Overview (score 10)
Static (score 7)

Tasks in this submission (one per sample and platform; names are shown truncated as on the page, full names are listed under Behavioral tasks below):

Score  Sample                       Platform
9      2023年11[...].exe             windows7-x64
9      2023年11[...].exe             windows10-2004-x64
1      Due invoic[...]be.ps1        windows7-x64
1      Due invoic[...]be.ps1        windows10-2004-x64
1      tools-读[...].exe             windows7-x64
10     tools-读[...].exe             windows10-2004-x64
1      信息收[...]cr.exe             windows7-x64
10     信息收[...]cr.exe             windows10-2004-x64
9      公司资料.exe                  windows7-x64
9      公司资料.exe                  windows10-2004-x64
1      安全检[...]cr.exe             windows7-x64
10     安全检[...]cr.exe             windows10-2004-x64
9      提交材料.exe                  windows7-x64
9      提交材料.exe                  windows10-2004-x64
10     李志-账[...]16.exe            windows7-x64
10     李志-账[...]16.exe            windows10-2004-x64
6      陈力-病例.exe                 windows7-x64
6      陈力-病例.exe                 windows10-2004-x64

Analysis
Max time kernel: 141s
Max time network: 125s
Platform: windows7_x64
Resource: win7-20231025-en
Resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
Submitted: 16-11-2023 07:41
Behavioral tasks (each sample was detonated once on a Windows 7 x64 image and once on a Windows 10 2004 x64 image):

Task | Sample | Resource
behavioral1 | 2023年11月新发布-财会人员薪资补贴调整新政策所需材料.exe | win7-20231020-en
behavioral2 | 2023年11月新发布-财会人员薪资补贴调整新政策所需材料.exe | win10v2004-20231023-en
behavioral3 | Due invoices Mazaya_pdf_pdf.vbe.ps1 | win7-20231023-en
behavioral4 | Due invoices Mazaya_pdf_pdf.vbe.ps1 | win10v2004-20231020-en
behavioral5 | tools-读取浏览器敏感信息.exe | win7-20231020-en
behavioral6 | tools-读取浏览器敏感信息.exe | win10v2004-20231025-en
behavioral7 | 信息收集模板.scr.exe | win7-20231023-en
behavioral8 | 信息收集模板.scr.exe | win10v2004-20231023-en
behavioral9 | 公司资料.exe | win7-20231023-en
behavioral10 | 公司资料.exe | win10v2004-20231020-en
behavioral11 | 安全检查资产上报收集表-20231103-___xlsx.scr.exe | win7-20231020-en
behavioral12 | 安全检查资产上报收集表-20231103-___xlsx.scr.exe | win10v2004-20231023-en
behavioral13 | 提交材料.exe | win7-20231025-en
behavioral14 | 提交材料.exe | win10v2004-20231020-en
behavioral15 | 李志-账号密码记录-解压密码-20231116.exe | win7-20231023-en
behavioral16 | 李志-账号密码记录-解压密码-20231116.exe | win10v2004-20231023-en
behavioral17 | 陈力-病例.exe | win7-20231023-en
behavioral18 | 陈力-病例.exe | win10v2004-20231023-en

Filename meanings (translated from Chinese; the filenames themselves are kept verbatim above because they are the indicators). The lure themes are finance/HR paperwork, IT-security forms, credential records and medical records, and several carry a double extension (.scr.exe, .vbe.ps1) to pass as documents or scripts:
- 2023年11月新发布-财会人员薪资补贴调整新政策所需材料.exe: "Newly issued November 2023: materials required under the new salary-subsidy adjustment policy for accounting staff"
- tools-读取浏览器敏感信息.exe: "tools: read sensitive browser information"
- 信息收集模板.scr.exe: "information collection template"
- 公司资料.exe: "company information"
- 安全检查资产上报收集表-20231103-___xlsx.scr.exe: "security inspection asset reporting collection form, 2023-11-03"
- 提交材料.exe: "submitted materials"
- 李志-账号密码记录-解压密码-20231116.exe: "Li Zhi: account and password record, extraction password, 2023-11-16"
- 陈力-病例.exe: "Chen Li: medical record"
General
Target: 提交材料.exe ("submitted materials")
Size: 3.8MB
MD5: aacf37fe5bddbad79fe940b129e4ab20
SHA1: fa3b2b05bbf9fe0f076de647ee1b4d4c49e06c59
SHA256: fa84c2b8cd4846e1c224d7dfb26e3737393b5fe13738b8d725d9b3815f9b0be1
SHA512: 28f69ea85c4fbf0e98b60db5c17d1bca1c152d75e63c676e0deb4dceb244d95cad5bdf9a407c6638b4e42eaf90ca565521892fcf196265a375693a681d416a87
SSDEEP: 98304:GgqM4j53BslobUytMfeUUzeeQY+ySOs0q4R:GQo3BXbUSXzdQC0c
Malware Config
(no configuration shown for this task)

Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  Processes: 提交材料.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 提交材料.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 提交材料.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 提交材料.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 提交材料.exe
- YARA rule "themida" matched in process memory (11 IoCs; the sample is packed with Themida, which is also why the static section scores lower than the behavioral ones)
  resource | yara_rule
  behavioral13/memory/2440-N-0x000000013F610000-0x000000013FF7B000-memory.dmp for N = 0 to 10 (11 dumps of the same region) | themida
- Checks whether UAC is enabled (1 IoC)
  Processes: 提交材料.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 提交材料.exe
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid | process
  2440 | 提交材料.exe (4 hits)
- Suspicious use of WriteProcessMemory 3 IoCs
  description | pid | process | target process
  PID 2440 wrote to memory of 2836 | 2440 | 提交材料.exe | WerFault.exe (3 hits)
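The three registry lookups above are the whole of the sample's observed reconnaissance, and they are the checks an analysis VM has to survive. The PowerShell below is an added example, not code from the report or from the 提交材料.exe sample: it performs the same lookups (the key paths are the ones the report lists) so you can see what your own sandbox image exposes before detonating a Themida-packed file on it. The function names, the marker strings VBOX, VIRTUALBOX and INNOTEK, and the decision to treat a missing EnableLUA value as "UAC on" are assumptions about how such checks are typically written; the report only shows that the keys were read.

```powershell
# Added example: reproduces the anti-VM and UAC registry reads listed in the
# sandbox report for 提交材料.exe. Not the sample's code; marker strings and
# interpretation of the values are assumptions.

# Assumed substrings that mark a VirtualBox-derived BIOS string.
$script:VmMarkers = @('VBOX', 'VIRTUALBOX', 'INNOTEK')

function Test-VirtualBoxAcpiKey {
    # Report IoC: key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    # Windows exposes the ACPI DSDT table under HKLM\HARDWARE\ACPI\DSDT using the
    # table's OEM ID as the sub-key name, so on VirtualBox the sub-key is VBOX__ and
    # merely checking that it exists identifies the hypervisor.
    return (Test-Path -LiteralPath 'HKLM:\HARDWARE\ACPI\DSDT\VBOX__')
}

function Get-BiosVersionStrings {
    # Report IoCs: SystemBiosVersion and VideoBiosVersion queried under
    # \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System (both are REG_MULTI_SZ).
    $key = Get-Item -LiteralPath 'HKLM:\HARDWARE\DESCRIPTION\System'
    [pscustomobject]@{
        SystemBiosVersion = @($key.GetValue('SystemBiosVersion'))
        VideoBiosVersion  = @($key.GetValue('VideoBiosVersion'))
    }
}

function Test-UacEnabled {
    # Report IoC: EnableLUA queried under
    # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
    # A missing value is read as "enabled" (the OS default); this is an assumption
    # about the sample's interpretation, the report only shows the query.
    $key = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = $key.GetValue('EnableLUA')
    return (($null -eq $v) -or ([int]$v -ne 0))
}

function Get-SandboxExposure {
    # Combine the three checks into the view a packer's anti-VM stub would get.
    $bios = Get-BiosVersionStrings
    $biosText = ((@($bios.SystemBiosVersion) + @($bios.VideoBiosVersion)) -join ' ').ToUpperInvariant()
    $biosHit = $false
    foreach ($m in $script:VmMarkers) {
        if ($biosText.Contains($m)) { $biosHit = $true }
    }
    [pscustomobject]@{
        VBoxAcpiKeyPresent = Test-VirtualBoxAcpiKey
        BiosLooksVirtual   = $biosHit
        SystemBiosVersion  = ($bios.SystemBiosVersion -join ' | ')
        VideoBiosVersion   = ($bios.VideoBiosVersion -join ' | ')
        UacEnabled         = Test-UacEnabled
    }
}

# Run from 64-bit PowerShell on the analysis image so the 64-bit registry view is read.
Get-SandboxExposure | Format-List
```

If VBoxAcpiKeyPresent or BiosLooksVirtual comes back True, a packer making the same reads can bail out exactly as this task did. VirtualBox lets you change the strings it publishes with VBoxManage setextradata (for example the VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor and VBoxInternal/Devices/acpi/0/Config/AcpiOemId keys); re-run the script afterwards to confirm the markers are gone before re-submitting the sample.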
Processes
- C:\Users\Admin\AppData\Local\Temp\提交材料.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\提交材料.exe"
  PID: 2440
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2440 -s 120
    PID: 2836

How to read this tree: WerFault.exe -u -p 2440 -s 120 is the Windows Error Reporting handler that the OS launches when PID 2440 crashes, and the only target of the three WriteProcessMemory hits is that WerFault process, so those hits are crash handling rather than injection into a victim process. The run therefore ended in a crash shortly after the anti-VM registry reads, which is consistent with a Themida-packed sample refusing to run once it has identified a VirtualBox-derived image, and is the likely reason the Network and MITRE ATT&CK sections below are empty. Treat this task as a failed detonation rather than as evidence that the sample is benign.
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/2440-N-0x000000013F610000-0x000000013FF7B000-memory.dmp for N = 0 to 10: eleven dumps of the same 0x96B000-byte region of PID 2440 (the unpacked Themida image), 9.4MB each.