Analysis
- max time kernel: 141s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 16-11-2023 07:41
Behavioral tasks
Eighteen tasks: each of the nine submitted files was run once on a Windows 7 x64 image and once on a Windows 10 2004 x64 image. Filenames are kept exactly as submitted, with an English gloss in parentheses; several carry a decoy document extension (.xlsx, .pdf) in front of the real .scr/.exe/.ps1 extension.
- behavioral1: 2023年11月新发布-财会人员薪资补贴调整新政策所需材料.exe ("Newly issued November 2023: materials required under the new policy on salary subsidy adjustments for finance and accounting staff"), resource win7-20231020-en
- behavioral2: same sample, resource win10v2004-20231023-en
- behavioral3: Due invoices Mazaya_pdf_pdf.vbe.ps1, resource win7-20231023-en
- behavioral4: same sample, resource win10v2004-20231020-en
- behavioral5: tools-读取浏览器敏感信息.exe ("tools: read sensitive browser information"), resource win7-20231020-en
- behavioral6: same sample, resource win10v2004-20231025-en
- behavioral7: 信息收集模板.scr.exe ("information collection template"), resource win7-20231023-en
- behavioral8: same sample, resource win10v2004-20231023-en
- behavioral9: 公司资料.exe ("company information"; the task this report covers), resource win7-20231023-en
- behavioral10: same sample, resource win10v2004-20231020-en
- behavioral11: 安全检查资产上报收集表-20231103-___xlsx.scr.exe ("security inspection asset reporting collection form, 20231103"), resource win7-20231020-en
- behavioral12: same sample, resource win10v2004-20231023-en
- behavioral13: 提交材料.exe ("submitted materials"), resource win7-20231025-en
- behavioral14: same sample, resource win10v2004-20231020-en
- behavioral15: 李志-账号密码记录-解压密码-20231116.exe ("Li Zhi: account and password record, unzip password, 20231116"), resource win7-20231023-en
- behavioral16: same sample, resource win10v2004-20231023-en
- behavioral17: 陈力-病例.exe ("Chen Li: medical case file"), resource win7-20231023-en
- behavioral18: same sample, resource win10v2004-20231023-en
General
- Target: 公司资料.exe
- Size: 3.8MB
- MD5: dc2e923303897fb5004c34693dc2eb74
- SHA1: 92006b30ecda6a1c091d9f7f8a4c1f060f3b9188
- SHA256: 6cb75a4a8d2dbfaca87e837cf411fde1bb5b0cffd9a09f5e8bb077d9b385a446
- SHA512: 606f67640ad9be15b4275f409b430c476150219bee941a69adf4519dc229cbcd6ea20e71bff8be9204916682731941e0c315d1421dc115115cc1ae78bc32e807
- SSDEEP: 98304:GgqM4j53BslobUytMfeUUzeeQY+PSOs0/4lf:GQo3BXbUSXzdQ/0Nf
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoC
  Process 公司资料.exe: key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  VirtualBox guests expose ACPI tables whose OEM ID is VBOX__; the existence of this key is enough to identify the hypervisor without reading any value.
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Process 公司资料.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Process 公司资料.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Themida packer (yara rule themida) 11 IoCs
  All eleven matches are the same mapped image of PID 2412, 0x000000013FD60000-0x00000001406CB000 (0x96B000 bytes, about 9.4 MiB, matching the dump sizes under Downloads), in behavioral9/memory/2412-0 through behavioral9/memory/2412-10. Themida itself performs VM and debugger checks, so the registry probes above may belong to the protector rather than to the payload.
- Checks whether UAC is enabled 1 IoC
  Process 公司资料.exe: key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  PID 2412 公司资料.exe (four hits)
- Suspicious use of WriteProcessMemory 3 IoCs
  PID 2412 公司资料.exe wrote to memory of PID 2792 WerFault.exe (three hits). The only target is the WerFault.exe child the sample spawned when it faulted (see Processes), so this is the parent-to-child write that accompanies process creation, not injection into an unrelated process.
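The four registry IoCs above (the VBOX__ ACPI key, the two BIOS version strings and EnableLUA) are the kind of read that Sysmon never records, because its registry events (IDs 12, 13 and 14) cover create, delete, set and rename, not opens or queries. They do show up in a Process Monitor trace or in a sandbox report like this one. The script below is an added example, not part of the report or of any tool it came from: it classifies registry reads against those exact paths, accepting both Procmon's HKLM\... spelling and the \REGISTRY\MACHINE\... object form the report prints, and flags a PID only when it touched more than one probe category, since a lone BIOS query is common in benign software. The Procmon CSV rows are constructed for the example; the FADT and RSDT alternatives next to DSDT are an assumption that generalises from the one table the report shows to the other ACPI tables VirtualBox names VBOX__.

```python
"""Classify registry reads as anti-VM / anti-sandbox probes.

Added example, not part of the sandbox report. The key paths are the IoCs the
report lists for 公司资料.exe; the input rows are constructed to look like a
Process Monitor CSV export (columns as Procmon writes them).
"""
import csv
import io
import re
from collections import defaultdict

# (pattern over the HKLM\... form, label). DSDT\VBOX__ is on the page; FADT and
# RSDT are the other ACPI tables VirtualBox names VBOX__ (assumption, a generalisation).
PROBES = [
    (re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
     "VirtualBox ACPI table name (anti-VM)"),
    (re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
     "BIOS version string (VM/sandbox fingerprinting)"),
    (re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I),
     "UAC status check"),
]

# Procmon operations that are reads; the sample only opens and queries, never writes.
READ_OPS = {"RegOpenKey", "RegQueryKey", "RegQueryValue"}


def normalize_path(path):
    """Map the kernel object form the sandbox prints (\\REGISTRY\\MACHINE\\...)
    onto the HKLM\\... form Procmon writes, so one rule set covers both."""
    return re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path.strip(), flags=re.I)


def classify(path):
    """Return the probe label for a registry path, or None if it is not a known probe."""
    p = normalize_path(path)
    for pattern, label in PROBES:
        if pattern.search(p):
            return label
    return None


def classify_ioc(line):
    """Classify one IoC line in the report's own wording, e.g.
    'Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion'."""
    m = re.match(r"^(?:Key opened|Key value queried)\s+(\S+)", line.strip())
    return classify(m.group(1)) if m else None


def scan_procmon_csv(text):
    """Group matching registry reads by PID: {pid: {label: [paths]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(text.strip())):
        if row["Operation"] not in READ_OPS:
            continue
        label = classify(row["Path"])
        if label is not None:
            hits[int(row["PID"])][label].append(normalize_path(row["Path"]))
    return {pid: dict(labels) for pid, labels in hits.items()}


def suspicious_pids(hits, min_categories=2):
    """PIDs that touched at least `min_categories` distinct probe types; a single
    BIOS query is common in benign software, the combination is the signal."""
    return sorted(pid for pid, labels in hits.items() if len(labels) >= min_categories)


# Constructed Procmon-style trace: the four reads the report attributes to
# PID 2412, a RegCloseKey that must be ignored, and a benign explorer.exe read.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"07:42:01.0000001","公司资料.exe","2412","RegOpenKey","HKLM\HARDWARE\ACPI\DSDT\VBOX__","SUCCESS","Desired Access: Read"
"07:42:01.0000002","公司资料.exe","2412","RegCloseKey","HKLM\HARDWARE\ACPI\DSDT\VBOX__","SUCCESS",""
"07:42:01.0000003","公司资料.exe","2412","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion","SUCCESS","Type: REG_MULTI_SZ"
"07:42:01.0000004","公司资料.exe","2412","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion","SUCCESS","Type: REG_MULTI_SZ"
"07:42:01.0000005","公司资料.exe","2412","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","SUCCESS","Type: REG_DWORD, Data: 1"
"07:42:02.0000001","explorer.exe","1234","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Data: 2"
'''

if __name__ == "__main__":
    found = scan_procmon_csv(SAMPLE_CSV)
    for pid in suspicious_pids(found):
        print(f"PID {pid}: {len(found[pid])} probe categories")
        for label, paths in found[pid].items():
            print(f"  {label}: {', '.join(paths)}")
```

Run against a real export, replace SAMPLE_CSV with the contents of a Procmon CSV saved with the default columns; the classifier ignores RegCloseKey and any write operation, and `classify_ioc` lets the same rules be applied to IoC lines copied straight out of a report like this one.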
Processes
- C:\Users\Admin\AppData\Local\Temp\公司资料.exe (PID 2412)
  Command line: "C:\Users\Admin\AppData\Local\Temp\公司资料.exe"
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (PID 2792, child of 2412)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2412 -s 120
    WerFault.exe is the Windows Error Reporting handler and -p 2412 names the faulting process, so the sample raised an unhandled exception on this Windows 7 image rather than running to completion. Whether that is Themida's own anti-VM logic bailing out after the VBOX__ and BIOS lookups, or an ordinary crash, cannot be determined from this trace; the Windows 10 run of the same file (behavioral10) is the one to compare against.
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Eleven dumps of the same 9.4MB region of PID 2412 (0x000000013FD60000-0x00000001406CB000), taken at successive points in the run:
- memory/2412-0-0x000000013FD60000-0x00000001406CB000-memory.dmp (9.4MB)
- memory/2412-1-0x000000013FD60000-0x00000001406CB000-memory.dmp (9.4MB)
- memory/2412-2-0x000000013FD60000-0x00000001406CB000-memory.dmp (9.4MB)
- memory/2412-3-0x000000013FD60000-0x00000001406CB000-memory.dmp (9.4MB)
- memory/2412-4-0x000000013FD60000-0x00000001406CB000-memory.dmp (9.4MB)
- memory/2412-5-0x000000013FD60000-0x00000001406CB000-memory.dmp (9.4MB)
- memory/2412-6-0x000000013FD60000-0x00000001406CB000-memory.dmp (9.4MB)
- memory/2412-7-0x000000013FD60000-0x00000001406CB000-memory.dmp (9.4MB)
- memory/2412-8-0x000000013FD60000-0x00000001406CB000-memory.dmp (9.4MB)
- memory/2412-9-0x000000013FD60000-0x00000001406CB000-memory.dmp (9.4MB)
- memory/2412-10-0x000000013FD60000-0x00000001406CB000-memory.dmp (9.4MB)