Overview (score 7)
Static (score 7)

Behavioral task scores by sample and platform (file names truncated as shown on the page):

sample                    platform             score
ada83f24db...0a.exe       windows7-x64         7
ada83f24db...0a.exe       windows10-2004-x64   7
$PLUGINSDI...er.dll       windows7-x64         1
$PLUGINSDI...er.dll       windows10-2004-x64   1
$TEMPLATES/Setup.exe      windows7-x64         7
$TEMPLATES/Setup.exe      windows10-2004-x64   7
$PLUGINSDI...ns.dll       windows7-x64         3
$PLUGINSDI...ns.dll       windows10-2004-x64   3
KKjie.exe                 windows7-x64         7
KKjie.exe                 windows10-2004-x64   7
$EXEDIR/KK...fe.exe       windows7-x64         1
$EXEDIR/KK...fe.exe       windows10-2004-x64   1
$PLUGINSDI...er.dll       windows7-x64         1
$PLUGINSDI...er.dll       windows10-2004-x64   1
$PLUGINSDI...LL.dll       windows7-x64         3
$PLUGINSDI...LL.dll       windows10-2004-x64   3
KKjie_safe.exe            windows7-x64         1
KKjie_safe.exe            windows10-2004-x64   1
KKjie_safe.dll            windows7-x64         1
KKjie_safe.dll            windows10-2004-x64   1
languages/Chinese.dll     windows7-x64         1
languages/Chinese.dll     windows10-2004-x64   1
xiezai.exe                windows7-x64         7
xiezai.exe                windows10-2004-x64   7
$PLUGINSDI...LL.dll       windows7-x64         3
$PLUGINSDI...LL.dll       windows10-2004-x64   3
$TEMPLATES...ft.exe       windows7-x64         1
$TEMPLATES...ft.exe       windows10-2004-x64   1
$TEMPLATES...ft.exe       windows7-x64         1
$TEMPLATES...ft.exe       windows10-2004-x64   1
$TEMPLATES/readme.exe     windows7-x64         7
$TEMPLATES/readme.exe     windows10-2004-x64   7

Analysis
max time kernel: 140s
max time network: 195s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/02/2024, 04:11
Behavioral tasks

task           sample                                  resource
behavioral1    ada83f24db805cdc68a240df31289f0a.exe    win7-20240221-en
behavioral2    ada83f24db805cdc68a240df31289f0a.exe    win10v2004-20240226-en
behavioral3    $PLUGINSDIR/Banner.dll                  win7-20240221-en
behavioral4    $PLUGINSDIR/Banner.dll                  win10v2004-20240226-en
behavioral5    $TEMPLATES/Setup.exe                    win7-20240221-en
behavioral6    $TEMPLATES/Setup.exe                    win10v2004-20240226-en
behavioral7    $PLUGINSDIR/InstallOptions.dll          win7-20240221-en
behavioral8    $PLUGINSDIR/InstallOptions.dll          win10v2004-20240226-en
behavioral9    KKjie.exe                               win7-20240221-en
behavioral10   KKjie.exe                               win10v2004-20240226-en
behavioral11   $EXEDIR/KKjie_safe.exe                  win7-20240221-en
behavioral12   $EXEDIR/KKjie_safe.exe                  win10v2004-20240226-en
behavioral13   $PLUGINSDIR/Banner.dll                  win7-20240221-en
behavioral14   $PLUGINSDIR/Banner.dll                  win10v2004-20240226-en
behavioral15   $PLUGINSDIR/FindProcDLL.dll             win7-20240221-en
behavioral16   $PLUGINSDIR/FindProcDLL.dll             win10v2004-20240226-en
behavioral17   KKjie_safe.exe                          win7-20240221-en
behavioral18   KKjie_safe.exe                          win10v2004-20240226-en
behavioral19   KKjie_safe.dll                          win7-20240221-en
behavioral20   KKjie_safe.dll                          win10v2004-20240226-en
behavioral21   languages/Chinese.dll                   win7-20240221-en
behavioral22   languages/Chinese.dll                   win10v2004-20240226-en
behavioral23   xiezai.exe                              win7-20240221-en
behavioral24   xiezai.exe                              win10v2004-20240226-en
behavioral25   $PLUGINSDIR/FindProcDLL.dll             win7-20240221-en
behavioral26   $PLUGINSDIR/FindProcDLL.dll             win10v2004-20240226-en
behavioral27   $TEMPLATES/lianmena/tsoft.exe           win7-20240220-en
behavioral28   $TEMPLATES/lianmena/tsoft.exe           win10v2004-20240226-en
behavioral29   $TEMPLATES/lianmeng/tsoft.exe           win7-20240215-en
behavioral30   $TEMPLATES/lianmeng/tsoft.exe           win10v2004-20240226-en
behavioral31   $TEMPLATES/readme.exe                   win7-20240221-en
behavioral32   $TEMPLATES/readme.exe                   win10v2004-20240226-en
General

Target: ada83f24db805cdc68a240df31289f0a.exe
Size: 1.9MB
MD5: ada83f24db805cdc68a240df31289f0a
SHA1: f4764ab7b0f3d71dab22eb8d79f0588dbfdfe6cf
SHA256: 79e77a92e9fbc01a18c002abd63bd41f4b08970d747ff9283fa19217cf9284a9
SHA512: ae456c1c7b5ac4777a57d795ae9529ac562a121be3d88a99e99c641fb1532cd7efc35e0ed9ee5f1fe95202de29489b296d486e720006f166112b9b4c19d2ceac
SSDEEP: 49152:zBwuJEfEMI6LspCpN2kaydZ7UOiip2uxRr3R0L+ERW:NfkEELsg/jZniiRxAL5W
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid    Process
  1656   send.exe
  3820   Setup.exe

Loads dropped DLL (2 IoCs)
  pid    Process
  1656   send.exe
  3820   Setup.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

NSIS installer (3 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000700000002320b-3.dat    nsis_installer_1
  behavioral2/files/0x000700000002320d-16.dat   nsis_installer_1
  behavioral2/files/0x000700000002320d-16.dat   nsis_installer_2

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid    Process                                procid_target
  PID 4632 wrote to memory of 1656   4632   ada83f24db805cdc68a240df31289f0a.exe   88
  PID 4632 wrote to memory of 1656   4632   ada83f24db805cdc68a240df31289f0a.exe   88
  PID 4632 wrote to memory of 1656   4632   ada83f24db805cdc68a240df31289f0a.exe   88
  PID 1656 wrote to memory of 3280   1656   send.exe                               92
  PID 1656 wrote to memory of 3280   1656   send.exe                               92
  PID 1656 wrote to memory of 3280   1656   send.exe                               92
  PID 4632 wrote to memory of 3820   4632   ada83f24db805cdc68a240df31289f0a.exe   90
  PID 4632 wrote to memory of 3820   4632   ada83f24db805cdc68a240df31289f0a.exe   90
  PID 4632 wrote to memory of 3820   4632   ada83f24db805cdc68a240df31289f0a.exe   90
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe (PID 4632)
          command line: "C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe"
          - Suspicious use of WriteProcessMemory

    [depth 2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe (PID 1656)
              command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\SysWOW64\regsvr32.exe (PID 3280)
                  command line: regsvr32 /s "C:\Program Files (x86)\Internet Explorer\Connection Wizard\TDAtOnce_Now.dll"

    [depth 2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe (PID 3820)
              command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
              - Executes dropped EXE
              - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads