General
Target: Download.zip
Size: 24.0MB
Sample: 230910-rm3wsshg3y
MD5: 53214de283b2887ed1d9038d2aeaa98c
SHA1: e0d7fd0b8bae74763f4844640021e7e99a288d2e
SHA256: 470fa92d98853148ff13c260aa181b648744c5995b4e2c9314e342b6523ed104
SHA512: 4f3da1672790fa786896283e888bba89e528622803147c7c0175ab917c2d1331e07dacabe3dc59a03f074cb3b1a509d0faf58cba5da57e108bfab92c5d73339b
SSDEEP: 393216:M0GC70YsuXUJwNmnouIP5rzRXNGuWokiMRB78vEGUkRSIui2QpWrifKi3:iJ/uawQon5NgfN8vplfn3
Behavioral tasks
behavioral1: Sample -服务端.exe, Resource win10v2004-20230831-en
behavioral2: Sample 1.exe, Resource win10v2004-20230831-en
behavioral3: Sample 360tray.exe, Resource win10v2004-20230831-en
behavioral4: Sample Loader/专项查杀工具-信息中心20230831.exe, Resource win10v2004-20230831-en
behavioral5: Sample Microsoft.exe, Resource win10v2004-20230831-en
behavioral6: Sample a.exe, Resource win10v2004-20230831-en
behavioral7: Sample check-2023-08-01.exe, Resource win10v2004-20230831-en
behavioral8: Sample flashcenter_install_cn.exe, Resource win10v2004-20230831-en
behavioral9: Sample muyyuvd.exe, Resource win10v2004-20230831-en
behavioral10: Sample pdf安装.exe, Resource win10v2004-20230831-en
behavioral11: Sample 东方有线网络有限公司岗位调整通知.exe, Resource win10v2004-20230831-en
behavioral12: Sample 关于部分人员违规收费、开具假发票、收取会议费、培训费等违法行为线索.exe, Resource win10v2004-20230831-en
behavioral13: Sample 国家电网有限公司企业负责人收入情况.exe, Resource win10v2004-20230831-en
behavioral14: Sample 广东省海洋综合执法辅助人员管理暂行规定的意见.exe, Resource win10v2004-20230831-en
behavioral15: Sample 广东省统计局智能普查代码API信息-20230907.exe, Resource win10v2004-20230831-en
behavioral16: Sample 录屏精灵-小方app-录制.exe, Resource win10v2004-20230831-en
behavioral17: Sample 火绒网络连接查询.exe, Resource win10v2004-20230831-en
Malware Config
Extracted: cobaltstrike
http://47.96.174.24:88/VmWC
user_agent: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9;ENUSMSNIP)
Extracted: cobaltstrike 100000000
http://gd.cndelica.com:8443/poll
http://127.0.0.1:59275/api/console-base/cookie/govern
http://211.91.52.55:443/jquery-3.3.1.min.js
http://125.74.108.45:443/jquery-3.3.1.min.js
http://1.189.232.202:443/jquery-3.3.1.min.js
http://27.221.72.110:443/jquery-3.3.1.min.js
http://27.221.72.135:443/jquery-3.3.1.min.js
http://36.131.221.241:443/jquery-3.3.1.min.js
access_type: 512
beacon_type: 2048
host: gd.cndelica.com,/poll
http_header1:
AAAACgAAABpYLUN1c3RvbS1QU0s6IFtTT01FX1ZBTFVFXQAAAAcAAAAAAAAADQAAAAgAAAANAAAABQAAAAV0b2tlbgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2: (value not recovered in this extraction)
http_method1: GET
http_method2: POST
polling_time: 1000
port_number: 8443
sc_process32: %windir%\syswow64\dllhost.exe
sc_process64: %windir%\sysnative\dllhost.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqzEJfhNRDTUWc4OFw6QgWMCgtZpCzf+4+RQGYwL9gNHEC7Oh+6fCB3hnfVWpvxm96OVnB0eWJt6P1aNkZxVZ+u6PuqrBRm+Ad5gbjYgujotq7rM44FsmQaZAp8fORER8oRJjuMN1AxEzkj0VjMXZ8LwkT+0lyLqjjmBsdJBcCWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 2.102727936e+09
unknown2:
AAAABAAAAAEAAAACAAAAAgAAACMAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /upload
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
watermark: 100000000
Extracted: cobaltstrike 391144938
http://38.147.172.99:443/load
http://103.214.168.86:443/ga.js
http://45.136.14.166:443/match
http://38.147.172.99:443/activity
http://134.122.167.72:443/visit.js
access_type: 512
beacon_type: 2048
host: 38.147.172.99,/load,103.214.168.86,/ga.js,45.136.14.166,/match,38.147.172.99,/activity,134.122.167.72,/visit.js
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi11cwAAAAoAAAAbQWNjZXB0LUVuY29kaW5nOiB0ZXh0L3BsYWluAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsdHJ5dHJ5ZAAAAAcAAAAAAAAAAwAAAAIAAAAiU0VTU0lPTklEPXdxZTQ1NHdxZTJkczE1ZHM0ZHNhNWRzNAAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2: (value not recovered in this extraction)
http_method1: GET
http_method2: POST
jitter: 5120
polling_time: 3000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLkw0kvfeugTUz0AmoVb/lE4jBMEVXSscLbqsILbLQbt0gXKVpDLWmw8u+ySk1wMPysDZiC7DSLdNEhH1tUiRNZfcKoe+OYofwP8EB7AJYsu1JZzVq3wlAzazE2wGXQqZNPPrdYvJUpVw7TijKATT9RT+Pk1mxbYYZqIhx+8TpwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 1.481970944e+09
unknown2:
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /index.php
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
watermark: 391144938
Extracted: cobaltstrike 100000
http://47.96.174.24:88/dot.gif
access_type: 512
host: 47.96.174.24,/dot.gif
http_header1:
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2:
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1: GET
http_method2: POST
polling_time: 60000
port_number: 88
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCW2YBojWiu4JqVZa2JVdlnT/bI4tNoctW0OdnrpURu/OsCmCO+Gm50Wo6DNIWo6M6Xm7v/mZKlCe0ux9l1J3N6upyLQUsMfxMdtfXtpqrO4x2a/79CpLCD0Km4wC2aDW1rkVfQhejl4wET2kwKYDfYuZ9RSIJ3odyn+Qro7WTBAQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /submit.php
user_agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)
watermark: 100000
Extracted: cobaltstrike 0
watermark: 0
Targets
Target: -服务端.exe
Size: 2.7MB
MD5: af090e363e79628671faf1b0a98587aa
SHA1: a331bdb7770bf09346444e7cb6fbd03ca69dfc9b
SHA256: 3f2d6c9827e4532876c5efc69f4d6f7ffd51a6958515887daae51a94133733f3
SHA512: 9b667be4c606b18c5ff2bba8c5c9730e225c08d458ed677d4944642632040071e2c94f03a66a244550e1224d61d99f283fc2994803501a40e03a8981946ea1f9
SSDEEP: 49152:gmCSDU+UUzxovO1+fDBgah1iMKZ+Ps+j2MQQWvPD15w9K9M0PCL8F4hUBAX9Q40Q:gmCAU+UUzx0OCDBbOZ+kHHhq9NLL8e08
Score: 8/10
- Modifies Windows Firewall
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- An obfuscated cmd.exe command-line is typically used to evade detection.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Drops file in System32 directory

