2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3

Analysis

max time kernel
144s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe
Size

532KB
MD5

74c6e0df472160ebb8482729aaa1baee
SHA1

6e1634bb00213a7e557591c3d451baf56291e9de
SHA256

2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3
SHA512

05e403abe730dbc7079e3e3cce5d9e6a797542aaec81c917ed84445e324421c725dc208d1af286234e72241a725b0e89e0e224cdfc67d813861422516835d345
SSDEEP

12288:+K2mhAMJ/cPlizen8lwBx7EshSpwreE+/8gfxsdjY9NhEi7D:v2O/Gliquw4P5E+/8gfxsFAEo

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

手机验证码接收系统.exeKINSTALLERS_66_4538.exe官方.exe淘宝客PID劫持器.exe

pid process

1324 手机验证码接收系统.exe
4784 KINSTALLERS_66_4538.exe
3292 官方.exe
4120 淘宝客PID劫持器.exe

pid	process
1324	手机验证码接收系统.exe
4784	KINSTALLERS_66_4538.exe
3292	官方.exe
4120	淘宝客PID劫持器.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\官方.exe	upx
C:\Users\Admin\AppData\Local\Temp\官方.exe	upx
behavioral2/memory/3292-145-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3292-153-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe手机验证码接收系统.exe官方.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	手机验证码接收系统.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	官方.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

手机验证码接收系统.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	手机验证码接收系统.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1116 PING.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

淘宝客PID劫持器.exe

pid process

4120 淘宝客PID劫持器.exe
4120 淘宝客PID劫持器.exe

pid	process
1116	PING.EXE

pid	process
4120	淘宝客PID劫持器.exe
4120	淘宝客PID劫持器.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe手机验证码接收系统.exe官方.execmd.exe

description	pid	process	target process
PID 3088 wrote to memory of 1324	3088	2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe	手机验证码接收系统.exe
PID 3088 wrote to memory of 1324	3088	2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe	手机验证码接收系统.exe
PID 3088 wrote to memory of 1324	3088	2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe	手机验证码接收系统.exe
PID 3088 wrote to memory of 4784	3088	2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe	KINSTALLERS_66_4538.exe
PID 3088 wrote to memory of 4784	3088	2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe	KINSTALLERS_66_4538.exe
PID 3088 wrote to memory of 4784	3088	2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe	KINSTALLERS_66_4538.exe
PID 1324 wrote to memory of 3292	1324	手机验证码接收系统.exe	官方.exe
PID 1324 wrote to memory of 3292	1324	手机验证码接收系统.exe	官方.exe
PID 1324 wrote to memory of 3292	1324	手机验证码接收系统.exe	官方.exe
PID 1324 wrote to memory of 4120	1324	手机验证码接收系统.exe	淘宝客PID劫持器.exe
PID 1324 wrote to memory of 4120	1324	手机验证码接收系统.exe	淘宝客PID劫持器.exe
PID 1324 wrote to memory of 4120	1324	手机验证码接收系统.exe	淘宝客PID劫持器.exe
PID 3292 wrote to memory of 2968	3292	官方.exe	cmd.exe
PID 3292 wrote to memory of 2968	3292	官方.exe	cmd.exe
PID 3292 wrote to memory of 2968	3292	官方.exe	cmd.exe
PID 2968 wrote to memory of 1116	2968	cmd.exe	PING.EXE
PID 2968 wrote to memory of 1116	2968	cmd.exe	PING.EXE
PID 2968 wrote to memory of 1116	2968	cmd.exe	PING.EXE
PID 1324 wrote to memory of 2240	1324	手机验证码接收系统.exe	WScript.exe
PID 1324 wrote to memory of 2240	1324	手机验证码接收系统.exe	WScript.exe
PID 1324 wrote to memory of 2240	1324	手机验证码接收系统.exe	WScript.exe
PID 2968 wrote to memory of 1660	2968	cmd.exe	WScript.exe
PID 2968 wrote to memory of 1660	2968	cmd.exe	WScript.exe
PID 2968 wrote to memory of 1660	2968	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe
"C:\Users\Admin\AppData\Local\Temp\2da1a40d86c8dc33f6851b1614b522cd2ca2f54f7d5f3ccf8fa38908db9271f3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3088

