Analysis
-
max time kernel
152s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
01-10-2022 13:08
General
-
Target
资金盘切客前的裂变话术@.exe
-
Size
560KB
-
MD5
70af047bd1f94a5a73629ef27bde5fab
-
SHA1
61caa47e65ed8a7c68863b608fe3fb71eb85e43f
-
SHA256
e88911e434654723cc1d9a1b248f9c67fe9b96a2259502822ab5634bd7ea184c
-
SHA512
d92d1b9bccd5e0b29b419200a7a29e497240281e554665ec0cf0b1929094615e7f1ffd36144fc78ba7299e1f3d3787e796c0eedf95cb89a022832a875449975e
-
SSDEEP
12288:Qm/xg6QD7AMZ/9WY+iuMMHGHzlkdaaRwz5GQMq+y2vXqsyOtCriP8Wh:hKj/9WYzuMuGTlHcQl2vry+Crih
Malware Config
Signatures
-
Detect PurpleFox Rootkit 4 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 4 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 51 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\资金盘切客前的裂变话术@.exe"C:\Users\Admin\AppData\Local\Temp\资金盘切客前的裂变话术@.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" C:\Users\Public\Music\gqohka2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\odtre\hncy.exe"C:\Users\Public\odtre\hncy.exe" C:\Users\Public\odtre\xup.zip -d C:\Users\Admin\AppData\Roaming2⤵
- Executes dropped EXE
- Drops startup file
-
C:\Users\Public\Pictures\Vrice\epvxtp\srkdlv.exe"C:\Users\Public\Pictures\Vrice\epvxtp\srkdlv.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\SHELL.TXTFilesize
1.2MB
MD56c31255e56b22ff932555778af8798d7
SHA14cd2c651c1bb4d8bf861d6acf379c8f6e7a25b8a
SHA2569bb3e1d29f1527268455a26c640fd09bca608b2bc1559dc9deda94aa2221abcd
SHA5129880a646ae7db6b395a0605f15daaab1f9c7d890167e68b395981f4feefb4c9d824f943fa0b7b692a89622920a034386e4a1540d7c2220db29f00e7f2ca61b4f
-
C:\Users\Public\Music\gqohka\bdiexo.lnkFilesize
1KB
MD5c4cc8e31423e89fc577257f00844c601
SHA12f750bd43758fe7931878722bcf2ddddb04a7262
SHA256a52507ef992227906bacea4f7ef8d9cf303cc3794266d0dfa1fb99992f8126bd
SHA5124c8c0c8c1a6ccffe75fa78ff3fe5fd66fba33f6c1d9082d4b05205b305267ed693d307185d61acf6fb794da10566c1b3b1a734e046c82adf0955f321477deaf9
-
C:\Users\Public\Music\gqohka\fdgcgbg.urlFilesize
136B
MD52513d2b61fc04f62f2ec5f7df301bf04
SHA14705d9d40303824dd275bfb6c9585b0cf0b4151f
SHA2561fb5a75f17e601313d8803a0b30f711bfa771735e47b6ca505d3093da50864ae
SHA512c0c6c466e7b016f7ce7ec365c027354fe9e30c1f518188e3dc3bf9e7af15d3ffc7637d4b9f7a853f8f4623e422d61b95f83ffd929e9a3564a9d64ac6376f09a5
-
C:\Users\Public\Music\gqohka\grxwwpm.urlFilesize
136B
MD52513d2b61fc04f62f2ec5f7df301bf04
SHA14705d9d40303824dd275bfb6c9585b0cf0b4151f
SHA2561fb5a75f17e601313d8803a0b30f711bfa771735e47b6ca505d3093da50864ae
SHA512c0c6c466e7b016f7ce7ec365c027354fe9e30c1f518188e3dc3bf9e7af15d3ffc7637d4b9f7a853f8f4623e422d61b95f83ffd929e9a3564a9d64ac6376f09a5
-
C:\Users\Public\Music\gqohka\hpavscb.urlFilesize
136B
MD52513d2b61fc04f62f2ec5f7df301bf04
SHA14705d9d40303824dd275bfb6c9585b0cf0b4151f
SHA2561fb5a75f17e601313d8803a0b30f711bfa771735e47b6ca505d3093da50864ae
SHA512c0c6c466e7b016f7ce7ec365c027354fe9e30c1f518188e3dc3bf9e7af15d3ffc7637d4b9f7a853f8f4623e422d61b95f83ffd929e9a3564a9d64ac6376f09a5
-
C:\Users\Public\Music\gqohka\pharvx.lnkFilesize
1KB
MD52fbf0bbd8061fcccac809feed0910d4d
SHA109df9aa7906b6077e3f8e2aedbca6921cdb34b8e
SHA25681814bffbcedba2f52a93c975fb29a4d5d680a337cc75693fddd8309508e7e42
SHA51288ce2315ba4d347b8e8f4575586e91299298e206f056a20943121f2ea6a99ef62128e82853288e0655aeaeb411a06390b55fd0d53b4947a8da447b9f59128527
-
C:\Users\Public\Music\gqohka\pwucrxq.urlFilesize
136B
MD52513d2b61fc04f62f2ec5f7df301bf04
SHA14705d9d40303824dd275bfb6c9585b0cf0b4151f
SHA2561fb5a75f17e601313d8803a0b30f711bfa771735e47b6ca505d3093da50864ae
SHA512c0c6c466e7b016f7ce7ec365c027354fe9e30c1f518188e3dc3bf9e7af15d3ffc7637d4b9f7a853f8f4623e422d61b95f83ffd929e9a3564a9d64ac6376f09a5
-
C:\Users\Public\Music\gqohka\rhwgos.lnkFilesize
1KB
MD5ed74b0186c164cb459dbd05dd338b9e6
SHA1d3aa8abf3b8b9366bdbd4cfaed3f0d9c5a567556
SHA25614447af3636160084e749202e2e1e084006032508ec2cab41e79c6f07497ddfd
SHA51259de450626eb8f1df98369bf38af58860f5a53d44d14258c0a2a3429b97473f527afa31c78f5f763ed2e555ab13c6d369a7d73379f58c8c22a26199085827b4a
-
C:\Users\Public\Music\gqohka\sdgeqh.lnkFilesize
1KB
MD5a40766d3e3b297b869a991fbb909b6d1
SHA123de1aee47aa907b86b427879c49a4d862c10327
SHA25643753725b1c46f4206cfa618d618f08c77259041096cabbb2549961f82d081ee
SHA512c9295c41767213e95af025eae63d0e07e6b179769e57787b72e38d94be3f47e518c7aef9c9ac092aa17137b86848a8be28f2662f53d3d59768a989c16be75411
-
C:\Users\Public\Music\gqohka\waaftu.lnkFilesize
1KB
MD5ea0a092bcba797900de3793116ac7c5d
SHA14276d927fb4e542c16ca021871280524515d2d8b
SHA256fbce4aa4b03eca028843e80b28f778a548bedeb391f4ae3ec914bd5ea608e2d1
SHA51220575e35c96302e1781e188b6c8c2593a27e20461a7cf93268d4cb74413bfa5fca7f0a26cd8162fac5edf1a31d5269eead897f8bd38df9dd84571d4d7ed58a39
-
C:\Users\Public\Music\gqohka\wcfgyut.urlFilesize
136B
MD52513d2b61fc04f62f2ec5f7df301bf04
SHA14705d9d40303824dd275bfb6c9585b0cf0b4151f
SHA2561fb5a75f17e601313d8803a0b30f711bfa771735e47b6ca505d3093da50864ae
SHA512c0c6c466e7b016f7ce7ec365c027354fe9e30c1f518188e3dc3bf9e7af15d3ffc7637d4b9f7a853f8f4623e422d61b95f83ffd929e9a3564a9d64ac6376f09a5
-
C:\Users\Public\Music\gqohka\xctcekp.urlFilesize
136B
MD52513d2b61fc04f62f2ec5f7df301bf04
SHA14705d9d40303824dd275bfb6c9585b0cf0b4151f
SHA2561fb5a75f17e601313d8803a0b30f711bfa771735e47b6ca505d3093da50864ae
SHA512c0c6c466e7b016f7ce7ec365c027354fe9e30c1f518188e3dc3bf9e7af15d3ffc7637d4b9f7a853f8f4623e422d61b95f83ffd929e9a3564a9d64ac6376f09a5
-
C:\Users\Public\Music\gqohka\ygmhnp.lnkFilesize