Target: 1.exe
Size: 1.8MB
MD5: f0b3783d02decefad419810bf6129ac9
SHA1: 3bb7a9c874a6faa0ff6800e3d70e8b85091dfddd
SHA256: b3ff9f6179c0221132eb6149b3aca64fcc564705972fc7253c8f6692a2742c30
SHA512: ff24f58709002b0aea3c141a369a44918bcb3b87496af289bf3e434410726ee134ecc862f3345928a4833ed309140b4893de9f4abce49572c686c994504a26d5
SSDEEP: 24576:Z5Bh88DAy8j/FzfaRxeZkl0MeQn652HO255TmcSVIH06iyr2tdBnZR:HBh88kDLFm3ZVR71CIU6iPBn
Score: 1/10

Target: 360tray.exe
Size: 6.7MB
MD5: b268d708d8fdf9d2c12e318ec76000b2
SHA1: 893fe2ec32f6f96473701cde5ce99a72363b48f1
SHA256: e69b1a30c0da8b2ee47f9159bea3424bbb01ab616abc913657b610b04a760556
SHA512: 8515473c7f4ebb1feec78c9c99b78ed81b4b54f4f2c4ba64be56698adf0f54b3b2cb4413aafad2ea8dd2eec2681a2b6e8f9325e3d85780caa4075c8230381bc0
SSDEEP: 196608:ySu78K/zj89onJ5hrZEce9tGPqKSWaTboBEBl:Lu7L/389c5hlEiPNSWa3r
Score: 7/10
- Loads dropped DLL

Target: Loader/专项查杀工具-信息中心20230831.exe
Size: 149KB
MD5: b0a79041ffa540e33b9829633279d9fa
SHA1: f6fce0911806d282d51eb9c9de40c655ba8d8df3
SHA256: f370c6ebe338fc1d18f2acfade02cc037e64ef32756dbdf34d864df1f041fd48
SHA512: f3c6cab0d9fead95bc2fa76ee796176fa62e391b7278bb98ba29c35ca289391192c97f5c1abee0e0b9b88ff130db7ee1678d807cb73bd61731bdd0e7c35eff0a
SSDEEP: 3072:Xa54/QqEmO7dDVpau8KYastPhu8CG/aHmaka:XKs3nORRpaxRul
Score: 10/10

Target: Microsoft.exe
Size: 2.2MB
MD5: 3ef79468e41ba8ddb7d9115658a86adb
SHA1: c6f1b475f672e98c0edca422a98b2ba46e3ff899
SHA256: 8cf4338336a087fbb3cac54f6130c07f3aa5ba4c9a0ffc5a8f810f27b2948c56
SHA512: 46676fa6577ad818f90dedc2673ed943e535bcc1f565b9430df7835ad1bfc0a82f271fd276ce865e796e3ca58fc25b78932aba63f863bc788433939aaaf84ea9
SSDEEP: 24576:+3dS4QT7fhTFyzQ5OrzwkmGm2Aqc+1FhBPnBnV/93FXQJ9KUkzxt0JY2v:eChTwaOY5Gm2AonV/9H2v
Score: 1/10

Target: a.exe
Size: 234KB
MD5: 92e3146b2d255fa095717b7ef9c1ca4d
SHA1: 762db1ff5e01ebf15bd98a563ac2f6302a2d2c4e
SHA256: 467991df3bcf63e877e458d94c55175ece5e082b02b9fd8e17b1e24fe0238ce2
SHA512: 635cf4feb05e23f97a1a27cc921bf14c1f9a16dfb3aa9a1cc0976c37126c41cc12ca7730559804cc8435987026614ee17e381ed23ca7d857f79504cda0260045
SSDEEP: 3072:MGP0+Rf58fHFbDyvwATqXBt4c/nBYI2uolI6bRhvx9xhoZKpyy66UetawF:hjQftX9d/qbwEpe6Ueo
Score: 1/10

Target: check-2023-08-01.exe
Size: 1.5MB
MD5: 99dec1d62ebcac33b2d2d42017b1ab90
SHA1: 8125b26437cf17e05018e1aa77534e6422bbc866
SHA256: 98f34efc9f236bdd99ac8a67f0bc75bbd8bc3c24e3048f7cec8c1b98c31644cf
SHA512: e17dba14ade0677e23a4b9bd7c196b687e48e0b0e4cc831521b1d10391ab4a39b6ed1b846d8d53db4c9457fe528c5a4e5756a9681d979ffe70943ea1b80b1dde
SSDEEP: 24576:yQ7o6xCWfVDcZauuO5q78a3Gyz/Gi3x6gmQ11qJFZw0ZA9FhSL:yQ7o6xCWfVDcZauuOHQ11qJFZwt/hSL
Score: 1/10