C:\Users\Admin\AppData\Local\Temp\手机验证码接收系统.exe
"C:\Users\Admin\AppData\Local\Temp\手机验证码接收系统.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\官方.exe
"C:\Users\Admin\AppData\Local\Temp\官方.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B040.tmp\setup.bat" "
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.0.0.1
5⤵
- Runs ping.exe
PID:1116

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\123.VBS"
5⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\淘宝客PID劫持器.exe
"C:\Users\Admin\AppData\Local\Temp\淘宝客PID劫持器.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4120

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\123.VBS"
3⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\KINSTALLERS_66_4538.exe
"C:\Users\Admin\AppData\Local\Temp\KINSTALLERS_66_4538.exe"
2⤵
- Executes dropped EXE
PID:4784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\123.VBS
Filesize
398B

MD5
b3515d5ceabbcf4ae352adf668e4aa26

SHA1
cef8001c51225008419dcf98553ce4c8e693bb48

SHA256
220776a333307c6f3ae27222bf5b916b3628647cbbe2b539c934423a6c6c4ecf

SHA512
59db9b37e46220a9437bbbec5d8f977a02ca2c1430d3b3a6262fbf5792ea7dea8575396b0dfa6ea889d902f3439049ebd3dd1bca6efb89a690b4d105572237d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.VBS
Filesize
398B

MD5
b3515d5ceabbcf4ae352adf668e4aa26

SHA1
cef8001c51225008419dcf98553ce4c8e693bb48

SHA256
220776a333307c6f3ae27222bf5b916b3628647cbbe2b539c934423a6c6c4ecf

SHA512
59db9b37e46220a9437bbbec5d8f977a02ca2c1430d3b3a6262fbf5792ea7dea8575396b0dfa6ea889d902f3439049ebd3dd1bca6efb89a690b4d105572237d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\B040.tmp\setup.bat
Filesize
34B

MD5
e1b9eb7f7d775d0d49d8ace123a88fc7

SHA1
a97bd323f7ba1d85fa53360e85137fc16a4de204

SHA256
11d81cc1aeebb5ef06dcf2b90bfdbec35d689a4776838882410f2aca3b00b101

SHA512
50ab4c7295ece4f6712bc488fffea83fa24a296c6d6538a554a4bedc2a90f54f359e304f3bf3975a27157c41cb45132b839e1efcb1e930e7fbd2fe16d21b65b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KINSTALLERS_66_4538.exe
Filesize
58KB

MD5
f729d886356835c780a1ec4486f60576

SHA1
40fafe8a61965919a4cc32a079ec5747fdddcd3e

SHA256
7ae1beac54fb6511a53be696006ed0fbe1e0bfb76dd9b68f135e97ccf0ccde2e

SHA512
fcacc65d9154e262fcc790945becc673d8eb98410231d521249257e9c3e4c2dfc01854e7c7a86e39e68fa7024859f888cdf3f2cbb820dc068998fc5b506996c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KINSTALLERS_66_4538.exe
Filesize
58KB

MD5
f729d886356835c780a1ec4486f60576

SHA1
40fafe8a61965919a4cc32a079ec5747fdddcd3e

SHA256
7ae1beac54fb6511a53be696006ed0fbe1e0bfb76dd9b68f135e97ccf0ccde2e

SHA512
fcacc65d9154e262fcc790945becc673d8eb98410231d521249257e9c3e4c2dfc01854e7c7a86e39e68fa7024859f888cdf3f2cbb820dc068998fc5b506996c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\官方.exe
Filesize
21KB

