0f17ed61871ba102b6c81509b40b2f8bdc2c69f8c8892eb79bf8bd7f43b2b956

General

Target

极速音码4.3版.exe
Size

2.6MB
MD5

705cc717392ad313589b252947aef6a9
SHA1

4f76abc31e28e3b9b8e418d6a3ab6c3b2d65e859
SHA256

c47c4076bfcc44dae795a1ac587f85834d4e493fc13f58a3631d8ac7450fe8d1
SHA512

e57033f9433866dde72c20d74bf564dd8710bbf9b6096102091a8c502225e73d91c3661c4bf32186a3567fc5a0b9f85fdeb37602f3052b352ac541dfa8ae6424
SSDEEP

49152:dxa01KN5PmcsuUkPBUJtCY//x+wm2pSLiICmjvCXAzsWGSFOWf1j0Oeci:va012Vmc8kPYS2oLXjCks7SFnNo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2180	setup.exe
1584	is-HE0VJ.tmp

Loads dropped DLL 7 IoCs

pid	Process
1444	极速音码4.3版.exe
2180	setup.exe
2180	setup.exe
2180	setup.exe
2180	setup.exe
1584	is-HE0VJ.tmp
1584	is-HE0VJ.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1584	is-HE0VJ.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2180	1444	极速音码4.3版.exe	28
PID 1444 wrote to memory of 2180	1444	极速音码4.3版.exe	28
PID 1444 wrote to memory of 2180	1444	极速音码4.3版.exe	28
PID 1444 wrote to memory of 2180	1444	极速音码4.3版.exe	28
PID 1444 wrote to memory of 2180	1444	极速音码4.3版.exe	28
PID 1444 wrote to memory of 2180	1444	极速音码4.3版.exe	28
PID 1444 wrote to memory of 2180	1444	极速音码4.3版.exe	28
PID 2180 wrote to memory of 1584	2180	setup.exe	29
PID 2180 wrote to memory of 1584	2180	setup.exe	29
PID 2180 wrote to memory of 1584	2180	setup.exe	29
PID 2180 wrote to memory of 1584	2180	setup.exe	29
PID 2180 wrote to memory of 1584	2180	setup.exe	29
PID 2180 wrote to memory of 1584	2180	setup.exe	29
PID 2180 wrote to memory of 1584	2180	setup.exe	29

C:\Users\Admin\AppData\Local\Temp\极速音码4.3版.exe
"C:\Users\Admin\AppData\Local\Temp\极速音码4.3版.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\7zS37A4.tmp\setup.exe
  .\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\is-F12JJ.tmp\is-HE0VJ.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-F12JJ.tmp\is-HE0VJ.tmp" /SL4 $500F4 C:\Users\Admin\AppData\Local\Temp\7zS37A4.tmp\setup.exe 121458 50688
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS37A4.tmp\License.rtf

Filesize
5KB

MD5
aed9ba94e20e6687a1fb1c7a76b59b8e

SHA1
2142c0c749e264af09f07534305e1ff82e3372a0

SHA256
f20f87c2494a0a883acad5ae2dbe98a71916bacc8383d4cb76bdc11435ce5359

SHA512
97f0a57f15077f1baa9021fa075da55e3eb7f039da7fe38dce384856fb4a50ab36a1ed0f56b763d17c2e3c9d13e37b24689189345105e52412f7db3a3bcb34a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS37A4.tmp\ReadMe.rtf

Filesize
13KB

MD5
5a613ceff1bfd5dd5c3d609959993c2b

SHA1
580b48b3e8b4284e860c4640f0127b96f3bc0c4c

SHA256
7edd81934d0420bcd929f413ece4b9ae4a2b7923bac9cd13ee4c13cec08bcc34

SHA512
f42a54384baac8479ef1be9dcb90399ad1628e36355527626da3338082d34b1c5f254f4cd641cd54dd305d9d9c17cb88d21510f8a67bef09e38dd44b77a91a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS37A4.tmp\setup.ini

Filesize
1KB

MD5
aa3ea266eaad357e8a8c8c085a184690

SHA1
71c533913d27f7e59dae4e36d74015acb6717077

SHA256
f2dd3e21e456589365d680b6ff8367f7fe17f78fbc3757a986ad21c224464005

SHA512
8d4ea7212791705bd9f94402824217a77d1ce124cf52a4c07fe7da628719bb23f62f73f8fd667379d42c35e1978b449ed57dd641f5bafe5653da2cd79ea6e5b1

Download Submit
\Users\Admin\AppData\Local\Temp\7zS37A4.tmp\setup.exe

Filesize
327KB

MD5
c8312539183238da82cad059956be573

SHA1
e94b880a8bc82e04ea64c527fd80bae291edf31c

SHA256
d4584d5ce4110012c3c71f099d5684232da42618ef9a093440b60781879f0c7c

SHA512
37ae31434085ba9f94d22ba117fa2af4f9e769b19e338cd0248e37c633b4d94e3db9970a6a913f52c2744c0dfea0beccdf4c4a7d192bb7f709cf5188eedd60b3

Download Submit
\Users\Admin\AppData\Local\Temp\is-96F26.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-F12JJ.tmp\is-HE0VJ.tmp

Filesize
572KB

MD5
0d0622f7d2fd629455a028d7e1cb1c07

SHA1
82bdfc15f188241c535d7a42f0f95c99d0913bf4

SHA256
ab0982c120a65adc3aa898af09ad923c9b896edfc52f7d206798c5fdf59d8f5a

SHA512
eb5a930c1ba85b9cdb60a65fcead39592f7a1b87985d927580bbdb9f8682087291a4eac9f5b2f7c8d4aa7abff78ce8c53dd7285bd7be8572cb65ade906e8807a

Download Submit
memory/1584-392-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2180-375-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2180-391-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing