5171f4290490c8eb1356519a03533ca5c60de4eb1d52c0607d89147a913df8b5

Analysis

max time kernel
151s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2023 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

内容.exe
Size

6.8MB
MD5

caa9b129e72f3640f3c8423a8d6d771e
SHA1

121353458c22ce554290273983a5a9f39a31e709
SHA256

5171f4290490c8eb1356519a03533ca5c60de4eb1d52c0607d89147a913df8b5
SHA512

906ba7f8daf53d3cf619d2c5f967c4e2876bcd474d4393e449221b09938a86a5a9047d2bafa9f0c9037b06d11f6d2b5e1e40e5ca8a4c1e118dbaac19cb63b060
SSDEEP

98304:OJGYMihmZizqPoneOg3mUkj91+swfNDtGY:wEwneH3mWptGY

Score

8^/10

upx

Malware Config

Signatures

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Executes dropped EXE 1 IoCs

pid	Process
4680	mF1a90PR.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000022cfa-6.dat	upx
behavioral2/memory/4680-8-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/memory/4680-47-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mF1a90PR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mF1a90PR.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3088	内容.exe
3088	内容.exe
3088	内容.exe
3088	内容.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe
4680	mF1a90PR.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4680	mF1a90PR.exe
4680	mF1a90PR.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 4680	3088	内容.exe	93
PID 3088 wrote to memory of 4680	3088	内容.exe	93
PID 3088 wrote to memory of 4680	3088	内容.exe	93
PID 4680 wrote to memory of 1712	4680	mF1a90PR.exe	96
PID 4680 wrote to memory of 1712	4680	mF1a90PR.exe	96
PID 4680 wrote to memory of 1712	4680	mF1a90PR.exe	96

C:\Users\Admin\AppData\Local\Temp\内容.exe
"C:\Users\Admin\AppData\Local\Temp\内容.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Public\Downloads\mF1a90PR\mF1a90PR.exe
  C:\Users\Public\Downloads\mF1a90PR\mF1a90PR.exe
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Public\Downloads\mF1a90PR\Edge.jpg

Filesize
358KB

MD5
7ff7e6fc3e8fa734a34d444104e053a0

SHA1
3ff8c544ad1c952a0259cadf048bb64729c70f38

SHA256
65989df141eb5a8093642903d777b57ff5ce108679f722d7687f09b4e5eda1c1

SHA512
bba2a53ae8e92b656b5dcb335d9bca0b297aa6469c9d79f027a405d0b0cb031fb1d5488b82aefd91dcc8b8767ff3f8a3e6fd372f58bf03b06f2b6ee2acac9265

Download Submit
C:\Users\Public\Downloads\mF1a90PR\edge.xml

Filesize
53KB

MD5
dd9a0de37a9d96ab04c25afa5a40da3f

SHA1
82e5b326b8f0ea585cb02815eff7cec0ede78613

SHA256
0a249ecf29d1febeadd35a4417225fed96f3326c0baf26914560a51955a1d67d

SHA512
662cee1057f191b996c822e64fb46b09e28c2c657d1242556d4b262da72f5f310db24706971869cedf034b691ed1fe8e5390a6c6d2b0a0f4862c7f951b948f71

Download Submit
C:\Users\Public\Downloads\mF1a90PR\mF1a90PR.dat

Filesize
132KB

MD5
e106b7fd4c3d48bb868b798c2c76d7f2

SHA1
6b3a7cc1f47429a683b9321db1cc165046d3cfb6

SHA256
03d8f1d778be79c3cd4476b1cc8c657c6d95bc684006ee4c1531d451385b40af

SHA512
53a58280024bba85f40e1e6dbe5663aff5b78006a9ed0a8e7d0b7a78c31dcb1512a7dbe8a3cc9191fea7576795e66b8af0f58f11e9c52ebbdc1085a308fe2570

Download Submit
C:\Users\Public\Downloads\mF1a90PR\mF1a90PR.exe

Filesize
525KB

MD5
14322669cf4b2bfcedac6584909bc339

SHA1
aa3d8abeda5663a9a9abbdafee7ee155bfa0898e

SHA256
9f23b1d5e11ee02d7e11e6933d53ce0abd689f450bed4f266ffc145174f7c951

SHA512
bb405ab0eef60ae81d78703ed6daf3c8b16bf8ecca9904f98f3afeb728a106197059ce7055b4ac2fd75c1d835129f6dd3753569acc129da1a4d96466f0ebe848

Download Submit
memory/3088-7-0x00007FF7EA800000-0x00007FF7EAF3A000-memory.dmp

Filesize
7.2MB

Download
memory/3088-0-0x00007FF7EA800000-0x00007FF7EAF3A000-memory.dmp

Filesize
7.2MB

Download
memory/4680-8-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4680-33-0x00000000037C0000-0x00000000037D2000-memory.dmp

Filesize
72KB

Download
memory/4680-30-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/4680-35-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/4680-47-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download