a9361f6e81c1dc5f30012ece35c04c75d5e772424a522ce6addbf0d5df5e0933

Analysis

max time kernel
27s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-06-2023 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

登录器配置器.exe
Size

6.1MB
MD5

98bff83ff9b0e5216d3d6a3cba12906a
SHA1

ffec014a12e35e5f0ca2e83b1fe3292fb94ab47e
SHA256

a9361f6e81c1dc5f30012ece35c04c75d5e772424a522ce6addbf0d5df5e0933
SHA512

d86b9a29b3715699bb0d3a0f7921a2e7175102d4bd5195d167dcb5d24dd6d387f3d62a8a6a3a4f312820942661adfd77a24c8f2d420560046ca20515e87ec3fd
SSDEEP

98304:S+c0hRUbtkCnPgF2ABKJH6DhHU06OT3Z1B+zzow/rmshM62OaN:FDUbtkCPTyHUx0JizJF2OaN

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BelFhN.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\BelFhN.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\BelFhN.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\BelFhN.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\BelFhN.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

BelFhN.exe

pid process

1772 BelFhN.exe
Loads dropped DLL 2 IoCs

Processes:

登录器配置器.exe

pid process

936 登录器配置器.exe
936 登录器配置器.exe

pid	process
1772	BelFhN.exe

pid	process
936	登录器配置器.exe
936	登录器配置器.exe

Drops file in Program Files directory 64 IoCs

Processes:

BelFhN.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	BelFhN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	BelFhN.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	BelFhN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	BelFhN.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	BelFhN.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	BelFhN.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	BelFhN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	BelFhN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	BelFhN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	BelFhN.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{EEE65B22-4DC6-43D4-B813-CF8D85346324}\chrome_installer.exe	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	BelFhN.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	BelFhN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	BelFhN.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	BelFhN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	BelFhN.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	BelFhN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	BelFhN.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	BelFhN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	BelFhN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	BelFhN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	BelFhN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

登录器配置器.exeBelFhN.exe

description	pid	process	target process
PID 936 wrote to memory of 1772	936	登录器配置器.exe	BelFhN.exe
PID 936 wrote to memory of 1772	936	登录器配置器.exe	BelFhN.exe
PID 936 wrote to memory of 1772	936	登录器配置器.exe	BelFhN.exe
PID 936 wrote to memory of 1772	936	登录器配置器.exe	BelFhN.exe
PID 1772 wrote to memory of 1120	1772	BelFhN.exe	cmd.exe
PID 1772 wrote to memory of 1120	1772	BelFhN.exe	cmd.exe
PID 1772 wrote to memory of 1120	1772	BelFhN.exe	cmd.exe
PID 1772 wrote to memory of 1120	1772	BelFhN.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\登录器配置器.exe
"C:\Users\Admin\AppData\Local\Temp\登录器配置器.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\BelFhN.exe
C:\Users\Admin\AppData\Local\Temp\BelFhN.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\00a47674.bat" "
3⤵
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00a47674.bat
Filesize
187B

MD5
0f54c0ec8501181f8020e4856682631a

SHA1
5078c0b682f3db2483b8b7ad205c9d1e2ce5b2f4

SHA256
082d74aef640ff1767da8205c21b9aacb06ab3c1892d6efc10793a3cbc936c2f

SHA512
8d3ea99236259ae7401c8d568d45e0d3fa8e336f4577876cea9fec5de07ca56512f75832c1d10628bd8a6394825d02b9a8a215880ec8a882b6e56be969040eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\00a47674.bat
Filesize
187B

MD5
0f54c0ec8501181f8020e4856682631a

SHA1
5078c0b682f3db2483b8b7ad205c9d1e2ce5b2f4

SHA256
082d74aef640ff1767da8205c21b9aacb06ab3c1892d6efc10793a3cbc936c2f

SHA512
8d3ea99236259ae7401c8d568d45e0d3fa8e336f4577876cea9fec5de07ca56512f75832c1d10628bd8a6394825d02b9a8a215880ec8a882b6e56be969040eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\438654FF.exe
Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\438654FF.exe
Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BelFhN.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BelFhN.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BelFhN.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\BelFhN.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\BelFhN.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/936-66-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/936-99-0x0000000000400000-0x0000000001041000-memory.dmp

Filesize
12.3MB

Download
memory/936-100-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/936-64-0x0000000000400000-0x0000000001041000-memory.dmp

Filesize
12.3MB

Download
memory/1772-67-0x0000000000C20000-0x0000000000C29000-memory.dmp

Filesize
36KB

Download
memory/1772-108-0x0000000000C20000-0x0000000000C29000-memory.dmp

Filesize
36KB

Download