b34cf1675a8b79c06301a9029e0c4b47d916bff0752e4b4cb289bf84f1912464

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

插件升级.exe
Size

148KB
MD5

76da6b8def232c26d12c0d7510d395cf
SHA1

7bc2bdb08a9ef794d5ab454e43e31f003f953b91
SHA256

1ad6475af8ddde5f8b1be0ace9c7bc9db6edf5ed37f47bc0056e68e53d17227a
SHA512

1de410712646b7f3ed2e07db834a62467ce7e54e5816e635c6e0102997448bf0364871fd17d28d2aa926abf8d06f26ebab5b7957d61ebd8a11b2a2083fa084e0
SSDEEP

3072:xG0l3R/FLkEmMePB3uyb5Y0d3XzeJiSZIkeUzlaw5SZIkeUzlawUi:U0PFxm3OiSdpaw5Sdpaw

Score

7^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 8 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral5/files/0x000600000001507a-64.dat	acprotect
behavioral5/files/0x00060000000153ee-578.dat	acprotect
behavioral5/files/0x0006000000015ae3-580.dat	acprotect
behavioral5/files/0x0006000000015c9a-600.dat	acprotect
behavioral5/files/0x0006000000015b50-593.dat	acprotect
behavioral5/files/0x0006000000015ca8-577.dat	acprotect
behavioral5/files/0x000600000001565a-570.dat	acprotect
behavioral5/files/0x0006000000015662-569.dat	acprotect

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsLib-E862D7FEA3037BA37E7E466DA0EA99D8.lnk	winbody.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.dll-d1f22018eb4333fa4d3b6158c5759a37.lnk	books.exe

Executes dropped EXE 3 IoCs

pid	Process
1748	winbody.exe
2364	books.exe
2988	books.exe

Loads dropped DLL 13 IoCs

pid	Process
2184	插件升级.exe
2184	插件升级.exe
2184	插件升级.exe
2364	books.exe
1748	winbody.exe
2988	books.exe
2988	books.exe
2988	books.exe
2988	books.exe
2988	books.exe
2988	books.exe
2988	books.exe
2988	books.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral5/files/0x0034000000013a53-10.dat	upx
behavioral5/memory/2364-34-0x0000000000370000-0x00000000003B1000-memory.dmp	upx
behavioral5/memory/2184-24-0x0000000000420000-0x0000000000461000-memory.dmp	upx
behavioral5/memory/2988-61-0x0000000000370000-0x00000000003B1000-memory.dmp	upx
behavioral5/files/0x000600000001507a-64.dat	upx
behavioral5/memory/2988-70-0x0000000074BF0000-0x0000000074EA3000-memory.dmp	upx
behavioral5/memory/2988-571-0x0000000074F40000-0x0000000074F58000-memory.dmp	upx
behavioral5/memory/2988-573-0x00000000749A0000-0x0000000074ABA000-memory.dmp	upx
behavioral5/files/0x00060000000153ee-578.dat	upx
behavioral5/files/0x0006000000015ae3-580.dat	upx
behavioral5/memory/2988-585-0x000000001E7A0000-0x000000001E7C7000-memory.dmp	upx
behavioral5/memory/2988-588-0x000000001E200000-0x000000001E27A000-memory.dmp	upx
behavioral5/memory/2988-599-0x0000000074970000-0x000000007498E000-memory.dmp	upx
behavioral5/memory/2988-602-0x000000001E800000-0x000000001E86E000-memory.dmp	upx
behavioral5/files/0x0006000000015c9a-600.dat	upx
behavioral5/memory/2364-596-0x0000000000370000-0x00000000003B1000-memory.dmp	upx
behavioral5/files/0x0006000000015b50-593.dat	upx
behavioral5/memory/2988-584-0x000000001E8C0000-0x000000001E8E1000-memory.dmp	upx
behavioral5/files/0x0006000000015ca8-577.dat	upx
behavioral5/files/0x000600000001565a-570.dat	upx
behavioral5/files/0x0006000000015662-569.dat	upx
behavioral5/memory/2988-1813-0x0000000074970000-0x000000007498E000-memory.dmp	upx
behavioral5/memory/2988-1809-0x000000001E200000-0x000000001E27A000-memory.dmp	upx
behavioral5/memory/2988-1797-0x00000000749A0000-0x0000000074ABA000-memory.dmp	upx
behavioral5/memory/2988-1782-0x0000000074BF0000-0x0000000074EA3000-memory.dmp	upx
behavioral5/memory/2364-1936-0x0000000000370000-0x00000000003B1000-memory.dmp	upx
behavioral5/memory/2988-1781-0x0000000000370000-0x00000000003B1000-memory.dmp	upx
behavioral5/memory/2988-1780-0x000000001E7A0000-0x000000001E7C7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsLib-E862D7FEA3037BA37E7E466DA0EA99D8 = "C:\\Users\\Admin\\AppData\\Roaming\\winbody.exe"	winbody.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windows.dll-d1f22018eb4333fa4d3b6158c5759a37 = "C:\\Users\\Admin\\AppData\\Roaming\\books.exe"	books.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1748	2184	插件升级.exe	28
PID 2184 wrote to memory of 1748	2184	插件升级.exe	28
PID 2184 wrote to memory of 1748	2184	插件升级.exe	28
PID 2184 wrote to memory of 1748	2184	插件升级.exe	28
PID 2184 wrote to memory of 2364	2184	插件升级.exe	29
PID 2184 wrote to memory of 2364	2184	插件升级.exe	29
PID 2184 wrote to memory of 2364	2184	插件升级.exe	29
PID 2184 wrote to memory of 2364	2184	插件升级.exe	29
PID 2364 wrote to memory of 2988	2364	books.exe	30
PID 2364 wrote to memory of 2988	2364	books.exe	30
PID 2364 wrote to memory of 2988	2364	books.exe	30
PID 2364 wrote to memory of 2988	2364	books.exe	30

