Overview
overview
10Static
static
71/10月26�...��.exe
windows7-x64
71/10月26�...��.exe
windows10-2004-x64
71/2023年1...��.exe
windows7-x64
11/2023年1...��.exe
windows10-2004-x64
11/AggregatorHost.exe
windows7-x64
71/AggregatorHost.exe
windows10-2004-x64
71/PO202302...60.exe
windows7-x64
11/PO202302...60.exe
windows10-2004-x64
11/TIanagents.exe
windows7-x64
11/TIanagents.exe
windows10-2004-x64
11/c.exe
windows7-x64
101/c.exe
windows10-2004-x64
101/loader.exe
windows7-x64
11/loader.exe
windows10-2004-x64
11/【东�...10.exe
windows7-x64
101/【东�...10.exe
windows10-2004-x64
101/【企�...��.exe
windows7-x64
101/【企�...��.exe
windows10-2004-x64
101/【财�...��.exe
windows7-x64
71/【财�...��.exe
windows10-2004-x64
101/内容.exe
windows7-x64
31/内容.exe
windows10-2004-x64
31/外挂 �...xf.exe
windows7-x64
31/外挂 �...xf.exe
windows10-2004-x64
3Analysis
-
max time kernel
143s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
20-12-2023 12:39
Behavioral task
behavioral1
Sample
1/10月26日最新发布-财会人员薪资补贴所需材料.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
1/10月26日最新发布-财会人员薪资补贴所需材料.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
1/2023年10月新发-财会人员薪资补贴调整新政策所需材料.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
1/2023年10月新发-财会人员薪资补贴调整新政策所需材料.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
1/AggregatorHost.exe
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
1/AggregatorHost.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
1/PO20230225-13360.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
1/PO20230225-13360.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
1/TIanagents.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
1/TIanagents.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
1/c.exe
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
1/c.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
1/loader.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
1/loader.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe
Resource
win7-20231129-en
Behavioral task
behavioral16
Sample
1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
1/【企业认证资料】企业认证资料包含营业执照原件,身份证等信息等,已��.exe
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
1/【企业认证资料】企业认证资料包含营业执照原件,身份证等信息等,已��.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
1/【财务部】关于工资调整通知.exe
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
1/【财务部】关于工资调整通知.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral21
Sample
1/内容.exe
Resource
win7-20231215-en
Behavioral task
behavioral22
Sample
1/内容.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
1/外挂 王者 吃鸡 绝地辅助链接可测试_xf.exe
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
1/外挂 王者 吃鸡 绝地辅助链接可测试_xf.exe
Resource
win10v2004-20231215-en
General
-
Target
1/c.exe
-
Size
479KB
-
MD5
40269ec54ce4652fd82336a1e0920b8a
-
SHA1
b47ab90f264f73c5b2b44588f11d6a459764c629
-
SHA256
887a5500799685d517647285b2da937f611b364ebd0db9ea6b32010272487011
-
SHA512
a7156a2f2e2d572075c15945756f9490023a5e603297421e0c8606720848eef76cf4e6b863ee36e39b72d2c425ecf5e48a6bf37d5a87617e5ffe6303886425ea
-
SSDEEP
12288:E2KOYjMs4+GgTJKpiFtzfeiQ5Ki5oh1cJeOb:R8Qs4+GgTsEfeoh1c0U
Malware Config
Extracted
metasploit
windows/download_exec
http://47.94.43.210:8080/kRJU
- headers User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Processes:
resource yara_rule behavioral12/memory/2884-0-0x0000000000400000-0x000000000053E000-memory.dmp upx behavioral12/memory/2884-21-0x0000000000400000-0x000000000053E000-memory.dmp upx behavioral12/memory/2884-30-0x0000000000400000-0x000000000053E000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
c.exepid process 2884 c.exe 2884 c.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPGFilesize
6KB
MD5e39405e85e09f64ccde0f59392317dd3
SHA19c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b
SHA256cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f
SHA5126733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a
-
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPGFilesize
36KB
MD5f6bf82a293b69aa5b47d4e2de305d45a
SHA14948716616d4bbe68be2b4c5bf95350402d3f96f
SHA2566a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0
SHA512edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa
-
memory/2884-0-0x0000000000400000-0x000000000053E000-memory.dmpFilesize
1.2MB
-
memory/2884-21-0x0000000000400000-0x000000000053E000-memory.dmpFilesize
1.2MB
-
memory/2884-29-0x0000000003440000-0x0000000003441000-memory.dmpFilesize
4KB
-
memory/2884-30-0x0000000000400000-0x000000000053E000-memory.dmpFilesize
1.2MB