0cfc4ec5d31d5c0630453dbad12c5bd68176abfdc4a657703cf83105d3eb3624

Resubmissions

25-08-2023 15:01

230825-sdyfdseg2t 7

Analysis

max time kernel
303s
max time network
271s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2023 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

_sogou_pinyin_Release_13.8.0.8160_1111.exe
Size

121.2MB
MD5

32e82020e094e31a22eff21a8631720d
SHA1

d95795f0f07f570ae5032ff0e3b1ef9e92fd8078
SHA256

f36d62741de77493685c5fecd3d9bab16ec69ac48af10bbf3c6bd27e802c8086
SHA512

422c8e07eb8c16f9c03e05a2de3986fcdadf62b26d95341c21731d053fa5dc19810616552ab945cddfa6743fbb70d54d546fb780ef31e2c74072b52061b5d243
SSDEEP

3145728:VcsyS378uQ9FgVzhUL+vRV0Bp56wuoOYCHXT2CJGJwzuuK1h:VcsLpaFgVzhUm0BpMXSCJqwzuumh

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral9/memory/1324-0-0x0000000000400000-0x00000000006D5000-memory.dmp	upx
behavioral9/memory/1324-138-0x0000000000400000-0x00000000006D5000-memory.dmp	upx

Loads dropped DLL 10 IoCs

Processes:

_sogou_pinyin_Release_13.8.0.8160_1111.exe

pid	process
1324	_sogou_pinyin_Release_13.8.0.8160_1111.exe
1324	_sogou_pinyin_Release_13.8.0.8160_1111.exe
1324	_sogou_pinyin_Release_13.8.0.8160_1111.exe
1324	_sogou_pinyin_Release_13.8.0.8160_1111.exe
1324	_sogou_pinyin_Release_13.8.0.8160_1111.exe
1324	_sogou_pinyin_Release_13.8.0.8160_1111.exe
1324	_sogou_pinyin_Release_13.8.0.8160_1111.exe
1324	_sogou_pinyin_Release_13.8.0.8160_1111.exe
1324	_sogou_pinyin_Release_13.8.0.8160_1111.exe
1324	_sogou_pinyin_Release_13.8.0.8160_1111.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

_sogou_pinyin_Release_13.8.0.8160_1111.exe

pid	process
1324	_sogou_pinyin_Release_13.8.0.8160_1111.exe
1324	_sogou_pinyin_Release_13.8.0.8160_1111.exe
1324	_sogou_pinyin_Release_13.8.0.8160_1111.exe
1324	_sogou_pinyin_Release_13.8.0.8160_1111.exe

C:\Users\Admin\AppData\Local\Temp\_sogou_pinyin_Release_13.8.0.8160_1111.exe
"C:\Users\Admin\AppData\Local\Temp\_sogou_pinyin_Release_13.8.0.8160_1111.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\HWSignature.dll

Filesize
137KB

MD5
34d9b6cbec8f5161b0e3b67ea98ab454

SHA1
a6db9aa9ccd11cd6d3436c331c6b444aa6c2caa8

SHA256
e662e4aa8e273a8cb59a7b5818aaa5519408579ad7f96f47d105b3b2c11d1313

SHA512
2f1be03cfbd70de3c12082689af3ac96154e172d1886a549b50724c505f7e0b2061877efc6b1034b08038292aa9d360a118eb5d5cc948df7d10a1e9d7186ebd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\HWSignature.dll

Filesize
137KB

MD5
34d9b6cbec8f5161b0e3b67ea98ab454

SHA1
a6db9aa9ccd11cd6d3436c331c6b444aa6c2caa8

SHA256
e662e4aa8e273a8cb59a7b5818aaa5519408579ad7f96f47d105b3b2c11d1313

SHA512
2f1be03cfbd70de3c12082689af3ac96154e172d1886a549b50724c505f7e0b2061877efc6b1034b08038292aa9d360a118eb5d5cc948df7d10a1e9d7186ebd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\HWSignature.dll

Filesize
137KB

MD5
34d9b6cbec8f5161b0e3b67ea98ab454

SHA1
a6db9aa9ccd11cd6d3436c331c6b444aa6c2caa8

SHA256
e662e4aa8e273a8cb59a7b5818aaa5519408579ad7f96f47d105b3b2c11d1313

SHA512
2f1be03cfbd70de3c12082689af3ac96154e172d1886a549b50724c505f7e0b2061877efc6b1034b08038292aa9d360a118eb5d5cc948df7d10a1e9d7186ebd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\ImageMagik.dll

Filesize
5.9MB

MD5
333fc7f32226a7db5e8cceeb256ac0e6

SHA1
17e9bf367964ac530a75f8f4d69508437e10f65d

SHA256
dd8d873a91a23689798058c1fe17fde9e39ec9491c7bf562c8e3ab66d57e239e

SHA512
2c4ea1bd2fa04f568d69f77924220f5cbb724a8840b8e1cd219d7e4c8ff9d03f5bbf57ce0f6fde01c1f4fdd86c2fe984e02dfbdfbf4a657b47a75e42532a6162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\InstallOptions.dll

Filesize
15KB

MD5
34d24e6ecdfb6859096816436c5875da

SHA1
a4504b5eccc48ce867623dd1d081a760ab70a12f

SHA256
734d6299964cab87eeeb5f8c7e5bdf6aa8c3e29d938fdd1ada6addcd5006de28

SHA512
cf163ef71ed297259371d5bb352f8b0ef5e8bab9ad2168a26714e2d9f9037af87ec48b7e983b9fa9dc3f478c02cc0775583d52aca7604f3ac1e4a8882b3ecad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\InstallOptions.dll

Filesize
15KB

MD5
34d24e6ecdfb6859096816436c5875da

SHA1
a4504b5eccc48ce867623dd1d081a760ab70a12f

SHA256
734d6299964cab87eeeb5f8c7e5bdf6aa8c3e29d938fdd1ada6addcd5006de28

SHA512
cf163ef71ed297259371d5bb352f8b0ef5e8bab9ad2168a26714e2d9f9037af87ec48b7e983b9fa9dc3f478c02cc0775583d52aca7604f3ac1e4a8882b3ecad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\InstallOptions.dll

Filesize
15KB

MD5
34d24e6ecdfb6859096816436c5875da

SHA1
a4504b5eccc48ce867623dd1d081a760ab70a12f

SHA256
734d6299964cab87eeeb5f8c7e5bdf6aa8c3e29d938fdd1ada6addcd5006de28

SHA512
cf163ef71ed297259371d5bb352f8b0ef5e8bab9ad2168a26714e2d9f9037af87ec48b7e983b9fa9dc3f478c02cc0775583d52aca7604f3ac1e4a8882b3ecad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\SetupLib.dll

Filesize
5.7MB

MD5
01b82ddfb1370d2b3922a844aca83be5

SHA1
0bb3667c862dc135f4591d488ea326eaa37ad5db

SHA256
01631d03b131550e2bad7ed50722bb81a374e17b391e18473621b251ff8a7b92

SHA512
84057d2b812149c02e3da792055f90b38c5d85269f48fa711ac12adcbbe64e3dc41e4e0e8b6fd73e56d149f68bda8e477974d895846170deb5ccdcb80f1bd7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\SetupLib.dll

Filesize
5.7MB

MD5
01b82ddfb1370d2b3922a844aca83be5

SHA1
0bb3667c862dc135f4591d488ea326eaa37ad5db

SHA256
01631d03b131550e2bad7ed50722bb81a374e17b391e18473621b251ff8a7b92

SHA512
84057d2b812149c02e3da792055f90b38c5d85269f48fa711ac12adcbbe64e3dc41e4e0e8b6fd73e56d149f68bda8e477974d895846170deb5ccdcb80f1bd7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\SetupLibNew.dll

Filesize
2.2MB

MD5
b68b37b9f475451e961c85781798ca1a

SHA1
006adc482d6c5afbada28d2219f5eae90f916b19

SHA256
b50adc1fd1aa6df8fd148cc78b37c8b7e277c470eefcf15c27dc239566c5d7bc

SHA512
b43360fd1315e8eae4fc396565dd7a1b15d00566c71cf05d493ddc82118832ed79cd38c6df2173e126f3ea06c8f5c2d434fa006a350b7fbdbef9e6325f5e1e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\SetupLibNew.dll

Filesize
2.2MB

MD5
b68b37b9f475451e961c85781798ca1a

SHA1
006adc482d6c5afbada28d2219f5eae90f916b19

SHA256
b50adc1fd1aa6df8fd148cc78b37c8b7e277c470eefcf15c27dc239566c5d7bc

SHA512
b43360fd1315e8eae4fc396565dd7a1b15d00566c71cf05d493ddc82118832ed79cd38c6df2173e126f3ea06c8f5c2d434fa006a350b7fbdbef9e6325f5e1e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\SetupLibNew.dll

Filesize
2.2MB

MD5
b68b37b9f475451e961c85781798ca1a

SHA1
006adc482d6c5afbada28d2219f5eae90f916b19

SHA256
b50adc1fd1aa6df8fd148cc78b37c8b7e277c470eefcf15c27dc239566c5d7bc

SHA512
b43360fd1315e8eae4fc396565dd7a1b15d00566c71cf05d493ddc82118832ed79cd38c6df2173e126f3ea06c8f5c2d434fa006a350b7fbdbef9e6325f5e1e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\System.dll

Filesize
11KB

MD5
c51fc979c1c3e17bece7bd194aeb6ea2

SHA1
9a5d000d6393f2980062b4cc6e8f543493b1be8f

SHA256
93a8e95708882e56250ae55aef93417333b2dbe7ea99590abed34cdca2227e61

SHA512
716cdeb890307ff42901464dd24aa94e29415ef20d4e975c2733e34330fdf85edfd4ad9e00878edbe98921deebe44153279cb95acb309c5e1812026716dcdc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\System.dll

Filesize
11KB

MD5
c51fc979c1c3e17bece7bd194aeb6ea2

SHA1
9a5d000d6393f2980062b4cc6e8f543493b1be8f

SHA256
93a8e95708882e56250ae55aef93417333b2dbe7ea99590abed34cdca2227e61

SHA512
716cdeb890307ff42901464dd24aa94e29415ef20d4e975c2733e34330fdf85edfd4ad9e00878edbe98921deebe44153279cb95acb309c5e1812026716dcdc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\System.dll

Filesize
11KB

MD5
c51fc979c1c3e17bece7bd194aeb6ea2

SHA1
9a5d000d6393f2980062b4cc6e8f543493b1be8f

SHA256
93a8e95708882e56250ae55aef93417333b2dbe7ea99590abed34cdca2227e61

SHA512
716cdeb890307ff42901464dd24aa94e29415ef20d4e975c2733e34330fdf85edfd4ad9e00878edbe98921deebe44153279cb95acb309c5e1812026716dcdc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\ioSpecial.ini

Filesize
958B

MD5
034a34644dbe48c4fb9569beaac3ac62

SHA1
074c40afc42971a577b14236d6eda3e0ac98cd96

SHA256
721b2350e0042a7ff1e3540e34feb50449580569d91817811c4eb02d4855a725

SHA512
6b53ad93fb606d3aed115e2cd7295819a5ec564e08b55640e7ff4188ab646e1ab71664e60c32d18e531d12c2bbdec86395ea62e979a3d54340bbae7266525dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAAB9.tmp\validate.ini

Filesize
87B

MD5
59da6b50ff42da1a3230fbca1bd90e11

SHA1
6870be998befa4bf02e8824e0a101303fe76ef4f

SHA256
5f60c14e1d82e49f4dd48c648c31bd572adf7a6e236aa7b2a8854bbc90d21c4a

SHA512
e3e7061e1ca6d8ce0ebca216d88988247cb6b824b19fe2ed1fd4dfb19bdbb9d231655b378d0990cc51b3df82183cbb28818f60d2efb9cb40daf58ef183ba2a19

Download Submit
memory/1324-28-0x000000006E010000-0x000000006E020000-memory.dmp

Filesize
64KB

Download
memory/1324-0-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download
memory/1324-19-0x0000000003890000-0x0000000003ADE000-memory.dmp

Filesize
2.3MB

Download
memory/1324-39-0x0000000003700000-0x0000000003725000-memory.dmp

Filesize
148KB

Download
memory/1324-12-0x000000006E020000-0x000000006E030000-memory.dmp

Filesize
64KB

Download
memory/1324-138-0x0000000000400000-0x00000000006D5000-memory.dmp

Filesize
2.8MB

Download