Analysis

  • max time kernel
    39s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/10/2023, 21:36

General

  • Target

    e7b303b6c44398a017db3d627b66d827d1e717b4cbd08f2613134416edd3ceaa.exe

  • Size

    2.0MB

  • MD5

    502168eef2f8f926351b1dc6573aa2df

  • SHA1

    ba263bd9b17906f58ddac08ad311f45052fecaf4

  • SHA256

    e7b303b6c44398a017db3d627b66d827d1e717b4cbd08f2613134416edd3ceaa

  • SHA512

    79f535a8e84e49982035cfacc3e5ff6fb18b2e9e2161d614bb4e429bbf80b94895740ca3706be2ecf9d4376de70a97568297628b168e7f8f2e140e21396ddfd6

  • SSDEEP

    24576:ok3iIg3wC2Wp9N17LIJ7lB1BqEW9f8hAF3z2jAd5tBEZ7EEE+R3lKZV4qaxUYi49:xQN0ZKzwMPS9nOkGYAQIKU

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7b303b6c44398a017db3d627b66d827d1e717b4cbd08f2613134416edd3ceaa.exe
    "C:\Users\Admin\AppData\Local\Temp\e7b303b6c44398a017db3d627b66d827d1e717b4cbd08f2613134416edd3ceaa.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Users\Public\pro.exe
      "C:\Users\Public\pro.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:680
      • C:\Windows\SysWOW64\cmd.exe
        /c wmic process where "name='360tray.exe'" get ExecutablePath
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='360tray.exe'" get ExecutablePath
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:464
      • C:\Windows\SysWOW64\cmd.exe
        /c wmic process where "name='360tray.exe'" get ExecutablePath
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3312
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='360tray.exe'" get ExecutablePath
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3336
      • C:\Windows\SysWOW64\cmd.exe
        /c wmic process where "name='360tray.exe'" get ExecutablePath
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1152
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='360tray.exe'" get ExecutablePath
          4⤵
          PID:1960
      • C:\Windows\SysWOW64\cmd.exe
        /c wmic process where "name='zhudongfangyu.exe'" get ExecutablePath
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='zhudongfangyu.exe'" get ExecutablePath
          4⤵
          PID:2748
      • C:\Windows\SysWOW64\cmd.exe
        /c wmic process where "name='HipsTray.exe'" get ExecutablePath
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3436
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='HipsTray.exe'" get ExecutablePath
          4⤵
          PID:1244
      • C:\Windows\SysWOW64\cmd.exe
        /c wmic process where "name='HipsDaemon.exe'" get ExecutablePath
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4540
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='HipsDaemon.exe'" get ExecutablePath
          4⤵
          PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        /c wmic process where "name='kislive.exe'" get ExecutablePath
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3696
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='kislive.exe'" get ExecutablePath
          4⤵
          PID:1020
      • C:\Windows\SysWOW64\cmd.exe
        /c wmic process where "name='kwsprotect64.exe'" get ExecutablePath
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='kwsprotect64.exe'" get ExecutablePath
          4⤵
          PID:4676
      • C:\Windows\SysWOW64\cmd.exe
        /c wmic process where "name='kxecenter.exe'" get ExecutablePath
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5052
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='kxecenter.exe'" get ExecutablePath
          4⤵
          PID:464
      • C:\Windows\SysWOW64\cmd.exe
        /c wmic process where "name='kxescore.exe'" get ExecutablePath
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3568
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='kxescore.exe'" get ExecutablePath
          4⤵
          PID:3792
      • C:\Windows\SysWOW64\cmd.exe
        /c wmic process where "name='kxetray.exe'" get ExecutablePath
        3⤵
        PID:2212
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='kxetray.exe'" get ExecutablePath
          4⤵
          PID:2340
      • C:\Windows\SysWOW64\cmd.exe
        /c wmic process where "name='QQPCTray.exe'" get ExecutablePath
        3⤵
        PID:4692
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='QQPCTray.exe'" get ExecutablePath
          4⤵
          PID:3016
      • C:\Windows\SysWOW64\cmd.exe
        /c wmic process where "name='QQPCRTP.exe'" get ExecutablePath
        3⤵
        PID:4928
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='QQPCRTP.exe'" get ExecutablePath
          4⤵
          PID:2240
      • C:\Windows\SysWOW64\cmd.exe
        /c wmic process where "name='QQPCLeakScan.exe'" get ExecutablePath
        3⤵
        PID:3416
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='QQPCLeakScan.exe'" get ExecutablePath
          4⤵
          PID:3984
      • C:\Windows\SysWOW64\cmd.exe
        /c wmic process where "name='QMDL.exe'" get ExecutablePath
        3⤵
        PID:1908
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='QMDL.exe'" get ExecutablePath
          4⤵
          PID:4284

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Public\1.dat

    Filesize

    73KB

    MD5

    67f34b6ba332aeacdf7be5b2f3608479

    SHA1

    d84a74a186bd401fa5a4d77fe7af0838c3ff6d93

    SHA256

    61e419c82f57f94d1168e96d5611de6c2df36401f856e2c062c0f8235b0b1bb8

    SHA512

    2b424765d91536293c52673295372b6c71f198d21cfd58e8037e5f83de1371e0ee1a942cdfb76cf60baaeaaaa8f8bef3182f81654901542ec60058731b300423

  • C:\Users\Public\pro.exe

    Filesize

    2.0MB

    MD5

    502168eef2f8f926351b1dc6573aa2df

    SHA1

    ba263bd9b17906f58ddac08ad311f45052fecaf4

    SHA256

    e7b303b6c44398a017db3d627b66d827d1e717b4cbd08f2613134416edd3ceaa

    SHA512

    79f535a8e84e49982035cfacc3e5ff6fb18b2e9e2161d614bb4e429bbf80b94895740ca3706be2ecf9d4376de70a97568297628b168e7f8f2e140e21396ddfd6

  • memory/680-19-0x0000000000880000-0x0000000000A7C000-memory.dmp

    Filesize

    2.0MB

  • memory/2956-0-0x0000000010000000-0x0000000010022000-memory.dmp

    Filesize

    136KB

  • memory/2956-8-0x0000000000100000-0x00000000002FC000-memory.dmp

    Filesize

    2.0MB
