Analysis
max time kernel: 60s
max time network: 62s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2023 15:51
Static task: static1
General
Target: maochilaoshu.exe
Size: 2.9MB
MD5: 0772c75ff821f29e479ddc1da9a87740
SHA1: a06b6ed12126982f590893526ae6e3eec56ee4fc
SHA256: 97c0b79f8421a1b0c3ef8129564ecf8b6ef037bdd432c8e856fd84e5d207edf4
SHA512: f0c40bb177c6ec4879840410fd0510bdf3c5d3e6a0de8d8f4ca98c23d0557f41f3e557184637ee9b29821b24927d5cea2951b118c84f5164a65ed3a580631286
SSDEEP: 49152:WVbFeZNzXNBukNbW1Z6ZbaHcYz5aAVKiw6ZWqTG93jJ3hWpVcQ:ubONzdBPKg3Yz5J/693kb
Malware Config
Signatures

Processes (resource | yara_rule):
  behavioral1/memory/4424-175-0x0000000010000000-0x0000000010192000-memory.dmp | purplefox_rootkit

Gh0st RAT payload (1 IoC)
Processes (resource | yara_rule):
  behavioral1/memory/4424-175-0x0000000010000000-0x0000000010192000-memory.dmp | family_gh0strat
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (process | description | ioc):
  maochilaoshu.exe | Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (3 IoCs)
Processes (pid | process):
  248 | v.exe
  3200 | v.exe
  4424 | jerryrat.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (process | description | ioc):
  jerryrat.exe | File opened (read-only) | \??\J:, \??\M:, \??\X:, \??\Y:, \??\B:, \??\K:, \??\P:, \??\R:, \??\O:, \??\U:, \??\E:, \??\G:, \??\H:, \??\I:, \??\L:, \??\V:, \??\W:, \??\Z:, \??\F:, \??\N:, \??\Q:, \??\S:, \??\T: (one entry per drive letter, 23 in total)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (process | description | ioc):
  jerryrat.exe | Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  jerryrat.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Modifies registry class (1 IoC)
Processes (process | description | ioc):
  maochilaoshu.exe | Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process):
  4176 | maochilaoshu.exe (repeated entries)
  4424 | jerryrat.exe (repeated entries)
  (64 entries in total, all for these two processes)
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes (pid | process):
  4176 | maochilaoshu.exe (x2)
  1336 | hh.exe (x2)
  3684 | hh.exe (x2)
  3848 | hh.exe (x2)
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description | pid | process | target process), each entry recorded three times:
  PID 4176 wrote to memory of 1900 | 4176 | maochilaoshu.exe | cmd.exe
  PID 1900 wrote to memory of 3084 | 1900 | cmd.exe | reg.exe
  PID 4176 wrote to memory of 248 | 4176 | maochilaoshu.exe | v.exe
  PID 4176 wrote to memory of 3200 | 4176 | maochilaoshu.exe | v.exe
  PID 4176 wrote to memory of 4424 | 4176 | maochilaoshu.exe | jerryrat.exe
Processes

C:\Users\Admin\AppData\Local\Temp\maochilaoshu.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\maochilaoshu.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f

  C:\Users\Public\xiaodaxzqxia\v.exe
    command line: "C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
    - Executes dropped EXE

  C:\Users\Public\xiaodaxzqxia\v.exe
    command line: "C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\ma
    - Executes dropped EXE

  C:\Users\Public\xiaodaxzqxia\jerryrat.exe
    command line: C:\Users\Public\xiaodaxzqxia\jerryrat.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\hh.exe (three separate instances, each with the same command line)
  command line: "C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\5267770094464106\A11.chm
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
  Filesize: 8KB
  MD5: ccbec2d090894178ce950544cd652325
  SHA1: 8cfbecddeb69db2cae91204709467718725fd691
  SHA256: 1918efa04c1930b7407c4dbe8cf725302c5cc57dcfebdbeb019b1e3cad65676a
  SHA512: f54dfd15e98cd4d100a29f0f78e60f511ac7a479ac38db5c1c0aa872310fddd2f9270c91d1d31ec1fcaf6260ec04cc91f5ca667b18b150e8dfb97b7f7c674796

C:\Users\Public\cxzvasdfg\5267770094464106\A11.chm
  Filesize: 11KB
  MD5: db7961bf21e69e9cdbbfbc5357b6ae84
  SHA1: 6b43da6f1a502cc3ede9a46a71536e79335e3169
  SHA256: 49c7fc9d58e588bdcac23d7d576b699d49d5497de8afcb73be23cab89edf3b0e
  SHA512: e0c7f502e60c9a15d407416645266614dd1e29c42c4711f1f3e10bd0de4c2404994fc71d3cb73a5ca56977afdf36f96c4e60b2bccce7459a1988877f197312f8

C:\Users\Public\xiaodaxzqxia\111
  Filesize: 1.5MB
  MD5: 6a37b4b3fa7c30242de550f429aedef1
  SHA1: f7996877a0cdae7c6328c19c35f430f90803cae1
  SHA256: a52e30d8dc89acd2e22fb56e95c919ed87fe908b829e77f380e284d9a2312776
  SHA512: c715f6c0588f5534c79c5580840f412ca8693e546551b5786bedc8c8a1d76af36d8fb5b8fe19435b9ec182da19ff27b81693a739674ee83de52d103d6a8fd1f8

C:\Users\Public\xiaodaxzqxia\jerryrat.exe
  Filesize: 101.8MB
  MD5: bf1b730495a79f66eab2aac35a0b2817
  SHA1: d89578047501d4e220de0a47872f1515117153a2
  SHA256: c823dd3f6793fb25914a64329dff85d770929df1dd1561bff47c59033aecdbd8
  SHA512: e49bb70fd9608cbabb9e433b441224aaf46df31526b82c9463711b21e3ffa34c03c459eab25ca89f70949118fed9c5cb4113498a6263cdefaeef6f61e81c7bd4

C:\Users\Public\xiaodaxzqxia\ma
  Filesize: 799KB
  MD5: d66f3d98bb9260a2f25cb79fc43253d7
  SHA1: 74862b6db445959a9ef16a51b73c3dcedbe9be81
  SHA256: 64d9b2c4e4772ba2ee30f878aa0d006983b4de15764c8e7ddae74dc39611857c
  SHA512: a830419304436966604f97022c9f938041196596f50864bee31ddda1d401e93e3f0494263652c8e3de277c81e6bb84eb20222efaea75c1af1ece374fe555b46c

C:\Users\Public\xiaodaxzqxia\n.bat
  Filesize: 263B
  MD5: c7d8b33e05722104d63de564a5d92b01
  SHA1: fd703f1c71ac1dae65dc34f3521854604cec8091
  SHA256: 538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a
  SHA512: 54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

C:\Users\Public\xiaodaxzqxia\v.exe
  Filesize: 161KB
  MD5: fecf803f7d84d4cfa81277298574d6e6
  SHA1: 0fd9a61bf9a361f87661de295e70a9c6795fe6a1
  SHA256: 81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a
  SHA512: a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

memory/248-160-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB

memory/3200-171-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB

memory/4424-175-0x0000000010000000-0x0000000010192000-memory.dmp
  Filesize: 1.6MB