Overview

overview

8

Static

static

8

U盘启动...ol.exe

windows7-x64

6

U盘启动...ol.exe

windows10-2004-x64

6

U盘启动...er.exe

windows7-x64

8

U盘启动...er.exe

windows10-2004-x64

8

U盘启动...�.docx

windows7-x64

4

U盘启动...�.docx

windows10-2004-x64

1

U盘启动...SO.exe

windows7-x64

3

U盘启动...SO.exe

windows10-2004-x64

1

U盘启动...ge.exe

windows7-x64

1

U盘启动...ge.exe

windows10-2004-x64

1

U盘启动...��.htm

windows7-x64

1

U盘启动...��.htm

windows10-2004-x64

1

U盘启动...��.url

windows7-x64

1

U盘启动...��.url

windows10-2004-x64

1

Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 22:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    U盘启动制作工具包/MsgDiyer.exe

  • Size

    3.3MB

  • MD5

    6f7a4e93ae4a93d9bad2fdef7ef09832

  • SHA1

    275f3f8876140def920106f2be775c8b1f2304cc

  • SHA256

    7b6e4e165649e15323e01bb38124e14899e720ca7d2cf743a4ee166199c3fa79

  • SHA512

    776f3b8a7dea198659b01455f6a5575ad74efd0cd6528008a170c9a11837bbff36ff5d706d2b28a0453d0f74d650fd5aedb8645a1c77b46fdf4bd49a5b5133ac

  • SSDEEP

    49152:n6dUpqhtfLqGr0d3EWZockmSFayRG3Dj2ojYoiptpwIXcmCkcuGBKfDH5gVD/yQc:oUpqhlLqP9+ay0zS4QtDccc7KfEt3Yq

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\U盘启动制作工具包\MsgDiyer.exe
    "C:\Users\Admin\AppData\Local\Temp\U盘启动制作工具包\MsgDiyer.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c jieya.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe
        cpio.exe -i
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MsgMTemp\16x16.fnt
    Filesize

    419KB

    MD5

    8f64119f1795aef752fa9456946159e7

    SHA1

    eac57164e63db3838c79362fe7f548f166048e2d

    SHA256

    89fa6c39de2e6b79c1a182e7f87529a6583a05fd032bbb46f85070f6ce19afde

    SHA512

    bdb1f07c9d2a9fcafde463095386a53ccdfdaf05fb8166e7628be8f569aa57b686c314edac231714678749d3ffaf18982ec437c6f36492bf92629f3ffc259d7c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MsgMTemp\back.jpg
    Filesize

    92KB

    MD5

    668884fb8d4f5e33e7940a8cfb6ea853

    SHA1

    a92d4446f84c9a09af2f12cf2e6c1cb9abc8f1bc

    SHA256

    bef03bd75cfd3e7a9eda6e48acfd61a43f70d77a61c392ad0690d1b769e0d369

    SHA512

    a08d0a0e94dc7e7f4859bd6dbe1544ae984ddf477bf77a60ab9417c1f6ddb7051ceaa0594faa4bfdf69e90a5cb2a75d023440ba1fb9d9688c47efb9bf3962fd9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe
    Filesize

    158KB

    MD5

    bf4826e42d3f7a0f663178d97b2bd923

    SHA1

    fc8db6821d8400efdcabb58a89f17413c1d0c986

    SHA256

    34b18b2cdd21efbf6954fa0f9042d2967fdc22b2cbaa8a72b5a0e2cb2123b922

    SHA512

    8615e8af72e0762983d623c727e94712ba237b942a24f7811c741d9feb94ed035e95d23252e3aad771578a92fe0725c044411ea49ae7c81843efdc6959b93e18

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe
    Filesize

    158KB

    MD5

    bf4826e42d3f7a0f663178d97b2bd923

    SHA1

    fc8db6821d8400efdcabb58a89f17413c1d0c986

    SHA256

    34b18b2cdd21efbf6954fa0f9042d2967fdc22b2cbaa8a72b5a0e2cb2123b922

    SHA512

    8615e8af72e0762983d623c727e94712ba237b942a24f7811c741d9feb94ed035e95d23252e3aad771578a92fe0725c044411ea49ae7c81843efdc6959b93e18

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MsgMTemp\gfxboot.cfg
    Filesize

    618B

    MD5

    f4b957cf633b256498cf476be34a6fa0

    SHA1

    7fa4bf5d3267216974b063ea9306ce6da730adc8

    SHA256

    95a408d57193b1ff25726060c7a1c1bdb0e5fbbbbd43a53d9460a2215d261532

    SHA512

    9885f2d6161b0f395bfad1fe66ce493956a599120395c09207574ac1cd599b3dfbd2a1087169cc4c237e28ddd1fdbcb035b5a04c85c47290523fed2a88b4fe2a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MsgMTemp\jieya.cmd
    Filesize

    16B

    MD5

    bf80c4e2a7662ca4790e5eb2b94deb63

    SHA1

    7f4034ca5069a398b1fecc20076d20227629aa77

    SHA256

    af18207cb457354b44fa00be373e7a4506e34f1d777be842d75f72f769108a55

    SHA512

    f6dda989804faf8f5362ca55a3080a724a2ad6aa586cf820bd86ad2975e84d07fe9b56e0f41404aebf377db8770eb665a289e4884e5445ac6c567666e15275d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MsgMTemp\libiconv2.dll
    Filesize

    955KB

    MD5

    b6a9e9e63a6cbfc6a593493c943938cb

    SHA1

    8145e25be5d15ef3105073265ee05f04d836cd82

    SHA256

    72d73c3238e92208269b9d401b4598987116ea4fcafd91e249b3b9b558d022ff

    SHA512

    7a7f49811a1e0cbe0060a7334898ca6cfb9cc63f3c76af64445d178d46fad18db6fad024a84f284a2ee2170aa2d38fd79d925d1cc25592a77eeee9aec15567e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MsgMTemp\libiconv2.dll
    Filesize

    955KB

    MD5

    b6a9e9e63a6cbfc6a593493c943938cb

    SHA1

    8145e25be5d15ef3105073265ee05f04d836cd82

    SHA256

    72d73c3238e92208269b9d401b4598987116ea4fcafd91e249b3b9b558d022ff

    SHA512

    7a7f49811a1e0cbe0060a7334898ca6cfb9cc63f3c76af64445d178d46fad18db6fad024a84f284a2ee2170aa2d38fd79d925d1cc25592a77eeee9aec15567e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MsgMTemp\libintl3.dll
    Filesize

    101KB

    MD5

    d202baa425176287017ffe1fb5d1b77c

    SHA1

    192e597d8ff0192f6c4e4643361f84277ed51121

    SHA256

    f48ce1866602b114e653c876334b771107559acf1c685373d2305034613958f0

    SHA512

    706d74c56ce8d08539c729bdb6c8d57c9a4b0a1c795b8574a1bb2c452358e1bfd5d4fca5a00ab7568dea4ae02c553ce6ab199b3c6418a44cb8915f7e26bd2988

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MsgMTemp\libintl3.dll
    Filesize

    101KB

    MD5

    d202baa425176287017ffe1fb5d1b77c

    SHA1

    192e597d8ff0192f6c4e4643361f84277ed51121

    SHA256

    f48ce1866602b114e653c876334b771107559acf1c685373d2305034613958f0

    SHA512

    706d74c56ce8d08539c729bdb6c8d57c9a4b0a1c795b8574a1bb2c452358e1bfd5d4fca5a00ab7568dea4ae02c553ce6ab199b3c6418a44cb8915f7e26bd2988

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MsgMTemp\msg
    Filesize

    763KB

    MD5

    968c337d23ea50d0f052438a6f0551ad

    SHA1

    c9e7472dd013cb5b059566bd8c49a0459dbd977a

    SHA256

    44e48f412fc1b7bb31786f3680cddbf98f5b22603bfb4a32918ba83f21db28b8

    SHA512

    a770b3d3b3cf724aa3f3bb59b0f8c7cf19dfed8d05fc1089733fe1626ec69c931e0849d96097437625a3965278c8c60a2421ce860348c38409d8eac8ca30d983

    Download Submit

  • memory/2588-133-0x0000000000000000-mapping.dmp

    Download

  • memory/4244-132-0x0000000000400000-0x00000000009FD000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4244-146-0x0000000000400000-0x00000000009FD000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4308-136-0x0000000000000000-mapping.dmp

    Download