6e4a058967de8e8b73a0f3aa363bdf2aa6c1fa56c6c5ba1f4d5e78c3249a6de7

General

Target

IDM 激活工具.cmd
Size

25KB
MD5

419b8e559eb9f6de0fc42c5dae34356f
SHA1

e723bd40034e3486173840a4a38154548b1cee56
SHA256

7dd95b809be00973b158bbb749ebabd3cba95381661a7bc00c2cc9d4044314b8
SHA512

04c75326779a30cb1ac99ec5083b4d3991536c422f57d2b75e7516793e716210e49349d90ebbda7d033392c37b8459ceba1ff5e0f2dc4295a54f3c417be68f65
SSDEEP

192:ewVLk373E1zU0eRB/x56PmX+BFq+EOIyKatBBLiffE7myr5W0bt/8wVaTfCElzEd:E3739dRJqTg7YOgcugPZ5SAJkYltq

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	reg.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

1816 reg.exe
1800 reg.exe
328 reg.exe

pid	process
1816	reg.exe
1800	reg.exe
328	reg.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1404 wrote to memory of 844	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 844	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 844	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 1628	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 1628	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 1628	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 1720	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 1720	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 1720	1404	cmd.exe	cmd.exe
PID 1720 wrote to memory of 1712	1720	cmd.exe	reg.exe
PID 1720 wrote to memory of 1712	1720	cmd.exe	reg.exe
PID 1720 wrote to memory of 1712	1720	cmd.exe	reg.exe
PID 1404 wrote to memory of 1496	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1496	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1496	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1540	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1540	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1540	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1780	1404	cmd.exe	find.exe
PID 1404 wrote to memory of 1780	1404	cmd.exe	find.exe
PID 1404 wrote to memory of 1780	1404	cmd.exe	find.exe
PID 1404 wrote to memory of 1508	1404	cmd.exe	mode.com
PID 1404 wrote to memory of 1508	1404	cmd.exe	mode.com
PID 1404 wrote to memory of 1508	1404	cmd.exe	mode.com
PID 1404 wrote to memory of 1312	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 1312	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 1312	1404	cmd.exe	cmd.exe
PID 1312 wrote to memory of 1800	1312	cmd.exe	reg.exe
PID 1312 wrote to memory of 1800	1312	cmd.exe	reg.exe
PID 1312 wrote to memory of 1800	1312	cmd.exe	reg.exe
PID 1404 wrote to memory of 908	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 908	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 908	1404	cmd.exe	cmd.exe
PID 908 wrote to memory of 328	908	cmd.exe	reg.exe
PID 908 wrote to memory of 328	908	cmd.exe	reg.exe
PID 908 wrote to memory of 328	908	cmd.exe	reg.exe
PID 1404 wrote to memory of 1664	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 1664	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 1664	1404	cmd.exe	cmd.exe
PID 1664 wrote to memory of 1816	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 1816	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 1816	1664	cmd.exe	reg.exe
PID 1404 wrote to memory of 268	1404	cmd.exe	findstr.exe
PID 1404 wrote to memory of 268	1404	cmd.exe	findstr.exe
PID 1404 wrote to memory of 268	1404	cmd.exe	findstr.exe
PID 1404 wrote to memory of 1904	1404	cmd.exe	findstr.exe
PID 1404 wrote to memory of 1904	1404	cmd.exe	findstr.exe
PID 1404 wrote to memory of 1904	1404	cmd.exe	findstr.exe
PID 1404 wrote to memory of 1296	1404	cmd.exe	findstr.exe
PID 1404 wrote to memory of 1296	1404	cmd.exe	findstr.exe
PID 1404 wrote to memory of 1296	1404	cmd.exe	findstr.exe
PID 1404 wrote to memory of 340	1404	cmd.exe	findstr.exe
PID 1404 wrote to memory of 340	1404	cmd.exe	findstr.exe
PID 1404 wrote to memory of 340	1404	cmd.exe	findstr.exe
PID 1404 wrote to memory of 776	1404	cmd.exe	choice.exe
PID 1404 wrote to memory of 776	1404	cmd.exe	choice.exe
PID 1404 wrote to memory of 776	1404	cmd.exe	choice.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\IDM 激活工具.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
2⤵
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\DownloadManager" /v ExePath 2>nul
2⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" /v ExePath
3⤵
PID:1712

C:\Windows\System32\reg.exe
reg query HKU\S-1-5-19
2⤵
PID:1496

C:\Windows\System32\reg.exe
reg query "HKLM\Hardware\Description\System\CentralProcessor\0" /v "Identifier"
2⤵
- Checks processor information in registry
PID:1540

C:\Windows\System32\find.exe
find /i "x86"
2⤵
PID:1780

C:\Windows\System32\mode.com
mode 65, 25
2⤵
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall 2>nul
2⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall
3⤵
- Modifies registry key
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile /v EnableFirewall 2>nul
2⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile /v EnableFirewall
3⤵
- Modifies registry key
PID:328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall 2>nul
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall
3⤵
- Modifies registry key
PID:1816

C:\Windows\System32\findstr.exe
findstr /a:07 /f:`.txt "."
2⤵
PID:268

C:\Windows\System32\findstr.exe
findstr /a:0C /f:`.txt "."
2⤵
PID:1904

C:\Windows\System32\findstr.exe
findstr /a:07 /f:`.txt "."
2⤵
PID:1296

C:\Windows\System32\findstr.exe
findstr /a:0A /f:`.txt "."
2⤵
PID:340

C:\Windows\System32\choice.exe
choice /C:12345 /N
2⤵
PID:776

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\'
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Windows\Temp\'
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Windows\Temp\`.txt
Filesize
42B

MD5
3b7939a5c1dfa88776d8383f755026b3

SHA1
ee64a23dd8d898962c777b15631cec84932ad449

SHA256
e5a1828df77774c461e591d1232c6c19126b88f764c7fb7d1bdfd4de8781703f

SHA512
b27c5bb2902408d5aa945e68402752cb8ddebe21af1d548014960c65af11c30f607a9c2c2d6015c7bbfc4288eaac4ab764699236096baa63bbff3fe8d04e8edf

Download Submit
C:\Windows\Temp\`.txt
Filesize
17B

MD5
cabc561b03f9a4ef0535932b6eaf08a0

SHA1
da58171d7dd97bbf8c6d38f64dcfda4cee3d465c

SHA256
d30e98e8b15e2388b0ea2a42677d26a2b0894506720ac8cbbae70662e76dfdd2

SHA512
dd0402ed32c8247b700aea2c7fdc4bd7e5cdc8979e1d9ae5953fe13b1b15622cb73dd1a749e3984027120456b1420548270002bdb3383cdd3c7aec2595f56682

Download Submit
C:\Windows\Temp\`.txt
Filesize
15B

MD5
4388ac7767c5a9f29cb1ba7cd68338bf

SHA1
02930012ae546abcf97021d381109f84343cb6b7

SHA256
dcd2da047ccc3bb6ea24d1fa2caca43b27668c65d0e03f04a94e4103b27afc37

SHA512
6b3d370790b284d91fb442073cbcc4f306d7a745773aa6bce399852e3f83ed4f5d18e8a37e43a4b0b76c23443e3e9ef3f4977ac5fd4a7e9403077a6f4fe9d863

Download Submit
C:\Windows\Temp\`.txt
Filesize
40B

MD5
83b20a41c2aee29f137d86131bf8833c

SHA1
71523bb2c2514458f2f0c1cffe81dd8c8c49fc3c

SHA256
7164f5410e90ffc72bc3e21dbfb671331222c5b2cb7a30e957a4c52b8109d2c1

SHA512
6af3491ef30a18c00d09e04951f3150da42437c2cd3908b04a0174b928eabd7a5107198f735fdd4bc33464126e0a55de0e731adcef8da1b3127414bc72007527

Download Submit
memory/268-68-0x0000000000000000-mapping.dmp

Download
memory/328-65-0x0000000000000000-mapping.dmp

Download
memory/340-76-0x0000000000000000-mapping.dmp

Download
memory/776-78-0x0000000000000000-mapping.dmp

Download
memory/844-54-0x0000000000000000-mapping.dmp

Download
memory/908-64-0x0000000000000000-mapping.dmp

Download
memory/1296-73-0x0000000000000000-mapping.dmp

Download
memory/1312-62-0x0000000000000000-mapping.dmp

Download
memory/1496-58-0x0000000000000000-mapping.dmp

Download
memory/1508-61-0x0000000000000000-mapping.dmp

Download
memory/1540-59-0x0000000000000000-mapping.dmp

Download
memory/1628-55-0x0000000000000000-mapping.dmp

Download
memory/1664-66-0x0000000000000000-mapping.dmp

Download
memory/1712-57-0x0000000000000000-mapping.dmp

Download
memory/1720-56-0x0000000000000000-mapping.dmp

Download
memory/1780-60-0x0000000000000000-mapping.dmp

Download
memory/1800-63-0x0000000000000000-mapping.dmp

Download
memory/1816-67-0x0000000000000000-mapping.dmp

Download
memory/1904-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing