5a78661ac86987a988314d4a25a7c9fc6570379dc7d029fdd88281bea113ef7c

General

Target

360.exe
Size

1.7MB
MD5

df46b1e3df096e50e29fc4dc126e2166
SHA1

10b5c7ced741a2837ffbd8e53c71469fb79ab555
SHA256

5a78661ac86987a988314d4a25a7c9fc6570379dc7d029fdd88281bea113ef7c
SHA512

59b99280cb848db2247135039d610e65d1870f2190456aba381f20ddd03b2a9040bbcf5c63cee67df0c8532e6908b5563b690928ec839121d69198b478ff57a2
SSDEEP

24576:t4nXubIQGyxbPV0db26W05DmTsv1Et9uGpckT52zedlq89Ws5uIzk5aM/phdOW:tqe3f6DSffPMWrQ0ZkP

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2916	360.tmp

Loads dropped DLL 3 IoCs

pid	Process
2432	360.exe
2916	360.tmp
2916	360.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvcp60.dll	360.tmp

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Yihsiwei setup\unins000.dat	360.tmp
File created	C:\Program Files (x86)\Yihsiwei setup\is-RKQ6G.tmp	360.tmp
File opened for modification	C:\Program Files (x86)\Yihsiwei setup\unins000.dat	360.tmp
File created	C:\Program Files (x86)\Yihsiwei setup\is-ELHFE.tmp	360.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2916	360.tmp
2916	360.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2916	360.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2916	2432	360.exe	28
PID 2432 wrote to memory of 2916	2432	360.exe	28
PID 2432 wrote to memory of 2916	2432	360.exe	28
PID 2432 wrote to memory of 2916	2432	360.exe	28
PID 2432 wrote to memory of 2916	2432	360.exe	28
PID 2432 wrote to memory of 2916	2432	360.exe	28
PID 2432 wrote to memory of 2916	2432	360.exe	28

C:\Users\Admin\AppData\Local\Temp\360.exe
"C:\Users\Admin\AppData\Local\Temp\360.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\is-J3M8R.tmp\360.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-J3M8R.tmp\360.tmp" /SL5="$70124,911091,831488,C:\Users\Admin\AppData\Local\Temp\360.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Yihsiwei setup\is-ELHFE.tmp

Filesize
3.1MB

MD5
bd56d80395c9335ca1ff912fbbf7865c

SHA1
41b637881457e33447ddceb8f443df2e952efc1d

SHA256
81e5420e11eed4b058a83eaaca2ae5a43971bac3754e96d9a7f0884f4404f191

SHA512
c71fd6c1bb4200b99348907bbd7f3574b20a56d1120681a69c542fcb3e8e535455a0cefad860eec0acecd5be2aeff19d7dbc6420db0224fe01bdcbb5efc71005

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J3M8R.tmp\360.tmp

Filesize
3.0MB

MD5
4d3c3cb1a1e10a53d05f27eb462797ee

SHA1
38922d6d0dcef401a03a99954bb5afdde308fe2d

SHA256
f087429252d17b36cda63d4d9ffd4eefa166ba91768041e858d67e799a9b006e

SHA512
9493054d011f91ab05299bf9230f4a22ad64127e32a0410cbb102869fc6b838ec65cbfd3b8f22b40e5e136ef5534aa7c1dd04498adab515b4c5cfe641dea9a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J3M8R.tmp\360.tmp

Filesize
3.0MB

MD5
4d3c3cb1a1e10a53d05f27eb462797ee

SHA1
38922d6d0dcef401a03a99954bb5afdde308fe2d

SHA256
f087429252d17b36cda63d4d9ffd4eefa166ba91768041e858d67e799a9b006e

SHA512
9493054d011f91ab05299bf9230f4a22ad64127e32a0410cbb102869fc6b838ec65cbfd3b8f22b40e5e136ef5534aa7c1dd04498adab515b4c5cfe641dea9a3e

Download Submit
\Program Files (x86)\Yihsiwei setup\unins000.exe

Filesize
3.1MB

MD5
bd56d80395c9335ca1ff912fbbf7865c

SHA1
41b637881457e33447ddceb8f443df2e952efc1d

SHA256
81e5420e11eed4b058a83eaaca2ae5a43971bac3754e96d9a7f0884f4404f191

SHA512
c71fd6c1bb4200b99348907bbd7f3574b20a56d1120681a69c542fcb3e8e535455a0cefad860eec0acecd5be2aeff19d7dbc6420db0224fe01bdcbb5efc71005

Download Submit
\Program Files (x86)\Yihsiwei setup\unins000.exe

Filesize
3.1MB

MD5
bd56d80395c9335ca1ff912fbbf7865c

SHA1
41b637881457e33447ddceb8f443df2e952efc1d

SHA256
81e5420e11eed4b058a83eaaca2ae5a43971bac3754e96d9a7f0884f4404f191

SHA512
c71fd6c1bb4200b99348907bbd7f3574b20a56d1120681a69c542fcb3e8e535455a0cefad860eec0acecd5be2aeff19d7dbc6420db0224fe01bdcbb5efc71005

Download Submit
\Users\Admin\AppData\Local\Temp\is-J3M8R.tmp\360.tmp

Filesize
3.0MB

MD5
4d3c3cb1a1e10a53d05f27eb462797ee

SHA1
38922d6d0dcef401a03a99954bb5afdde308fe2d

SHA256
f087429252d17b36cda63d4d9ffd4eefa166ba91768041e858d67e799a9b006e

SHA512
9493054d011f91ab05299bf9230f4a22ad64127e32a0410cbb102869fc6b838ec65cbfd3b8f22b40e5e136ef5534aa7c1dd04498adab515b4c5cfe641dea9a3e

Download Submit
memory/2432-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2432-26-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2916-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2916-25-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing