d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9

General

Target

d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe
Size

13.8MB
MD5

5cd7c39074b6e308f1c028b498e3a7a1
SHA1

1ef50c5bec07a8d123fa6ae17aad23a47007bd42
SHA256

d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9
SHA512

057418afefc717d9d755de4e325c0e2146addd28f8edfa8fac93eb15ddb37d6ef802053f2881294396ca7002144dbf4fd6a7c1f95e2b53e0572d3a6ac09759cb
SSDEEP

98304:rPb0eFzKzpyeDMFGP9eZVxiXSd+uILq/3k/XB2fgNKryCXDT+rvy80GTSD7lofQ5:zbdWzQFGF4h+l0U+SKVsybof6

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1180	Updata.exe

Executes dropped EXE 1 IoCs

pid	Process
1180	Updata.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1712	d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe
1712	d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe
1712	d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1180	1712	d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe	28
PID 1712 wrote to memory of 1180	1712	d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe	28
PID 1712 wrote to memory of 1180	1712	d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe	28
PID 1712 wrote to memory of 1180	1712	d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe	28
PID 1712 wrote to memory of 1180	1712	d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe	28
PID 1712 wrote to memory of 1180	1712	d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe	28
PID 1712 wrote to memory of 1180	1712	d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe	28
PID 1180 wrote to memory of 572	1180	Updata.exe	29
PID 1180 wrote to memory of 572	1180	Updata.exe	29
PID 1180 wrote to memory of 572	1180	Updata.exe	29
PID 1180 wrote to memory of 572	1180	Updata.exe	29

C:\Users\Admin\AppData\Local\Temp\d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe
"C:\Users\Admin\AppData\Local\Temp\d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\Updata.exe
  "C:\Users\Admin\AppData\Local\Temp\Updata.exe" http://wang.cdn.it668.top:1668//神话-蓝音辅助08300.rar C:\Users\Admin\AppData\Local\Temp\d76569f075e8929f439783227c2643a29c67ed4d9dbe60f3fe7528b776b545c9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c _deleteme.bat
    3⤵
    PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Updata.exe

Filesize
3.2MB

MD5
2d0043419a62ed871edbb0ee2d7ca090

SHA1
01c27014ead6e85ed5f897a14a99cc3d4655ab34

SHA256
a750a6d03bfb0b3986c123d5e39fd36f1fcf13005aa04eaa7e1e4b906b9b32a5

SHA512
06593448407cfe69a643ec8777a920733e6d39167cc782d7332ce4ba978abbe8d11be8e5d9d5bac965a57781da4e824fc5937fbb073af34faea839fb6ad2981e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updata.exe

Filesize
3.2MB

MD5
2d0043419a62ed871edbb0ee2d7ca090

SHA1
01c27014ead6e85ed5f897a14a99cc3d4655ab34

SHA256
a750a6d03bfb0b3986c123d5e39fd36f1fcf13005aa04eaa7e1e4b906b9b32a5

SHA512
06593448407cfe69a643ec8777a920733e6d39167cc782d7332ce4ba978abbe8d11be8e5d9d5bac965a57781da4e824fc5937fbb073af34faea839fb6ad2981e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_deleteme.bat

Filesize
132B

MD5
16b6f2900fd8504bcccae4e8e267620b

SHA1
17bf767eb7a9bdb64ced60fb22c3c2d7d2ca5eef

SHA256
1e61a52a0102f772414888fb6eb680ae1ca4aae8cecd2600e0dea12983bf029e

SHA512
c50a31a6f9d5576e49829e23fc64af75165af24d966fcb9c31afac4f6a73746760255ac85a8a89cc62c5705a84eb45e4adf40725989841e80f839b7ada49fa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_deleteme.bat

Filesize
132B

MD5
16b6f2900fd8504bcccae4e8e267620b

SHA1
17bf767eb7a9bdb64ced60fb22c3c2d7d2ca5eef

SHA256
1e61a52a0102f772414888fb6eb680ae1ca4aae8cecd2600e0dea12983bf029e

SHA512
c50a31a6f9d5576e49829e23fc64af75165af24d966fcb9c31afac4f6a73746760255ac85a8a89cc62c5705a84eb45e4adf40725989841e80f839b7ada49fa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\主线脚本\怀旧版主线-缥缈.txt

Filesize
16KB

MD5
af9bb45d209b19f234ab56f89b6c3e71

SHA1
e9f52ad308dfee11f6817f4b636b73884952427d

SHA256
3988ba5d8ebb45b93ec7f748d963b8ac18947252aa61322a300eb6aa340b204f

SHA512
53bb35fa07671788d304b5feabb86c586fdab29452c460972bfd070703d010f478d24b52332c1a711f09b7e5c18e3e120e7254508276748670d0c61ad20ddef1

Download Submit
\Users\Admin\AppData\Local\Temp\Updata.exe

Filesize
3.2MB

MD5
2d0043419a62ed871edbb0ee2d7ca090

SHA1
01c27014ead6e85ed5f897a14a99cc3d4655ab34

SHA256
a750a6d03bfb0b3986c123d5e39fd36f1fcf13005aa04eaa7e1e4b906b9b32a5

SHA512
06593448407cfe69a643ec8777a920733e6d39167cc782d7332ce4ba978abbe8d11be8e5d9d5bac965a57781da4e824fc5937fbb073af34faea839fb6ad2981e

Download Submit
memory/1180-11-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1180-12-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/1180-10-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/1180-184-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/1180-9-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1712-0-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1712-8-0x00000000010B0000-0x0000000001EA6000-memory.dmp

Filesize
14.0MB

Download

Analysis

Sharing