Overview
overview
10Static
static
71/10月26�...��.exe
windows7-x64
71/10月26�...��.exe
windows10-2004-x64
71/2023年1...��.exe
windows7-x64
11/2023年1...��.exe
windows10-2004-x64
11/AggregatorHost.exe
windows7-x64
71/AggregatorHost.exe
windows10-2004-x64
71/PO202302...60.exe
windows7-x64
11/PO202302...60.exe
windows10-2004-x64
11/TIanagents.exe
windows7-x64
11/TIanagents.exe
windows10-2004-x64
11/c.exe
windows7-x64
101/c.exe
windows10-2004-x64
101/loader.exe
windows7-x64
11/loader.exe
windows10-2004-x64
11/【东�...10.exe
windows7-x64
101/【东�...10.exe
windows10-2004-x64
101/【企�...��.exe
windows7-x64
101/【企�...��.exe
windows10-2004-x64
101/【财�...��.exe
windows7-x64
71/【财�...��.exe
windows10-2004-x64
101/内容.exe
windows7-x64
31/内容.exe
windows10-2004-x64
31/外挂 �...xf.exe
windows7-x64
31/外挂 �...xf.exe
windows10-2004-x64
3Analysis
-
max time kernel
129s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
20-12-2023 12:39
Behavioral task
behavioral1
Sample
1/10月26日最新发布-财会人员薪资补贴所需材料.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
1/10月26日最新发布-财会人员薪资补贴所需材料.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
1/2023年10月新发-财会人员薪资补贴调整新政策所需材料.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
1/2023年10月新发-财会人员薪资补贴调整新政策所需材料.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
1/AggregatorHost.exe
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
1/AggregatorHost.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
1/PO20230225-13360.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
1/PO20230225-13360.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
1/TIanagents.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
1/TIanagents.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
1/c.exe
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
1/c.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
1/loader.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
1/loader.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe
Resource
win7-20231129-en
Behavioral task
behavioral16
Sample
1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
1/【企业认证资料】企业认证资料包含营业执照原件,身份证等信息等,已��.exe
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
1/【企业认证资料】企业认证资料包含营业执照原件,身份证等信息等,已��.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
1/【财务部】关于工资调整通知.exe
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
1/【财务部】关于工资调整通知.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral21
Sample
1/内容.exe
Resource
win7-20231215-en
Behavioral task
behavioral22
Sample
1/内容.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
1/外挂 王者 吃鸡 绝地辅助链接可测试_xf.exe
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
1/外挂 王者 吃鸡 绝地辅助链接可测试_xf.exe
Resource
win10v2004-20231215-en
General
-
Target
1/c.exe
-
Size
479KB
-
MD5
40269ec54ce4652fd82336a1e0920b8a
-
SHA1
b47ab90f264f73c5b2b44588f11d6a459764c629
-
SHA256
887a5500799685d517647285b2da937f611b364ebd0db9ea6b32010272487011
-
SHA512
a7156a2f2e2d572075c15945756f9490023a5e603297421e0c8606720848eef76cf4e6b863ee36e39b72d2c425ecf5e48a6bf37d5a87617e5ffe6303886425ea
-
SSDEEP
12288:E2KOYjMs4+GgTJKpiFtzfeiQ5Ki5oh1cJeOb:R8Qs4+GgTsEfeoh1c0U
Malware Config
Extracted
metasploit
windows/download_exec
http://47.94.43.210:8080/kRJU
- headers User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Processes:
resource yara_rule behavioral11/memory/2420-0-0x0000000000400000-0x000000000053E000-memory.dmp upx behavioral11/memory/2420-21-0x0000000000400000-0x000000000053E000-memory.dmp upx behavioral11/memory/2420-30-0x0000000000400000-0x000000000053E000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
c.exepid process 2420 c.exe 2420 c.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPGFilesize
6KB
MD5e39405e85e09f64ccde0f59392317dd3
SHA19c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b
SHA256cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f
SHA5126733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a
-
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPGFilesize
27KB
MD5fbbb450cbc124bac75de4b49dc2fb93d
SHA15fd7ff0648f372ac8853e18a2d4557995801932b
SHA256f061b5cb931a13e8b120be759fa7faee63d3d05cb0cccb7a7321233a0301626c
SHA5121bdfe93f2602db0ec8564f554d0e769e613f8c26ff1afcc6d4400d234f4026f9168a72bec7af731c03e8675a5c8bf5c2a1317608d61767bb7c2eab4611f38c7b
-
memory/2420-0-0x0000000000400000-0x000000000053E000-memory.dmpFilesize
1.2MB
-
memory/2420-21-0x0000000000400000-0x000000000053E000-memory.dmpFilesize
1.2MB
-
memory/2420-29-0x0000000002070000-0x0000000002071000-memory.dmpFilesize
4KB
-
memory/2420-30-0x0000000000400000-0x000000000053E000-memory.dmpFilesize
1.2MB