fdd100611f6b894cc124c11840fa506cf595dcd7681855d1d0c08c33b97e49a3

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
25/08/2023, 04:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

被控端.exe
Size

1.3MB
MD5

a81c0bc1b3dcd4a5386f81c3f013afc0
SHA1

a2e0553d84f25859d3509d64ed58809a68104052
SHA256

9fa13f87b3b7154c68c36fc9ec5cd3dec4c5ee2a7d78f06edd93539b1ac27aed
SHA512

723de3db4cbaa416c7feea215f44064a2ce2f6e0d87e738afa5847a1ee172736328efd11e6d1e4b9ab33dc89c350f279142f0eb758ae260ee872390b65826f5f
SSDEEP

24576:OXpQs62u6fGL0Jr8Ub09JskxRyEgSI84VxOFRbfDmorQf5lOBzLaTATPLo824WgB:OZz6ofGm8UA9JskxRyjSI84VxuRbfLrm

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1628	DBremotes.exe
2764	DBremotes.exe
2216	DBremotes.exe

Loads dropped DLL 7 IoCs

pid	Process
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
2764	DBremotes.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/1580-0-0x0000000000400000-0x000000000078E000-memory.dmp	upx
behavioral3/memory/1580-46-0x0000000000400000-0x000000000078E000-memory.dmp	upx
behavioral3/memory/1580-47-0x0000000000400000-0x000000000078E000-memory.dmp	upx
behavioral3/memory/1580-48-0x0000000000400000-0x000000000078E000-memory.dmp	upx
behavioral3/memory/1580-49-0x0000000000400000-0x000000000078E000-memory.dmp	upx
behavioral3/memory/1580-50-0x0000000000400000-0x000000000078E000-memory.dmp	upx
behavioral3/memory/1580-51-0x0000000000400000-0x000000000078E000-memory.dmp	upx
behavioral3/memory/1580-52-0x0000000000400000-0x000000000078E000-memory.dmp	upx
behavioral3/memory/1580-59-0x0000000000400000-0x000000000078E000-memory.dmp	upx
behavioral3/memory/1580-60-0x0000000000400000-0x000000000078E000-memory.dmp	upx
behavioral3/memory/1580-61-0x0000000000400000-0x000000000078E000-memory.dmp	upx
behavioral3/memory/1580-62-0x0000000000400000-0x000000000078E000-memory.dmp	upx
behavioral3/memory/1580-63-0x0000000000400000-0x000000000078E000-memory.dmp	upx
behavioral3/memory/1580-64-0x0000000000400000-0x000000000078E000-memory.dmp	upx
behavioral3/memory/1580-71-0x0000000000400000-0x000000000078E000-memory.dmp	upx
behavioral3/memory/1580-72-0x0000000000400000-0x000000000078E000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	被控端.exe
File opened (read-only)	\??\Q:	被控端.exe
File opened (read-only)	\??\T:	被控端.exe
File opened (read-only)	\??\Z:	被控端.exe
File opened (read-only)	\??\G:	被控端.exe
File opened (read-only)	\??\H:	被控端.exe
File opened (read-only)	\??\K:	被控端.exe
File opened (read-only)	\??\L:	被控端.exe
File opened (read-only)	\??\M:	被控端.exe
File opened (read-only)	\??\O:	被控端.exe
File opened (read-only)	\??\R:	被控端.exe
File opened (read-only)	\??\S:	被控端.exe
File opened (read-only)	\??\W:	被控端.exe
File opened (read-only)	\??\Y:	被控端.exe
File opened (read-only)	\??\E:	被控端.exe
File opened (read-only)	\??\I:	被控端.exe
File opened (read-only)	\??\J:	被控端.exe
File opened (read-only)	\??\N:	被控端.exe
File opened (read-only)	\??\X:	被控端.exe
File opened (read-only)	\??\B:	被控端.exe
File opened (read-only)	\??\P:	被控端.exe
File opened (read-only)	\??\U:	被控端.exe
File opened (read-only)	\??\V:	被控端.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe
1580	被控端.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1580	被控端.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1580	被控端.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe
2216	DBremotes.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1580	被控端.exe
1580	被控端.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 1628	1580	被控端.exe	31
PID 1580 wrote to memory of 1628	1580	被控端.exe	31
PID 1580 wrote to memory of 1628	1580	被控端.exe	31
PID 1580 wrote to memory of 1628	1580	被控端.exe	31
PID 1580 wrote to memory of 2764	1580	被控端.exe	32
PID 1580 wrote to memory of 2764	1580	被控端.exe	32
PID 1580 wrote to memory of 2764	1580	被控端.exe	32
PID 1580 wrote to memory of 2764	1580	被控端.exe	32
PID 2764 wrote to memory of 2216	2764	DBremotes.exe	33
PID 2764 wrote to memory of 2216	2764	DBremotes.exe	33
PID 2764 wrote to memory of 2216	2764	DBremotes.exe	33
PID 2764 wrote to memory of 2216	2764	DBremotes.exe	33

C:\Users\Admin\AppData\Local\Temp\被控端.exe
"C:\Users\Admin\AppData\Local\Temp\被控端.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\AppData\Local\Temp\inc\DBremotes.exe
  C:\Users\Admin\AppData\Local\Temp\inc\DBremotes.exe -setservicevncpass 0e74f08 -setservicereadpass 0e74f09 -setservicerfbport 49218 -setserviceremovedeskwall 1 -setservicetrayicon 0 -setapp
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\inc\DBremotes.exe
  "C:\Users\Admin\AppData\Local\Temp\inc\DBremotes.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\inc\DBremotes.exe
    "C:\Users\Admin\AppData\Local\Temp\inc\DBremotes.exe" -controlapp -slave
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\inc\25_rdpClient.log

Filesize
637B

MD5
a11227b32821325eb9f417df9c91ea64

SHA1
ee5bf38fe06e87fcaa6d0c094fbfea60fb6a63c2

SHA256
776a45cfbd5c9a8f5f76940c39a8df3a22461001f930390695b3cc7e6bb8633f

SHA512
773ec3859aa23f34f59f8e90d78ab148342a1bdecdf8f055768c25c8f5a31d58a06745750a87d1ef0ac440789bac5e5616a0fd82ddcee027a661058b37bbf02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\inc\DBremotes.exe

Filesize
1.8MB

MD5
21097291ae55dc2565a4c0362348b7f1

SHA1
ae371de55ea330d2beadaafbd3353ef0aa7c696c

SHA256
dda179f332180866998386fe447656e1432187c989e970fc19d41d30be70adeb

SHA512
718fab5e6c1ac0e0ed82c31143442426346c6a5a0527d527f03ddc11e60d0445a33c287691fe2170e69ecfd914ffa28b0c9622c397e37e25c0370efe52906fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\inc\DBremotes.exe

Filesize
1.8MB

MD5
21097291ae55dc2565a4c0362348b7f1

SHA1
ae371de55ea330d2beadaafbd3353ef0aa7c696c

SHA256
dda179f332180866998386fe447656e1432187c989e970fc19d41d30be70adeb

SHA512
718fab5e6c1ac0e0ed82c31143442426346c6a5a0527d527f03ddc11e60d0445a33c287691fe2170e69ecfd914ffa28b0c9622c397e37e25c0370efe52906fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\inc\DBremotes.exe

Filesize
1.8MB

MD5
21097291ae55dc2565a4c0362348b7f1

SHA1
ae371de55ea330d2beadaafbd3353ef0aa7c696c

SHA256
dda179f332180866998386fe447656e1432187c989e970fc19d41d30be70adeb

SHA512
718fab5e6c1ac0e0ed82c31143442426346c6a5a0527d527f03ddc11e60d0445a33c287691fe2170e69ecfd914ffa28b0c9622c397e37e25c0370efe52906fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\inc\DBremotes.exe

Filesize
1.8MB

MD5
21097291ae55dc2565a4c0362348b7f1

SHA1
ae371de55ea330d2beadaafbd3353ef0aa7c696c

SHA256
dda179f332180866998386fe447656e1432187c989e970fc19d41d30be70adeb

SHA512
718fab5e6c1ac0e0ed82c31143442426346c6a5a0527d527f03ddc11e60d0445a33c287691fe2170e69ecfd914ffa28b0c9622c397e37e25c0370efe52906fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\inc\DBremotes.exe

Filesize
1.8MB

MD5
21097291ae55dc2565a4c0362348b7f1

SHA1
ae371de55ea330d2beadaafbd3353ef0aa7c696c

SHA256
dda179f332180866998386fe447656e1432187c989e970fc19d41d30be70adeb

SHA512
718fab5e6c1ac0e0ed82c31143442426346c6a5a0527d527f03ddc11e60d0445a33c287691fe2170e69ecfd914ffa28b0c9622c397e37e25c0370efe52906fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\inc\tsPairServer.dll

Filesize
191KB

MD5
c0755ec60b32bf59fb13758f958106e6

SHA1
73f0038c811b635a877d2e96069a9fc781c36115

SHA256
c3e7c4f23fbe61f17be9608b7be78094c19ec33b200c94e3666f14f2fe38483b

SHA512
5cf36feadbe72cbe536f8174b74c5755cfa72d5e727e9df264d558f5f40b0dad7f7c875786fc14fcdcdfa72836800639249f2ffc6fd548ed54f9327000524fdf

Download Submit
\Users\Admin\AppData\Local\Temp\inc\DBremotes.exe

Filesize
1.8MB

MD5
21097291ae55dc2565a4c0362348b7f1

SHA1
ae371de55ea330d2beadaafbd3353ef0aa7c696c

SHA256
dda179f332180866998386fe447656e1432187c989e970fc19d41d30be70adeb

SHA512
718fab5e6c1ac0e0ed82c31143442426346c6a5a0527d527f03ddc11e60d0445a33c287691fe2170e69ecfd914ffa28b0c9622c397e37e25c0370efe52906fb3

Download Submit
\Users\Admin\AppData\Local\Temp\inc\DBremotes.exe

Filesize
1.8MB

MD5
21097291ae55dc2565a4c0362348b7f1

SHA1
ae371de55ea330d2beadaafbd3353ef0aa7c696c

SHA256
dda179f332180866998386fe447656e1432187c989e970fc19d41d30be70adeb

SHA512
718fab5e6c1ac0e0ed82c31143442426346c6a5a0527d527f03ddc11e60d0445a33c287691fe2170e69ecfd914ffa28b0c9622c397e37e25c0370efe52906fb3

Download Submit
\Users\Admin\AppData\Local\Temp\inc\DBremotes.exe

Filesize
1.8MB

MD5
21097291ae55dc2565a4c0362348b7f1

SHA1
ae371de55ea330d2beadaafbd3353ef0aa7c696c

SHA256
dda179f332180866998386fe447656e1432187c989e970fc19d41d30be70adeb

SHA512
718fab5e6c1ac0e0ed82c31143442426346c6a5a0527d527f03ddc11e60d0445a33c287691fe2170e69ecfd914ffa28b0c9622c397e37e25c0370efe52906fb3

Download Submit
\Users\Admin\AppData\Local\Temp\inc\ToolTsClient.dll

Filesize
172KB

MD5
446c0a7734db91342b8b10e57f3a6b09

SHA1
1c2e26eb886243b12fa7a4c9a8712d2d877b3751

SHA256
29f83514c7028c7de0fb07aeb4ed8120b460e757880634d675e6fde1386d76f1

SHA512
56acfdd0c24adc8e132eeab17159815fcf60e2e84016e1b2d2bfcf19c901165ea180bb5a143051cfcc6fd90e252a21efa01e1e028099a7b0fcb4c34f0dd204ff

Download Submit
\Users\Admin\AppData\Local\Temp\inc\tsPairServer.dll

Filesize
191KB

MD5
c0755ec60b32bf59fb13758f958106e6

SHA1
73f0038c811b635a877d2e96069a9fc781c36115

SHA256
c3e7c4f23fbe61f17be9608b7be78094c19ec33b200c94e3666f14f2fe38483b

SHA512
5cf36feadbe72cbe536f8174b74c5755cfa72d5e727e9df264d558f5f40b0dad7f7c875786fc14fcdcdfa72836800639249f2ffc6fd548ed54f9327000524fdf

Download Submit
\Users\Admin\AppData\Local\Temp\inc\tsPairServer.dll

Filesize
191KB

MD5
c0755ec60b32bf59fb13758f958106e6

SHA1
73f0038c811b635a877d2e96069a9fc781c36115

SHA256
c3e7c4f23fbe61f17be9608b7be78094c19ec33b200c94e3666f14f2fe38483b

SHA512
5cf36feadbe72cbe536f8174b74c5755cfa72d5e727e9df264d558f5f40b0dad7f7c875786fc14fcdcdfa72836800639249f2ffc6fd548ed54f9327000524fdf

Download Submit
\Users\Admin\AppData\Local\Temp\inc\tsPairServer.dll

Filesize
191KB

MD5
c0755ec60b32bf59fb13758f958106e6

SHA1
73f0038c811b635a877d2e96069a9fc781c36115

SHA256
c3e7c4f23fbe61f17be9608b7be78094c19ec33b200c94e3666f14f2fe38483b

SHA512
5cf36feadbe72cbe536f8174b74c5755cfa72d5e727e9df264d558f5f40b0dad7f7c875786fc14fcdcdfa72836800639249f2ffc6fd548ed54f9327000524fdf

Download Submit
memory/1580-51-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1580-52-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1580-47-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1580-48-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1580-49-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1580-50-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1580-0-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1580-46-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1580-59-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1580-60-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1580-61-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1580-62-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1580-63-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1580-64-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1580-71-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/1580-72-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download