Analysis
- max time kernel: 50s
- max time network: 52s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-ja
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
- submitted: 20-06-2023 15:47
- Static task: static1
General
- Target: maochilaoshu.exe
- Size: 2.9MB
- MD5: 0772c75ff821f29e479ddc1da9a87740
- SHA1: a06b6ed12126982f590893526ae6e3eec56ee4fc
- SHA256: 97c0b79f8421a1b0c3ef8129564ecf8b6ef037bdd432c8e856fd84e5d207edf4
- SHA512: f0c40bb177c6ec4879840410fd0510bdf3c5d3e6a0de8d8f4ca98c23d0557f41f3e557184637ee9b29821b24927d5cea2951b118c84f5164a65ed3a580631286
- SSDEEP: 49152:WVbFeZNzXNBukNbW1Z6ZbaHcYz5aAVKiw6ZWqTG93jJ3hWpVcQ:ubONzdBPKg3Yz5J/693kb
Malware Config
Signatures
-
  Processes:
    resource: behavioral1/memory/1356-175-0x0000000010000000-0x0000000010192000-memory.dmp
    yara_rule: purplefox_rootkit
- Gh0st RAT payload (1 IoCs)
  Processes:
    resource: behavioral1/memory/1356-175-0x0000000010000000-0x0000000010192000-memory.dmp
    yara_rule: family_gh0strat
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
    process: maochilaoshu.exe
- Executes dropped EXE (3 IoCs)
  Processes:
    pid 4696: v.exe
    pid 4844: v.exe
    pid 1356: jerryrat.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description: File opened (read-only)
    process: jerryrat.exe
    ioc: \??\M:, \??\P:, \??\Q:, \??\R:, \??\T:, \??\U:, \??\E:, \??\I:, \??\V:, \??\K:, \??\N:, \??\S:, \??\Y:, \??\B:, \??\G:, \??\X:, \??\J:, \??\L:, \??\O:, \??\W:, \??\Z:, \??\F:, \??\H:
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes:
    pid: 4232
    pid_target: 452
    process: WerFault.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (jerryrat.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (jerryrat.exe)
- Modifies registry class (1 IoCs)
  Processes:
    Key created: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings (maochilaoshu.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 3688: maochilaoshu.exe (repeated entries)
    pid 1356: jerryrat.exe (repeated entries)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
    pid 3688: maochilaoshu.exe (2 entries)
    pid 2668: hh.exe (2 entries)
    pid 4364: hh.exe (2 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (each pair recorded 3 times):
    PID 3688 maochilaoshu.exe wrote to memory of PID 3792 cmd.exe
    PID 3792 cmd.exe wrote to memory of PID 3900 reg.exe
    PID 3688 maochilaoshu.exe wrote to memory of PID 4696 v.exe
    PID 3688 maochilaoshu.exe wrote to memory of PID 4844 v.exe
    PID 3688 maochilaoshu.exe wrote to memory of PID 1356 jerryrat.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\maochilaoshu.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\maochilaoshu.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 2)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (depth 3)
          Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
    - C:\Users\Public\xiaodaxzqxia\v.exe (depth 2)
      Command line: "C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
      - Executes dropped EXE
    - C:\Users\Public\xiaodaxzqxia\v.exe (depth 2)
      Command line: "C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\ma
      - Executes dropped EXE
    - C:\Users\Public\xiaodaxzqxia\jerryrat.exe (depth 2)
      Command line: C:\Users\Public\xiaodaxzqxia\jerryrat.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\rundll32.exe (depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\hh.exe (depth 1)
  Command line: "C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\9111884419198725\A11.chm
  - Suspicious use of SetWindowsHookEx
- C:\Windows\hh.exe (depth 1)
  Command line: "C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\9111884419198725\A11.chm
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\WerFault.exe (depth 1)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 436 -p 452 -ip 452
- C:\Windows\system32\WerFault.exe (depth 1)
  Command line: C:\Windows\system32\WerFault.exe -u -p 452 -s 1108
  - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
  Filesize: 8KB
  MD5: adc8b0e1cd2921f762477f24ac5c4d35
  SHA1: f2523ed6882cf80816e20dc80b87b664143e4e81
  SHA256: ebeda0a4edfdf1edc04dfd7f9488dc85c63d1596d9021569b7c453b971d5da25
  SHA512: 541e277b78360aeb7e18cab92a4e73092484eec662415ef639fc9d0df056f12cea3aaf5e7584d90dae06cc79d7c6536dad6d745ae6e8513cc0a0f4eccc54d43b
- C:\Users\Public\cxzvasdfg\9111884419198725\A11.chm
  Filesize: 11KB
  MD5: db7961bf21e69e9cdbbfbc5357b6ae84
  SHA1: 6b43da6f1a502cc3ede9a46a71536e79335e3169
  SHA256: 49c7fc9d58e588bdcac23d7d576b699d49d5497de8afcb73be23cab89edf3b0e
  SHA512: e0c7f502e60c9a15d407416645266614dd1e29c42c4711f1f3e10bd0de4c2404994fc71d3cb73a5ca56977afdf36f96c4e60b2bccce7459a1988877f197312f8
- C:\Users\Public\xiaodaxzqxia\111
  Filesize: 1.5MB
  MD5: 6a37b4b3fa7c30242de550f429aedef1
  SHA1: f7996877a0cdae7c6328c19c35f430f90803cae1
  SHA256: a52e30d8dc89acd2e22fb56e95c919ed87fe908b829e77f380e284d9a2312776
  SHA512: c715f6c0588f5534c79c5580840f412ca8693e546551b5786bedc8c8a1d76af36d8fb5b8fe19435b9ec182da19ff27b81693a739674ee83de52d103d6a8fd1f8
- C:\Users\Public\xiaodaxzqxia\jerryrat.exe
  Filesize: 101.8MB
  MD5: bf1b730495a79f66eab2aac35a0b2817
  SHA1: d89578047501d4e220de0a47872f1515117153a2
  SHA256: c823dd3f6793fb25914a64329dff85d770929df1dd1561bff47c59033aecdbd8
  SHA512: e49bb70fd9608cbabb9e433b441224aaf46df31526b82c9463711b21e3ffa34c03c459eab25ca89f70949118fed9c5cb4113498a6263cdefaeef6f61e81c7bd4
- C:\Users\Public\xiaodaxzqxia\jerryrat.exe
  Filesize: 101.8MB
  MD5: bf1b730495a79f66eab2aac35a0b2817
  SHA1: d89578047501d4e220de0a47872f1515117153a2
  SHA256: c823dd3f6793fb25914a64329dff85d770929df1dd1561bff47c59033aecdbd8
  SHA512: e49bb70fd9608cbabb9e433b441224aaf46df31526b82c9463711b21e3ffa34c03c459eab25ca89f70949118fed9c5cb4113498a6263cdefaeef6f61e81c7bd4
- C:\Users\Public\xiaodaxzqxia\ma
  Filesize: 799KB
  MD5: d66f3d98bb9260a2f25cb79fc43253d7
  SHA1: 74862b6db445959a9ef16a51b73c3dcedbe9be81
  SHA256: 64d9b2c4e4772ba2ee30f878aa0d006983b4de15764c8e7ddae74dc39611857c
  SHA512: a830419304436966604f97022c9f938041196596f50864bee31ddda1d401e93e3f0494263652c8e3de277c81e6bb84eb20222efaea75c1af1ece374fe555b46c
- C:\Users\Public\xiaodaxzqxia\n.bat
  Filesize: 263B
  MD5: c7d8b33e05722104d63de564a5d92b01
  SHA1: fd703f1c71ac1dae65dc34f3521854604cec8091
  SHA256: 538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a
  SHA512: 54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e
- C:\Users\Public\xiaodaxzqxia\v.exe
  Filesize: 161KB
  MD5: fecf803f7d84d4cfa81277298574d6e6
  SHA1: 0fd9a61bf9a361f87661de295e70a9c6795fe6a1
  SHA256: 81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a
  SHA512: a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4
- C:\Users\Public\xiaodaxzqxia\v.exe
  Filesize: 161KB
  MD5: fecf803f7d84d4cfa81277298574d6e6
  SHA1: 0fd9a61bf9a361f87661de295e70a9c6795fe6a1
  SHA256: 81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a
  SHA512: a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4
- C:\Users\Public\xiaodaxzqxia\v.exe
  Filesize: 161KB
  MD5: fecf803f7d84d4cfa81277298574d6e6
  SHA1: 0fd9a61bf9a361f87661de295e70a9c6795fe6a1
  SHA256: 81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a
  SHA512: a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4
- memory/1356-175-0x0000000010000000-0x0000000010192000-memory.dmp
  Filesize: 1.6MB
- memory/4696-152-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/4844-171-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB