f80caf5db206827ff34ab87bac897372fb88ce3c960daed5c712ae2477847a74

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DAV播放器.exe
Size

1.6MB
MD5

4054852fa3242f97dc73d04dc7f7ae21
SHA1

e7f40c024253007f72bb3ee2767bebc9f0afadd1
SHA256

814d6698819acc711c3d420747ba2f008894f858c94e4fd00806b275841340fc
SHA512

b52b9b8ee077a4c5557157da961438b1e46f96f9619acd677fdf3b24271ffad76ee42f27abd66864b32b2567d3e1088626715a1a8e0540ec8de954a3378936cd
SSDEEP

49152:1SVsEGUrfyrO5zL6eu+6TZ5NobXPNm2u7wGffBQqyHY:1S2EG0KOi9/I18x2qy4

Score

7^/10

aspackv2 upx

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000b0000000233e3-15.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
3348	Player.exe

Loads dropped DLL 15 IoCs

pid	Process
3348	Player.exe
3348	Player.exe
3348	Player.exe
3348	Player.exe
3348	Player.exe
3348	Player.exe
3348	Player.exe
3348	Player.exe
3348	Player.exe
3348	Player.exe
3348	Player.exe
3348	Player.exe
3348	Player.exe
3348	Player.exe
3348	Player.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4748-0-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4748-121-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4748-123-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4748-125-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4748-126-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4748-128-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4748-130-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4748-132-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4748-134-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4748-136-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4748-138-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4748-140-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4748-142-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4748-144-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4748-146-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/4748-148-0x0000000000400000-0x00000000004B4000-memory.dmp	upx

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4748-121-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/4748-123-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/4748-125-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/4748-126-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/4748-128-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/4748-130-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/4748-132-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/4748-134-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/4748-136-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/4748-138-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/4748-140-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/4748-142-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/4748-144-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/4748-146-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/4748-148-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\davfile	Player.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\.mp4\ = "mp4file"	Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\open	Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New\\Player.exe\" \"%1\""	Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\davfile\shell\open\command	Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\shell\open\command	Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell	Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\davfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New\\Player.exe\" \"%1\""	Player.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\.mpeg\ = "mpegfile"	Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\DefaultIcon	Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dav\ = "davfile"	Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\shell	Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New\\Player.exe\" \"%1\""	Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon	Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\open\command	Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\shell\open	Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile	Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\New\\Player.exe,2"	Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dav	Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\davfile\shell	Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\davfile\shell\open	Player.exe
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\.mp4	Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file	Player.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\davfile\DefaultIcon	Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\davfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\New\\Player.exe,3"	Player.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\New\\Player.exe,1"	Player.exe
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\.mpeg	Player.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4748	DAV播放器.exe
4748	DAV播放器.exe
4748	DAV播放器.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3348	Player.exe
3348	Player.exe
3348	Player.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 3348	4748	DAV播放器.exe	85
PID 4748 wrote to memory of 3348	4748	DAV播放器.exe	85
PID 4748 wrote to memory of 3348	4748	DAV播放器.exe	85

C:\Users\Admin\AppData\Local\Temp\DAV播放器.exe
"C:\Users\Admin\AppData\Local\Temp\DAV播放器.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Users\Admin\AppData\Local\Temp\New\Player.exe
  C:\Users\Admin\AppData\Local\Temp\New\Player.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\New\AmrDll.dll

Filesize
156KB

MD5
df2b804ef07e625280296eea4b338b76

SHA1
d047b71e497758f4e204a1e626733b5c98e4791b

SHA256
62e9db73e3e4fb5329befa14ea8a6c3911d07acac0e1fc2766a08fb6f8b81576

SHA512
dd8a01f53fffb8f63f7246434829b420e434a6a9770f746d4bd310477cbadea2de284ecb4c3187726656bf699e8c3d7d6b1598c89f6b2b5959a15e3d046a2007

Download Submit
C:\Users\Admin\AppData\Local\Temp\New\Client.dll

Filesize
81KB

MD5
deba222ce51f5b8828f33876aaa5daa4

SHA1
b69229f4c84af21d802bf85fad56ec42ee43e500

SHA256
c7a7c651fb260ad86a251f81877a63130654a68f495d16332b909890723c1f57

SHA512
33a67c91329291f1967a4b0d546348aa940e91d4d59a309c9081ebaff12c1f1a075e0cd8fbfef23c187c7d1ef4d18e5e5b06f82cfd6848859d400f78e3e69ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\New\DllDeinterlace.dll

Filesize
48KB

MD5
8d3b62a4c04f5d00d3eb4dbc6445f7c3

SHA1
743a23a986cad77b043936f74772c891efa41708

SHA256
ecf16a6abdb777de4f45cbbf7eb491698c7947f2786f22c7590ea08b5ad869ce

SHA512
e0245f09aab7f4556c1edafa14cd18a879980c87c01e6bb7176fe24cdb9b239bbbe4053c4eb19b1204695114935d3f236dcad53ac474a3bd265a7da91b37c9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\New\Player.dll

Filesize
71KB

MD5
a3015801088d07f157245b47acc9e648

SHA1
0e3b01241c7421bdd739eddc196231d3684bd531

SHA256
0754e254e7b65a1145931f1e0a557a240ca50fc09f5ed6232d5677d7b9eab407

SHA512
eda1240a7c68188c0817247c0ff50e23b494619c1a9e37171fda2ae908bf6d87871e3ebd610601546084e5dc997d99a074c0095bc108729a8c1a57a85adf1e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\New\Player.exe

Filesize
1.6MB

MD5
8f8197bfb4a7a3e4722ac29a30edd5ac

SHA1
fb7e7bf7bf1bfac1116604a90d039dbe88867d8c

SHA256
37829a9598972c49a7e3f26f17db35f173c6f1d506b3bd1c457130644fe29eb9

SHA512
37eb0562860a6d012f16222a40f74276dfad02652d99cc7f0a473f942817b988407b580cecd0f2ecccbd8074879b014ba10e974a4b7d19def871c533bce827ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\New\decode.dll

Filesize
224KB

MD5
72136b840380c2e57dcee7d2b7db49fc

SHA1
1249264fc8849a9bf21f00621edf8874c4f4ebab

SHA256
0747ff507a30ea5634cb4c50f7f41ddd286945e938fc6e3d0ac2099e8540a40f

SHA512
a306ecf23c8bfc68db0cb5429fe49aa672f3a27f71b437c327fb654f80eb37c6eb3bb7c3974bfbacf348dd1cf54880fa6e88d78aa09bd442327518cff16b2c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\New\dhplay.dll

Filesize
372KB

MD5
9b3cb502468e54ab85efbe64cae2bbbe

SHA1
1d7c3fe062f7f695eeeebca3a48b81b9b48778d4

SHA256
a0acfea9393cb4f69bef3c4b6cfdd04f3772a5dff5061ec398c01aa92f6a3d95

SHA512
c7e0f3d445c74f7633d844273064bcb181b8e62de959078a00d82bd77cc04df38981a2bb834ff5f2ab987ca1d98124c82ea5e07ec2b64c2297f74df54080c754

Download Submit
C:\Users\Admin\AppData\Local\Temp\New\dllh264.dll

Filesize
288KB

MD5
6a30cb71634a90fe97fbbc1971eeffc8

SHA1
cce7dfe320b6b435a6c988a0d4aed7109d86e409

SHA256
f495b5f0e9a7c20324b1fc1275da8d62189338fb71b15edc728677acbb080054

SHA512
2369b28b9ac9522a40296798f08a250c61d8ba295dd4c01f5bb2eb56f211139b41fd2248b33a571301b5ef46fc6b8ee7f4d8d4c5e83a51ac2f5c815fa08fcea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\New\eng.ini

Filesize
1KB

MD5
82398c5de751dd5ed4254bf6da056c87

SHA1
97f07825076785d8210e41ab451fddfa3d0f4d22

SHA256
372c6ecf45f7fb12122026a27d086ee38a0c32aee7eb932356d890f01aea3d02

SHA512
c6484156724b4ba5f24c5f66804fdd590231f7167a38de5b97a757f9b407a11b154272bb99a3d02b767c65d0c3330bfae60c7f26de02a6147f7b4d69ce55a070

Download Submit
C:\Users\Admin\AppData\Local\Temp\New\mp4.dll

Filesize
204KB

MD5
257b3b6e987c7fc3933a7f4101c8b6fd

SHA1
f318535fbfb4bea6b38e2862df35695bf712884b

SHA256
4d17f4b83847cdc6839f1f0b3cd22569f9d426075bd66711a69dd71870ade102

SHA512
3b3f5ad29e50a2b5d986ab45a6c6bb5e082f2b2d918f935b23df632718591ca0ee5a21b4a8051ff97aa4ee799b16a85e3bc261338ead82c1d3762df55d05612e

Download Submit
C:\Users\Admin\AppData\Local\Temp\New\render.dll

Filesize
92KB

MD5
5640051b66bc1fe744c0e5e52c600b12

SHA1
1040ef229b01fc436612cdf3e043c77a0f39c0ec

SHA256
b7c0c800a22f8625f7a4b5ea01e3db42277c48e59600328e3ffa21af8bc83200

SHA512
dbd5828aef6c9b34af9cece9aca59960ce1ff3be5e315b3f422076bfb0ee7cda2ec420cf9a6efc6984785471b8b4f2acd8b078a8e3e8a838284aec94d6742281

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut32D9.tmp

Filesize
81KB

MD5
01e98de55cc91f62d407b0d84e3fa186

SHA1
c9eafa58bb4d31cc62e4b91b0aa5493e05c1f93d

SHA256
43a418bd94e2a06c5ce3ff2d86d577273a88955d0695c4743fc08479f3b7488f

SHA512
01f0a4c47a23efb6ab6c43f0da3722b2665c04f79d572c96e7dd7a5c7d0fbd452fbd7f89b11b9513c02ac7dbdde3b194c5899304a0e9c94e468edee71d4bd3f6

Download Submit
memory/3348-116-0x00000000008B0000-0x00000000008BD000-memory.dmp

Filesize
52KB

Download
memory/3348-122-0x0000000010000000-0x00000000100CE000-memory.dmp

Filesize
824KB

Download
memory/3348-95-0x0000000010000000-0x00000000100CE000-memory.dmp

Filesize
824KB

Download
memory/3348-113-0x0000000000F00000-0x0000000000F29000-memory.dmp

Filesize
164KB

Download
memory/3348-111-0x0000000000880000-0x000000000089A000-memory.dmp

Filesize
104KB

Download
memory/3348-108-0x0000000000E90000-0x0000000000EF4000-memory.dmp

Filesize
400KB

Download
memory/3348-94-0x0000000000DE0000-0x0000000000E15000-memory.dmp

Filesize
212KB

Download
memory/3348-119-0x0000000000F30000-0x0000000000F7B000-memory.dmp

Filesize
300KB

Download
memory/3348-97-0x0000000000E20000-0x0000000000E85000-memory.dmp

Filesize
404KB

Download
memory/4748-126-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4748-132-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4748-123-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4748-125-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4748-0-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4748-128-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4748-130-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4748-121-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4748-134-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4748-136-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4748-138-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4748-140-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4748-142-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4748-144-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4748-146-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4748-148-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download