Analysis

  • max time kernel
    48s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 04:56

General

  • Target

一键修改系统信息.exe (the file name means "one-click modify system information")

  • Size

    1.7MB

  • MD5

    0692e1b606617ee36a5bff5a919bac66

  • SHA1

    aa29d6e9049c125084c8b78c6f816a5ffaed0bee

  • SHA256

    a114ea8d11c12e66d1fb2ddd31ce91aa24ec9355dc6b3ab3fe2840cdf6a3f96b

  • SHA512

    b45a6438d7bc3039520bcc3abd97530fd776036e1b5756117fc3dfaa980bc7633adaea0b61c173e3a066083f7d4522a89d782c14a56eb5349920b68407773deb

Score
7/10

Malware Config

Signatures

  • Checks BIOS information in registry (2 TTPs, 20 IoCs)

    BIOS information is often read in order to detect sandboxing environments. Hypervisors leave vendor strings (manufacturer, product name, BIOS vendor) in the firmware values exposed under HKLM\HARDWARE\DESCRIPTION\System\BIOS, and a sample that finds them can change or stop its behaviour.

  • Checks system information in the registry (2 TTPs, 10 IoCs)

    System information is often read in order to detect sandboxing environments. Note that this file's name translates to "one-click modify system information", so reading hardware and system identifiers from the registry is also consistent with the tool's advertised purpose; the reads alone do not establish evasion, and the specific values read are not listed in this report.

  • Enumerates system info in registry (2 TTPs, 64 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 5 IoCs)
  • Modifies data under HKEY_USERS (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (20 IoCs)
  • Suspicious use of FindShellTrayWindow (20 IoCs)
  • Suspicious use of SendNotifyMessage (20 IoCs)
  • Suspicious use of SetWindowsHookEx (10 IoCs)

    The FindShellTrayWindow, SendNotifyMessage and SetWindowsHookEx signatures are generic API-usage heuristics that also fire for ordinary interactive GUI applications. SetWindowsHookEx is additionally the classic keylogging primitive, so the hook type (for example WH_KEYBOARD_LL) and whether the hook is global rather than thread-local are worth checking before drawing a conclusion.
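The following is an added illustration of the check the "Checks BIOS information in registry" signature describes; it is not code from the analysed sample or from the sandbox. It reads the usual firmware values under HKEY_LOCAL_MACHINE (the key and value names are assumed typical Windows 10 locations, not the ones the sample actually touched, which the report does not list), and matches them against hypervisor vendor strings. The matching is a pure function so it can be run offline against captured values; the constructed sample dictionaries stand in for a VMware guest and a physical Dell host.

```python
"""Sandbox/VM detection via BIOS registry values (added example, not the
sample's own code).  Registry locations are assumed typical Windows 10
locations; which values the analysed sample read is not stated on the page."""
import sys

# Values under HKEY_LOCAL_MACHINE that expose firmware and system identity.
# Assumed typical locations; not taken from the report's IoC list.
BIOS_REGISTRY_VALUES = {
    r"HARDWARE\DESCRIPTION\System\BIOS": (
        "SystemManufacturer", "SystemProductName", "BIOSVendor", "BIOSVersion",
    ),
    r"HARDWARE\DESCRIPTION\System": ("SystemBiosVersion", "VideoBiosVersion"),
}

# Substrings that hypervisor vendors commonly leave in firmware strings.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "bochs", "xen",
              "hyper-v", "virtual machine", "parallels", "kvm")


def read_bios_values():
    """Read the values above from the live registry (Windows only).
    Returns {value_name: data}; returns {} on other platforms so the
    rest of the script can still run on captured values."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    found = {}
    for subkey, names in BIOS_REGISTRY_VALUES.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                for name in names:
                    try:
                        data, _type = winreg.QueryValueEx(key, name)
                    except FileNotFoundError:
                        continue
                    # REG_MULTI_SZ is returned as a list; flatten it.
                    found[name] = " ".join(data) if isinstance(data, list) else str(data)
        except OSError:
            continue
    return found


def vm_indicators(values):
    """Return sorted (value_name, marker) pairs for every firmware string
    that contains a known hypervisor marker (case-insensitive)."""
    hits = []
    for name, data in values.items():
        lowered = str(data).lower()
        for marker in VM_MARKERS:
            if marker in lowered:
                hits.append((name, marker))
    return sorted(hits)


def looks_like_sandbox(values):
    """True when at least one hypervisor marker was found."""
    return bool(vm_indicators(values))


# Constructed sample values (not captured from the analysed run).
SAMPLE_VMWARE = {
    "SystemManufacturer": "VMware, Inc.",
    "SystemProductName": "VMware Virtual Platform",
    "BIOSVendor": "Phoenix Technologies LTD",
}
SAMPLE_PHYSICAL = {
    "SystemManufacturer": "Dell Inc.",
    "SystemProductName": "Latitude 7420",
    "BIOSVendor": "Dell Inc.",
}

if __name__ == "__main__":
    # On Windows this inspects the real machine; elsewhere it falls back
    # to the constructed VMware values so the logic can still be exercised.
    live = read_bios_values() or SAMPLE_VMWARE
    for name, marker in vm_indicators(live):
        print(f"{name}: matched '{marker}'")
    print("sandbox-like:", looks_like_sandbox(live))
```

The point for triage is that a read of these values is only a query; whether the sample then branches on the result is what separates evasion from a system-information tool doing its job, and that has to be established from later behaviour or from the code path around the read.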

Processes

  • C:\Users\Admin\AppData\Local\Temp\一键修改系统信息.exe
    "C:\Users\Admin\AppData\Local\Temp\一键修改系统信息.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks system information in the registry
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4900
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1464
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2012

    Both svchost.exe entries host standard Windows services (Netman is Network Connections, NetSetupSvc is Network Setup Service). They are listed at the same tree level as the sample rather than as its children, so their registry and privilege activity is background service behaviour during the run, not something the sample spawned.

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    T1112 Modify Registry (1)

  • Discovery
    T1012 Query Registry (3)
    T1082 System Information Discovery (3)
