403bfc624363a1fe6ca2a6bbf324ef40ef486d34b6bf846ba831c2ede9ad57a8

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
17/11/2023, 14:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

局域网共享一键修复.exe
Size

81KB
MD5

bbf058ef4162ca05b150cfb81e2d385f
SHA1

67ba02fad823887d2cad84cead65f0e4971ca3d3
SHA256

403bfc624363a1fe6ca2a6bbf324ef40ef486d34b6bf846ba831c2ede9ad57a8
SHA512

42a556be9530ffc43b4b59f1a989302a153cb1ab3253bb59598f2e3e4b388a05003f2d82a870c7db2f4223a38c0a2c3af6888812a151339dfc671b3b5d207673
SSDEEP

1536:ePcVo6r7S/rabtna3/j2i4tpGDNopa9l3qtBJLDLoznouy8rJ6uvzVP:x7cWbEb2i4eDNcarSvLDLoLoutt

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2004-0-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2004-23-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2648	2004	局域网共享一键修复.exe	28
PID 2004 wrote to memory of 2648	2004	局域网共享一键修复.exe	28
PID 2004 wrote to memory of 2648	2004	局域网共享一键修复.exe	28
PID 2004 wrote to memory of 2648	2004	局域网共享一键修复.exe	28
PID 2648 wrote to memory of 2764	2648	cmd.exe	30
PID 2648 wrote to memory of 2764	2648	cmd.exe	30
PID 2648 wrote to memory of 2764	2648	cmd.exe	30
PID 2648 wrote to memory of 2764	2648	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\局域网共享一键修复.exe
"C:\Users\Admin\AppData\Local\Temp\局域网共享一键修复.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5FEB.tmp\start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K ok.bat
    3⤵
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5FEB.tmp\ok.bat

Filesize
4KB

MD5
e5979e4090809a7f511c270c5b75c611

SHA1
65e435712c1e46118449eb9a9095cf04f8de1a69

SHA256
e8aeee05e2af91e2a41c3a5f5e0a2f676af3c80dc444a170919e0ddd9fad3e40

SHA512
9f13a78e04f96fcb44b972d24f77bd411936bba79d1b7aeaf87dff3f2afe05b9252e1bb1f05a65fbd04e724c86531761f915ffa3ac9ac9710f9b564e2b25a68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5FEB.tmp\start.bat

Filesize
128B

MD5
c985b79c0d355e58d8fbf6716a76da37

SHA1
75414d0f150e62ec28d6654913649b269a233913

SHA256
0fb1119a0290c104626040dc8749473c66415c47bcfd877d9eeba89443d491f5

SHA512
9ed447d417233953b1f78c433b2b59f16382e1b7a19c7ad271bccdbf3d5cae51e8afd6733a04af5c3c25bfa31d5f9e23b25409561ca69635268a64e9a441a648

Download Submit
C:\Users\Admin\AppData\Local\Temp\5FEB.tmp\start.bat

Filesize
128B

MD5
c985b79c0d355e58d8fbf6716a76da37

SHA1
75414d0f150e62ec28d6654913649b269a233913

SHA256
0fb1119a0290c104626040dc8749473c66415c47bcfd877d9eeba89443d491f5

SHA512
9ed447d417233953b1f78c433b2b59f16382e1b7a19c7ad271bccdbf3d5cae51e8afd6733a04af5c3c25bfa31d5f9e23b25409561ca69635268a64e9a441a648

Download Submit
memory/2004-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2004-23-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download