Analysis

max time kernel: 144s
max time network: 198s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 23:02
Static task: static1
Behavioral task: behavioral1
  Sample: 2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe
  Resource: win10v2004-20221111-en
General

Target: 2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe
Size: 532KB
MD5: 74c6e0df472160ebb8482729aaa1baee
SHA1: 6e1634bb00213a7e557591c3d451baf56291e9de
SHA256: 2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3
SHA512: 05e403abe730dbc7079e3e3cce5d9e6a797542aaec81c917ed84445e324421c725dc208d1af286234e72241a725b0e89e0e224cdfc67d813861422516835d345
SSDEEP: 12288:+K2mhAMJ/cPlizen8lwBx7EshSpwreE+/8gfxsdjY9NhEi7D:v2O/Gliquw4P5E+/8gfxsFAEo
Malware Config
Signatures
Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
Processes:
  PID 1324  手机验证码接收系统.exe ("mobile phone verification-code receiving system")
  PID 4784  KINSTALLERS_66_4538.exe
  PID 3292  官方.exe ("official")
  PID 4120  淘宝客PID劫持器.exe ("Taobao affiliate PID hijacker"; the PID in the name is the Taobao affiliate promoter ID, not a process ID)
UPX packed file (yara rule: upx)
Resources:
  C:\Users\Admin\AppData\Local\Temp\官方.exe (on disk; listed twice in the report)
  behavioral2/memory/3292-145-0x0000000000400000-0x0000000000410000-memory.dmp
  behavioral2/memory/3292-153-0x0000000000400000-0x0000000000410000-memory.dmp
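The yara rule above matches both the dropped 官方.exe on disk and the 64KB region dumped twice from PID 3292 at 0x400000, which is expected: a mapped image keeps its section headers, so a name-based rule fires on a dump just as on the file. The Python below is an added example, not part of the sandbox report or its rule set. It parses a PE section table and flags the section names and the "UPX!" marker that stock UPX builds leave behind; the PE images are constructed in-code (headers and a section table only, not executable) so the check runs offline, and the heuristic is a simplification of what a real `upx` yara rule checks and is defeated by renamed sections.

```python
"""Flag UPX-packed PE files by their section names and 'UPX!' marker.

Added example, not part of the sandbox report. build_pe() constructs a
minimal PE32 (DOS stub, PE signature, COFF header, zeroed optional header,
one 40-byte section header per name) purely so the parser has input.
"""
import struct

# Section names written by stock UPX builds. A mapped image keeps these
# headers, which is why the same rule also fires on memory dumps.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}


def build_pe(section_names):
    """Constructed, non-executable PE32 image with the given section names."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = b"\0" * 0xE0                      # PE32 optional header size
    coff = struct.pack("<HHIIIHH",
                       0x14C,                    # Machine: i386
                       len(section_names),       # NumberOfSections
                       0, 0, 0,                  # timestamp, symtab, nsyms
                       len(optional),            # SizeOfOptionalHeader
                       0x0102)                   # EXECUTABLE_IMAGE | 32BIT
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0x200,
                    0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return dos_header + b"PE\0\0" + coff + optional + table


def section_names(data):
    """Return the section names of a PE image, in section-table order."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size             # 4-byte sig + 20-byte COFF
    names = []
    for i in range(num_sections):
        raw = struct.unpack_from("<8s", data, table + 40 * i)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """UPX section names present in the image, plus the 'UPX!' magic that
    UPX stores in its own header (searched across the whole file)."""
    found = [n for n in section_names(data) if n in UPX_SECTION_NAMES]
    if b"UPX!" in data:
        found.append("UPX! marker")
    return found


def looks_upx_packed(data):
    return bool(upx_indicators(data))


if __name__ == "__main__":
    for label, names in (("packed", [b"UPX0", b"UPX1", b".rsrc"]),
                         ("plain", [b".text", b".rdata", b".data"])):
        print(label, upx_indicators(build_pe(names)))
```

Run it against the dropped 官方.exe or the 3292 memory dumps by reading the file into `data`; an empty list from `upx_indicators` on a file the sandbox rule matched means the packer stub was renamed or modified and the rule is matching on code patterns instead.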
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
    by 2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe, 手机验证码接收系统.exe, 官方.exe and cmd.exe
Caveat: the same query is attributed to cmd.exe, a stock Windows binary, so on this run the read is not by itself evidence of a deliberate geofence; treat it as a weak signal unless the sample's code is seen comparing the returned value.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description adds "Likely ransomware behaviour", but no other signature in this report points to file encryption or ransom-note drops, and drive enumeration on its own is also what an installer does; do not classify on this signature alone.
Modifies registry class (2 IoCs)
Processes:
  Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings  by 手机验证码接收系统.exe
  Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings  by cmd.exe
Runs ping.exe (1 TTPs, 1 IoCs)
The recorded command line is "ping -n 3 127.0.0.1" (see the process tree): three echo requests to loopback, one second apart, used by the batch file as a roughly two-second delay, not as a connectivity check.
Suspicious use of SetWindowsHookEx (2 IoCs, both from PID 4120)
Processes:
  PID 4120  淘宝客PID劫持器.exe
Suspicious use of WriteProcessMemory (24 IoCs; each parent/child pair below is logged three times)
Processes:
  PID 3088 2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe -> PID 1324 手机验证码接收系统.exe
  PID 3088 2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe -> PID 4784 KINSTALLERS_66_4538.exe
  PID 1324 手机验证码接收系统.exe -> PID 3292 官方.exe
  PID 1324 手机验证码接收系统.exe -> PID 4120 淘宝客PID劫持器.exe
  PID 3292 官方.exe -> PID 2968 cmd.exe
  PID 2968 cmd.exe -> PID 1116 PING.EXE
  PID 1324 手机验证码接收系统.exe -> PID 2240 WScript.exe
  PID 2968 cmd.exe -> PID 1660 WScript.exe
Every write here goes from a parent into a process it has just created, and the pairs coincide exactly with the process tree below; that is consistent with ordinary process start-up, not with injection into an unrelated process.
Processes
(indented by depth; the command line is shown only where it differs from the quoted image path)

C:\Users\Admin\AppData\Local\Temp\2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe
- Checks computer location settings
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\手机验证码接收系统.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\官方.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B040.tmp\setup.bat" "
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 3 127.0.0.1
        - Runs ping.exe
        C:\Windows\SysWOW64\WScript.exe
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\123.VBS"
    C:\Users\Admin\AppData\Local\Temp\淘宝客PID劫持器.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\123.VBS"
  C:\Users\Admin\AppData\Local\Temp\KINSTALLERS_66_4538.exe
  - Executes dropped EXE

Two things worth noting in the tree: the command lines name System32 while the images that actually ran are the SysWOW64 copies, i.e. the 32-bit parent (the resource tags list arch:x86) is subject to WoW64 file-system redirection; and the same 123.VBS is launched twice, once directly by 手机验证码接收系统.exe and once from setup.bat after the ping delay.
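To make the chain above checkable rather than eyeballed, the Python below is an added example (not part of the sandbox report) that rebuilds the process tree from the "wrote to memory of" records and flags the two patterns seen on this page: dropped EXEs launched from %TEMP%, and cmd.exe running a loopback ping as a delay before handing off to WScript.exe. The records and command lines are copied from the report with the triple-logged pairs collapsed; the PID-to-command-line mapping combines the WriteProcessMemory records (which carry PIDs) with the Processes tree (which carries command lines); the heuristics and function names are the editor's own.

```python
"""Rebuild a sandbox process tree from 'PID P wrote to memory of C' records
and flag a %TEMP% dropper chain with a ping-based delay.

Added example, not part of the sandbox report. WPM_RECORDS and PROCS are
copied from the report above (duplicates removed); the detection rules
below are the editor's own heuristics.
"""
import re
from collections import defaultdict

WPM_RECORDS = """
PID 3088 wrote to memory of 1324 3088 2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe 手机验证码接收系统.exe
PID 3088 wrote to memory of 4784 3088 2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe KINSTALLERS_66_4538.exe
PID 1324 wrote to memory of 3292 1324 手机验证码接收系统.exe 官方.exe
PID 1324 wrote to memory of 4120 1324 手机验证码接收系统.exe 淘宝客PID劫持器.exe
PID 3292 wrote to memory of 2968 3292 官方.exe cmd.exe
PID 2968 wrote to memory of 1116 2968 cmd.exe PING.EXE
PID 1324 wrote to memory of 2240 1324 手机验证码接收系统.exe WScript.exe
PID 2968 wrote to memory of 1660 2968 cmd.exe WScript.exe
"""

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PROCS = {  # pid: (image path, command line); "" = just the quoted image path
    3088: (TEMP + r"\2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe", ""),
    1324: (TEMP + r"\手机验证码接收系统.exe", ""),
    4784: (TEMP + r"\KINSTALLERS_66_4538.exe", ""),
    3292: (TEMP + r"\官方.exe", ""),
    4120: (TEMP + r"\淘宝客PID劫持器.exe", ""),
    2968: (r"C:\Windows\SysWOW64\cmd.exe",
           r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\B040.tmp\setup.bat" "'),
    1116: (r"C:\Windows\SysWOW64\PING.EXE", "ping -n 3 127.0.0.1"),
    2240: (r"C:\Windows\SysWOW64\WScript.exe",
           r'"C:\Windows\System32\WScript.exe" "' + TEMP + r'\123.VBS"'),
    1660: (r"C:\Windows\SysWOW64\WScript.exe",
           r'"C:\Windows\System32\WScript.exe" "' + TEMP + r'\123.VBS"'),
}

TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
LOOPBACK_PING = re.compile(r"^ping\s+-n\s+\d+\s+127\.0\.0\.1\s*$", re.IGNORECASE)
SCRIPT_ARG = re.compile(r"\.(vbs|vbe|js|jse|wsf)\"?\s*$", re.IGNORECASE)


def parse_wpm_records(text):
    """{parent_pid: {child_pid, ...}} from the sandbox's WriteProcessMemory lines."""
    children = defaultdict(set)
    for parent, child in re.findall(r"PID (\d+) wrote to memory of (\d+)", text):
        children[int(parent)].add(int(child))
    return children


def root_pids(children):
    every_child = set().union(*children.values())
    return sorted(p for p in children if p not in every_child)


def render_tree(children, procs, pid, depth=0, lines=None):
    """Indented 'pid basename [cmdline]' lines, depth-first, children by PID."""
    lines = [] if lines is None else lines
    image, cmdline = procs.get(pid, ("<unknown>", ""))
    name = image.rsplit("\\", 1)[-1]
    suffix = f"  [{cmdline}]" if cmdline else ""
    lines.append("  " * depth + f"{pid} {name}{suffix}")
    for child in sorted(children.get(pid, ())):
        render_tree(children, procs, child, depth + 1, lines)
    return lines


def dropped_exe_launches(children, procs):
    """PIDs started by another process in the tree whose image sits directly
    under %TEMP%. The submitted sample also lives there but is a root, so it
    never appears as a child and is excluded automatically."""
    launched = set().union(*children.values())
    return sorted(p for p in launched if TEMP_EXE.search(procs[p][0]))


def delay_then_script(children, procs):
    """cmd.exe instances that run 'ping -n N 127.0.0.1' (a sleep substitute)
    and also start WScript.exe on a script file. Returns (cmd, ping, wscript)."""
    hits = []
    for pid, (image, _) in sorted(procs.items()):
        if not image.lower().endswith("\\cmd.exe"):
            continue
        kids = sorted(children.get(pid, ()))
        pings = [k for k in kids if LOOPBACK_PING.match(procs[k][1])]
        scripts = [k for k in kids
                   if procs[k][0].lower().endswith("\\wscript.exe")
                   and SCRIPT_ARG.search(procs[k][1])]
        if pings and scripts:
            hits.append((pid, pings[0], scripts[0]))
    return hits


if __name__ == "__main__":
    tree = parse_wpm_records(WPM_RECORDS)
    for root in root_pids(tree):
        print("\n".join(render_tree(tree, PROCS, root)))
    print("dropped EXEs executed:", dropped_exe_launches(tree, PROCS))
    print("cmd -> ping delay -> wscript:", delay_then_script(tree, PROCS))
```

On this report the dropped-EXE check returns exactly the four PIDs the "Executes dropped EXE" signature lists, and the delay check returns the single cmd.exe (2968) with its ping (1116) and WScript (1660) children; the WScript instance started directly by 1324 is not flagged because no delay precedes it, which is the distinction a rule like this is meant to draw.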
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\123.VBS
  Filesize: 398B
  MD5: b3515d5ceabbcf4ae352adf668e4aa26
  SHA1: cef8001c51225008419dcf98553ce4c8e693bb48
  SHA256: 220776a333307c6f3ae27222bf5b916b3628647cbbe2b539c934423a6c6c4ecf
  SHA512: 59db9b37e46220a9437bbbec5d8f977a02ca2c1430d3b3a6262fbf5792ea7dea8575396b0dfa6ea889d902f3439049ebd3dd1bca6efb89a690b4d105572237d5

C:\Users\Admin\AppData\Local\Temp\B040.tmp\setup.bat
  Filesize: 34B
  MD5: e1b9eb7f7d775d0d49d8ace123a88fc7
  SHA1: a97bd323f7ba1d85fa53360e85137fc16a4de204
  SHA256: 11d81cc1aeebb5ef06dcf2b90bfdbec35d689a4776838882410f2aca3b00b101
  SHA512: 50ab4c7295ece4f6712bc488fffea83fa24a296c6d6538a554a4bedc2a90f54f359e304f3bf3975a27157c41cb45132b839e1efcb1e930e7fbd2fe16d21b65b2

C:\Users\Admin\AppData\Local\Temp\KINSTALLERS_66_4538.exe
  Filesize: 58KB
  MD5: f729d886356835c780a1ec4486f60576
  SHA1: 40fafe8a61965919a4cc32a079ec5747fdddcd3e
  SHA256: 7ae1beac54fb6511a53be696006ed0fbe1e0bfb76dd9b68f135e97ccf0ccde2e
  SHA512: fcacc65d9154e262fcc790945becc673d8eb98410231d521249257e9c3e4c2dfc01854e7c7a86e39e68fa7024859f888cdf3f2cbb820dc068998fc5b506996c8

C:\Users\Admin\AppData\Local\Temp\官方.exe
  Filesize: 21KB
  MD5: 5a76883d66f3d880ca3e6a69ad693013
  SHA1: d8f8177aedeb1e9779b88ff464251e2fb2e0b3f6
  SHA256: 68d447639d7a0588c7ac29506ae66a41006c3922ef32adc6bb2da43556a6b3e5
  SHA512: dd93083e312768a3efa630734f53eb3180552a882095cda8ab4115a91c836e4b3e5a24412de4f53a9ab064f8dc64002079a8ae6556df1980881c68475d3bde02

C:\Users\Admin\AppData\Local\Temp\手机验证码接收系统.exe
  Filesize: 456KB
  MD5: 653564b090dac7f2896856c54dc17312
  SHA1: 7d1c31329d59ceb766e45c340b21985ea8d149b5
  SHA256: d04412c4cbcc986ccfd847bda6de2dedf97c1ac5da8a9318048e14a4f62f45dc
  SHA512: c7c17866a9d0f10aea21a66efade0e9c419eaf0ccccfb3826e736101691ed07c06e18b186db06cdaf2402f15ab9b428c9e18cd4ab0157a82d246858bb1f24f0a

C:\Users\Admin\AppData\Local\Temp\淘宝客PID劫持器.exe
  Filesize: 772KB
  MD5: 13e8c8ed061b041e160c496fe8eb4ff2
  SHA1: cf65914ea3c6743b4d1c916c402c0f95f21498f4
  SHA256: 52a5fb7bbc26d536cad0ff7a9474aa27f9f4ad039f9489fb6fe8ce44a315fc25
  SHA512: c590dbfd6c6b13c1057d6fa8f981a233d2cdb1e775f037ba23127234d8d677dacc8582adf8d50051b2b2aba214e31cb6c430797372b49ff59605253e5068c1de

Memory dumps:
  memory/1116-149-0x0000000000000000-mapping.dmp
  memory/1324-132-0x0000000000000000-mapping.dmp
  memory/1660-152-0x0000000000000000-mapping.dmp
  memory/2240-151-0x0000000000000000-mapping.dmp
  memory/2968-147-0x0000000000000000-mapping.dmp
  memory/3292-138-0x0000000000000000-mapping.dmp
  memory/3292-145-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/3292-153-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/4120-141-0x0000000000000000-mapping.dmp
  memory/4120-146-0x0000000000400000-0x00000000004D1000-memory.dmp  Filesize: 836KB
  memory/4784-135-0x0000000000000000-mapping.dmp