5171f4290490c8eb1356519a03533ca5c60de4eb1d52c0607d89147a913df8b5

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
06-11-2023 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

内容.exe
Size

6.8MB
MD5

caa9b129e72f3640f3c8423a8d6d771e
SHA1

121353458c22ce554290273983a5a9f39a31e709
SHA256

5171f4290490c8eb1356519a03533ca5c60de4eb1d52c0607d89147a913df8b5
SHA512

906ba7f8daf53d3cf619d2c5f967c4e2876bcd474d4393e449221b09938a86a5a9047d2bafa9f0c9037b06d11f6d2b5e1e40e5ca8a4c1e118dbaac19cb63b060
SSDEEP

98304:OJGYMihmZizqPoneOg3mUkj91+swfNDtGY:wEwneH3mWptGY

Score

8^/10

upx

Malware Config

Signatures

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Executes dropped EXE 1 IoCs

pid	Process
2104	LrFtXrAo.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001210a-6.dat	upx
behavioral1/memory/2104-30-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/2104-48-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LrFtXrAo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	LrFtXrAo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2144	内容.exe
2144	内容.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2104	LrFtXrAo.exe
2104	LrFtXrAo.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2104	2144	内容.exe	28
PID 2144 wrote to memory of 2104	2144	内容.exe	28
PID 2144 wrote to memory of 2104	2144	内容.exe	28
PID 2144 wrote to memory of 2104	2144	内容.exe	28
PID 2144 wrote to memory of 2104	2144	内容.exe	28
PID 2144 wrote to memory of 2104	2144	内容.exe	28
PID 2144 wrote to memory of 2104	2144	内容.exe	28
PID 2104 wrote to memory of 2784	2104	LrFtXrAo.exe	29
PID 2104 wrote to memory of 2784	2104	LrFtXrAo.exe	29
PID 2104 wrote to memory of 2784	2104	LrFtXrAo.exe	29
PID 2104 wrote to memory of 2784	2104	LrFtXrAo.exe	29

C:\Users\Admin\AppData\Local\Temp\内容.exe
"C:\Users\Admin\AppData\Local\Temp\内容.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Public\Downloads\LrFtXrAo\LrFtXrAo.exe
  C:\Users\Public\Downloads\LrFtXrAo\LrFtXrAo.exe
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Xshell 6 Update Log.txt

Filesize
350B

MD5
08d915b7c06af3693f838416f3aa7676

SHA1
31dd3a685718b0e14d1913d75fb793da55d8475b

SHA256
bee0861f029e3ebbd7ded5d7a4cd8664eece463735b501f319087733fe35d40a

SHA512
0bb9a6a0696dc8d72ed8eb729770d51dbe88215ad756504066ffeb783d2ef9438de45c0587f9d078a3156dfe3100127e42df9b800219b85907f3246bc8b81f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Public\Downloads\LrFtXrAo\Edge.jpg

Filesize
358KB

MD5
7ff7e6fc3e8fa734a34d444104e053a0

SHA1
3ff8c544ad1c952a0259cadf048bb64729c70f38

SHA256
65989df141eb5a8093642903d777b57ff5ce108679f722d7687f09b4e5eda1c1

SHA512
bba2a53ae8e92b656b5dcb335d9bca0b297aa6469c9d79f027a405d0b0cb031fb1d5488b82aefd91dcc8b8767ff3f8a3e6fd372f58bf03b06f2b6ee2acac9265

Download Submit
C:\Users\Public\Downloads\LrFtXrAo\LrFtXrAo.dat

Filesize
132KB

MD5
e106b7fd4c3d48bb868b798c2c76d7f2

SHA1
6b3a7cc1f47429a683b9321db1cc165046d3cfb6

SHA256
03d8f1d778be79c3cd4476b1cc8c657c6d95bc684006ee4c1531d451385b40af

SHA512
53a58280024bba85f40e1e6dbe5663aff5b78006a9ed0a8e7d0b7a78c31dcb1512a7dbe8a3cc9191fea7576795e66b8af0f58f11e9c52ebbdc1085a308fe2570

Download Submit
C:\Users\Public\Downloads\LrFtXrAo\LrFtXrAo.exe

Filesize
525KB

MD5
14322669cf4b2bfcedac6584909bc339

SHA1
aa3d8abeda5663a9a9abbdafee7ee155bfa0898e

SHA256
9f23b1d5e11ee02d7e11e6933d53ce0abd689f450bed4f266ffc145174f7c951

SHA512
bb405ab0eef60ae81d78703ed6daf3c8b16bf8ecca9904f98f3afeb728a106197059ce7055b4ac2fd75c1d835129f6dd3753569acc129da1a4d96466f0ebe848

Download Submit
C:\Users\Public\Downloads\LrFtXrAo\edge.xml

Filesize
53KB

MD5
dd9a0de37a9d96ab04c25afa5a40da3f

SHA1
82e5b326b8f0ea585cb02815eff7cec0ede78613

SHA256
0a249ecf29d1febeadd35a4417225fed96f3326c0baf26914560a51955a1d67d

SHA512
662cee1057f191b996c822e64fb46b09e28c2c657d1242556d4b262da72f5f310db24706971869cedf034b691ed1fe8e5390a6c6d2b0a0f4862c7f951b948f71

Download Submit
memory/2104-34-0x0000000002200000-0x0000000002212000-memory.dmp

Filesize
72KB

Download
memory/2104-31-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2104-30-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2104-36-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/2104-48-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2144-7-0x000000013FE20000-0x000000014055A000-memory.dmp

Filesize
7.2MB

Download