fd4ff677931e296f6b608cd23fa19e7e3ce1a1a758d0521e637ac9fcdbd404b8

Analysis

max time kernel
75s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2023, 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd4ff677931e296f6b608cd23fa19e7e3ce1a1a758d0521e637ac9fcdbd404b8.exe
Size

4.6MB
MD5

76f37b906c4a210e354d29eeac816b6d
SHA1

2ef9c6c0835315be8805ce039b3c0e0db3c6ef67
SHA256

fd4ff677931e296f6b608cd23fa19e7e3ce1a1a758d0521e637ac9fcdbd404b8
SHA512

815b2594f4b40773bd8ec74ffee589d78ca49e4dcbf64bfd269af62a572d7b5f74f33de43788c68a7dff1d3da13343443b1d57b9b86d22b92aad1ae1014f79b7
SSDEEP

98304:l06FOznLo0+Dd6uxc8FazgIGOU0AemtfdQqwWPU0Hnf8H69:l3F6n80W6uGO8bGeAjtfdiWPHnf8I

Score

9^/10

evasion upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	php-cgi.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	php-cgi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	php-cgi.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	fd4ff677931e296f6b608cd23fa19e7e3ce1a1a758d0521e637ac9fcdbd404b8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	irsetup.exe

Executes dropped EXE 4 IoCs

pid	Process
60	irsetup.exe
672	un.exe
32	un.exe
2528	php-cgi.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Wine	php-cgi.exe

Loads dropped DLL 2 IoCs

pid	Process
60	irsetup.exe
2528	php-cgi.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023171-138.dat	upx
behavioral2/files/0x0006000000023171-143.dat	upx
behavioral2/files/0x0006000000023171-144.dat	upx
behavioral2/memory/60-147-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral2/memory/60-189-0x0000000000400000-0x00000000007CB000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2528	php-cgi.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Your Product\360ShellPro.exe	irsetup.exe
File created	C:\Program Files (x86)\Your Product\360Restore.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\360Restore.exe	irsetup.exe
File created	C:\Program Files (x86)\Your Product\360Safe.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\360Safe.exe	irsetup.exe
File created	C:\Program Files (x86)\Your Product\360ShellPro.exe	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
60	irsetup.exe
60	irsetup.exe
2528	php-cgi.exe
2528	php-cgi.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
60	irsetup.exe
60	irsetup.exe
60	irsetup.exe
672	un.exe
32	un.exe
2528	php-cgi.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 60	4656	fd4ff677931e296f6b608cd23fa19e7e3ce1a1a758d0521e637ac9fcdbd404b8.exe	85
PID 4656 wrote to memory of 60	4656	fd4ff677931e296f6b608cd23fa19e7e3ce1a1a758d0521e637ac9fcdbd404b8.exe	85
PID 4656 wrote to memory of 60	4656	fd4ff677931e296f6b608cd23fa19e7e3ce1a1a758d0521e637ac9fcdbd404b8.exe	85
PID 60 wrote to memory of 672	60	irsetup.exe	87
PID 60 wrote to memory of 672	60	irsetup.exe	87
PID 60 wrote to memory of 32	60	irsetup.exe	89
PID 60 wrote to memory of 32	60	irsetup.exe	89
PID 60 wrote to memory of 2528	60	irsetup.exe	91
PID 60 wrote to memory of 2528	60	irsetup.exe	91
PID 60 wrote to memory of 2528	60	irsetup.exe	91

C:\Users\Admin\AppData\Local\Temp\fd4ff677931e296f6b608cd23fa19e7e3ce1a1a758d0521e637ac9fcdbd404b8.exe
"C:\Users\Admin\AppData\Local\Temp\fd4ff677931e296f6b608cd23fa19e7e3ce1a1a758d0521e637ac9fcdbd404b8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1744242 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\fd4ff677931e296f6b608cd23fa19e7e3ce1a1a758d0521e637ac9fcdbd404b8.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2805025096-2326403612-4231045514-1000"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\un.exe
    "C:\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar ziliao.jpg ziliao1.jpg C:\ProgramData\Microsoft\Program\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:672
- - C:\un.exe
    "C:\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe php-cgi.exe qbcore.dll C:\ProgramData\Program\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:32
- - C:\ProgramData\Program\php-cgi.exe
    "C:\ProgramData\Program\php-cgi.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Data\UPX.rar

