f2beafc9c07213ded42ab2c977086901a4c2c27fa7cc728aac76bfd615409dce

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e93954b1b1464748a0b18f7c2c59a9b.exe
Size

14.0MB
MD5

9e93954b1b1464748a0b18f7c2c59a9b
SHA1

cfa6a2185311fabc4eafd6b845c1d6b57622c62b
SHA256

f2beafc9c07213ded42ab2c977086901a4c2c27fa7cc728aac76bfd615409dce
SHA512

f466c9a2171ed7e5ae93805d71de9142f5fcb09f2db44d5d9498c2e5fa948d887b85fe09804191057a35e54ea547210ffc536e66015dc9009fdb30dfc11aa212
SSDEEP

393216:tah/nVE7bryzaPsVpURhWRwTItLfaaZO8MEZm9Ct2d:tWdE7brXup+hF2JTEgt2d

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp

Loads dropped DLL 6 IoCs

pid	Process
1708	9e93954b1b1464748a0b18f7c2c59a9b.exe
2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp
2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp
2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp
2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp
2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 5 IoCs

evasion

pid	Process
2588	taskkill.exe
412	taskkill.exe
2380	taskkill.exe
792	taskkill.exe
2396	taskkill.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	412	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	792	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2552	1708	9e93954b1b1464748a0b18f7c2c59a9b.exe	17
PID 1708 wrote to memory of 2552	1708	9e93954b1b1464748a0b18f7c2c59a9b.exe	17
PID 1708 wrote to memory of 2552	1708	9e93954b1b1464748a0b18f7c2c59a9b.exe	17
PID 1708 wrote to memory of 2552	1708	9e93954b1b1464748a0b18f7c2c59a9b.exe	17
PID 1708 wrote to memory of 2552	1708	9e93954b1b1464748a0b18f7c2c59a9b.exe	17
PID 1708 wrote to memory of 2552	1708	9e93954b1b1464748a0b18f7c2c59a9b.exe	17
PID 1708 wrote to memory of 2552	1708	9e93954b1b1464748a0b18f7c2c59a9b.exe	17
PID 2552 wrote to memory of 2380	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	29
PID 2552 wrote to memory of 2380	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	29
PID 2552 wrote to memory of 2380	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	29
PID 2552 wrote to memory of 2380	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	29
PID 2552 wrote to memory of 412	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	39
PID 2552 wrote to memory of 412	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	39
PID 2552 wrote to memory of 412	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	39
PID 2552 wrote to memory of 412	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	39
PID 2552 wrote to memory of 2588	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	37
PID 2552 wrote to memory of 2588	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	37
PID 2552 wrote to memory of 2588	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	37
PID 2552 wrote to memory of 2588	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	37
PID 2552 wrote to memory of 2396	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	35
PID 2552 wrote to memory of 2396	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	35
PID 2552 wrote to memory of 2396	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	35
PID 2552 wrote to memory of 2396	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	35
PID 2552 wrote to memory of 792	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	33
PID 2552 wrote to memory of 792	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	33
PID 2552 wrote to memory of 792	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	33
PID 2552 wrote to memory of 792	2552	9e93954b1b1464748a0b18f7c2c59a9b.tmp	33

C:\Users\Admin\AppData\Local\Temp\9e93954b1b1464748a0b18f7c2c59a9b.exe
"C:\Users\Admin\AppData\Local\Temp\9e93954b1b1464748a0b18f7c2c59a9b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\is-TFUM4.tmp\9e93954b1b1464748a0b18f7c2c59a9b.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TFUM4.tmp\9e93954b1b1464748a0b18f7c2c59a9b.tmp" /SL5="$400BE,14231157,297472,C:\Users\Admin\AppData\Local\Temp\9e93954b1b1464748a0b18f7c2c59a9b.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im ZhuoDaShi.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im QQPMInstall.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:792
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im QQPhoneManagerWeb_990566.1.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im adb.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im zhuodashiupdater.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-TFUM4.tmp\9e93954b1b1464748a0b18f7c2c59a9b.tmp

Filesize
113KB

MD5
8e71225df8b5355e9b3b713af48837cc

SHA1
8e7aa72b2ebe06594c4fc801727f7a6f9662c0b3

SHA256
d9b57675e82518da9e199e42ae7e5bea0ea6e8650cdbdc7a7462251bbbd30b99

SHA512
577516a19f66986c36902db41064c5cca7b4a8ae940653e3bf10cc7344645396c209cc8a815e32aceba00edf996f8e05dd34fcfba56ce58f696e40c4d3996aa8

Download Submit
\Users\Admin\AppData\Local\Temp\is-RO6LN.tmp\Office2007.cjstyles

Filesize
166KB

MD5
cf348b8c7ca257ebc47dbd42e4d8354b

SHA1
f2503f76c224f7aad4e249c1d75fec26aa496f3b

SHA256
f7399f6e7ef773449c311d653a82fcc59d2d722f6e3d5212379e7096a244f428

SHA512
1f2541b9959cebc533a6aa7866165170aef6883b6ee706b0824ad1d34444c126fce8c2fcf4d4c68ac2c763e13552e5ef463a1fe62d765a6433ce5c6a68bc0fbb

Download Submit
\Users\Admin\AppData\Local\Temp\is-RO6LN.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RO6LN.tmp\isskin.dll

Filesize
31KB

MD5
4625f75884786ccf41569c2fdfd5fdd9

SHA1
052406f3bc299f7969bee44c6e391203cfd34a60

SHA256
d3bb7dae1aebec222a6b5e8ec2599229efebe1a4e5eb958c5df8f7d0cff3660e

SHA512
1c4f65a23e49a84e4a2b17baf1c0b8a00cdb099044f558514b0734809c9b326449410bbcf88063b193d9e0fd17d6b96d32784d47d37356744e097d2181e2e600

Download Submit
\Users\Admin\AppData\Local\Temp\is-RO6LN.tmp\isxdl.dll

Filesize
91KB

MD5
973d0a038874831abb68d1fb79e7dee8

SHA1
a51a42141592269f37dc906a30cbb4b9d7d6c5e9

SHA256
454ca456c2d52a899d7d9b2ed811034b8b338ac7a63ad71513a0e30afb2a9b34

SHA512
e32845856aa8a22736c9d0747e28ddd084171ee857290be63652d97fb1c9d8c2594fefc174c8fa56f9bd8adac3b782605e9a18d98811f4effa4758ffed12dc6c

Download Submit
\Users\Admin\AppData\Local\Temp\is-TFUM4.tmp\9e93954b1b1464748a0b18f7c2c59a9b.tmp

Filesize
166KB

MD5
57be45328dae566d8e55685a20b2660a

SHA1
1d025de4e192f65b0a95d42df884c7a0722c6985

SHA256
e7858d5f101476d9ee4719043cfd6e6ff578669624247dcc24b030becef7bb99

SHA512
23a2691da31a22393bcdd9f434c5cad0d265d99c4291aee00bd0d13f5e495f73afbf23457f0e3e80ec996f2bf0bf147f6833b3941c8ebe722a1ef7df7e947231

Download Submit
memory/1708-2-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1708-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1708-298-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2552-71-0x00000000750E0000-0x000000007516C000-memory.dmp

Filesize
560KB

Download
memory/2552-66-0x0000000075BB0000-0x0000000075C2B000-memory.dmp

Filesize
492KB

Download
memory/2552-31-0x0000000076B00000-0x0000000076C5C000-memory.dmp

Filesize
1.4MB

Download
memory/2552-30-0x0000000075910000-0x000000007599F000-memory.dmp

Filesize
572KB

Download
memory/2552-33-0x0000000076C90000-0x00000000778DA000-memory.dmp

Filesize
12.3MB

Download
memory/2552-39-0x0000000074F20000-0x0000000075015000-memory.dmp

Filesize
980KB

Download
memory/2552-47-0x0000000075B30000-0x0000000075B87000-memory.dmp

Filesize
348KB

Download
memory/2552-60-0x00000000768B0000-0x000000007694D000-memory.dmp

Filesize
628KB

Download
memory/2552-72-0x00000000750A0000-0x00000000750D2000-memory.dmp

Filesize
200KB

Download
memory/2552-85-0x0000000076090000-0x00000000762A5000-memory.dmp

Filesize
2.1MB

Download
memory/2552-91-0x0000000074E90000-0x0000000074EC6000-memory.dmp

Filesize
216KB

Download
memory/2552-90-0x0000000076950000-0x0000000076AED000-memory.dmp

Filesize
1.6MB

Download
memory/2552-89-0x0000000074F20000-0x0000000075015000-memory.dmp

Filesize
980KB

Download
memory/2552-88-0x0000000075020000-0x0000000075059000-memory.dmp

Filesize
228KB

Download
memory/2552-87-0x00000000750A0000-0x00000000750D2000-memory.dmp

Filesize
200KB

Download
memory/2552-86-0x00000000750E0000-0x000000007516C000-memory.dmp

Filesize
560KB

Download
memory/2552-84-0x00000000765F0000-0x0000000076673000-memory.dmp

Filesize
524KB

Download
memory/2552-82-0x0000000075B30000-0x0000000075B87000-memory.dmp

Filesize
348KB

Download
memory/2552-81-0x0000000075370000-0x000000007550E000-memory.dmp

Filesize
1.6MB

Download
memory/2552-80-0x0000000075610000-0x0000000075619000-memory.dmp

Filesize
36KB

Download
memory/2552-79-0x00000000755B0000-0x00000000755C2000-memory.dmp

Filesize
72KB

Download
memory/2552-78-0x0000000075D00000-0x0000000075DA0000-memory.dmp

Filesize
640KB

Download
memory/2552-77-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/2552-76-0x0000000075DA0000-0x0000000075DC7000-memory.dmp

Filesize
156KB

Download
memory/2552-75-0x0000000076950000-0x0000000076AED000-memory.dmp

Filesize
1.6MB

Download
memory/2552-74-0x0000000074F20000-0x0000000075015000-memory.dmp

Filesize
980KB

Download
memory/2552-73-0x0000000075020000-0x0000000075059000-memory.dmp

Filesize
228KB

Download
memory/2552-22-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/2552-70-0x0000000076090000-0x00000000762A5000-memory.dmp

Filesize
2.1MB

Download
memory/2552-69-0x00000000765F0000-0x0000000076673000-memory.dmp

Filesize
524KB

Download
memory/2552-68-0x00000000755D0000-0x00000000755E3000-memory.dmp

Filesize
76KB

Download
memory/2552-32-0x0000000075B30000-0x0000000075B87000-memory.dmp

Filesize
348KB

Download
memory/2552-65-0x0000000075B30000-0x0000000075B87000-memory.dmp

Filesize
348KB

Download
memory/2552-64-0x0000000075370000-0x000000007550E000-memory.dmp

Filesize
1.6MB

Download
memory/2552-63-0x00000000755B0000-0x00000000755C2000-memory.dmp

Filesize
72KB

Download
memory/2552-62-0x0000000075910000-0x000000007599F000-memory.dmp

Filesize
572KB

Download
memory/2552-61-0x0000000075D00000-0x0000000075DA0000-memory.dmp

Filesize
640KB

Download
memory/2552-59-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/2552-58-0x0000000074E90000-0x0000000074EC6000-memory.dmp

Filesize
216KB

Download
memory/2552-57-0x0000000076950000-0x0000000076AED000-memory.dmp

Filesize
1.6MB

Download
memory/2552-56-0x0000000074F20000-0x0000000075015000-memory.dmp

Filesize
980KB

Download
memory/2552-55-0x0000000075020000-0x0000000075059000-memory.dmp

Filesize
228KB

Download
memory/2552-54-0x00000000750A0000-0x00000000750D2000-memory.dmp

Filesize
200KB

Download
memory/2552-53-0x0000000076090000-0x00000000762A5000-memory.dmp

Filesize
2.1MB

Download
memory/2552-52-0x00000000765F0000-0x0000000076673000-memory.dmp

Filesize
524KB

Download
memory/2552-49-0x0000000075BB0000-0x0000000075C2B000-memory.dmp

Filesize
492KB

Download
memory/2552-48-0x0000000076C90000-0x00000000778DA000-memory.dmp

Filesize
12.3MB

Download
memory/2552-46-0x0000000075370000-0x000000007550E000-memory.dmp

Filesize
1.6MB

Download
memory/2552-45-0x0000000075610000-0x0000000075619000-memory.dmp

Filesize
36KB

Download
memory/2552-44-0x0000000076B00000-0x0000000076C5C000-memory.dmp

Filesize
1.4MB

Download
memory/2552-43-0x0000000075910000-0x000000007599F000-memory.dmp

Filesize
572KB

Download
memory/2552-42-0x0000000075D00000-0x0000000075DA0000-memory.dmp

Filesize
640KB

Download
memory/2552-41-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/2552-40-0x0000000076950000-0x0000000076AED000-memory.dmp

Filesize
1.6MB

Download
memory/2552-38-0x00000000750A0000-0x00000000750D2000-memory.dmp

Filesize
200KB

Download
memory/2552-37-0x0000000075DE0000-0x0000000075E0A000-memory.dmp

Filesize
168KB

Download
memory/2552-36-0x00000000750E0000-0x000000007516C000-memory.dmp

Filesize
560KB

Download
memory/2552-35-0x0000000075170000-0x000000007528C000-memory.dmp

Filesize
1.1MB

Download
memory/2552-34-0x0000000076090000-0x00000000762A5000-memory.dmp

Filesize
2.1MB

Download
memory/2552-29-0x0000000075D00000-0x0000000075DA0000-memory.dmp

Filesize
640KB

Download
memory/2552-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2552-28-0x00000000768B0000-0x000000007694D000-memory.dmp

Filesize
628KB

Download
memory/2552-299-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download