Target: flashcenter_install_cn.exe
Size: 1015KB
MD5: 3e686d37908636dedf2f5977c5d45645
SHA1: b6a30b835b632681ecc1a7c236630143a3160154
SHA256: a038a50223dc85b97103224f3bb60b8ad1e6cdfa93a026da964d554eaaef4d39
SHA512: 0f8c5e1bcd1fcc7954a09aecf6f98397a4846008c3f5c8b641a43ecbd3544b2dd291a62cf8dad737d9b97252a124b3dcf9ed0665785c15e746933f651bc635d4
SSDEEP: 24576:MyTFRdaAX8h4Gq/TrdCYGR23uiOU50ohfew+rSUfBLw:JTctSGcTRC1JRLpLw
Score: 7/10
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: muyyuvd.exe
Size: 1.4MB
MD5: 768e4477abc5c60667290601bfe58b8e
SHA1: 688c99ef523cff22a20bfe70b1a9d3855669ea21
SHA256: e7c87b0791bdb4f723af07d7b6c8dd79c3d9e1667f7ff6ad271665f3755d6ab8
SHA512: 1c57a8671dd4623d434116c875c63b31df123896cd6e00d7d8daa8c4d9c9bf09d085f06f62c302a7b2a8ab08520d9bf49062e824e6b3420f75893f13b18284cc
SSDEEP: 12288:kTeEBQDPeK6zp48Tm9yLogwL8soAsgp8R3D0kUodp3nBigg/vwr2I4TgV:QehDPh6XoyEgGEARpvtoPx8Sg
Score: 7/10
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: pdf安装.exe
Size: 17KB
MD5: 9db3212ef37dfb08386ed0f14ee5cf0a
SHA1: 98fa740b89cc81aeeeae56aa402c8e6abe556aff
SHA256: f23dabb76523c6610b09cfa630957348c3c9f27ea083e7d5446713bd3967a5d3
SHA512: 91d97ce12981906b86d84b30a2b7fc1118fbe8ee7610b37aa636bed94b14a4b6119bec38a29a6e8641aa0bb22a82d3f2b5af420b95d3a2a55f694a5237f46c25
SSDEEP: 192:VbFMsPYyAFuofTGqLa1TsZdpCB+o2VM176ZK5Id8r/Xn/AS+szlfNFveTplCc9e:VRMAYld9ZWwVMJ4Sr/P1lfNF4pkc9e
Score: 1/10

Target: 东方有线网络有限公司岗位调整通知.exe
Size: 4.0MB
MD5: b30d1506521c913c0aaf563a58e844fa
SHA1: fcb1248a038c2c940b906ea8db96842bcd69c435
SHA256: 953f0a446db98a7bed8118dc7cdd79e2e3bde26f4875b5975bfa5d5ec6714737
SHA512: faa1ddbb5e349de8c8bf8b0fada9dc877a6ce2e2c167086e56a3c98bc6ad1b0d156a58fe3c29293cacf9ce434c84cf530994df757e07cf09bdab71cffd994f30
SSDEEP: 49152:HLrQm0frb/TDvO90d7HjmAFd4A64nsfJXZqbzFeKLAPGU9U+pkNBgtGst/65rVgZ:+A
Score: 10/10
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE

Target: 关于部分人员违规收费、开具假发票、收取会议费、培训费等违法行为线索.exe
Size: 6.3MB
MD5: 2fe3e6577f98084a36281d133c18c421
SHA1: a1919c3dbeca2d7b9863d7ca444c52c92dcb2a8d
SHA256: aedf61c285b9ea63f61d788f997d5b316e5ea217ca1e193f9db1d58d7fc614fb
SHA512: 2b3dac0e1fef85fee49a7b665ed9ef5985760ea717e1c475d1d86cd5a212b5e35de4cf8edfd235196224352c5338e5bada5b19b541a795a35c8909c800c35db2
SSDEEP: 49152:qkev1cjXHrb/T7vO90d7HjmAFd4A64nsfJc3MInicrIDRnW4pSXny1bSV5X1o63R:bjX/HicrG3br6iFnEVp+8/2tk
Score: 10/10

