Analysis
- max time kernel: 127s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 20-12-2023 12:39
Behavioral tasks
- behavioral1: Sample 1/10月26日最新发布-财会人员薪资补贴所需材料.exe (Resource win7-20231129-en)
- behavioral2: Sample 1/10月26日最新发布-财会人员薪资补贴所需材料.exe (Resource win10v2004-20231215-en)
- behavioral3: Sample 1/2023年10月新发-财会人员薪资补贴调整新政策所需材料.exe (Resource win7-20231129-en)
- behavioral4: Sample 1/2023年10月新发-财会人员薪资补贴调整新政策所需材料.exe (Resource win10v2004-20231215-en)
- behavioral5: Sample 1/AggregatorHost.exe (Resource win7-20231129-en)
- behavioral6: Sample 1/AggregatorHost.exe (Resource win10v2004-20231215-en)
- behavioral7: Sample 1/PO20230225-13360.exe (Resource win7-20231215-en)
- behavioral8: Sample 1/PO20230225-13360.exe (Resource win10v2004-20231215-en)
- behavioral9: Sample 1/TIanagents.exe (Resource win7-20231215-en)
- behavioral10: Sample 1/TIanagents.exe (Resource win10v2004-20231215-en)
- behavioral11: Sample 1/c.exe (Resource win7-20231129-en)
- behavioral12: Sample 1/c.exe (Resource win10v2004-20231215-en)
- behavioral13: Sample 1/loader.exe (Resource win7-20231215-en)
- behavioral14: Sample 1/loader.exe (Resource win10v2004-20231215-en)
- behavioral15: Sample 1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe (Resource win7-20231129-en)
- behavioral16: Sample 1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe (Resource win10v2004-20231215-en)
- behavioral17: Sample 1/【企业认证资料】企业认证资料包含营业执照原件,身份证等信息等,已��.exe (Resource win7-20231215-en)
- behavioral18: Sample 1/【企业认证资料】企业认证资料包含营业执照原件,身份证等信息等,已��.exe (Resource win10v2004-20231215-en)
- behavioral19: Sample 1/【财务部】关于工资调整通知.exe (Resource win7-20231215-en)
- behavioral20: Sample 1/【财务部】关于工资调整通知.exe (Resource win10v2004-20231215-en)
- behavioral21: Sample 1/内容.exe (Resource win7-20231215-en)
- behavioral22: Sample 1/内容.exe (Resource win10v2004-20231215-en)
- behavioral23: Sample 1/外挂 王者 吃鸡 绝地辅助链接可测试_xf.exe (Resource win7-20231215-en)
- behavioral24: Sample 1/外挂 王者 吃鸡 绝地辅助链接可测试_xf.exe (Resource win10v2004-20231215-en)
General
- Target: 1/AggregatorHost.exe
- Size: 353KB
- MD5: 0e76274b5ea373ca9744d3070b981eae
- SHA1: 6e306a9a65f286418bd69905963acd5d70b68e94
- SHA256: 032ec772a00bc1de43fed9d289c38853c56a1ea8dfd2a037b8c482e92a5cb14b
- SHA512: fafbbf3c1f66bd9dc62ed24dbcbf139000a98baaa0cef56fbcad4346cf5859e236c6fb6968f433772daa92dce7d9d3e41c1b3167a00b4652ec57e6e95c2e7739
- SSDEEP: 6144:hM7Mhq/8SBfUnY8sX6D1Ja+9K7O8NvQm8VmbsgxgsO21y6qciya4hrNyT6uf:hsSJyO8e7CPxghvZU1hrq
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 880 AggregatorHost.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 2732 AggregatorHost.exe; PID 2732 AggregatorHost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: AggregatorHost.exe set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Public\\Documents\\AggregatorHost.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 880 AggregatorHost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 2732 AggregatorHost.exe wrote to memory of PID 880 AggregatorHost.exe (three occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\1\AggregatorHost.exe "C:\Users\Admin\AppData\Local\Temp\1\AggregatorHost.exe" (PID 2732)
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\Documents\AggregatorHost.exe "C:\Users\Public\Documents\AggregatorHost.exe" (PID 880, child of PID 2732)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Public\Documents\AggregatorHost.exe
  Filesize: 353KB
  MD5: 0e76274b5ea373ca9744d3070b981eae
  SHA1: 6e306a9a65f286418bd69905963acd5d70b68e94
  SHA256: 032ec772a00bc1de43fed9d289c38853c56a1ea8dfd2a037b8c482e92a5cb14b
  SHA512: fafbbf3c1f66bd9dc62ed24dbcbf139000a98baaa0cef56fbcad4346cf5859e236c6fb6968f433772daa92dce7d9d3e41c1b3167a00b4652ec57e6e95c2e7739
- memory/880-10-0x0000000001E90000-0x0000000002290000-memory.dmp (Filesize 4.0MB)
- memory/880-9-0x0000000180000000-0x0000000180054000-memory.dmp (Filesize 336KB)
- memory/880-16-0x0000000180000000-0x0000000180054000-memory.dmp (Filesize 336KB)
- memory/880-17-0x0000000180000000-0x0000000180054000-memory.dmp (Filesize 336KB)
- memory/880-19-0x0000000001E90000-0x0000000002290000-memory.dmp (Filesize 4.0MB)