Analysis
- max time kernel: 135s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 01-10-2022 13:08
Static task: static1
Behavioral task behavioral1: sample 点击安装(飞机)简体中文语言包_v34.exe, resource win7-20220812-en
Behavioral task behavioral2: sample 点击安装(飞机)简体中文语言包_v34.exe, resource win10v2004-20220812-en
Behavioral task behavioral3: sample 英文客户基本聊天用语4d.exe, resource win7-20220901-en
Behavioral task behavioral4: sample 英文客户基本聊天用语4d.exe, resource win10v2004-20220812-en
Behavioral task behavioral5: sample 话术大全@88.exe, resource win7-20220812-en
Behavioral task behavioral6: sample 话术大全@88.exe, resource win10v2004-20220812-en
Behavioral task behavioral7: sample 资金盘切客前的裂变话术@.exe, resource win7-20220901-en
General
- Target: 英文客户基本聊天用语4d.exe
- Size: 288KB
- MD5: 6dd50e46cde774f81c2d9c2f1dd53286
- SHA1: ed289db14f1ed2b49befbbde6d50d577c9f00270
- SHA256: 827a9591ae0e0c65c759b2f38aeea2d112bedf1317e2f577d4c4ff800f3468f1
- SHA512: a759f889023cd730f6def0da96ff7eabf5c55565aff417327a96120dd52891ff771fabbc2fd70e298ab41cb4f84e1d63cbff941f02f2febc442265f841c39373
- SSDEEP: 6144:VFSaxPyF+czKRd6/fTZO4NHbjz7/7ssEPc:VF7xPe+c+ROTTNHblEPc
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 1576 unzip.exe
    PID 1580 test.exe
- Loads dropped DLL (1 IoC)
  Processes:
    PID 1580 test.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    test.exe, file opened (read-only): \??\Q:, \??\R:, \??\V:, \??\Z:, \??\G:, \??\H:, \??\L:, \??\M:, \??\Y:, \??\K:, \??\N:, \??\U:, \??\W:, \??\S:, \??\E:, \??\I:, \??\O:, \??\P:, \??\X:, \??\B:, \??\F:, \??\J:, \??\T:
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    test.exe, key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    test.exe, key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Suspicious behavior: EnumeratesProcesses (36 IoCs)
  Processes:
    PID 1580 test.exe (36 events)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    PID 1760 英文客户基本聊天用语4d.exe
    PID 1580 test.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 1760 英文客户基本聊天用语4d.exe wrote to memory of PID 1576 unzip.exe (4 events)
    PID 1760 英文客户基本聊天用语4d.exe wrote to memory of PID 1580 test.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\英文客户基本聊天用语4d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\英文客户基本聊天用语4d.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\Documents\unzip.exe
    Command line: "C:\Users\Public\Documents\unzip.exe" -o 1.zip
    - Executes dropped EXE
  - C:\Users\Public\Documents\test.exe
    Command line: "C:\Users\Public\Documents\test.exe" -c
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Documents\1.zip (2.2MB)
  MD5: c376152b898dea84a4cd36c60b46abcc
  SHA1: 6794441e6c61caee63400a496cefef9211eedd3b
  SHA256: de8f45d56d0ff34705ec98918888af3f6b0f445ee0bb14d4791b15d8f8e3a561
  SHA512: 430e8e1039a17cacfb5ad9f23d2fad6785dc34b08110961092d197d2a7e2439a898342e4cffe91fdc05a6861d187acc207a31848f68b8554d024972761ba5712
- C:\Users\Public\Documents\svchost.txt (4.3MB)
  MD5: a343421fc87ca5f5706f76d6f70af7a6
  SHA1: c8f3267d0307d356738c9cc60f17150dc850dadb
  SHA256: b9f0eedd1095b5439815e2a398d22ec3fe6a65fc2b9e7dddbd6d76b85a15d991
  SHA512: 73af0b92cdf1146e982d6e14f1e5680bc335ffbe4443f95788a55776ae07a60690e41fb7130443b95e60de17db1e73cd7379514fb6a8dfedcbd2bc9633e60b6c
- C:\Users\Public\Documents\test.exe (97KB)
  MD5: a3d7e08d9deaf34485a91d7fb64e5788
  SHA1: 093e66fbf5380b158d9ebd29d58ed5eaa6cd2e14
  SHA256: caa1917ab59dc6a0631d7b8797a83e09fe3951ec9b84098682c986b8cc2cd831
  SHA512: 1855d3b4392268a1ebb35e0a7d0e9ed4144eedb6b0f063c363b14e31e13c36a0b7fe7ea6c7e9d173a0873a338ef503e35777e7de082ac5a9ad8eea1dabf1101f
- C:\Users\Public\Documents\test123.dll (52KB)
  MD5: 1d2778ba51cfb525dc8ed42099600d3f
  SHA1: 1f3272e7273da9f5c6fc1579d5fa3d723ac96593
  SHA256: df924b4efb20e6d97072e9d31c98044f7f693696cb5da640714397c7dca09ca4
  SHA512: f845e794320125c8cf56c84b6bdb4b5b6627d5e1b456a2ff8b6ad93232c919c8928981e6f3e29fd3a979cce77ef61b04879463aac9ffb6b8ca0f8faecf42e9a8
- C:\Users\Public\Documents\unzip.exe (327KB)
  MD5: de5892706deb04e581ca0c4f8ac965ca
  SHA1: 1f5e413ab776904880a66f19c2c06f4b0b0c0e6f
  SHA256: 87c7ae15ed344aeb466f7bc10bbe3feadbe29531d44dc707aea9b293a16a153b
  SHA512: 6f691da7d730ecca9041a8590658a3e616afe20376058c1ef5a118c7f539e35dc5b8df7c45971276075f7260e695f41ea8963aa9510f3e73b274df74186c5e43
- \Users\Public\Documents\test123.dll (52KB)
  MD5: 1d2778ba51cfb525dc8ed42099600d3f
  SHA1: 1f3272e7273da9f5c6fc1579d5fa3d723ac96593
  SHA256: df924b4efb20e6d97072e9d31c98044f7f693696cb5da640714397c7dca09ca4
  SHA512: f845e794320125c8cf56c84b6bdb4b5b6627d5e1b456a2ff8b6ad93232c919c8928981e6f3e29fd3a979cce77ef61b04879463aac9ffb6b8ca0f8faecf42e9a8
- memory/1576-55-0x0000000000000000-mapping.dmp
- memory/1580-59-0x0000000000000000-mapping.dmp
- memory/1580-64-0x0000000075931000-0x0000000075933000-memory.dmp (8KB)
- memory/1580-65-0x0000000000BC0000-0x0000000001010000-memory.dmp (4.3MB)
- memory/1580-69-0x0000000000770000-0x0000000000BB8000-memory.dmp (4.3MB)
- memory/1760-54-0x000007FEFB621000-0x000007FEFB623000-memory.dmp (8KB)