08960b36601485c4589ad186cc3dea99dfbfe15b40e3d2615747791fdf137674

Resubmissions

12/06/2023, 07:55

230612-jsa4zabf5z 6

12/06/2023, 07:47

230612-jmycbabf41 6

Analysis

max time kernel
69s
max time network
77s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/06/2023, 07:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ai进程守护.exe
Size

553KB
MD5

a3b7a00315b7ff714ea9f2a2660bb5b9
SHA1

4a602596a4e176961a132ec87fb1f2bdf8cb5acb
SHA256

08960b36601485c4589ad186cc3dea99dfbfe15b40e3d2615747791fdf137674
SHA512

47e549d396e047ffa0c8c8b25a5563c9bec1752c090aa829e46dc0679fa621340ab6fd74934a2e9f56a021b4de4638fd47b2f190b4ce02c3f375f35b1a0bebaf
SSDEEP

12288:xM04tD6kXMtOJpPh4JIOiXhRdIDIU1Dzoa0pAn:xMxD6kXM4Ph4I7d2H/

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	ai进程守护.exe
File opened (read-only)	\??\F:	ai进程守护.exe
File opened (read-only)	\??\I:	ai进程守护.exe
File opened (read-only)	\??\O:	ai进程守护.exe
File opened (read-only)	\??\R:	ai进程守护.exe
File opened (read-only)	\??\W:	ai进程守护.exe
File opened (read-only)	\??\E:	ai进程守护.exe
File opened (read-only)	\??\H:	ai进程守护.exe
File opened (read-only)	\??\L:	ai进程守护.exe
File opened (read-only)	\??\P:	ai进程守护.exe
File opened (read-only)	\??\Z:	ai进程守护.exe
File opened (read-only)	\??\G:	ai进程守护.exe
File opened (read-only)	\??\J:	ai进程守护.exe
File opened (read-only)	\??\K:	ai进程守护.exe
File opened (read-only)	\??\M:	ai进程守护.exe
File opened (read-only)	\??\S:	ai进程守护.exe
File opened (read-only)	\??\T:	ai进程守护.exe
File opened (read-only)	\??\U:	ai进程守护.exe
File opened (read-only)	\??\N:	ai进程守护.exe
File opened (read-only)	\??\Q:	ai进程守护.exe
File opened (read-only)	\??\V:	ai进程守护.exe
File opened (read-only)	\??\X:	ai进程守护.exe
File opened (read-only)	\??\Y:	ai进程守护.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ai进程守护.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ai进程守护.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe
1504	ai进程守护.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	880	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	880	AUDIODG.EXE
Token: 33	880	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	880	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1504	ai进程守护.exe

C:\Users\Admin\AppData\Local\Temp\ai进程守护.exe
"C:\Users\Admin\AppData\Local\Temp\ai进程守护.exe"
1⤵
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:316

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\shellcode.bin

Filesize
300KB

MD5
580130429f81a25eeb36c9f0e63925c6

SHA1
6baaf3130046a3daa36df902ba16b5c2c0354ac3

SHA256
9f9e9c9ec201fd805e2f0e2817c8c9a447d301900247e8a80ee65cee14a104ce

SHA512
7ae0762029d37abb4002bb2fb2234791b4612119238862f1bb3320eeb41b9d0168385d50b25483ad2dd241d212a36d24fae6a6871ed52414f6ecfece95ef9049

Download Submit
memory/1504-59-0x0000000000290000-0x00000000002DC000-memory.dmp

Filesize
304KB

Download
memory/1504-60-0x0000000180000000-0x0000000180054000-memory.dmp

Filesize
336KB

Download
memory/1504-66-0x0000000180000000-0x0000000180054000-memory.dmp

Filesize
336KB

Download
memory/1504-68-0x0000000180000000-0x0000000180054000-memory.dmp

Filesize
336KB

Download
memory/1504-69-0x0000000180000000-0x0000000180054000-memory.dmp

Filesize
336KB

Download
memory/1504-70-0x0000000180000000-0x0000000180054000-memory.dmp

Filesize
336KB

Download
memory/1504-71-0x0000000180000000-0x0000000180054000-memory.dmp

Filesize
336KB

Download
memory/1504-72-0x0000000180000000-0x0000000180054000-memory.dmp

Filesize
336KB

Download