Overview

overview

10

Static

static

3

8.27.exe

windows7-x64

7

8.27.exe

windows10-2004-x64

3

office安�...��.exe

windows7-x64

8

office安�...��.exe

windows10-2004-x64

8

pdf.exe

windows7-x64

1

pdf.exe

windows10-2004-x64

3

test.exe

windows7-x64

1

test.exe

windows10-2004-x64

1

企财险�...��.exe

windows7-x64

10

企财险�...��.exe

windows10-2004-x64

10

截图1-8.exe

windows7-x64

8

截图1-8.exe

windows10-2004-x64

8

方案D.exe

windows7-x64

1

方案D.exe

windows10-2004-x64

1

苏宁系�...16.exe

windows7-x64

1

苏宁系�...16.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/08/2023, 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pdf.exe

  • Size

    3KB

  • MD5

    1f53ae6118faec2c66ccc0a7229786f0

  • SHA1

    797573dc4564a054e309b66150431dc83c9981a7

  • SHA256

    3a49e2e35e719f6b5719f59af3709a9f8a6a84a9413778b5c1f9fb630461298c

  • SHA512

    c6d743267068d50cfa4bf478439f9f029046518cdfab4a4f0e03cfe5b753ba95a21c101a17beb62a6160a629be3cad265f610dccae95c48e0ec9017230b13710

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\pdf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" http://www.baidu.com
      2⤵
        PID:1456
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.baidu.com/
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:880
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa2eed46f8,0x7ffa2eed4708,0x7ffa2eed4718
          3⤵
            PID:1408
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,3104910444213711788,16960311212928672511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1872
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,3104910444213711788,16960311212928672511,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
            3⤵
              PID:1696
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,3104910444213711788,16960311212928672511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
              3⤵
                PID:4480
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3104910444213711788,16960311212928672511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
                3⤵
                  PID:3480
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3104910444213711788,16960311212928672511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
                  3⤵
                    PID:1832
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2072,3104910444213711788,16960311212928672511,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5196 /prefetch:8
                    3⤵
                      PID:5100
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,3104910444213711788,16960311212928672511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
                      3⤵
                        PID:1320
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,3104910444213711788,16960311212928672511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
                        3⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:3876
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3104910444213711788,16960311212928672511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
                        3⤵
                          PID:4568
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3104910444213711788,16960311212928672511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
                          3⤵
                            PID:4584
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3104910444213711788,16960311212928672511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
                            3⤵
                              PID:2540
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3104910444213711788,16960311212928672511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
                              3⤵
                                PID:4984
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,3104910444213711788,16960311212928672511,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1928 /prefetch:2
                                3⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4988
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:1852
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:3060

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                fc99b0086d7714fd471ed4acc862ccc0

                                SHA1

                                39a3c43c97f778d67413a023d66e8e930d0e2314

                                SHA256

                                45ef01f81605bfd96126d5520c5aa0304c7fa7d5fdb3e4d5b2dd2bf84e2afd96

                                SHA512

                                c308fa3eda9235d67a506a5f058fefb9a769ec01d7b0d4f5a2397892cc4f8155301c55c1fac23bebacdd087ab3f47f1eacc9ff88eff4115a7d67aa7b1d6581a8

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                Filesize

                                816B

                                MD5

                                549870fc8a4dd975e6cd90b5e1e00378

                                SHA1

                                e832389f64b2f19198cf47cc6dc8b9914f284be4

                                SHA256

                                b9dd484fb44d145337954e7f191f3ee9b9141252a3fb894a82863f0f66cb48eb

                                SHA512

                                f2e953870c86814265155f668b30bbd742a6e4b8a0dfdd9445c9861e2b96b6ea5e053340312bcc228912f7f2f80a9488c130f5082d19a1214daa6f2aecfa0021

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                Filesize

                                259B

                                MD5

                                118841947038294c28686fc4d818d9ae

                                SHA1

                                47667fe07d0d4387c2f71f57df2921a863575431

                                SHA256

                                d8e3f585e81ce98c69a992576c4b51314b61ef4b06d530655dfe3ead1b482af1

                                SHA512

                                47edce03bc2e3d929bed5011e1052ecb2527cf315178b994fba11dbf7ac6be4d37760f8ac6a998109370cb6917c3b33633a149fe52d699306f9aba3a7800b2e7

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                Filesize

                                111B

                                MD5

                                285252a2f6327d41eab203dc2f402c67

                                SHA1

                                acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                SHA256

                                5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                SHA512

                                11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                e5b718a3b2e3651081b0e77e2d8f09cd

                                SHA1

                                309d0734e95326eb80d172762853641034dab429

                                SHA256

                                45fe26d305a25222dc3f3ce27b98e592e47f2f968f1c006b67749eea418f9fe4

                                SHA512

                                edfb31a87f5ba4987d23fad8137395a96299cd9977f199f70bc99a18b75960a93c7342df6d95a31c295cb34565cb4c809c2ed2172c51197708df33d54f06c90d

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                bab1bb4a48a890bcf7868fd2dea39367

                                SHA1

                                7b5620d270585fb29a2f33b8cff928ca32ff1a8b

                                SHA256

                                d8eac38c19c5aa5cf55f95056f0a0871c876965b30089c04b5546ae72abb4938

                                SHA512

                                c411b683df93c19f6d08f3430109a32e4f58156a2b5f6ca38c69452a5adc74359096b61098a023d092ddfc8654d6add08b52167829aa42fcce9435a33888bc2a

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                                Filesize

                                24KB

                                MD5

                                96f00bbd6a174879c58220f95f0115f5

                                SHA1

                                d3d7f82b0bf27daf1b3903bfe050c2d05422050f

                                SHA256

                                644442e740a8c0bb20f712f6f84f5bf4a81bb29d4e9446b2832ca65618961107

                                SHA512

                                e7c5e90eb85aee7b81b9c163f618ad3789a48b256040f6f00eee7fce52c60e1ff491bf0538b9c846fb115b73163710e46a45ce056e3b41ca59d88c421502ccea

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                Filesize

                                10KB

                                MD5

                                1031bc751d2648e39ed9d4cb2581376a

                                SHA1

                                1025e742f671ae9896fbc54c1827213c5b516580

                                SHA256

                                e2dd32b5384225c3ac8e3e1fc9ca53f08a41c48449b944f2f622ad7441b4924c

                                SHA512

                                7e75e4fbfb7f9c21c06db4f20a29306b6a4a41280487f458863862b8329e6654b98a64111238f4887924e97fa28e56e5a5b60a9651a6f5b82699bef54b0e4a9a

                                Download Submit

                              • memory/2848-0-0x0000000000100000-0x0000000000108000-memory.dmp

                                Filesize

                                32KB

                                Download

                              • memory/2848-5-0x00007FFA2E770000-0x00007FFA2F111000-memory.dmp

                                Filesize

                                9.6MB

                                Download

                              • memory/2848-3-0x0000000000590000-0x00000000005A0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/2848-2-0x00007FFA2E770000-0x00007FFA2F111000-memory.dmp

                                Filesize

                                9.6MB

                                Download

                              • memory/2848-1-0x00007FFA2E770000-0x00007FFA2F111000-memory.dmp

                                Filesize

                                9.6MB

                                Download