Overview
General
- Target: Download.rar
- Size: 8.8MB
- Sample: 230908-ntt1pabc65
- MD5: 8aa9b6dabf4ace7d9ea77994c0992c65
- SHA1: 7c20ac0838aff031ec9297453f2f0afdca3ce709
- SHA256: 1531a158dcb1c98da90e4625671d1cec0a838f1ec00ccee27013e9758e28cde8
- SHA512: 540981d058bfb0ed722ddda2b5f104103c0f3c0916b0ef331e5ae23740e0b0a5fc7e3435b7749a5df93af4776ec3a06b8b3c82e0b3f6bc53a749c2f8c81556cf
- SSDEEP: 196608:4nlfKdNA/wZeMdZ84gV8KA40mbf2cUoLUvP+jO5LfYyJeCHab1:4lfiNvdZ7Q8j40mKcUoLUvPtYfb
Behavioral tasks
- behavioral1: Download/-服务端.exe (resource win7-20230831-en)
- behavioral2: Download/-服务端.exe (resource win10v2004-20230831-en)
- behavioral3: Download/1.exe (resource win7-20230831-en)
- behavioral4: Download/1.exe (resource win10v2004-20230831-en)
- behavioral5: Download/Loader/专项查杀工具-信息中心20230831.exe (resource win7-20230831-en)
- behavioral6: Download/Loader/专项查杀工具-信息中心20230831.exe (resource win10v2004-20230831-en)
- behavioral7: Download/muyyuvd.exe (resource win7-20230831-en)
- behavioral8: Download/muyyuvd.exe (resource win10v2004-20230831-en)
- behavioral9: Download/关于部分人员违规收费、开具假发票、收取会议费、培训费等违法行为线索.exe (resource win7-20230831-en)
- behavioral10: Download/关于部分人员违规收费、开具假发票、收取会议费、培训费等违法行为线索.exe (resource win10v2004-20230831-en)
- behavioral11: Download/广东省海洋综合执法辅助人员管理暂行规定的意见.exe (resource win7-20230831-en)
- behavioral12: Download/广东省海洋综合执法辅助人员管理暂行规定的意见.exe (resource win10v2004-20230831-en)
- behavioral13: Download/火绒网络连接查询.exe (resource win7-20230831-en)
- behavioral14: Download/火绒网络连接查询.exe (resource win10v2004-20230831-en)
Malware Config
Extracted: cobaltstrike (watermark 100000000)
- access_type: 512
- host: 127.0.0.1,/api/console-base/cookie/govern
- http_method1: GET
- http_method2: POST
- jitter: 7680
- polling_time: 10000
- port_number: 59275
- sc_process32: %windir%\syswow64\gpupdate.exe
- sc_process64: %windir%\sysnative\gpupdate.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdpAYA5H5g4ejTK5FDPl3lTprxaVRmAdHRhhySdWVyUL3fbRg31HvlIelS8NH2TyPNZILZjxcNr/SuqkI13T0rVcP67mV7hTI3JnCzvT7pTyXh4Hh2X/WqMyiIBv0ay+Vu3Fv7HKlkJk5l2Syzo06cslDE13bWcPMFWdgakdny7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 1.66652032e+09
- unknown2:
AAAABAAAAAEAAAACAAAAAgAAAAkAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /rest/componentPush.rules
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.08.911.59 Safari/537.36
- watermark: 100000000
Extracted: cobaltstrike
http://47.96.174.24:88/VmWC
- user_agent: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9;ENUSMSNIP)
Extracted: cobaltstrike (watermark 391144938)
- access_type: 512
- beacon_type: 2048
- host: 38.147.172.99,/load,103.214.168.86,/ga.js,45.136.14.166,/match,38.147.172.99,/activity,134.122.167.72,/visit.js
- http_method1: GET
- http_method2: POST
- jitter: 5120
- polling_time: 3000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLkw0kvfeugTUz0AmoVb/lE4jBMEVXSscLbqsILbLQbt0gXKVpDLWmw8u+ySk1wMPysDZiC7DSLdNEhH1tUiRNZfcKoe+OYofwP8EB7AJYsu1JZzVq3wlAzazE2wGXQqZNPPrdYvJUpVw7TijKATT9RT+Pk1mxbYYZqIhx+8TpwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 1.481970944e+09
- unknown2:
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /index.php
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
- watermark: 391144938
Extracted: cobaltstrike (watermark 0)
- watermark: 0
Extracted: cobaltstrike (watermark 100000)
http://47.96.174.24:88/dot.gif
- access_type: 512
- host: 47.96.174.24,/dot.gif
- http_header1:
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_header2:
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_method1: GET
- http_method2: POST
- polling_time: 60000
- port_number: 88
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCW2YBojWiu4JqVZa2JVdlnT/bI4tNoctW0OdnrpURu/OsCmCO+Gm50Wo6DNIWo6M6Xm7v/mZKlCe0ux9l1J3N6upyLQUsMfxMdtfXtpqrO4x2a/79CpLCD0Km4wC2aDW1rkVfQhejl4wET2kwKYDfYuZ9RSIJ3odyn+Qro7WTBAQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /submit.php
- user_agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)
