Analysis
- max time kernel: 151s
- max time network: 110s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-09-2022 13:12
Static task: static1

Behavioral tasks (sample, resource):
- behavioral1: 人肉一件套/QQip/DrvIPBox.exe, win7-20220812-en
- behavioral2: 人肉一件套/QQip/DrvIPBox.exe, win10v2004-20220812-en
- behavioral3: 人肉一件套/QQip/QQ查IP工具.exe, win7-20220901-en
- behavioral4: 人肉一件套/QQip/QQ查IP工具.exe, win10v2004-20220812-en
- behavioral5: 人肉一件套/QQip/QQ查IP工具.exe, win7-20220812-en
- behavioral6: 人肉一件套/QQip/QQ查IP工具.exe, win10v2004-20220812-en
- behavioral7: 人肉一件套/QQip/ipdbhlp.dll, win7-20220901-en
- behavioral8: 人肉一件套/QQip/ipdbhlp.dll, win10v2004-20220812-en
- behavioral9: 人肉一件套/QQ查ip/DrvIPBox.exe, win7-20220812-en
- behavioral10: 人肉一件套/QQ查ip/DrvIPBox.exe, win10v2004-20220812-en
- behavioral11: 人肉一件套/QQ查ip/ipdbhlp.dll, win7-20220901-en
- behavioral12: 人肉一件套/QQ查ip/ipdbhlp.dll, win10v2004-20220812-en
- behavioral13: 人肉一件套/QQ查ip/梁山好汉抓包工具.exe, win7-20220812-en
- behavioral14: 人肉一件套/QQ查ip/梁山好汉抓包工具.exe, win10v2004-20220901-en
- behavioral15: 人肉一件套/专属人肉教程.docx, win7-20220812-en
- behavioral16: 人肉一件套/专属人肉教程.docx, win10v2004-20220812-en
- behavioral17: 人肉一件套/说明.docx, win7-20220812-en
- behavioral18: 人肉一件套/说明.docx, win10v2004-20220901-en
General
- Target: 人肉一件套/QQip/QQ查IP工具.exe
- Size: 212KB
- MD5: 4598a67b48e2398a6ec690ca077e0611
- SHA1: 39987619c8f6bb9d68425bef18631af43250e374
- SHA256: 2e786c546eb564e79135dd7b893711fc78f67de232eaf0727d88dbcb7016cd18
- SHA512: c322148fa2096afbf7bd8c60cae66b40cb875658dad51e161eabaf035925869982672ce735e11f3b38318239a3c9d7c9c7a6963d439d055861a2cdf8ffc006aa
- SSDEEP: 3072:OeXJuJqjGJWJDKtfJFkk42l5ZhfBzcIoAz2X1O8xWMmrJslhmebQJQ6pGWFvW:OeGJi+9J742dW42X1OYWMLme0JFgWFe
Malware Config
Signatures
Checks SCSI registry key(s) (3 TTPs, 14 IoCs)
SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters | QQ查IP工具.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | QQ查IP工具.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | QQ查IP工具.exe
Checks processor information in registry (2 TTPs, 16 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | QQ查IP工具.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | QQ查IP工具.exe
Key opened | \Registry\Machine\Hardware\Description\System\CentralProcessor | QQ查IP工具.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | QQ查IP工具.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | QQ查IP工具.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | QQ查IP工具.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | QQ查IP工具.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)

pid | Process
3688 | QQ查IP工具.exe
3688 | QQ查IP工具.exe
3688 | QQ查IP工具.exe
3688 | QQ查IP工具.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)

pid | Process
3688 | QQ查IP工具.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)

description | pid | Process
Token: SeDebugPrivilege | 3688 | QQ查IP工具.exe

Suspicious use of FindShellTrayWindow (1 IoC)

pid | Process
3688 | QQ查IP工具.exe

Suspicious use of SendNotifyMessage (1 IoC)

pid | Process
3688 | QQ查IP工具.exe

Suspicious use of SetWindowsHookEx (1 IoC)

pid | Process
3688 | QQ查IP工具.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\人肉一件套\QQip\QQ查IP工具.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\人肉一件套\QQip\QQ查IP工具.exe"
  PID: 3688
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx