0cfc4ec5d31d5c0630453dbad12c5bd68176abfdc4a657703cf83105d3eb3624

Resubmissions

25-08-2023 15:01

230825-sdyfdseg2t 7

Analysis

max time kernel
273s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25-08-2023 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

_sogou_pinyin_Release_13.8.0.8160_1111.exe
Size

121.2MB
MD5

32e82020e094e31a22eff21a8631720d
SHA1

d95795f0f07f570ae5032ff0e3b1ef9e92fd8078
SHA256

f36d62741de77493685c5fecd3d9bab16ec69ac48af10bbf3c6bd27e802c8086
SHA512

422c8e07eb8c16f9c03e05a2de3986fcdadf62b26d95341c21731d053fa5dc19810616552ab945cddfa6743fbb70d54d546fb780ef31e2c74072b52061b5d243
SSDEEP

3145728:VcsyS378uQ9FgVzhUL+vRV0Bp56wuoOYCHXT2CJGJwzuuK1h:VcsLpaFgVzhUm0BpMXSCJqwzuumh

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral7/memory/2592-0-0x0000000000400000-0x00000000006D5000-memory.dmp	upx
behavioral7/memory/2592-118-0x0000000000400000-0x00000000006D5000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

_sogou_pinyin_Release_13.8.0.8160_1111.exe

pid	process
2592	_sogou_pinyin_Release_13.8.0.8160_1111.exe
2592	_sogou_pinyin_Release_13.8.0.8160_1111.exe
2592	_sogou_pinyin_Release_13.8.0.8160_1111.exe
2592	_sogou_pinyin_Release_13.8.0.8160_1111.exe
2592	_sogou_pinyin_Release_13.8.0.8160_1111.exe
2592	_sogou_pinyin_Release_13.8.0.8160_1111.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

_sogou_pinyin_Release_13.8.0.8160_1111.exe

pid process

2592 _sogou_pinyin_Release_13.8.0.8160_1111.exe
2592 _sogou_pinyin_Release_13.8.0.8160_1111.exe

C:\Users\Admin\AppData\Local\Temp\_sogou_pinyin_Release_13.8.0.8160_1111.exe
"C:\Users\Admin\AppData\Local\Temp\_sogou_pinyin_Release_13.8.0.8160_1111.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsyA98A.tmp\SetupLib.dll

Filesize
5.7MB

MD5
01b82ddfb1370d2b3922a844aca83be5

SHA1
0bb3667c862dc135f4591d488ea326eaa37ad5db

SHA256
01631d03b131550e2bad7ed50722bb81a374e17b391e18473621b251ff8a7b92

SHA512
84057d2b812149c02e3da792055f90b38c5d85269f48fa711ac12adcbbe64e3dc41e4e0e8b6fd73e56d149f68bda8e477974d895846170deb5ccdcb80f1bd7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA98A.tmp\SetupLibNew.dll

Filesize
2.2MB

MD5
b68b37b9f475451e961c85781798ca1a

SHA1
006adc482d6c5afbada28d2219f5eae90f916b19

SHA256
b50adc1fd1aa6df8fd148cc78b37c8b7e277c470eefcf15c27dc239566c5d7bc

SHA512
b43360fd1315e8eae4fc396565dd7a1b15d00566c71cf05d493ddc82118832ed79cd38c6df2173e126f3ea06c8f5c2d434fa006a350b7fbdbef9e6325f5e1e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA98A.tmp\ioSpecial.ini

Filesize
958B

MD5
042b6c0e1d1d95a118278c16675dc9c3

SHA1
b079807cfafea57f6247cd154529ad371d685207

SHA256
0ed09b637167783415206c226df076c49bcab4d4cbbedfe597ec89c39a1ba20e

SHA512
73289808350e70d113e13ef7a2f552f9241531ea5be495834248e18452e32fd81af4c87c31cbb6a41d0c4452a5ce0f8b55cb7af347ce93c0d7e3f4da95fdeaa5

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA98A.tmp\HWSignature.dll

Filesize
137KB

MD5
34d9b6cbec8f5161b0e3b67ea98ab454

SHA1
a6db9aa9ccd11cd6d3436c331c6b444aa6c2caa8

SHA256
e662e4aa8e273a8cb59a7b5818aaa5519408579ad7f96f47d105b3b2c11d1313

SHA512
2f1be03cfbd70de3c12082689af3ac96154e172d1886a549b50724c505f7e0b2061877efc6b1034b08038292aa9d360a118eb5d5cc948df7d10a1e9d7186ebd6

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA98A.tmp\ImageMagik.dll

Filesize
5.9MB

MD5
333fc7f32226a7db5e8cceeb256ac0e6

SHA1
17e9bf367964ac530a75f8f4d69508437e10f65d

SHA256
dd8d873a91a23689798058c1fe17fde9e39ec9491c7bf562c8e3ab66d57e239e

SHA512
2c4ea1bd2fa04f568d69f77924220f5cbb724a8840b8e1cd219d7e4c8ff9d03f5bbf57ce0f6fde01c1f4fdd86c2fe984e02dfbdfbf4a657b47a75e42532a6162

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA98A.tmp\InstallOptions.dll

Filesize
15KB

MD5
34d24e6ecdfb6859096816436c5875da

SHA1
a4504b5eccc48ce867623dd1d081a760ab70a12f

SHA256
734d6299964cab87eeeb5f8c7e5bdf6aa8c3e29d938fdd1ada6addcd5006de28

SHA512
cf163ef71ed297259371d5bb352f8b0ef5e8bab9ad2168a26714e2d9f9037af87ec48b7e983b9fa9dc3f478c02cc0775583d52aca7604f3ac1e4a8882b3ecad9

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA98A.tmp\SetupLib.dll

Filesize
5.7MB

MD5
01b82ddfb1370d2b3922a844aca83be5

SHA1
0bb3667c862dc135f4591d488ea326eaa37ad5db

SHA256
01631d03b131550e2bad7ed50722bb81a374e17b391e18473621b251ff8a7b92

SHA512
84057d2b812149c02e3da792055f90b38c5d85269f48fa711ac12adcbbe64e3dc41e4e0e8b6fd73e56d149f68bda8e477974d895846170deb5ccdcb80f1bd7ef

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA98A.tmp\SetupLibNew.dll

Filesize
2.2MB

MD5
b68b37b9f475451e961c85781798ca1a

SHA1
006adc482d6c5afbada28d2219f5eae90f916b19

SHA256
b50adc1fd1aa6df8fd148cc78b37c8b7e277c470eefcf15c27dc239566c5d7bc

SHA512
b43360fd1315e8eae4fc396565dd7a1b15d00566c71cf05d493ddc82118832ed79cd38c6df2173e126f3ea06c8f5c2d434fa006a350b7fbdbef9e6325f5e1e12

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA98A.tmp\System.dll

Filesize
11KB

MD5
c51fc979c1c3e17bece7bd194aeb6ea2

SHA1
9a5d000d6393f2980062b4cc6e8f543493b1be8f

SHA256
93a8e95708882e56250ae55aef93417333b2dbe7ea99590abed34cdca2227e61

SHA512
716cdeb890307ff42901464dd24aa94e29415ef20d4e975c2733e34330fdf85edfd4ad9e00878edbe98921deebe44153279cb95acb309c5e1812026716dcdc4e

Download Submit
memory/2592-0-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/2592-25-0x000000006D3C0000-0x000000006D3D0000-memory.dmp

Filesize
64KB

Download
memory/2592-32-0x0000000003950000-0x0000000003975000-memory.dmp

Filesize
148KB

Download
memory/2592-18-0x00000000033B0000-0x00000000035FE000-memory.dmp

Filesize
2.3MB

Download
memory/2592-12-0x000000006D3D0000-0x000000006D3E0000-memory.dmp

Filesize
64KB

Download
memory/2592-118-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download