1KB
MD5149f49cf37c103c05d317e7af93c8464
SHA17a333d3595773b3c13df5304c0a3c16dfb32fe10
SHA2560725e986eef31c133a088bb24ef92bdfe0ccc23025be0951b5c85181a661b3a6
SHA5122a4e45a145a39e86c328f16537931e206bab6f69bd238acba8edad8141938a6f2ba76f760ca077f3e1aca6d2ffa9a69d38f6d292fb0a4b6a813b0b2fe7195aeb
-
C:\Users\Public\Pictures\Vrice\epvxtp\libeay32.dllFilesize
432KB
MD537eb21285d987e42e8ba21654eae1435
SHA1a2eb5ff046a98490f2cef2512934b1a43a31412a
SHA2567ecab556edfe659cd0c07f22bc3594f4ea7e1f2321cee0992994052e41b38e11
SHA512336585da9288d892e12b9935e2de83f77af04673e65ef7bf2783dc078d882c444ca235d284348adf11b85cede3dfcc86f3590768644d37ffa60b11c9338c0203
-
C:\Users\Public\Pictures\Vrice\epvxtp\libeay32.dllFilesize
432KB
MD537eb21285d987e42e8ba21654eae1435
SHA1a2eb5ff046a98490f2cef2512934b1a43a31412a
SHA2567ecab556edfe659cd0c07f22bc3594f4ea7e1f2321cee0992994052e41b38e11
SHA512336585da9288d892e12b9935e2de83f77af04673e65ef7bf2783dc078d882c444ca235d284348adf11b85cede3dfcc86f3590768644d37ffa60b11c9338c0203
-
C:\Users\Public\Pictures\Vrice\epvxtp\srkdlv.exeFilesize
317KB
MD58103b92de5a64b71ff749f9d7244e4fe
SHA15e80bd53d3041a1369ebae2819c59cd031ac1092
SHA25694a8414100f07c00a751954aeed1b0415688372cb40f6201461266dcbce9c3e1
SHA5123789d3a093806810baf5f77107badf3e63b38497e73e3e6ab10ea6f9399102d4e7fab47756e8245999089303fc2437da09309aeac7e6e520ab3172170d5d14fb
-
C:\Users\Public\Pictures\Vrice\epvxtp\srkdlv.exeFilesize
317KB
MD58103b92de5a64b71ff749f9d7244e4fe
SHA15e80bd53d3041a1369ebae2819c59cd031ac1092
SHA25694a8414100f07c00a751954aeed1b0415688372cb40f6201461266dcbce9c3e1
SHA5123789d3a093806810baf5f77107badf3e63b38497e73e3e6ab10ea6f9399102d4e7fab47756e8245999089303fc2437da09309aeac7e6e520ab3172170d5d14fb
-
C:\Users\Public\Pictures\Vrice\epvxtp\ssleay32.dllFilesize
425KB
MD568e32ca1d7031ff1bfeaef5080a7806c
SHA18b43f487401145e188b9ee4bfdcfd263f0c50a5f
SHA256702c06cd8b4d10340ce1e5064183c28146cea864a606db416e29c2edd38c2d63
SHA512a13c33c0a25faf54816436585c3250f50df1c685495ef1ae51417fc4489e9d527e30ad03c4f2b4f3d17cdbb1abd1c820b154faa55705e588921d8fb392a033ae
-
C:\Users\Public\Pictures\Vrice\epvxtp\ssleay32.dllFilesize
425KB
MD568e32ca1d7031ff1bfeaef5080a7806c
SHA18b43f487401145e188b9ee4bfdcfd263f0c50a5f
SHA256702c06cd8b4d10340ce1e5064183c28146cea864a606db416e29c2edd38c2d63
SHA512a13c33c0a25faf54816436585c3250f50df1c685495ef1ae51417fc4489e9d527e30ad03c4f2b4f3d17cdbb1abd1c820b154faa55705e588921d8fb392a033ae
-
C:\Users\Public\Pictures\Vrice\epvxtp\wc.xmlFilesize
136KB
MD5bf6385ce92c88a240cfd0ac6d7980f2b
SHA188c677969da3b775e45ce029fbf027a69f3effaf
SHA2563b2c07519024d14113e3d2e500ccdba72c08f9778c5208f4e2719b0495b5249c
SHA512f672d949c0c9f1616e4355d298ceba41e2b53e9cf10a1cb970cc9393248d138e1d99ac0f9df391fa4988d171bb062e0ee0b9f5c0000ecf53f46ae2d330044e0f
-
C:\Users\Public\Pictures\Vrice\epvxtp\zlib1.dllFilesize
98KB
MD5d90dad5eea33a178bac56fff2847d4c2
SHA1cbbce727fd8447487c7fc68051b24df17d043649
SHA256104162a59e7784e1fe2ec0b7db8836e1eb905abfd1602a05d86debe930b40cbf
SHA5128dbe57e32554d049a0779c40645dfbad2eaa1eeaf746898cd44f8686265f1fd4f84d6f857ba40644294d817d5c5eab6ba6271df55c56047fd16c10b8478184eb
-
C:\Users\Public\Pictures\Vrice\epvxtp\zlib1.dllFilesize
98KB
MD5d90dad5eea33a178bac56fff2847d4c2
SHA1cbbce727fd8447487c7fc68051b24df17d043649
SHA256104162a59e7784e1fe2ec0b7db8836e1eb905abfd1602a05d86debe930b40cbf
SHA5128dbe57e32554d049a0779c40645dfbad2eaa1eeaf746898cd44f8686265f1fd4f84d6f857ba40644294d817d5c5eab6ba6271df55c56047fd16c10b8478184eb
-
C:\Users\Public\odtre\hncy.exeFilesize
40KB
MD5d3ed82f676591a9c47037a7b66908832
SHA149533ea0b019b76131c14936814f99b9794d506b
SHA2560ef64a90dad0929f282fa1425422b2ffd70bf2ac803371fe3c780afefad66455
SHA512c79e09b8f47200acec33042cf183ead8cb3f7f87380e2ee4b3a2d6a05d96305277dea13974714d3e8ff8dd7c4733a2e4e93e137408de66ef60b6ec6f3e862986
-
C:\Users\Public\odtre\hncy.exeFilesize
40KB
MD5d3ed82f676591a9c47037a7b66908832
SHA149533ea0b019b76131c14936814f99b9794d506b
SHA2560ef64a90dad0929f282fa1425422b2ffd70bf2ac803371fe3c780afefad66455
SHA512c79e09b8f47200acec33042cf183ead8cb3f7f87380e2ee4b3a2d6a05d96305277dea13974714d3e8ff8dd7c4733a2e4e93e137408de66ef60b6ec6f3e862986
-
C:\Users\Public\odtre\xup.zipFilesize
1KB
MD5d77274b8ba054bb26aff4a0b28ccce8d
SHA12238d334d4f17a9741ed50ae49e585a0f109aaa9
SHA2565a0df20414769da5ed49d74e4bc30033843816c7de7db57ee31dd2d836d8f180
SHA51210af86288d65ba691e807bc51a246f5d779f80101d2f7d25f9784514a45ccf4e2033f2472cfaf3e3e44d4d1f09ff1d7c2c6b0ae8b352b5b3f2fd39097d291cad
-
memory/756-140-0x0000000006190000-0x0000000006222000-memory.dmpFilesize
584KB
-
memory/756-139-0x0000000006740000-0x0000000006CE4000-memory.dmpFilesize
5.6MB
-
memory/2204-169-0x00000000039E0000-0x0000000003B85000-memory.dmpFilesize
1.6MB
-
memory/2204-161-0x00000000721D0000-0x00000000722FB000-memory.dmpFilesize
1.2MB
-
memory/2204-163-0x0000000010000000-0x0000000010023000-memory.dmpFilesize
140KB
-
memory/2204-153-0x0000000000000000-mapping.dmp
-
memory/2204-165-0x00000000039E0000-0x0000000003B85000-memory.dmpFilesize
1.6MB
-
memory/2204-166-0x00000000038A0000-0x00000000039D8000-memory.dmpFilesize
1.2MB
-
memory/2204-167-0x00000000039E0000-0x0000000003B85000-memory.dmpFilesize
1.6MB
-
memory/2204-168-0x00000000721D0000-0x00000000722FB000-memory.dmpFilesize
1.2MB
-
memory/3176-132-0x0000000000000000-mapping.dmp
-
memory/3308-142-0x0000000000000000-mapping.dmp
-
memory/3308-145-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB