276e6eee9af3d0e3892a7594592aa16b9db4f22abf12be63549891871f13bd0b

General

Target

MaChao Indicators Build 28Sep2023 Installer version2.exe
Size

1.0MB
MD5

3dc94b01ef6fa19a8448752cad869cca
SHA1

17ada6539efae0b837b5a5310f160ff28206276b
SHA256

395f6e2b174423eea1882d133eb7fc082725e7c4f4fb5812052cb2668d39fb55
SHA512

415122317e6464e7d87d88ac683f5b123109a1764eb34859b8b1a3f11448189fe93719c64a46556fc5a91542b28defdd9fc5144d1a4699851c864093d7fa0329
SSDEEP

12288:pBUAbUxvIP+AXARutmZpMgHcyTgfXsqApuYV5SdMbXY6sxjjhhi7KDRU1ndruGwF:JUg+AXmzvHcyQA4oUaa1jHiWnGwmkyBS

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2736	MaChao Indicators Build 28Sep2023 Installer version2.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1224-0-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1224-4-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2736-5-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2736-15-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/files/0x0005000000018698-25.dat	upx
behavioral1/memory/2736-26-0x00000000034B0000-0x00000000034C0000-memory.dmp	upx
behavioral1/memory/2736-30-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/2736-33-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1224-34-0x0000000000400000-0x0000000000500000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MaChao Indicators Build 28Sep2023 Installer version2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1224	MaChao Indicators Build 28Sep2023 Installer version2.exe
2736	MaChao Indicators Build 28Sep2023 Installer version2.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2736	1224	MaChao Indicators Build 28Sep2023 Installer version2.exe	28
PID 1224 wrote to memory of 2736	1224	MaChao Indicators Build 28Sep2023 Installer version2.exe	28
PID 1224 wrote to memory of 2736	1224	MaChao Indicators Build 28Sep2023 Installer version2.exe	28
PID 1224 wrote to memory of 2736	1224	MaChao Indicators Build 28Sep2023 Installer version2.exe	28
PID 1224 wrote to memory of 2736	1224	MaChao Indicators Build 28Sep2023 Installer version2.exe	28
PID 1224 wrote to memory of 2736	1224	MaChao Indicators Build 28Sep2023 Installer version2.exe	28
PID 1224 wrote to memory of 2736	1224	MaChao Indicators Build 28Sep2023 Installer version2.exe	28

C:\Users\Admin\AppData\Local\Temp\MaChao Indicators Build 28Sep2023 Installer version2.exe
"C:\Users\Admin\AppData\Local\Temp\MaChao Indicators Build 28Sep2023 Installer version2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\MaChao Indicators Build 28Sep2023 Installer version2.exe
  "C:\Users\Admin\AppData\Local\Temp\MaChao Indicators Build 28Sep2023 Installer version2.exe" spawn
  2⤵
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\Desktop\MaChao Indicators\Uninstall.exe

Filesize
392KB

MD5
a911a43ad085197f9ac1a5857079c141

SHA1
e6022581e92add83dc49a44783142b9d42bb93dc

SHA256
aacf9a039f1efeaf3b0320095d90c43884fa9e9c8c0ed09918a5de988ff39a29

SHA512
48d215eb66431040ded8088eb697bcf71f195ebff4b1a2707bd7dc130220f925a691f918e632546aaf88b4ba4fbcf98015bcc09edbbe850b08d555c6899ad752

Download Submit
memory/1224-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1224-2-0x0000000002EE0000-0x0000000002FE0000-memory.dmp

Filesize
1024KB

Download
memory/1224-4-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1224-0-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1224-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1224-34-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2736-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2736-5-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2736-9-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2736-15-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2736-26-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/2736-30-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2736-33-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing