6e4a058967de8e8b73a0f3aa363bdf2aa6c1fa56c6c5ba1f4d5e78c3249a6de7

General

Target

IDM 激活工具.cmd
Size

25KB
MD5

419b8e559eb9f6de0fc42c5dae34356f
SHA1

e723bd40034e3486173840a4a38154548b1cee56
SHA256

7dd95b809be00973b158bbb749ebabd3cba95381661a7bc00c2cc9d4044314b8
SHA512

04c75326779a30cb1ac99ec5083b4d3991536c422f57d2b75e7516793e716210e49349d90ebbda7d033392c37b8459ceba1ff5e0f2dc4295a54f3c417be68f65
SSDEEP

192:ewVLk373E1zU0eRB/x56PmX+BFq+EOIyKatBBLiffE7myr5W0bt/8wVaTfCElzEd:E3739dRJqTg7YOgcugPZ5SAJkYltq

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	reg.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

1640 reg.exe
4972 reg.exe
3712 reg.exe

pid	process
1640	reg.exe
4972	reg.exe
3712	reg.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4780 wrote to memory of 5100	4780	cmd.exe	cmd.exe
PID 4780 wrote to memory of 5100	4780	cmd.exe	cmd.exe
PID 4780 wrote to memory of 3104	4780	cmd.exe	cmd.exe
PID 4780 wrote to memory of 3104	4780	cmd.exe	cmd.exe
PID 3104 wrote to memory of 1720	3104	cmd.exe	cmd.exe
PID 3104 wrote to memory of 1720	3104	cmd.exe	cmd.exe
PID 3104 wrote to memory of 1556	3104	cmd.exe	cmd.exe
PID 3104 wrote to memory of 1556	3104	cmd.exe	cmd.exe
PID 4780 wrote to memory of 4932	4780	cmd.exe	cmd.exe
PID 4780 wrote to memory of 4932	4780	cmd.exe	cmd.exe
PID 4932 wrote to memory of 4844	4932	cmd.exe	reg.exe
PID 4932 wrote to memory of 4844	4932	cmd.exe	reg.exe
PID 4780 wrote to memory of 4828	4780	cmd.exe	reg.exe
PID 4780 wrote to memory of 4828	4780	cmd.exe	reg.exe
PID 4780 wrote to memory of 4892	4780	cmd.exe	reg.exe
PID 4780 wrote to memory of 4892	4780	cmd.exe	reg.exe
PID 4780 wrote to memory of 4632	4780	cmd.exe	find.exe
PID 4780 wrote to memory of 4632	4780	cmd.exe	find.exe
PID 4780 wrote to memory of 1072	4780	cmd.exe	mode.com
PID 4780 wrote to memory of 1072	4780	cmd.exe	mode.com
PID 4780 wrote to memory of 4160	4780	cmd.exe	cmd.exe
PID 4780 wrote to memory of 4160	4780	cmd.exe	cmd.exe
PID 4160 wrote to memory of 1640	4160	cmd.exe	reg.exe
PID 4160 wrote to memory of 1640	4160	cmd.exe	reg.exe
PID 4780 wrote to memory of 1580	4780	cmd.exe	cmd.exe
PID 4780 wrote to memory of 1580	4780	cmd.exe	cmd.exe
PID 1580 wrote to memory of 4972	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 4972	1580	cmd.exe	reg.exe
PID 4780 wrote to memory of 1780	4780	cmd.exe	cmd.exe
PID 4780 wrote to memory of 1780	4780	cmd.exe	cmd.exe
PID 1780 wrote to memory of 3712	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 3712	1780	cmd.exe	reg.exe
PID 4780 wrote to memory of 2336	4780	cmd.exe	choice.exe
PID 4780 wrote to memory of 2336	4780	cmd.exe	choice.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\IDM 激活工具.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
3⤵
PID:1720

C:\Windows\System32\cmd.exe
cmd
3⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\DownloadManager" /v ExePath 2>nul
2⤵
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" /v ExePath
3⤵
PID:4844

C:\Windows\System32\reg.exe
reg query HKU\S-1-5-19
2⤵
PID:4828

C:\Windows\System32\reg.exe
reg query "HKLM\Hardware\Description\System\CentralProcessor\0" /v "Identifier"
2⤵
- Checks processor information in registry
PID:4892

C:\Windows\System32\find.exe
find /i "x86"
2⤵
PID:4632

C:\Windows\System32\mode.com
mode 65, 25
2⤵
PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall 2>nul
2⤵
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall
3⤵
- Modifies registry key
PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile /v EnableFirewall 2>nul
2⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile /v EnableFirewall
3⤵
- Modifies registry key
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall 2>nul
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall
3⤵
- Modifies registry key
PID:3712

C:\Windows\System32\choice.exe
choice /C:12345 /N
2⤵
PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-141-0x0000000000000000-mapping.dmp

Download
memory/1556-135-0x0000000000000000-mapping.dmp

Download
memory/1580-144-0x0000000000000000-mapping.dmp

Download
memory/1640-143-0x0000000000000000-mapping.dmp

Download
memory/1720-134-0x0000000000000000-mapping.dmp

Download
memory/1780-146-0x0000000000000000-mapping.dmp

Download
memory/2336-148-0x0000000000000000-mapping.dmp

Download
memory/3104-133-0x0000000000000000-mapping.dmp

Download
memory/3712-147-0x0000000000000000-mapping.dmp

Download
memory/4160-142-0x0000000000000000-mapping.dmp

Download
memory/4632-140-0x0000000000000000-mapping.dmp

Download
memory/4828-138-0x0000000000000000-mapping.dmp

Download
memory/4844-137-0x0000000000000000-mapping.dmp

Download
memory/4892-139-0x0000000000000000-mapping.dmp

Download
memory/4932-136-0x0000000000000000-mapping.dmp

Download
memory/4972-145-0x0000000000000000-mapping.dmp

Download
memory/5100-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing