa2bb28f83939a8666ea6c975c8123b906a2eccae7f6d75ad9c77a84b

SHA512
14929cfbbedf8359be1e373ba69553335c700deff1951ecfa7a2bd53cb4fe157bd5c5d626edd97fcdbb2f3aa3e91ab076d79172673924828e6f59698e82e904b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI11842\_hashlib.pyd

MD5
fe9d1b72e0d336a8066d80423b2c63f6

SHA1
f78c95d1b0a8bfdbaa2ec3f353c7b295708a316b

SHA256
4a5b0119a05582cb85c35995d3f18c1a429461583c5cd1f2fd95a93ed2afe4ff

SHA512
201fc2c0b938128e6041256e8263b6e0da1fe4befcd4d525a1952b1f6e58e08bf645323d06a516774a30ab80769412e2941acbdd49e6dddefb1c43b27a7878d0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI11842\bz2.pyd

MD5
291f0811eb4a4a7df13b499c2d701623

SHA1
8ebcfc6f172fce8d4e03688ea6e42428c65f7c79

SHA256
5aa88b01d0f37d0b2652a17698ef0c003d2b4e87648e368c19c19766c4b68501

SHA512
18a36d8cf2eee44c8fbe7eb454f7aa78d88e51cd5382a158e1dd910c5a121275b45c7bf8f0629cee3a959db7a09d61ad7f0b4a58dc8e5347e6a028be7a1e3db0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI11842\python27.dll

MD5
6138016baaf592eec469d8c12ce4dc8f

SHA1
5c60a6678d5174bd9b5ee62af37fc9cdf1e4e66b

SHA256
97e3d69aee31bc6f3a2e42c37f5f71ce4847f95fed464f0009ad081e7d1046ef

SHA512
24455441e57fcc4b6b5f8a2086d6f56ec77549980f62fc028d00431db7d644a1cb008e7f8356873d701aa04caecf5c2d553fe708af10a5c0251d67f291077e97

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI11842\pythoncom27.dll

MD5
b5e816d9d5b082ea838ff3c92c17e4eb

SHA1
c9cf16f2e5cab843f630120a315ac0ee386b2bd8

SHA256
2608e2dc017887d806212d99ee35b22c2d1e2cfb1500a9e42dabccb55d15a00b

SHA512
302f7e62c1ed5beb84abac166223849286c45ad2b37fd71f2cc3ecc38deaf2ef0c0d4b729e92361f719ec5f5f1bfe8ee22cac91c46ae62718ede780969d56e91

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI11842\pywintypes27.dll

MD5
31e477b8317230a3d3b487cd7602415a

SHA1
f819b5c858db5fed1040a8576313917374ca944a

SHA256
021363d1945a8f1ec102bc29ecb32a11afa51023a42b4d951a9a50be5a2a42a9

SHA512
4f91f80c0d0cf671e637618b810c4e5cdc0699adce6b88ffa55058deb4fff98bdbb319712c6138e3692b9353ad33af9871abd643c63a791844653a9e980000d3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI11842\win32api.pyd

MD5
96bc06d86df79fcb05915aa7e9e1ca76

SHA1
76f6f814869b2b1519c23f8dea96a67646c96882

SHA256
f66ee4eac6a46133597eb85a48b1caf10df74db817a96629629e33ac4e68ad57

SHA512
5ab22e797bf2cb83b620bc1f84b8e1e31f60973d92ac3ada829f66defbe9c63fc1c107422ffe5cd3042abd0ad36ec9c0c3149470026b8c9fcebe6e361e4adf92

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI11842\win32com.shell.shell.pyd

MD5
70b6a6e42eb081a629812393ab8b6dfc

SHA1
6d54a38b86ee4730fc6d24963ef56c8df95433c9

SHA256
6b6da79c99e28c32c7df3f85c96da029842fa0bcdbc20af08d4bc7644a772c36

SHA512
29873d11e596ebb95898be53f2e9ba2a7c2dadb9b5e51bdc89b9050f9beca574ebd855e5dd47ee88544028c4592c526f81308ff0f1906ea5fad7c97c7bb75b4f

Download Submit
\Users\Admin\AppData\Roaming\books.exe

MD5
b346f27746c82026ddc8d6623bea4d5a

SHA1
b1eef214d93f2a5ff7e1b7b5022c2f1fea036e5a

SHA256
9a8abce9786e03261035da1aef1aa9fb1272a71ab73155ca9faabc435c8528f2

SHA512
2f017f37c95df0471b045ab283a127de18944a52ff702adde36cdac65a4b93f795c5755388bbb3aeb73b2f2e1506f5d8402398430ec7f07df5cf8a802fb754ef

Download Submit
\Users\Admin\AppData\Roaming\books.exe

MD5
b346f27746c82026ddc8d6623bea4d5a

SHA1
b1eef214d93f2a5ff7e1b7b5022c2f1fea036e5a

SHA256
9a8abce9786e03261035da1aef1aa9fb1272a71ab73155ca9faabc435c8528f2

SHA512
2f017f37c95df0471b045ab283a127de18944a52ff702adde36cdac65a4b93f795c5755388bbb3aeb73b2f2e1506f5d8402398430ec7f07df5cf8a802fb754ef

Download Submit
\Users\Admin\AppData\Roaming\books.exe

MD5
b346f27746c82026ddc8d6623bea4d5a

SHA1
b1eef214d93f2a5ff7e1b7b5022c2f1fea036e5a

SHA256
9a8abce9786e03261035da1aef1aa9fb1272a71ab73155ca9faabc435c8528f2

SHA512
2f017f37c95df0471b045ab283a127de18944a52ff702adde36cdac65a4b93f795c5755388bbb3aeb73b2f2e1506f5d8402398430ec7f07df5cf8a802fb754ef

Download Submit
\Users\Admin\AppData\Roaming\winbody.exe

MD5
b195e7e16f89ac53a504c5b8d80fdf43

SHA1
042894b9486a0f04884a0b26ed4a486ad8c77ef0

SHA256
41d60178ee87a1eeee563c0935fe646ecacca616513c421799dd1d030c133f42

SHA512
aeef61ab25a0301ee1ff036c64ae2c6551d0425aa9a8d10f52535f8b02f6a8e666dc491c87a1e322f7f279eeb6d783da7340b2d585ef836527c429172b4c5af8

Download Submit
\Users\Admin\AppData\Roaming\winbody.exe

MD5
b195e7e16f89ac53a504c5b8d80fdf43

SHA1
042894b9486a0f04884a0b26ed4a486ad8c77ef0

SHA256
41d60178ee87a1eeee563c0935fe646ecacca616513c421799dd1d030c133f42

SHA512
aeef61ab25a0301ee1ff036c64ae2c6551d0425aa9a8d10f52535f8b02f6a8e666dc491c87a1e322f7f279eeb6d783da7340b2d585ef836527c429172b4c5af8

Download Submit
memory/1184-5-0x0000000000000000-mapping.dmp

Download
memory/1816-9-0x0000000000000000-mapping.dmp

Download
memory/2004-1-0x0000000000000000-mapping.dmp

Download