MD5
5a76883d66f3d880ca3e6a69ad693013

SHA1
d8f8177aedeb1e9779b88ff464251e2fb2e0b3f6

SHA256
68d447639d7a0588c7ac29506ae66a41006c3922ef32adc6bb2da43556a6b3e5

SHA512
dd93083e312768a3efa630734f53eb3180552a882095cda8ab4115a91c836e4b3e5a24412de4f53a9ab064f8dc64002079a8ae6556df1980881c68475d3bde02

Download Submit
C:\Users\Admin\AppData\Local\Temp\官方.exe
Filesize
21KB

MD5
5a76883d66f3d880ca3e6a69ad693013

SHA1
d8f8177aedeb1e9779b88ff464251e2fb2e0b3f6

SHA256
68d447639d7a0588c7ac29506ae66a41006c3922ef32adc6bb2da43556a6b3e5

SHA512
dd93083e312768a3efa630734f53eb3180552a882095cda8ab4115a91c836e4b3e5a24412de4f53a9ab064f8dc64002079a8ae6556df1980881c68475d3bde02

Download Submit
C:\Users\Admin\AppData\Local\Temp\手机验证码接收系统.exe
Filesize
456KB

MD5
653564b090dac7f2896856c54dc17312

SHA1
7d1c31329d59ceb766e45c340b21985ea8d149b5

SHA256
d04412c4cbcc986ccfd847bda6de2dedf97c1ac5da8a9318048e14a4f62f45dc

SHA512
c7c17866a9d0f10aea21a66efade0e9c419eaf0ccccfb3826e736101691ed07c06e18b186db06cdaf2402f15ab9b428c9e18cd4ab0157a82d246858bb1f24f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\手机验证码接收系统.exe
Filesize
456KB

MD5
653564b090dac7f2896856c54dc17312

SHA1
7d1c31329d59ceb766e45c340b21985ea8d149b5

SHA256
d04412c4cbcc986ccfd847bda6de2dedf97c1ac5da8a9318048e14a4f62f45dc

SHA512
c7c17866a9d0f10aea21a66efade0e9c419eaf0ccccfb3826e736101691ed07c06e18b186db06cdaf2402f15ab9b428c9e18cd4ab0157a82d246858bb1f24f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\淘宝客PID劫持器.exe
Filesize
772KB

MD5
13e8c8ed061b041e160c496fe8eb4ff2

SHA1
cf65914ea3c6743b4d1c916c402c0f95f21498f4

SHA256
52a5fb7bbc26d536cad0ff7a9474aa27f9f4ad039f9489fb6fe8ce44a315fc25

SHA512
c590dbfd6c6b13c1057d6fa8f981a233d2cdb1e775f037ba23127234d8d677dacc8582adf8d50051b2b2aba214e31cb6c430797372b49ff59605253e5068c1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\淘宝客PID劫持器.exe
Filesize
772KB

MD5
13e8c8ed061b041e160c496fe8eb4ff2

SHA1
cf65914ea3c6743b4d1c916c402c0f95f21498f4

SHA256
52a5fb7bbc26d536cad0ff7a9474aa27f9f4ad039f9489fb6fe8ce44a315fc25

SHA512
c590dbfd6c6b13c1057d6fa8f981a233d2cdb1e775f037ba23127234d8d677dacc8582adf8d50051b2b2aba214e31cb6c430797372b49ff59605253e5068c1de

Download Submit
memory/1116-149-0x0000000000000000-mapping.dmp

Download
memory/1324-132-0x0000000000000000-mapping.dmp

Download
memory/1660-152-0x0000000000000000-mapping.dmp

Download
memory/2240-151-0x0000000000000000-mapping.dmp

Download
memory/2968-147-0x0000000000000000-mapping.dmp

Download
memory/3292-145-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3292-138-0x0000000000000000-mapping.dmp

Download
memory/3292-153-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4120-141-0x0000000000000000-mapping.dmp

Download
memory/4120-146-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4784-135-0x0000000000000000-mapping.dmp

Download