a1d303b353df28ed366a8fc944d93cacf25f328d63e2b95c30b188410a6894df

Resubmissions

12/01/2024, 05:35

240112-gactqsgcf6 7

12/01/2024, 05:30

240112-f7lx8sfdbm 7

12/01/2024, 05:25

240112-f4aqssfcej 7

Analysis

max time kernel
130s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-es
resource tags

arch:x64arch:x86image:win10v2004-20231215-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
12/01/2024, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adb/AdbWinApi.dll
Size

95KB
MD5

ed5a809dc0024d83cbab4fb9933d598d
SHA1

0bc5a82327f8641d9287101e4cc7041af20bad57
SHA256

d60103a5e99bc9888f786ee916f5d6e45493c3247972cb053833803de7e95cf9
SHA512

1fdb74ee5912fbdd2c0cba501e998349fecfbef5f4f743c7978c38996aa7e1f38e8ac750f2dc8f84b8094de3dd6fa3f983a29f290b3fa2cdbdaed691748baf17
SSDEEP

1536:Jwqdq+3pvspmLh8SCykrpTG7kfGHuNezq02XJqo+iFi1yCP:JwqD3L8Tezq0et+ui1y

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3944-0-0x0000000140000000-0x000000014002F000-memory.dmp	upx
behavioral2/memory/3944-6-0x0000000140000000-0x000000014002F000-memory.dmp	upx
behavioral2/memory/3944-7-0x0000000140000000-0x000000014002F000-memory.dmp	upx
behavioral2/memory/2640-12-0x0000000140000000-0x000000014002F000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4476	2184	WerFault.exe	89

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 2184	912	rundll32.exe	89
PID 912 wrote to memory of 2184	912	rundll32.exe	89
PID 912 wrote to memory of 2184	912	rundll32.exe	89
PID 3944 wrote to memory of 4188	3944	全自动安装.exe	121
PID 3944 wrote to memory of 4188	3944	全自动安装.exe	121
PID 4188 wrote to memory of 3616	4188	cmd.exe	122
PID 4188 wrote to memory of 3616	4188	cmd.exe	122
PID 4188 wrote to memory of 3616	4188	cmd.exe	122
PID 3616 wrote to memory of 3492	3616	adb.exe	123
PID 3616 wrote to memory of 3492	3616	adb.exe	123
PID 3616 wrote to memory of 3492	3616	adb.exe	123
PID 4188 wrote to memory of 2552	4188	cmd.exe	124
PID 4188 wrote to memory of 2552	4188	cmd.exe	124
PID 4188 wrote to memory of 2552	4188	cmd.exe	124
PID 2640 wrote to memory of 5056	2640	全自动安装.exe	131
PID 2640 wrote to memory of 5056	2640	全自动安装.exe	131
PID 5056 wrote to memory of 1284	5056	cmd.exe	130
PID 5056 wrote to memory of 1284	5056	cmd.exe	130
PID 5056 wrote to memory of 1284	5056	cmd.exe	130
PID 1284 wrote to memory of 2604	1284	adb.exe	133
PID 1284 wrote to memory of 2604	1284	adb.exe	133
PID 1284 wrote to memory of 2604	1284	adb.exe	133
PID 5056 wrote to memory of 852	5056	cmd.exe	132
PID 5056 wrote to memory of 852	5056	cmd.exe	132
PID 5056 wrote to memory of 852	5056	cmd.exe	132

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\adb\AdbWinApi.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\adb\AdbWinApi.dll,#1
  2⤵
  PID:2184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 616
    3⤵
    - Program crash
    PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2184 -ip 2184
1⤵
PID:3108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\全自动安装.exe
"C:\Users\Admin\AppData\Local\Temp\全自动安装.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BE0B.tmp\BE0C.tmp\BE0D.bat C:\Users\Admin\AppData\Local\Temp\全自动安装.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\adb\adb.exe
    "adb\adb.exe" install "com.anagan.qgp.apk"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\adb\adb.exe
      adb -L tcp:5037 fork-server server --reply-fd 608
      4⤵
      PID:3492
- - C:\Users\Admin\AppData\Local\Temp\adb\adb.exe
    "adb\adb.exe" kill-server
    3⤵
    PID:2552

C:\Users\Admin\AppData\Local\Temp\全自动安装.exe
"C:\Users\Admin\AppData\Local\Temp\全自动安装.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3AF.tmp\3B0.tmp\3B1.bat C:\Users\Admin\AppData\Local\Temp\全自动安装.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\adb\adb.exe
    "adb\adb.exe" kill-server
    3⤵
    PID:852

C:\Users\Admin\AppData\Local\Temp\adb\adb.exe
"adb\adb.exe" install "com.anagan.qgp.apk"
1⤵
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\adb\adb.exe
  adb -L tcp:5037 fork-server server --reply-fd 576
  2⤵
  PID:2604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.android\adbkey

Filesize
1KB

MD5
d416118410ae16248e4bd0f30e06d742

SHA1
8e09a1555602e1f8121efd4db7a458aaa205495e

SHA256
e51ab76d6c3f2764cc084abac5d8cc1d58db90743a7c3a1e0f1fd9cbafac17a0

SHA512
adbcdef8ffd9b88a341869c4aa6b5fa96f1b23040b328b9d45043bb2387709795656a6d6801f0cea4b6c8a51a1fa77b14bbdfd252626f180254e5850bb914c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE0B.tmp\BE0C.tmp\BE0D.bat

Filesize
435B

MD5
2f68a3064dcbc3c25ed677cf9f8b3729

SHA1
9fad2e5c9752ec30cd32f2f7c23cb5a52566766a

SHA256
0a423e84702d81e85c2a8313fc0ea261ccb61ce1f255c1955f72505b76646163

SHA512
3782942518bb897455c5435892b732af8ef487cbe5799f0e3c20e28d76d4f619d51c09f2f17a1be3a7a509344f5050d82dd2aa7a64d961a8281f7843fa1c615b

Download Submit
C:\Users\Admin\AppData\Local\Temp\adb.log

Filesize
1020B

MD5
421e99d4d2a138b00e90ea772b2a8c12

SHA1
fe7e462efff91a002712e72a6277c1b76792f208

SHA256
8434884b43cb480c5b4b0f7dcb6968d0afeaa9d17f9140fe8f99b761a3cfe282

SHA512
f80875a8eb181c86b69168b888319cc02544f7316922e5298046d2d8998de31081390ce54137b27ca03fe0e71b4f4fcf402975c513dd4901149ede71c8b2f4ff

Download Submit
memory/2640-12-0x0000000140000000-0x000000014002F000-memory.dmp

Filesize
188KB

Download
memory/3944-0-0x0000000140000000-0x000000014002F000-memory.dmp

Filesize
188KB

Download
memory/3944-6-0x0000000140000000-0x000000014002F000-memory.dmp

Filesize
188KB

Download
memory/3944-7-0x0000000140000000-0x000000014002F000-memory.dmp

Filesize
188KB

Download