Filesize
1.9MB

MD5
21f02fd4ce141af298b352b8367b722a

SHA1
b38d3969aeaf665692d056ddb2f9b7ff29efaad9

SHA256
5bb75a6d1307e6c6c178623186ca7bd0a2e7f19763536a2e878243ab673ab39a

SHA512
dce44b34969cb050d6d8c37202980989045671a5ab995a023309633bc17e4a9fe51448162e504e41b5eff7c747058bafd499ff4ae3c34ef0dc0ca3117d50aa88

Download Submit
C:\ProgramData\Program\php-cgi.exe

Filesize
591KB

MD5
6c9faa530a79f516c85cfac8986656e5

SHA1
6a454009a2f1b0df3483ddffaed7e95d167d789d

SHA256
6d08bb136618e8aff1af1951abe0c918d0de59103af9a79b1fef3219bb2b97f4

SHA512
306a68dcc57243bcfb2f5e22df539b1e65546c895f989ef5a07f957fee34e4c7165e358a64248a85ca3647e6fb452674b32ec5922b4a17c83cc9411104f7c8c5

Download Submit
C:\ProgramData\Program\php-cgi.exe

Filesize
591KB

MD5
6c9faa530a79f516c85cfac8986656e5

SHA1
6a454009a2f1b0df3483ddffaed7e95d167d789d

SHA256
6d08bb136618e8aff1af1951abe0c918d0de59103af9a79b1fef3219bb2b97f4

SHA512
306a68dcc57243bcfb2f5e22df539b1e65546c895f989ef5a07f957fee34e4c7165e358a64248a85ca3647e6fb452674b32ec5922b4a17c83cc9411104f7c8c5

Download Submit
C:\ProgramData\Program\qbcore.dll

Filesize
1.5MB

MD5
a3f01d33a2f69ab23727cdd2c4858b20

SHA1
a9b5bf5d6772dba90199105b0841a5cfa8cb09a3

SHA256
e2daab9130cc7a8b9eadb8670c864b7faddb35125386551865a8893663551ff6

SHA512
502a8be36eda91298b6fd12627ca8d3dddf0e8e402f275de40438e33ebe832c92c6e14f2c3a60eea78b039108b0cf004c3f2a95d18b3cddc595e35e050e35aa4

Download Submit
C:\ProgramData\Program\qbcore.dll

Filesize
1.5MB

MD5
a3f01d33a2f69ab23727cdd2c4858b20

SHA1
a9b5bf5d6772dba90199105b0841a5cfa8cb09a3

SHA256
e2daab9130cc7a8b9eadb8670c864b7faddb35125386551865a8893663551ff6

SHA512
502a8be36eda91298b6fd12627ca8d3dddf0e8e402f275de40438e33ebe832c92c6e14f2c3a60eea78b039108b0cf004c3f2a95d18b3cddc595e35e050e35aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
C:\un.exe

Filesize
512KB

MD5
5bda37f25c6cbaab7bb2f36886eee4ae

SHA1
ce10a26fbac92e78a739b0b3b7ec3fb0f42ee32f

SHA256
22405d814d2bdb39a1b67757ed0d1357ba8b0a0bf3e614619d8e3d32e38d8d7b

SHA512
2a79a6dd4633890877c68227383fbe8248bd57689109cf7f7dbd037a14f4b6c8c88c19514bd17daf405ce5109708ef8f5816764256c28af67a335fbac73a00b4

Download Submit
C:\un.exe

Filesize
512KB

MD5
5bda37f25c6cbaab7bb2f36886eee4ae

SHA1
ce10a26fbac92e78a739b0b3b7ec3fb0f42ee32f

SHA256
22405d814d2bdb39a1b67757ed0d1357ba8b0a0bf3e614619d8e3d32e38d8d7b

SHA512
2a79a6dd4633890877c68227383fbe8248bd57689109cf7f7dbd037a14f4b6c8c88c19514bd17daf405ce5109708ef8f5816764256c28af67a335fbac73a00b4

Download Submit
C:\un.exe

Filesize
512KB

MD5
5bda37f25c6cbaab7bb2f36886eee4ae

SHA1
ce10a26fbac92e78a739b0b3b7ec3fb0f42ee32f

SHA256
22405d814d2bdb39a1b67757ed0d1357ba8b0a0bf3e614619d8e3d32e38d8d7b

SHA512
2a79a6dd4633890877c68227383fbe8248bd57689109cf7f7dbd037a14f4b6c8c88c19514bd17daf405ce5109708ef8f5816764256c28af67a335fbac73a00b4

Download Submit
memory/60-147-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/60-189-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/2528-190-0x0000000073A30000-0x0000000073BC4000-memory.dmp

Filesize
1.6MB

Download
memory/2528-191-0x0000000073A30000-0x0000000073BC4000-memory.dmp

Filesize
1.6MB

Download