Target: 国家电网有限公司企业负责人收入情况.exe
Size: 826KB
MD5: 0cca261d04da399c982b7cfb9782949d
SHA1: abc3592bc8e3106216c5fe1e9cb210f4f003eebe
SHA256: 4d4eb532a1c9589d62709912df86386794d174b4b62b26406a4f6f325f41ffb6
SHA512: 6733881010676dccf9b9408ef3303bbd681b88e0d2f2582857126e2a4f1c1aef39cb414d5e227721c7d3d23b96ce823b89b948d5704358c8fca8816a921e6984
SSDEEP: 24576:7zyE+cC6ef3u4kvNqOcT35k/slCdewxt:7b+P5+flqOcDqUIJ
Score: 7/10
- Executes dropped EXE

Target: 广东省海洋综合执法辅助人员管理暂行规定的意见.exe
Size: 2.9MB
MD5: 328894184f6c03103f4ec74ebdb1da33
SHA1: b0b78411b73844e42366db63b88eead196b17791
SHA256: eb70ebcf049eacb788867088e0234230651bb91b6a22ec4631b39c1c5b3ab435
SHA512: 5a4a026e9c63e805e184cf58da59f90bf238a1039d16a014d89e76f26fdde7dfe19ddc2888b77b8d36f76e70032f0bf71f05f32bc5684d355a700b4ce22bbf3f
SSDEEP: 49152:UP1Y0klK+qf0tb+Xj9eokhBW9NNg3AJQ6iSLoKUtyAA8vj6P6MVw1+44BffHnSXR:uEHFD6DLoKYyb8uVw8pdPSXVsq4E
Score: 10/10
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

Target: 广东省统计局智能普查代码API信息-20230907.exe
Size: 298KB
MD5: 7064c19cf881943337c3db937b26d0fc
SHA1: 3a103fd5fb66864b3959a64207051a9aca820736
SHA256: e7ff5500d4ff19131f320072f81573a709e25eeeaded913631f7f4b36be98d14
SHA512: c0cca4c2f175a3034b7b56f9fb26ae45711a0cae67e31ec6e45b952edf62bad615e2b9cf2cfa7e13fb637298697d2a6d1a0170fc82a1aa34e9c7d4eeecfc36da
SSDEEP: 6144:3NTqter/4fl6UOr7oUMAD7J4ae8eefV1mvytA5ZUIVeqN5g+Kv:3NTPQfm35M+lhpFOSA5KIAqr4
Score: 1/10

Target: 录屏精灵-小方app-录制.com
Size: 4.8MB
MD5: 6db9e2872b1d3d218bed5f6042d45af6
SHA1: d819c902901196ae243c2044373e17791fe30048
SHA256: 647347d2c84696af6018d43cf1b70fc39dfe4a1fbf5850918fb493d2b494042b
SHA512: deab612fb5311c65d68725942a32ce56a000577b758f131a4c0fb778e1de9f9e908a7cb2352c538a46dcc98ef37167eab7dd03c791359bed02963541029a2eeb
SSDEEP: 98304:0PSfOFkEACaDWJ4Rwy/QYVxF1NXZRc6k4zBcrt//svPYRA3Dyt2jc31:0PSf4uD4y/QYVxF1NXZRc6kS9QOX4
Score: 7/10
- Executes dropped EXE

Target: 火绒网络连接查询.exe
Size: 2.6MB
MD5: 6778f3dced1c151403900b0476611639
SHA1: 9b60b0601e269628115ea851cd09e1f79c7b0bdb
SHA256: 8debfe89f386834fc0553e65c3b827fc15bb96fc0c329058f818fe0db48dc624
SHA512: 15187f442a7814af816d5d8aee6f663cf2fa006705dd4ebdb3a960d83065ebc1870370074f8168a9c65f5ca970c57b525ea5aa0462627d8e1d0454f457b3e72d
SSDEEP: 49152:SFXWYr6RKkRu97UW+OSmdjlTCTYaBDV2VO:MXV+DOS5P2VO
Score: 10/10
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)