ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Size

1.1MB
MD5

9573642332812c8282df476f31f1e4c2
SHA1

356f8e8bab35ca5e61ff1cf678c0b7603f74e107
SHA256

ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83
SHA512

b6c619fa861a1d2427eff3bf98349ba29278aca0df714f071306db71ef8d8ea4b879d0c5b789f02638558b6812651eae0b4dc574360aebd9b78854150e786e40
SSDEEP

24576:cVP4iQzePuruuXj/chlyr7oOVHw29OQaISSGBg806yila+i:cWBj/ch8rtw290Xnyila+i

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2796	sg.tmp
2588	铸梦跳转码计算神器①版.exe

Loads dropped DLL 7 IoCs

pid	Process
2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
2588	铸梦跳转码计算神器①版.exe
2588	铸梦跳转码计算神器①版.exe
2588	铸梦跳转码计算神器①版.exe
2588	铸梦跳转码计算神器①版.exe
2588	铸梦跳转码计算神器①版.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2420-0-0x0000000000400000-0x000000000056A000-memory.dmp	upx
behavioral1/memory/2276-9-0x0000000000400000-0x000000000056A000-memory.dmp	upx
behavioral1/memory/2420-37-0x0000000000400000-0x000000000056A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CLSID	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID	铸梦跳转码计算神器①版.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\ = "Microsoft Common Dialog Control, version 6.0"	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~1154291821107522237..\\comdlg32.ocx"	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID\ = "MSComDlg.CommonDialog.1"	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\ = "Common Dialog Font Property Page Object"	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~1154291821107522237..\\comdlg32.ocx"	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\Version = "1.2"	铸梦跳转码计算神器①版.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1\CLSID	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Version	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ = "Microsoft Common Dialog Control, version 6.0"	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Programmable	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~1154291821107522237..\\comdlg32.ocx, 1"	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~1154291821107522237..\\comdlg32.ocx"	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ = "ICommonDialog"	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID\ = "MSComDlg.CommonDialog"	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\ = "Common Dialog Color Property Page Object"	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1\CLSID\ = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"	铸梦跳转码计算神器①版.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	铸梦跳转码计算神器①版.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1	铸梦跳转码计算神器①版.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Control	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\ = "Common Dialog Open Property Page Object"	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\ = "Microsoft Common Dialog Control 6.0 (SP3)"	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~1154291821107522237..\\comdlg32.ocx"	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\Version = "1.2"	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CurVer	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32	铸梦跳转码计算神器①版.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ = "ICommonDialogEvents"	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32	铸梦跳转码计算神器①版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib	铸梦跳转码计算神器①版.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeBackupPrivilege	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: SeRestorePrivilege	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: 33	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: SeIncBasePriorityPrivilege	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: SeCreateGlobalPrivilege	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: 33	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: SeIncBasePriorityPrivilege	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: 33	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: SeIncBasePriorityPrivilege	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: SeBackupPrivilege	2276	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: SeRestorePrivilege	2276	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: 33	2276	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: SeIncBasePriorityPrivilege	2276	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: 33	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: SeIncBasePriorityPrivilege	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: SeRestorePrivilege	2796	sg.tmp
Token: 35	2796	sg.tmp
Token: SeSecurityPrivilege	2796	sg.tmp
Token: SeSecurityPrivilege	2796	sg.tmp
Token: 33	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
Token: SeIncBasePriorityPrivilege	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2588	铸梦跳转码计算神器①版.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1992	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	28
PID 2420 wrote to memory of 1992	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	28
PID 2420 wrote to memory of 1992	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	28
PID 2420 wrote to memory of 1992	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	28
PID 2420 wrote to memory of 2276	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	30
PID 2420 wrote to memory of 2276	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	30
PID 2420 wrote to memory of 2276	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	30
PID 2420 wrote to memory of 2276	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	30
PID 2420 wrote to memory of 2276	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	30
PID 2420 wrote to memory of 2276	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	30
PID 2420 wrote to memory of 2276	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	30
PID 2420 wrote to memory of 2796	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	31
PID 2420 wrote to memory of 2796	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	31
PID 2420 wrote to memory of 2796	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	31
PID 2420 wrote to memory of 2796	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	31
PID 2420 wrote to memory of 2588	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	33
PID 2420 wrote to memory of 2588	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	33
PID 2420 wrote to memory of 2588	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	33
PID 2420 wrote to memory of 2588	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	33
PID 2420 wrote to memory of 2588	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	33
PID 2420 wrote to memory of 2588	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	33
PID 2420 wrote to memory of 2588	2420	ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe	33
PID 2588 wrote to memory of 2616	2588	铸梦跳转码计算神器①版.exe	34
PID 2588 wrote to memory of 2616	2588	铸梦跳转码计算神器①版.exe	34
PID 2588 wrote to memory of 2616	2588	铸梦跳转码计算神器①版.exe	34
PID 2588 wrote to memory of 2616	2588	铸梦跳转码计算神器①版.exe	34
PID 2588 wrote to memory of 2616	2588	铸梦跳转码计算神器①版.exe	34
PID 2588 wrote to memory of 2616	2588	铸梦跳转码计算神器①版.exe	34
PID 2588 wrote to memory of 2616	2588	铸梦跳转码计算神器①版.exe	34

C:\Users\Admin\AppData\Local\Temp\ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
"C:\Users\Admin\AppData\Local\Temp\ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:1992
- C:\Users\Admin\AppData\Local\Temp\ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
  PECMD**pecmd-cmd* PUTF -dd -skipb=973824 -len=172556 "C:\Users\Admin\AppData\Local\Temp\~6520039698307570702.tmp",,C:\Users\Admin\AppData\Local\Temp\ab1d94af6a875f8039dc06a81db97419529577f4f656602386c75287a4c2ba83.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\~7837264283787357946~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~6520039698307570702.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~1154291821107522237.."
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\~1154291821107522237..\铸梦跳转码计算神器①版.exe
  "C:\Users\Admin\AppData\Local\Temp\~1154291821107522237..\铸梦跳转码计算神器①版.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 comdlg32.ocx /s
    3⤵
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~1154291821107522237..\comdlg32.ocx

Filesize
137KB

MD5
b73809a916e6d7c1ae56f182a2e8f7e2

SHA1
34e4213d8bf0e150d3f50ae0bd3f5b328e1105f5

SHA256
64c6ee999562961d11af130254ad3ffd24bb725d3c18e7877f9fd362f4936195

SHA512
26c28cb6c7e1b47425403ab8850a765ac420dd6474327ce8469376219c830ab46218383d15a73c9ea3a23fc6b5f392ee6e2a1632a1bf644b1bd1a05a4729e333

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1154291821107522237..\铸梦跳转码计算神器①版.exe

Filesize
240KB

MD5
7331a6d63b5fc3f6f3e86924cf96a116

SHA1
c612e53d9c3b0f84ee6531ab21fc310c017e4c79

SHA256
8ee88e95e6e0dab6a67955c28dc7724991293c44fa8ab7f17067e4d7e49e7fdd

SHA512
a3fbf4190c34f1fe26bd9168d2ec76e74a8998e621e96a6c76582ed423101e258e503cadad35d367d5aaa5a4bee5499a1e22743986460600d40cc6abb4f35695

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6520039698307570702.tmp

Filesize
168KB

MD5
cfe274737f773791679e255b0753b2ff

SHA1
4e140ebfd5dee592b9b12c100b1341f18fb6a1c0

SHA256
ecab4735883c1294e85663b42b99c238b9f4e7b6b2631cbe86eaa37fdde05624

SHA512
80bc5ccdf3751aff107e0c59bd8f25b3285fe4cdfafbbda87e3d8e030f74e23e197b47eda7cecfab17039b8ae3c5a8e3305f6e78f1ab10aa08c3aad425b83414

Download Submit
\Users\Admin\AppData\Local\Temp\~7837264283787357946~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
memory/2276-9-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/2420-0-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/2420-8-0x0000000002760000-0x00000000028CA000-memory.dmp

Filesize
1.4MB

Download
memory/2420-37-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/2420-39-0x0000000002760000-0x00000000028CA000-memory.dmp

Filesize
1.4MB

Download