Overview (score 7)
Static (score 7)

Behavioral tasks (navigation summary; sample names truncated as shown on the page)

Sample                   Platform            Score
ada83f24db...0a.exe      windows7-x64        7
ada83f24db...0a.exe      windows10-2004-x64  7
$PLUGINSDI...er.dll      windows7-x64        1
$PLUGINSDI...er.dll      windows10-2004-x64  1
$TEMPLATES/Setup.exe     windows7-x64        7
$TEMPLATES/Setup.exe     windows10-2004-x64  7
$PLUGINSDI...ns.dll      windows7-x64        3
$PLUGINSDI...ns.dll      windows10-2004-x64  3
KKjie.exe                windows7-x64        7
KKjie.exe                windows10-2004-x64  7
$EXEDIR/KK...fe.exe      windows7-x64        1
$EXEDIR/KK...fe.exe      windows10-2004-x64  1
$PLUGINSDI...er.dll      windows7-x64        1
$PLUGINSDI...er.dll      windows10-2004-x64  1
$PLUGINSDI...LL.dll      windows7-x64        3
$PLUGINSDI...LL.dll      windows10-2004-x64  3
KKjie_safe.exe           windows7-x64        1
KKjie_safe.exe           windows10-2004-x64  1
KKjie_safe.dll           windows7-x64        1
KKjie_safe.dll           windows10-2004-x64  1
languages/Chinese.dll    windows7-x64        1
languages/Chinese.dll    windows10-2004-x64  1
xiezai.exe               windows7-x64        7
xiezai.exe               windows10-2004-x64  7
$PLUGINSDI...LL.dll      windows7-x64        3
$PLUGINSDI...LL.dll      windows10-2004-x64  3
$TEMPLATES...ft.exe      windows7-x64        1
$TEMPLATES...ft.exe      windows10-2004-x64  1
$TEMPLATES...ft.exe      windows7-x64        1
$TEMPLATES...ft.exe      windows10-2004-x64  1
$TEMPLATES/readme.exe    windows7-x64        7
$TEMPLATES/readme.exe    windows10-2004-x64  7

Analysis
max time kernel:  120s
max time network: 125s
platform:         windows7_x64
resource:         win7-20240221-en
resource tags:    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted:        29/02/2024, 04:11
Behavioral tasks

Task          Sample                                 Resource
behavioral1   ada83f24db805cdc68a240df31289f0a.exe   win7-20240221-en
behavioral2   ada83f24db805cdc68a240df31289f0a.exe   win10v2004-20240226-en
behavioral3   $PLUGINSDIR/Banner.dll                 win7-20240221-en
behavioral4   $PLUGINSDIR/Banner.dll                 win10v2004-20240226-en
behavioral5   $TEMPLATES/Setup.exe                   win7-20240221-en
behavioral6   $TEMPLATES/Setup.exe                   win10v2004-20240226-en
behavioral7   $PLUGINSDIR/InstallOptions.dll         win7-20240221-en
behavioral8   $PLUGINSDIR/InstallOptions.dll         win10v2004-20240226-en
behavioral9   KKjie.exe                              win7-20240221-en
behavioral10  KKjie.exe                              win10v2004-20240226-en
behavioral11  $EXEDIR/KKjie_safe.exe                 win7-20240221-en
behavioral12  $EXEDIR/KKjie_safe.exe                 win10v2004-20240226-en
behavioral13  $PLUGINSDIR/Banner.dll                 win7-20240221-en
behavioral14  $PLUGINSDIR/Banner.dll                 win10v2004-20240226-en
behavioral15  $PLUGINSDIR/FindProcDLL.dll            win7-20240221-en
behavioral16  $PLUGINSDIR/FindProcDLL.dll            win10v2004-20240226-en
behavioral17  KKjie_safe.exe                         win7-20240221-en
behavioral18  KKjie_safe.exe                         win10v2004-20240226-en
behavioral19  KKjie_safe.dll                         win7-20240221-en
behavioral20  KKjie_safe.dll                         win10v2004-20240226-en
behavioral21  languages/Chinese.dll                  win7-20240221-en
behavioral22  languages/Chinese.dll                  win10v2004-20240226-en
behavioral23  xiezai.exe                             win7-20240221-en
behavioral24  xiezai.exe                             win10v2004-20240226-en
behavioral25  $PLUGINSDIR/FindProcDLL.dll            win7-20240221-en
behavioral26  $PLUGINSDIR/FindProcDLL.dll            win10v2004-20240226-en
behavioral27  $TEMPLATES/lianmena/tsoft.exe          win7-20240220-en
behavioral28  $TEMPLATES/lianmena/tsoft.exe          win10v2004-20240226-en
behavioral29  $TEMPLATES/lianmeng/tsoft.exe          win7-20240215-en
behavioral30  $TEMPLATES/lianmeng/tsoft.exe          win10v2004-20240226-en
behavioral31  $TEMPLATES/readme.exe                  win7-20240221-en
behavioral32  $TEMPLATES/readme.exe                  win10v2004-20240226-en
General

Target: ada83f24db805cdc68a240df31289f0a.exe
Size:   1.9MB
MD5:    ada83f24db805cdc68a240df31289f0a
SHA1:   f4764ab7b0f3d71dab22eb8d79f0588dbfdfe6cf
SHA256: 79e77a92e9fbc01a18c002abd63bd41f4b08970d747ff9283fa19217cf9284a9
SHA512: ae456c1c7b5ac4777a57d795ae9529ac562a121be3d88a99e99c641fb1532cd7efc35e0ed9ee5f1fe95202de29489b296d486e720006f166112b9b4c19d2ceac
SSDEEP: 49152:zBwuJEfEMI6LspCpN2kaydZ7UOiip2uxRr3R0L+ERW:NfkEELsg/jZniiRxAL5W
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  872   send.exe
  2564  Setup.exe

Loads dropped DLL (10 IoCs)
  pid   Process
  1612  ada83f24db805cdc68a240df31289f0a.exe
  872   send.exe
  872   send.exe
  872   send.exe
  872   send.exe
  1612  ada83f24db805cdc68a240df31289f0a.exe
  2564  Setup.exe
  2564  Setup.exe
  2564  Setup.exe
  2564  Setup.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

NSIS installer (9 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x00090000000143d1-2.dat    nsis_installer_1
  behavioral1/files/0x002c00000001450f-20.dat   nsis_installer_1
  behavioral1/files/0x002c00000001450f-20.dat   nsis_installer_2
  behavioral1/files/0x002c00000001450f-23.dat   nsis_installer_1
  behavioral1/files/0x002c00000001450f-23.dat   nsis_installer_2
  behavioral1/files/0x002c00000001450f-25.dat   nsis_installer_1
  behavioral1/files/0x002c00000001450f-25.dat   nsis_installer_2
  behavioral1/files/0x002c00000001450f-24.dat   nsis_installer_1
  behavioral1/files/0x002c00000001450f-24.dat   nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2564  Setup.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description                        pid   Process                                procid_target
  PID 1612 wrote to memory of 872    1612  ada83f24db805cdc68a240df31289f0a.exe   28
  PID 1612 wrote to memory of 872    1612  ada83f24db805cdc68a240df31289f0a.exe   28
  PID 1612 wrote to memory of 872    1612  ada83f24db805cdc68a240df31289f0a.exe   28
  PID 1612 wrote to memory of 872    1612  ada83f24db805cdc68a240df31289f0a.exe   28
  PID 1612 wrote to memory of 872    1612  ada83f24db805cdc68a240df31289f0a.exe   28
  PID 1612 wrote to memory of 872    1612  ada83f24db805cdc68a240df31289f0a.exe   28
  PID 1612 wrote to memory of 872    1612  ada83f24db805cdc68a240df31289f0a.exe   28
  PID 872 wrote to memory of 2516    872   send.exe                               29
  PID 872 wrote to memory of 2516    872   send.exe                               29
  PID 872 wrote to memory of 2516    872   send.exe                               29
  PID 872 wrote to memory of 2516    872   send.exe                               29
  PID 872 wrote to memory of 2516    872   send.exe                               29
  PID 872 wrote to memory of 2516    872   send.exe                               29
  PID 872 wrote to memory of 2516    872   send.exe                               29
  PID 1612 wrote to memory of 2564   1612  ada83f24db805cdc68a240df31289f0a.exe   30
  PID 1612 wrote to memory of 2564   1612  ada83f24db805cdc68a240df31289f0a.exe   30
  PID 1612 wrote to memory of 2564   1612  ada83f24db805cdc68a240df31289f0a.exe   30
  PID 1612 wrote to memory of 2564   1612  ada83f24db805cdc68a240df31289f0a.exe   30
  PID 1612 wrote to memory of 2564   1612  ada83f24db805cdc68a240df31289f0a.exe   30
  PID 1612 wrote to memory of 2564   1612  ada83f24db805cdc68a240df31289f0a.exe   30
  PID 1612 wrote to memory of 2564   1612  ada83f24db805cdc68a240df31289f0a.exe   30
Processes (process tree; indentation shows parent/child relationship)

[1] C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe"
    PID: 1612
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
        Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
        PID: 872
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\regsvr32.exe
            Command line: regsvr32 /s "C:\Program Files (x86)\Internet Explorer\Connection Wizard\TDAtOnce_Now.dll"
            PID: 2516

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
        Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
        PID: 2564
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 566B
MD5:      2c9e5a30a2c7e0edc427b6ea27899b52
SHA1:     dd9c07f9aaa2c0d4c56931eeb939f56b23a2b6cc
SHA256:   d9a9244e1bb26a65946c95878a07e62c5d251ad5b45b9b9ef809f0523c801602
SHA512:   21e1b642d1a3d656cbeb2cd2137792059fa056971a44f459e326353e44684489d3277464821296c24f144ddf1be85352d8771ba768adf1bff3bc30b05e70c74a

Filesize: 579B
MD5:      a920ab156c5b45efd3b7f3da5e20dda7
SHA1:     19df19c0093b110b47aeeac3a4125a32616dd7fe
SHA256:   41eb056acfbb8e3c1c4a5e50fe55b4ef0d6cc58514affb3ce3e0a40618d83649
SHA512:   89b2b42a41259410442b426b80c92d6af5b9e55a49139e717df88978fc3550d39363b1c1548494df38ecbc4694d45a1bded345ab1ad1e0711164279a30db4438

Filesize: 1.3MB
MD5:      86df01299e969a8a105f504a45a86188
SHA1:     3884636b59ce99cb1776a49000e7159f1c5e1621
SHA256:   1237a0e33c463217db96ff97f736cde21c84a010805ac3bd7a1937bab69f1360
SHA512:   02379a958915e547449b164099734db95c236431723212eb9c4480ddd6e4086b4d5dd50a5de77fd0773b7cbec474976ad401ea0f59f8912353eb8343d89851da

Filesize: 1.3MB
MD5:      8d6f541ff90cb471691963eb1225b011
SHA1:     62abcabb3d465aab78a8e2feb5a456560ddc0063
SHA256:   65e0a0404b6e3b7a780277837f6090fd7be711d328764b1ca15c2d43ee9cedf5
SHA512:   d1ade7b12e161abb78b9fc962e6e9975cda6f139a2d7c4f65a80515ccc7e64a52237c85f3ed1b7931fe6d329fd5391890a245de4eb09779daf2be6a6132de465

Filesize: 14KB
MD5:      107737e3282fefd85684f2fa3df6d1c3
SHA1:     3befbcae116a644ae28cebdc1d7dfe6be5c8ca5f
SHA256:   21042be362d4073053bffcc90511b3ecf77902243525b56bb159581b5ece43a0
SHA512:   439ac2f3066902e08d63dc3061f55063089857e765feb29fe47ba5819a9bebdff3fe2fe55fc8bfcfddb729d340f006ee95b5aa4422d712f9dcc07cc02ec410b4

Filesize: 4KB
MD5:      5ce60830e6db34a33f12be5018b21ca2
SHA1:     1a4f855b358884d0c67053ec606a5a68aadf75b8
SHA256:   8a039174ce882841a97df0871f94e22ebfc5111ac614eb05baf10cd1fd5d8c1a
SHA512:   e6590fc8c365e98c6eb59ffcfab6931423b0603ec68b5c10f38004b879c5f3af3ee05d89b88f6fc480236abc9af4945e3146e9017bbd94ca8deac02145b7d903

Filesize: 359KB
MD5:      54ebf9996a9c772296d713909a88b4c3
SHA1:     5abfbb6bd8e79773fe575fb9c5c26c30254c9532
SHA256:   a879172340d85623ab07f481b601ee67afddac49c77269521ce7e4c9e8bc3e0d
SHA512:   80ae97248adf191364003af1971425625ccd9f474b60af7be4b7223695b748c5f0993716de4bf9001c88348b9deda31f3c628a6796a26cddf95daffdf096bd3c

Filesize: 1.8MB
MD5:      a6f4051f7da492db1ea4096f2effd24c
SHA1:     e2c64323fb25429f2c0c39cce159b68b43989b6f
SHA256:   4ffc6508abc6b72a8b552f1ea9a9127c5c201b4e1e07b0918c3b46921dfd5563
SHA512:   5c108d871b6afc4c1494f9776583e2b02ff6359c0a8bd20ce207d27c95c92610b5f0cf4984d4b1b888a358633547836d344407b161bc156f25fc87771f2ae2ee

Filesize: 36KB
MD5:      5aa5f1c916bac1a35ebea267e7a4840f
SHA1:     1429790fa37313ddfece78c764992d21fa87b710
SHA256:   323501be982027bc5b18fbb1c8ee94d0219c02665003f91b7a75dc57e1c6a700
SHA512:   7da1ec129f6ffdd028a6d5e31b7b8474c560004e919b88956596bc4497d686f652c86029cc6477860a531c76e1b23170d181b8b31a2b71aa7c411dea7f9c8493