Analysis

max time kernel: 149s
max time network: 140s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-04-2024 07:43

Static task: static1
Behavioral task: behavioral1
  Sample: 详情系统.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 详情系统.exe
  Resource: win10v2004-20240412-en
(The results on this page are from behavioral1, the Windows 7 x64 run.)

General
Target: 详情系统.exe (the file name is Chinese, roughly "Details System.exe"; it is kept as-is throughout)
Size: 2.5MB
MD5: cac20a183ef9a5b197b35fdb2909eff9
SHA1: 211c850a88b18a012f36e2917cee758e26b88422
SHA256: 845a305853710ebae7daeb42a7bd3638af0b0d62ed6b28cab345464e07ae6208
SHA512: 0315f0b8d0838b9e3e572e63f4a1bccb35fd5c22f9824124661179b9c6e72be5bfacc0f410033e025e23c840add866c22d8fecf870bb7dcb035b420ffc768c77
SSDEEP: 49152:YBkKZL6TWr4ukkiJpzqk9vMF2MFpuEAAWiQfIJ7DI:kkK3cukouE3UIt
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
PID 2436 v8_context_snapshot.exe
(The name mimics v8_context_snapshot.bin, a data file shipped with Chromium and Electron applications. Here it is an executable written to C:\ProgramData, so the familiar name is not a sign of a legitimate component.)
-
Loads dropped DLL 1 IoCs
PID 2292 详情系统.exe
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
v8_context_snapshot.exe (PID 2436) opened the root of 22 drive letters read-only, every letter except A:, C:, D: and F::
\??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 6: api.ipify.org
flow 7: api.ipify.org
-
Enumerates processes with tasklist 1 TTPs 5 IoCs
PIDs 2688, 1628, 1460, 2216, 488: tasklist.exe (five runs of tasklist /FI "IMAGENAME eq v8_context_snapshot.exe", one per pass of the batch loop shown in the process tree)
-
Runs ping.exe 1 TTPs 5 IoCs
PIDs 1636, 1988, 2012, 1416, 2708: PING.EXE (five runs of ping -n 31 127.0.0.1; pinging loopback 31 times is the usual batch-file substitute for a sleep of about 30 seconds, so this is the loop's delay, not network reconnaissance)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 2292 详情系统.exe: 24 hits
PID 2436 v8_context_snapshot.exe: 40 hits
(The table is capped at 64 rows, so these counts are lower bounds.)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
PID 2292 详情系统.exe, 35 rows, in this order: SeDebugPrivilege, then SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the unnamed LUIDs 31, 32, 33, 34, 35.
PID 2688 tasklist.exe, 1 row: SeDebugPrivilege (normal for tasklist).
PID 2436 v8_context_snapshot.exe, 28 rows: the same sequence as PID 2292, from SeDebugPrivilege through SeManageVolumePrivilege.
Reading: after an initial SeDebugPrivilege request, both the sample and its dropped copy walk the well-known privilege LUIDs in numerical order from 2 (SeCreateTokenPrivilege) upward, which is what an "enable every privilege in the token" loop over AdjustTokenPrivileges looks like. LUIDs 31 to 35 (SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege) appear only as numbers because the report does not resolve their names. The table is capped at 64 rows (35 + 1 + 28), so the list for PID 2436 is cut off at SeManageVolumePrivilege; that is a display limit, not evidence that the copy stopped there. AdjustTokenPrivileges can only enable privileges the token already holds, so which of these took effect depends on whether the sample ran elevated, which the report does not state.
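The privilege rows above are easier to reason about once they are grouped per process and mapped to LUIDs: a long contiguous run of LUIDs is a sweep, a lone SeDebugPrivilege is ordinary admin tooling. The script below is an added example written for this page, not sandbox code. It reproduces the 64 "Token:" rows from the table in the order shown (built from the 35-entry sequence the report lists for PID 2292), maps names to the well-known Windows privilege numbering (SE_CREATE_TOKEN_PRIVILEGE = 2 through SE_CREATE_SYMBOLIC_LINK_PRIVILEGE = 35 on Windows 7), and also parses the flattened "Token: <privilege> <pid> <image>" text as it appears on the page. The `min_run` threshold of 8 is an assumption chosen for this heuristic.

```python
"""Classify AdjustPrivilegeToken rows: targeted privilege grab vs. enable-all sweep.

Added example for this report, not sandbox code. ROWS reproduces the report's
64 "Token:" rows (privilege, PID, image) in the order shown on the page.
"""
import re

# Well-known privilege LUIDs: index + 2 == LUID (2 .. 35 on Windows 7).
WELL_KNOWN = [
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeLockMemoryPrivilege",
    "SeIncreaseQuotaPrivilege", "SeMachineAccountPrivilege", "SeTcbPrivilege",
    "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeProfileSingleProcessPrivilege",
    "SeIncreaseBasePriorityPrivilege", "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege", "SeDebugPrivilege",
    "SeAuditPrivilege", "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege",
    "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeSyncAgentPrivilege",
    "SeEnableDelegationPrivilege", "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeCreateGlobalPrivilege", "SeTrustedCredManAccessPrivilege", "SeRelabelPrivilege",
    "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege", "SeCreateSymbolicLinkPrivilege",
]
LUID = {name: i + 2 for i, name in enumerate(WELL_KNOWN)}
# The report abbreviates two names; accept both spellings.
REPORT_SPELLING = {"SeProfileSingleProcessPrivilege": "SeProfSingleProcessPrivilege",
                   "SeIncreaseBasePriorityPrivilege": "SeIncBasePriorityPrivilege"}
for canonical, short in REPORT_SPELLING.items():
    LUID[short] = LUID[canonical]

# Sequence the report shows for PID 2292: SeDebugPrivilege first, then LUIDs 2..30 by
# name and 31..35 as bare numbers (the report does not resolve those names).
SWEEP = (["SeDebugPrivilege"]
         + [REPORT_SPELLING.get(n, n) for n in WELL_KNOWN[:29]]
         + [str(n) for n in range(31, 36)])

# The 64 rows of the table: 35 for the sample, 1 for tasklist, 28 for the dropped copy
# (the copy's list is cut by the report's 64-row cap, not by the program).
ROWS = ([(p, 2292, "详情系统.exe") for p in SWEEP]
        + [("SeDebugPrivilege", 2688, "tasklist.exe")]
        + [(p, 2436, "v8_context_snapshot.exe") for p in SWEEP[:28]])

TOKEN_ROW = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_token_rows(text):
    """Parse the page's flattened 'Token: <privilege> <pid> <image>' rows."""
    return [(priv, int(pid), image) for priv, pid, image in TOKEN_ROW.findall(text)]


def to_luid(priv):
    """Map a privilege string (name or bare number) to its LUID, or None if unknown."""
    if priv.isdigit():
        return int(priv)
    return LUID.get(priv)


def longest_run(luids):
    """Longest run of consecutive integers in a set, as (start, end)."""
    best = (None, None)
    for start in sorted(luids):
        if start - 1 in luids:
            continue  # not the start of a run
        end = start
        while end + 1 in luids:
            end += 1
        if best[0] is None or end - start > best[1] - best[0]:
            best = (start, end)
    return best


def classify(rows, min_run=8):
    """Per PID: LUIDs requested, longest contiguous run, and a sweep verdict.

    A sweep is a long contiguous run of well-known LUIDs (enable-all loop); a
    single SeDebugPrivilege, as tasklist.exe shows, is a normal targeted request.
    min_run=8 is an assumed threshold for this heuristic.
    """
    per_pid = {}
    for priv, pid, image in rows:
        entry = per_pid.setdefault(pid, {"image": image, "luids": set(), "unresolved": []})
        luid = to_luid(priv)
        if luid is None:
            entry["unresolved"].append(priv)
        else:
            entry["luids"].add(luid)
    for entry in per_pid.values():
        start, end = longest_run(entry["luids"])
        entry["run"] = (start, end)
        entry["sweep"] = start is not None and end - start + 1 >= min_run
    return per_pid


if __name__ == "__main__":
    for pid, entry in classify(ROWS).items():
        print(pid, entry["image"], "run", entry["run"], "sweep" if entry["sweep"] else "targeted")
```

Run on the page's rows this reports PID 2292 with a run of 2 to 35 and PID 2436 with a run of 2 to 28 (both sweeps) and tasklist.exe with only LUID 20. On a live host the same logic applies to Sysmon or ETW token-adjustment events; the row cap is a report artefact, so feed it the full event stream there.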
Suspicious use of SetWindowsHookEx 2 IoCs
PID 2292 详情系统.exe
PID 2436 v8_context_snapshot.exe
(SetWindowsHookEx installs a message or input hook. Keyloggers use it to capture keystrokes, but GUI frameworks call it too, so on its own this only says that both the sample and its copy install a hook, not what the hook does.)
-
Suspicious use of WriteProcessMemory 54 IoCs
PID 2292 详情系统.exe wrote to: 2580 cmd.exe, 2436 v8_context_snapshot.exe
PID 2580 cmd.exe wrote to: 2688 tasklist.exe, 2780 find.exe, 2768 cmd.exe, 2708 PING.EXE, 1628 tasklist.exe, 2136 find.exe, 1636 PING.EXE, 1460 tasklist.exe, 1156 find.exe, 1988 PING.EXE, 2216 tasklist.exe, 2264 find.exe, 2012 PING.EXE, 488 tasklist.exe, 752 find.exe, 1416 PING.EXE
(The raw table lists each parent/child pair three times, 54 rows for 18 children; the trailing number in each raw row is the sandbox's sequential process index, not a PID. Every target is the writer's own freshly created child, which is consistent with ordinary process creation as seen by this hook, so these rows document the process tree rather than injection into an unrelated process.)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
(No IoC rows are attached to these three signatures: the report records that the interfaces were touched but shows no scheduled task name, no shadow-copy deletion and no vssadmin or WMI command line. Treat them as capability indicators to verify on a live host, not as observed persistence or anti-recovery actions.)
Processes

C:\Users\Admin\AppData\Local\Temp\详情系统.exe  "C:\Users\Admin\AppData\Local\Temp\详情系统.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2292

  C:\Windows\system32\cmd.exe  cmd /c C:\ProgramData\开机广告屏蔽.bat  (the batch file's name means "startup ad blocker.bat")
    - Suspicious use of WriteProcessMemory
    PID:2580

    C:\Windows\system32\tasklist.exe  tasklist /FI "IMAGENAME eq v8_context_snapshot.exe"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
      PID:2688
    C:\Windows\system32\find.exe  find /I /N "v8_context_snapshot.exe"
      PID:2780
    C:\Windows\system32\cmd.exe  cmd /C C:\ProgramData\v8_context_snapshot.exe
      PID:2768
    C:\Windows\system32\PING.EXE  ping -n 31 127.0.0.1
      - Runs ping.exe
      PID:2708

    C:\Windows\system32\tasklist.exe  tasklist /FI "IMAGENAME eq v8_context_snapshot.exe"
      - Enumerates processes with tasklist
      PID:1628
    C:\Windows\system32\find.exe  find /I /N "v8_context_snapshot.exe"
      PID:2136
    C:\Windows\system32\PING.EXE  ping -n 31 127.0.0.1
      - Runs ping.exe
      PID:1636

    C:\Windows\system32\tasklist.exe  tasklist /FI "IMAGENAME eq v8_context_snapshot.exe"
      - Enumerates processes with tasklist
      PID:1460
    C:\Windows\system32\find.exe  find /I /N "v8_context_snapshot.exe"
      PID:1156
    C:\Windows\system32\PING.EXE  ping -n 31 127.0.0.1
      - Runs ping.exe
      PID:1988

    C:\Windows\system32\tasklist.exe  tasklist /FI "IMAGENAME eq v8_context_snapshot.exe"
      - Enumerates processes with tasklist
      PID:2216
    C:\Windows\system32\find.exe  find /I /N "v8_context_snapshot.exe"
      PID:2264
    C:\Windows\system32\PING.EXE  ping -n 31 127.0.0.1
      - Runs ping.exe
      PID:2012

    C:\Windows\system32\tasklist.exe  tasklist /FI "IMAGENAME eq v8_context_snapshot.exe"
      - Enumerates processes with tasklist
      PID:488
    C:\Windows\system32\find.exe  find /I /N "v8_context_snapshot.exe"
      PID:752
    C:\Windows\system32\PING.EXE  ping -n 31 127.0.0.1
      - Runs ping.exe
      PID:1416

  C:\ProgramData\v8_context_snapshot.exe  "C:\ProgramData\v8_context_snapshot.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2436

Reading the tree: the batch file is a watchdog. Each pass runs tasklist filtered to v8_context_snapshot.exe, pipes the output through find to test whether the name is present, launches C:\ProgramData\v8_context_snapshot.exe through cmd /C only when it is absent (that launcher appears in the first pass only), then pings loopback 31 times for a delay of about 30 seconds and repeats. Five passes at roughly 30 seconds each are consistent with the 149 s kernel run time. The report attributes the running copy, PID 2436, to 详情系统.exe (PID 2292) rather than to the cmd /C launcher (PID 2768), which recorded no child; whether the sample started its copy itself or the sandbox attributed the launch to it cannot be settled from this page. Either way the copy is the same 2.5 MB file as the sample (see Downloads), renamed to look like an Electron component.
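The same reading can be done mechanically, which is useful when the tree is larger or when hunting for the same watchdog pattern in endpoint telemetry. The script below is an added example written for this page, not sandbox code. EVENTS is transcribed from the Processes section (PID, parent PID, image, command line), with parent links taken from the report's own tree; the heuristic thresholds (three passes, identical delay) are assumptions for this example, and the delay estimate relies on ping sending one echo per second so that `ping -n N 127.0.0.1` waits roughly N-1 seconds.

```python
"""Rebuild the process tree from this report and flag the batch watchdog loop.

Added example for this report; not part of the sandbox output. EVENTS is
transcribed from the Processes section; parent links follow the report's tree.
"""
import re

# (pid, parent_pid, image, command line), in the report's process order.
EVENTS = [
    (2292, None, "详情系统.exe", r'"C:\Users\Admin\AppData\Local\Temp\详情系统.exe"'),
    (2580, 2292, "cmd.exe", r"cmd /c C:\ProgramData\开机广告屏蔽.bat"),
    (2688, 2580, "tasklist.exe", 'tasklist /FI "IMAGENAME eq v8_context_snapshot.exe"'),
    (2780, 2580, "find.exe", 'find /I /N "v8_context_snapshot.exe"'),
    (2768, 2580, "cmd.exe", r"cmd /C C:\ProgramData\v8_context_snapshot.exe"),
    (2708, 2580, "PING.EXE", "ping -n 31 127.0.0.1"),
    (2436, 2292, "v8_context_snapshot.exe", r'"C:\ProgramData\v8_context_snapshot.exe"'),
    (1628, 2580, "tasklist.exe", 'tasklist /FI "IMAGENAME eq v8_context_snapshot.exe"'),
    (2136, 2580, "find.exe", 'find /I /N "v8_context_snapshot.exe"'),
    (1636, 2580, "PING.EXE", "ping -n 31 127.0.0.1"),
    (1460, 2580, "tasklist.exe", 'tasklist /FI "IMAGENAME eq v8_context_snapshot.exe"'),
    (1156, 2580, "find.exe", 'find /I /N "v8_context_snapshot.exe"'),
    (1988, 2580, "PING.EXE", "ping -n 31 127.0.0.1"),
    (2216, 2580, "tasklist.exe", 'tasklist /FI "IMAGENAME eq v8_context_snapshot.exe"'),
    (2264, 2580, "find.exe", 'find /I /N "v8_context_snapshot.exe"'),
    (2012, 2580, "PING.EXE", "ping -n 31 127.0.0.1"),
    (488, 2580, "tasklist.exe", 'tasklist /FI "IMAGENAME eq v8_context_snapshot.exe"'),
    (752, 2580, "find.exe", 'find /I /N "v8_context_snapshot.exe"'),
    (1416, 2580, "PING.EXE", "ping -n 31 127.0.0.1"),
]

# ping -n N 127.0.0.1 sends N echoes to loopback one second apart: about N-1 seconds
# of delay. It is the standard "sleep" in batch files, which have no sleep command.
LOOPBACK_PING = re.compile(r"^ping\s+-n\s+(\d+)\s+127\.0\.0\.1\s*$", re.I)
TASKLIST_FILTER = re.compile(r'IMAGENAME\s+eq\s+"?([^"\s]+)', re.I)
POLL_TOOLS = ("tasklist.exe", "find.exe", "ping.exe")


def children(events, parent_pid):
    """Direct children of parent_pid, in report order."""
    return [e for e in events if e[1] == parent_pid]


def watched_image(events, cmd_pid):
    """Image name the loop polls for, read from its tasklist /FI filter."""
    for _, _, image, cmdline in children(events, cmd_pid):
        if image.lower() == "tasklist.exe":
            m = TASKLIST_FILTER.search(cmdline)
            if m:
                return m.group(1).lower()
    return None


def split_passes(child_events):
    """Cut a cmd.exe's child list into loop passes; each pass ends at a loopback ping."""
    passes, current = [], []
    for e in child_events:
        current.append(e)
        if LOOPBACK_PING.match(e[3]):
            passes.append(current)
            current = []
    if current:
        passes.append(current)
    return passes


def analyze_watchdog(events, cmd_pid):
    """Per pass: did it poll with tasklist|find, did it (re)launch the target,
    and how long is the delay implied by the ping count."""
    target = watched_image(events, cmd_pid)
    report = []
    for n, batch in enumerate(split_passes(children(events, cmd_pid)), 1):
        images = {e[2].lower() for e in batch}
        polled = "tasklist.exe" in images and "find.exe" in images
        relaunch = any(
            e[2].lower() not in POLL_TOOLS and target is not None and target in e[3].lower()
            for e in batch
        )
        m = LOOPBACK_PING.match(batch[-1][3])
        delay = int(m.group(1)) - 1 if m else None
        report.append({"pass": n, "polls": polled, "relaunch": relaunch, "delay_s": delay})
    return report


def is_watchdog(report, min_passes=3):
    """Heuristic (assumed thresholds): at least min_passes polls, each followed by
    the same loopback-ping delay."""
    return (len(report) >= min_passes
            and all(p["polls"] for p in report)
            and report[0]["delay_s"] is not None
            and len({p["delay_s"] for p in report}) == 1)


if __name__ == "__main__":
    passes = analyze_watchdog(EVENTS, 2580)
    for p in passes:
        print(p)
    print("watchdog:", is_watchdog(passes), "target:", watched_image(EVENTS, 2580))
```

On this report the result is five passes, a relaunch in the first pass only, and a 30-second period; the launched copy (PID 2436) does not appear among cmd.exe's children because the report hangs it under PID 2292. For live telemetry, substitute Sysmon event 1 records (ProcessId, ParentProcessId, Image, CommandLine) for EVENTS and key the analysis on every cmd.exe that spawns PING.EXE with a loopback target.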
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 327B
MD5: 9da00aa36143a44d51d004990538ebcf
SHA1: 41557831264f7e2abe0ba0d42e43462ae8f54d2b
SHA256: 02036c09d4ed7e889ec5111627868b37a0d144b5975b622de131437663b66358
SHA512: 440201d505863b3145d7ada1d50e3d355e88000f62d4717d1368e30a2dfdfd8d18ef8b3ea19f62a8e3497a5082e55048bd29eda9ef7f271d74b2012dda1be818
(The report does not name this file. Its size fits a short batch script such as the one run from C:\ProgramData, but the page does not confirm that identification.)

Filesize: 2.5MB
MD5: cac20a183ef9a5b197b35fdb2909eff9
SHA1: 211c850a88b18a012f36e2917cee758e26b88422
SHA256: 845a305853710ebae7daeb42a7bd3638af0b0d62ed6b28cab345464e07ae6208
SHA512: 0315f0b8d0838b9e3e572e63f4a1bccb35fd5c22f9824124661179b9c6e72be5bfacc0f410033e025e23c840add866c22d8fecf870bb7dcb035b420ffc768c77
(All four hashes are identical to the submitted sample's, so this dropped file is a byte-for-byte copy of 详情系统.exe. The only dropped executable the report names is C:\ProgramData\v8_context_snapshot.exe, so the sample copies itself under that name; one set of hashes covers both files.)