983748c25d0701763e2d22718371bc136838148f1d0918778906da5d52617f26

Analysis

max time kernel
155s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2023 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/10月26日最新发布-财会人员薪资补贴所需材料.exe
Size

7.0MB
MD5

f6e04055431833bc4d1b6320a89c15ee
SHA1

567b7e0559f4d2f5510381f179300186902e7c7e
SHA256

02fd7b85fe499dfef76647a2e994ed7d653ab578a5b30a5bb62f4b760b7361d7
SHA512

2006f54fd500a1c80024aec4e039302d04301293f09c076d153f6560608cc3f7c7f3efef0396ef31c4d0e268fbf2023a7460b02e8ec7c7b4edc7355c5e04e492
SSDEEP

98304:Q9IaSBLM5fWaSBTM5YM3Tr+zorfuwFMdexTo0Je:+SgS8DrpuEMdexVJe

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

yXXt1vi5.exe

pid process

1164 yXXt1vi5.exe

pid	process
1164	yXXt1vi5.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Public\Downloads\xZ1PlLqI\yXXt1vi5.exe	upx
behavioral2/memory/1164-6-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/memory/1164-43-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

10月26日最新发布-财会人员薪资补贴所需材料.exeyXXt1vi5.exe

pid	process
4804	10月26日最新发布-财会人员薪资补贴所需材料.exe
4804	10月26日最新发布-财会人员薪资补贴所需材料.exe
4804	10月26日最新发布-财会人员薪资补贴所需材料.exe
4804	10月26日最新发布-财会人员薪资补贴所需材料.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

yXXt1vi5.exe

pid process

1164 yXXt1vi5.exe
1164 yXXt1vi5.exe

pid	process
1164	yXXt1vi5.exe
1164	yXXt1vi5.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

10月26日最新发布-财会人员薪资补贴所需材料.exeyXXt1vi5.exe

description	pid	process	target process
PID 4804 wrote to memory of 1164	4804	10月26日最新发布-财会人员薪资补贴所需材料.exe	yXXt1vi5.exe
PID 4804 wrote to memory of 1164	4804	10月26日最新发布-财会人员薪资补贴所需材料.exe	yXXt1vi5.exe
PID 4804 wrote to memory of 1164	4804	10月26日最新发布-财会人员薪资补贴所需材料.exe	yXXt1vi5.exe
PID 1164 wrote to memory of 4072	1164	yXXt1vi5.exe	cmd.exe
PID 1164 wrote to memory of 4072	1164	yXXt1vi5.exe	cmd.exe
PID 1164 wrote to memory of 4072	1164	yXXt1vi5.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1\10月26日最新发布-财会人员薪资补贴所需材料.exe
"C:\Users\Admin\AppData\Local\Temp\1\10月26日最新发布-财会人员薪资补贴所需材料.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Public\Downloads\xZ1PlLqI\yXXt1vi5.exe
C:\Users\Public\Downloads\xZ1PlLqI\yXXt1vi5.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\cmd.exe
cmd /c echo.>c:\xxxx.ini
3⤵
PID:4072

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG
Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG
Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Public\Downloads\xZ1PlLqI\Edge.jpg
Filesize
358KB

MD5
6b870f1589127369c183fbe8d2c9715c

SHA1
b4bb67404fd9873905764ce67093ea14b9c63025

SHA256
a9e4d44e4945255ad10462c3480cc9c45a0a586a2dfddb93bae7e79026dabd6f

SHA512
099be250ce673aa29feb6847fdd314f98049f6193ff0c9526c71bd58d4edb567ed6c99badf8402963870237aa14cee266a0df5429864eb93091a959e7df9b94c

Download Submit
C:\Users\Public\Downloads\xZ1PlLqI\edge.xml
Filesize
53KB

MD5
6afac5c9b2da8c43b59185adbffa89d4

SHA1
c21528e4ebe67aeb55fa80a883e4b7c37837a099

SHA256
43ac19475a63b7dd3374cc4ba4f1cd46f0a0528fe38dd967729d444879593bc2

SHA512
9d8e398c4a274cff656c23ef4f0a6101275d4a8f56838083e157342238b37eacf971329639ac2b2f996e0c21cf21a5e4145fe30e084e6bc5b981254920cd0626

Download Submit
C:\Users\Public\Downloads\xZ1PlLqI\yXXt1vi5.dat
Filesize
132KB

MD5
70ad630a7418d8be5444046275365a35

SHA1
d9a37b093bdcbb173e31cf7654f498c1b218cce4

SHA256
1f1d3e1ba33cb81e50affc899c962fb4ba427c9c22ccb4d70c42449024b4252f

SHA512
dc8d386c93b8b618373213f25d3440254653d7c2f421eb3c5ee6a809514dc3a3708ae19c96486bd9a69bf40a015e5d99fc1415c0f3f565f95ad4dca8155120dc

Download Submit
C:\Users\Public\Downloads\xZ1PlLqI\yXXt1vi5.exe
Filesize
525KB

MD5
14322669cf4b2bfcedac6584909bc339

SHA1
aa3d8abeda5663a9a9abbdafee7ee155bfa0898e

SHA256
9f23b1d5e11ee02d7e11e6933d53ce0abd689f450bed4f266ffc145174f7c951

SHA512
bb405ab0eef60ae81d78703ed6daf3c8b16bf8ecca9904f98f3afeb728a106197059ce7055b4ac2fd75c1d835129f6dd3753569acc129da1a4d96466f0ebe848

Download Submit
memory/1164-6-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1164-28-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/1164-30-0x00000000037C0000-0x00000000037D2000-memory.dmp

Filesize
72KB

Download
memory/1164-32-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/1164-43-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download