Overview
overview
10Static
static
71/10月26�...��.exe
windows7-x64
71/10月26�...��.exe
windows10-2004-x64
71/2023年1...��.exe
windows7-x64
11/2023年1...��.exe
windows10-2004-x64
11/AggregatorHost.exe
windows7-x64
71/AggregatorHost.exe
windows10-2004-x64
71/PO202302...60.exe
windows7-x64
11/PO202302...60.exe
windows10-2004-x64
11/TIanagents.exe
windows7-x64
11/TIanagents.exe
windows10-2004-x64
11/c.exe
windows7-x64
101/c.exe
windows10-2004-x64
101/loader.exe
windows7-x64
11/loader.exe
windows10-2004-x64
11/【东�...10.exe
windows7-x64
101/【东�...10.exe
windows10-2004-x64
101/【企�...��.exe
windows7-x64
101/【企�...��.exe
windows10-2004-x64
101/【财�...��.exe
windows7-x64
71/【财�...��.exe
windows10-2004-x64
101/内容.exe
windows7-x64
31/内容.exe
windows10-2004-x64
31/外挂 �...xf.exe
windows7-x64
31/外挂 �...xf.exe
windows10-2004-x64
3Analysis
-
max time kernel
118s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
20-12-2023 12:39
Behavioral task
behavioral1
Sample
1/10月26日最新发布-财会人员薪资补贴所需材料.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
1/10月26日最新发布-财会人员薪资补贴所需材料.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
1/2023年10月新发-财会人员薪资补贴调整新政策所需材料.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
1/2023年10月新发-财会人员薪资补贴调整新政策所需材料.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
1/AggregatorHost.exe
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
1/AggregatorHost.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
1/PO20230225-13360.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
1/PO20230225-13360.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
1/TIanagents.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
1/TIanagents.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
1/c.exe
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
1/c.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
1/loader.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
1/loader.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe
Resource
win7-20231129-en
Behavioral task
behavioral16
Sample
1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
1/【企业认证资料】企业认证资料包含营业执照原件,身份证等信息等,已��.exe
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
1/【企业认证资料】企业认证资料包含营业执照原件,身份证等信息等,已��.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
1/【财务部】关于工资调整通知.exe
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
1/【财务部】关于工资调整通知.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral21
Sample
1/内容.exe
Resource
win7-20231215-en
Behavioral task
behavioral22
Sample
1/内容.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
1/外挂 王者 吃鸡 绝地辅助链接可测试_xf.exe
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
1/外挂 王者 吃鸡 绝地辅助链接可测试_xf.exe
Resource
win10v2004-20231215-en
General
-
Target
1/内容.exe
-
Size
167KB
-
MD5
b30d517585fefa8cd92a0af9d3193b87
-
SHA1
716cc624c33e168adfecab2a0d26f1af2526fdd2
-
SHA256
22ab670f9dcaf146d719e864fc3e01b0f5bd4d587834366c8b5dcd78f677f310
-
SHA512
fd8c0f629cdaf963d0d592edc591efdae75e922664cca552d4b1ab08d416f52aa534fbb5e4ca0f5d8a22f40d68933e92201296942e41bb57da39b778bb55e394
-
SSDEEP
3072:lQUcrL6KmL783vtpkBAoH66Gop/q/rQms3cp6L8EcSufWr7+tvZZsXILNeujvcu2:lQfSKm/6kBoRop/q/rQm6k6QEcSzr6tk
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2596 2556 WerFault.exe 内容.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
内容.exepid process 2556 内容.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
内容.exedescription pid process target process PID 2556 wrote to memory of 2596 2556 内容.exe WerFault.exe PID 2556 wrote to memory of 2596 2556 内容.exe WerFault.exe PID 2556 wrote to memory of 2596 2556 内容.exe WerFault.exe PID 2556 wrote to memory of 2596 2556 内容.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1\内容.exe"C:\Users\Admin\AppData\Local\Temp\1\内容.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 7562⤵
- Program crash