885c8357f15159ce6dd37c13b1a7240da78a234844279492534639965d04b948

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AIR下载.exe
Size

7.4MB
MD5

d7c6a96daad7ce9718feb4aa4eaef4ac
SHA1

d66933a632350bced0ecff848117fcdf56defec7
SHA256

885c8357f15159ce6dd37c13b1a7240da78a234844279492534639965d04b948
SHA512

050edd902f036594e0803384511b2961662279c8cd318fd139a6fb7d7e992f6762191ddcbcfccae98491f5f9dad994fe465ad5860fd8a369bada958b8fbdadee
SSDEEP

196608:Xx5Y7l9hhMjFYrvZjNsN361iSjOXMJL4I+ekOKJMxgql/n1Dg:BEhmj8sN3qjOGLrTKuxgIO

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2936	Adobe AIR Installer.exe

Loads dropped DLL 5 IoCs

pid	Process
1932	AIR下载.exe
1932	AIR下载.exe
1932	AIR下载.exe
1932	AIR下载.exe
2936	Adobe AIR Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Adobe AIR Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Adobe AIR Installer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2936	Adobe AIR Installer.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2936	1932	AIR下载.exe	28
PID 1932 wrote to memory of 2936	1932	AIR下载.exe	28
PID 1932 wrote to memory of 2936	1932	AIR下载.exe	28
PID 1932 wrote to memory of 2936	1932	AIR下载.exe	28
PID 1932 wrote to memory of 2936	1932	AIR下载.exe	28
PID 1932 wrote to memory of 2936	1932	AIR下载.exe	28
PID 1932 wrote to memory of 2936	1932	AIR下载.exe	28

C:\Users\Admin\AppData\Local\Temp\AIR下载.exe
"C:\Users\Admin\AppData\Local\Temp\AIR下载.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\AIR8A74.tmp\Adobe AIR Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\AIR8A74.tmp\Adobe AIR Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AIR8A74.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll

Filesize
13.1MB

MD5
3dc7b1cde9d26c2d84aaa75062347783

SHA1
0b839c6adc517783ae145908436ef2c8a1b5bd37

SHA256
697ec93b002ef7e0e6d9922ff88d468d41cd56aebb2c43c1a892235139abf70c

SHA512
351c43814b118df5dfbcb2b6c2ab9c3987ef7526bccc1088ba165e1a66ed13ef7123e25ba31fe1b09cc3977bdb17c405c1f756a7c5e3fab1c1638ae71b13d30d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR8A74.tmp\setup.swf

Filesize
496KB

MD5
1fcf0884473c8833d5806dc556c50aa0

SHA1
dbb31d6c8d38b2ef68df3c4064576845fac921d9

SHA256
e941910b0fff4dbde533a361a68b1303752cf64bda68bb59d13cb90df3f140c8

SHA512
fbe32842ce16c59eb9feef0d00e2b877d52d22fa8699981194f0a657d5063061a9d519c5233160a6d0d3baed36655b69d9b5f2ec3e4aea9c4cf7e31c5e6699bd

Download Submit
\Users\Admin\AppData\Local\Temp\AIR8A74.tmp\Adobe AIR Installer.exe

Filesize
381KB

MD5
2aec293cc015d46ae68381ebf3cc73d8

SHA1
0a2f5e585b4854dfa0461d9f48ef002b064b59b4

SHA256
ab7c1484f834f290556c685980c0d315419ca213c5f360c7732c2f7b6e30a382

SHA512
62a9497c44877af655284878a40bb2f72e10775466734ca416b5bbf2d970aefd2fccfe4788cf3f811c3a7e6e1c613c7e6be652e5a5c1bc36379dc4f12afffdcd

Download Submit