- watermark: 100000
Targets
Target: Download/-服务端.exe
- Size: 2.7MB
- MD5: af090e363e79628671faf1b0a98587aa
- SHA1: a331bdb7770bf09346444e7cb6fbd03ca69dfc9b
- SHA256: 3f2d6c9827e4532876c5efc69f4d6f7ffd51a6958515887daae51a94133733f3
- SHA512: 9b667be4c606b18c5ff2bba8c5c9730e225c08d458ed677d4944642632040071e2c94f03a66a244550e1224d61d99f283fc2994803501a40e03a8981946ea1f9
- SSDEEP: 49152:gmCSDU+UUzxovO1+fDBgah1iMKZ+Ps+j2MQQWvPD15w9K9M0PCL8F4hUBAX9Q40Q:gmCAU+UUzx0OCDBbOZ+kHHhq9NLL8e08
- Score: 8/10
- Modifies Windows Firewall
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
Target: Download/1.exe
- Size: 1.8MB
- MD5: f0b3783d02decefad419810bf6129ac9
- SHA1: 3bb7a9c874a6faa0ff6800e3d70e8b85091dfddd
- SHA256: b3ff9f6179c0221132eb6149b3aca64fcc564705972fc7253c8f6692a2742c30
- SHA512: ff24f58709002b0aea3c141a369a44918bcb3b87496af289bf3e434410726ee134ecc862f3345928a4833ed309140b4893de9f4abce49572c686c994504a26d5
- SSDEEP: 24576:Z5Bh88DAy8j/FzfaRxeZkl0MeQn652HO255TmcSVIH06iyr2tdBnZR:HBh88kDLFm3ZVR71CIU6iPBn
- Score: 1/10
Target: Download/Loader/专项查杀工具-信息中心20230831.exe
- Size: 149KB
- MD5: b0a79041ffa540e33b9829633279d9fa
- SHA1: f6fce0911806d282d51eb9c9de40c655ba8d8df3
- SHA256: f370c6ebe338fc1d18f2acfade02cc037e64ef32756dbdf34d864df1f041fd48
- SHA512: f3c6cab0d9fead95bc2fa76ee796176fa62e391b7278bb98ba29c35ca289391192c97f5c1abee0e0b9b88ff130db7ee1678d807cb73bd61731bdd0e7c35eff0a
- SSDEEP: 3072:Xa54/QqEmO7dDVpau8KYastPhu8CG/aHmaka:XKs3nORRpaxRul
- Score: 10/10
Target: Download/muyyuvd.exe
- Size: 1.4MB
- MD5: 768e4477abc5c60667290601bfe58b8e
- SHA1: 688c99ef523cff22a20bfe70b1a9d3855669ea21
- SHA256: e7c87b0791bdb4f723af07d7b6c8dd79c3d9e1667f7ff6ad271665f3755d6ab8
- SHA512: 1c57a8671dd4623d434116c875c63b31df123896cd6e00d7d8daa8c4d9c9bf09d085f06f62c302a7b2a8ab08520d9bf49062e824e6b3420f75893f13b18284cc
- SSDEEP: 12288:kTeEBQDPeK6zp48Tm9yLogwL8soAsgp8R3D0kUodp3nBigg/vwr2I4TgV:QehDPh6XoyEgGEARpvtoPx8Sg
- Score: 7/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: Download/关于部分人员违规收费、开具假发票、收取会议费、培训费等违法行为线索.exe
- Size: 6.3MB
- MD5: 2fe3e6577f98084a36281d133c18c421
- SHA1: a1919c3dbeca2d7b9863d7ca444c52c92dcb2a8d
- SHA256: aedf61c285b9ea63f61d788f997d5b316e5ea217ca1e193f9db1d58d7fc614fb
- SHA512: 2b3dac0e1fef85fee49a7b665ed9ef5985760ea717e1c475d1d86cd5a212b5e35de4cf8edfd235196224352c5338e5bada5b19b541a795a35c8909c800c35db2
- SSDEEP: 49152:qkev1cjXHrb/T7vO90d7HjmAFd4A64nsfJc3MInicrIDRnW4pSXny1bSV5X1o63R:bjX/HicrG3br6iFnEVp+8/2tk
- Score: 10/10
Target: Download/广东省海洋综合执法辅助人员管理暂行规定的意见.exe
- Size: 2.9MB
- MD5: 328894184f6c03103f4ec74ebdb1da33
- SHA1: b0b78411b73844e42366db63b88eead196b17791
- SHA256: eb70ebcf049eacb788867088e0234230651bb91b6a22ec4631b39c1c5b3ab435
- SHA512: 5a4a026e9c63e805e184cf58da59f90bf238a1039d16a014d89e76f26fdde7dfe19ddc2888b77b8d36f76e70032f0bf71f05f32bc5684d355a700b4ce22bbf3f
- SSDEEP: 49152:UP1Y0klK+qf0tb+Xj9eokhBW9NNg3AJQ6iSLoKUtyAA8vj6P6MVw1+44BffHnSXR:uEHFD6DLoKYyb8uVw8pdPSXVsq4E
- Score: 10/10
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
Target: Download/火绒网络连接查询.exe
- Size: 2.6MB
- MD5: 6778f3dced1c151403900b0476611639
- SHA1: 9b60b0601e269628115ea851cd09e1f79c7b0bdb
- SHA256: 8debfe89f386834fc0553e65c3b827fc15bb96fc0c329058f818fe0db48dc624
- SHA512: 15187f442a7814af816d5d8aee6f663cf2fa006705dd4ebdb3a960d83065ebc1870370074f8168a9c65f5ca970c57b525ea5aa0462627d8e1d0454f457b3e72d
- SSDEEP: 49152:SFXWYr6RKkRu97UW+OSmdjlTCTYaBDV2VO:MXV+DOS5P2VO
- Score: 10/10
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
MITRE ATT&CK Enterprise v15
- Persistence: Boot or Logon Autostart Execution (1), Winlogon Helper DLL (1); Create or Modify System Process (1), Windows Service (1); Scheduled Task/Job (1)
- Privilege Escalation: Boot or Logon Autostart Execution (1), Winlogon Helper DLL (1); Create or Modify System Process (1), Windows Service (1); Scheduled Task/Job (1)
- Defense Evasion: Modify Registry (3); Subvert Trust Controls (1), Install Root Certificate (1)