Analysis
- max time kernel: 118s
- max time network: 132s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 08-09-2023 11:41
Behavioral tasks

- behavioral1: Download/-服务端.exe ("-Server.exe"), resource win7-20230831-en
- behavioral2: Download/-服务端.exe, resource win10v2004-20230831-en
- behavioral3: Download/1.exe, resource win7-20230831-en
- behavioral4: Download/1.exe, resource win10v2004-20230831-en
- behavioral5: Download/Loader/专项查杀工具-信息中心20230831.exe ("Special removal tool - Information Center 20230831"), resource win7-20230831-en
- behavioral6: Download/Loader/专项查杀工具-信息中心20230831.exe, resource win10v2004-20230831-en
- behavioral7: Download/muyyuvd.exe, resource win7-20230831-en (the task this page's Analysis section describes)
- behavioral8: Download/muyyuvd.exe, resource win10v2004-20230831-en
- behavioral9: Download/关于部分人员违规收费、开具假发票、收取会议费、培训费等违法行为线索.exe ("Leads on illegal conduct by certain personnel: unauthorized charges, fake invoices, collection of conference and training fees"), resource win7-20230831-en
- behavioral10: Download/关于部分人员违规收费、开具假发票、收取会议费、培训费等违法行为线索.exe, resource win10v2004-20230831-en
- behavioral11: Download/广东省海洋综合执法辅助人员管理暂行规定的意见.exe ("Opinions on the Interim Provisions for Managing Auxiliary Personnel of Guangdong Provincial Marine Comprehensive Law Enforcement"), resource win7-20230831-en
- behavioral12: Download/广东省海洋综合执法辅助人员管理暂行规定的意见.exe, resource win10v2004-20230831-en
- behavioral13: Download/火绒网络连接查询.exe ("Huorong network connection query"), resource win7-20230831-en
- behavioral14: Download/火绒网络连接查询.exe, resource win10v2004-20230831-en

Several of the submitted names are document-style titles (notices, regulations, an anti-virus utility) carrying an .exe extension, the usual lure pattern for executables delivered as attachments.
General

- Target: Download/muyyuvd.exe
- Size: 1.4MB
- MD5: 768e4477abc5c60667290601bfe58b8e
- SHA1: 688c99ef523cff22a20bfe70b1a9d3855669ea21
- SHA256: e7c87b0791bdb4f723af07d7b6c8dd79c3d9e1667f7ff6ad271665f3755d6ab8
- SHA512: 1c57a8671dd4623d434116c875c63b31df123896cd6e00d7d8daa8c4d9c9bf09d085f06f62c302a7b2a8ab08520d9bf49062e824e6b3420f75893f13b18284cc
- SSDEEP: 12288:kTeEBQDPeK6zp48Tm9yLogwL8soAsgp8R3D0kUodp3nBigg/vwr2I4TgV:QehDPh6XoyEgGEARpvtoPx8Sg
Malware Config
Signatures

- VMProtect-protected memory regions (yara rule vmprotect), 3 IoCs, all from behavioral7 on PID 2036:
  - behavioral7/memory/2036-0-0x0000000000400000-0x0000000000564000-memory.dmp
  - behavioral7/memory/2036-1-0x0000000000400000-0x0000000000564000-memory.dmp
  - behavioral7/memory/2036-20-0x0000000000400000-0x0000000000564000-memory.dmp
  The matched range 0x400000-0x564000 (0x164000 bytes, about 1.4MB) is consistent with the main image mapped at the default 32-bit base, so the protector signature is on the sample itself rather than on an unpacked payload.
- Suspicious use of NtSetInformationThreadHideFromDebugger, 1 IoC: PID 2036 muyyuvd.exe. ThreadHideFromDebugger stops the calling thread from delivering debug events to an attached debugger; with VMProtect detected on the same process, this is most likely the protector's own anti-debugging layer rather than hand-written code, and it will also hide the thread from a debugger attached later for analysis.
- Program crash, 1 IoC: WerFault.exe PID 2668 reporting on PID 2036 muyyuvd.exe.
- Modifies system certificate store, 2 IoCs (muyyuvd.exe, PID 2036):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data elided in the report)
  The thumbprint is that of the DigiCert Global Root CA, a public root that Windows installs into AuthRoot on demand through automatic root update when a chain needs it. This pattern usually means the process opened a TLS connection, not that it planted a root of its own; an unknown thumbprint under AuthRoot would be the case to treat as trust-store tampering.
- Suspicious use of WriteProcessMemory, 4 IoCs: PID 2036 muyyuvd.exe wrote to memory of PID 2668 WerFault.exe (four identical records). Every write targets the WerFault.exe instance that 2036 spawned to report its own crash, which is consistent with process creation and not with injection into a third-party process.
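Two of the signatures above only count as evidence after a second look: cross-process writes are benign when the target is the writer's own WerFault child, and an AuthRoot key is benign when the thumbprint is a public root. The following Python, added here and not part of the sandbox report or its vendor's tooling, parses the flattened signature records exactly as they appear in this report and applies both checks. The known-root table is a hand-built assumption holding only the thumbprint seen here, and the two contrast records (a write into explorer.exe, an all-zero thumbprint) are constructed to show the other branch.

```python
"""Second-look triage for sandbox signature records (added example).

Assumptions: record formats reconstructed from this report; KNOWN_PUBLIC_ROOTS
is a tiny hand-built table; the contrast records are constructed, not observed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hand-built sample of public roots Windows pulls into AuthRoot on demand.
# The single entry is the thumbprint that appears in this report.
KNOWN_PUBLIC_ROOTS = {
    "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436": "DigiCert Global Root CA",
}

# Parsers for the flattened "Processes:" records as printed in the report.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CRASH_RE = re.compile(r"(\d+) (\d+) (WerFault\.exe) (\S+)")
AUTHROOT_RE = re.compile(r"AuthRoot\\Certificates\\([0-9A-Fa-f]{40})")


@dataclass(frozen=True)
class WpmEvent:
    source_pid: int
    target_pid: int
    source_image: str
    target_image: str


def parse_wpm(line: str) -> list[WpmEvent]:
    """All 'PID a wrote to memory of b a src dst' records in one flattened line."""
    return [WpmEvent(int(a), int(b), src, dst) for a, b, src, dst in WPM_RE.findall(line)]


def parse_crashes(line: str) -> set[tuple[int, int]]:
    """(WerFault pid, crashed pid) pairs from a 'Program crash' record."""
    return {(int(wer), int(victim)) for wer, victim, _, _ in CRASH_RE.findall(line)}


def classify_wpm(events: list[WpmEvent], crashes: set[tuple[int, int]]) -> list[tuple[WpmEvent, str]]:
    """A write into the WerFault.exe that the writer spawned for its own crash is
    process-creation housekeeping; any other cross-process write deserves a look."""
    out = []
    for ev in events:
        own_handler = (ev.target_pid, ev.source_pid) in crashes and ev.target_image.lower() == "werfault.exe"
        out.append((ev, "crash-reporting child" if own_handler else "possible injection"))
    return out


def classify_authroot(ioc_line: str) -> tuple[str, str] | None:
    """Extract the AuthRoot thumbprint and say whether it is a known public root."""
    m = AUTHROOT_RE.search(ioc_line)
    if not m:
        return None
    thumb = m.group(1).upper()
    name = KNOWN_PUBLIC_ROOTS.get(thumb)
    if name:
        return thumb, f"public root ({name}); consistent with Windows root auto-update after a TLS connection"
    return thumb, "root not in the known-public list; inspect the Blob and its issuer"


# Records copied from this report's signature section.
REPORT_WPM = ("PID 2036 wrote to memory of 2668 2036 muyyuvd.exe WerFault.exe "
              "PID 2036 wrote to memory of 2668 2036 muyyuvd.exe WerFault.exe "
              "PID 2036 wrote to memory of 2668 2036 muyyuvd.exe WerFault.exe "
              "PID 2036 wrote to memory of 2668 2036 muyyuvd.exe WerFault.exe")
REPORT_CRASH = "2668 2036 WerFault.exe muyyuvd.exe"
REPORT_REG = (r"Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates"
              r"\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 muyyuvd.exe")

# Constructed contrasts (not from the report): a write into an unrelated process,
# and a thumbprint that is not on the public-root list.
INJECTION_WPM = "PID 2036 wrote to memory of 1234 2036 muyyuvd.exe explorer.exe"
UNKNOWN_REG = REPORT_REG.replace("A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436", "0" * 40)


def triage_report() -> dict:
    crashes = parse_crashes(REPORT_CRASH)
    return {
        "wpm": classify_wpm(parse_wpm(REPORT_WPM), crashes),
        "wpm_contrast": classify_wpm(parse_wpm(INJECTION_WPM), crashes),
        "authroot": classify_authroot(REPORT_REG),
        "authroot_contrast": classify_authroot(UNKNOWN_REG),
    }


if __name__ == "__main__":
    for key, value in triage_report().items():
        print(key, value)
```

On this report all four WriteProcessMemory records resolve to the crash-reporting child and the AuthRoot thumbprint resolves to a public root, so neither signature adds to the case on its own; the VMProtect hit and the ThreadHideFromDebugger call remain the substantive findings.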
Processes

- C:\Users\Admin\AppData\Local\Temp\Download\muyyuvd.exe (PID 2036), command line "C:\Users\Admin\AppData\Local\Temp\Download\muyyuvd.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 2668), command line C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1384 (the SysWOW64 copy of WerFault handles the crash, so the sample runs as a 32-bit process)
    - Program crash