C:\Users\Admin\AppData\Local\Temp\插件升级.exe
"C:\Users\Admin\AppData\Local\Temp\插件升级.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Roaming\winbody.exe
  "C:\Users\Admin\AppData\Roaming\winbody.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:1748
- C:\Users\Admin\AppData\Roaming\books.exe
  "C:\Users\Admin\AppData\Roaming\books.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Roaming\books.exe
    "C:\Users\Admin\AppData\Roaming\books.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI23642\_hashlib.pyd

Filesize
375KB

MD5
fe9d1b72e0d336a8066d80423b2c63f6

SHA1
f78c95d1b0a8bfdbaa2ec3f353c7b295708a316b

SHA256
4a5b0119a05582cb85c35995d3f18c1a429461583c5cd1f2fd95a93ed2afe4ff

SHA512
201fc2c0b938128e6041256e8263b6e0da1fe4befcd4d525a1952b1f6e58e08bf645323d06a516774a30ab80769412e2941acbdd49e6dddefb1c43b27a7878d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23642\books.exe.manifest

Filesize
964B

MD5
521b79738d97bf62ce8383bdbadf5912

SHA1
cc87ac6b29303df511fdf1bce93219aa97605141

SHA256
3fbd99c265f1ec78763b80bc2da92498a8274de921b98ce7b5935020daa9ce75

SHA512
ee6c8308ffbc05954be0adc5132fb3473888cf69e2f81dc00e7a5b4f70e3faac58141dc4d44b9114171ee614e12d7da76dab3940cf9db25c2ad8c19019b77a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23642\python27.dll

Filesize
880KB

MD5
6138016baaf592eec469d8c12ce4dc8f

SHA1
5c60a6678d5174bd9b5ee62af37fc9cdf1e4e66b

SHA256
97e3d69aee31bc6f3a2e42c37f5f71ce4847f95fed464f0009ad081e7d1046ef

SHA512
24455441e57fcc4b6b5f8a2086d6f56ec77549980f62fc028d00431db7d644a1cb008e7f8356873d701aa04caecf5c2d553fe708af10a5c0251d67f291077e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23642\pythoncom27.dll

Filesize
116KB

MD5
b5e816d9d5b082ea838ff3c92c17e4eb

SHA1
c9cf16f2e5cab843f630120a315ac0ee386b2bd8

SHA256
2608e2dc017887d806212d99ee35b22c2d1e2cfb1500a9e42dabccb55d15a00b

SHA512
302f7e62c1ed5beb84abac166223849286c45ad2b37fd71f2cc3ecc38deaf2ef0c0d4b729e92361f719ec5f5f1bfe8ee22cac91c46ae62718ede780969d56e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23642\pywintypes27.dll

Filesize
52KB

MD5
31e477b8317230a3d3b487cd7602415a

SHA1
f819b5c858db5fed1040a8576313917374ca944a

SHA256
021363d1945a8f1ec102bc29ecb32a11afa51023a42b4d951a9a50be5a2a42a9

SHA512
4f91f80c0d0cf671e637618b810c4e5cdc0699adce6b88ffa55058deb4fff98bdbb319712c6138e3692b9353ad33af9871abd643c63a791844653a9e980000d3

Download Submit
C:\ods.log

Filesize
39KB

MD5
ff2d27403477d717742291f0f2b894b1

SHA1
d1fa3b8a32ecc318707c6278a83a4de682b0cd81

SHA256
5f5e8e09c861fe9f5f02f6c6434c25f67529c9cbffea55554a3be60e0264e5bd

SHA512
640c4262141fd39c6f8ffa9f1293e9df34eaf2b64365372755a12cd12eb2f75c9cb1dd5068af5716b2206fd185bbc6ff17a09cf06636bdffc4e63f29c934300f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23642\_ctypes.pyd

Filesize
37KB

MD5
d7f2a6f8ceef96a76dc55064c1d0d065

SHA1
336d2ad30f77baf2382a6d8d13618ecf918dff24

SHA256
95203f4fa2bb28f83939a8666ea6c975c8123b906a2eccae7f6d75ad9c77a84b

SHA512
14929cfbbedf8359be1e373ba69553335c700deff1951ecfa7a2bd53cb4fe157bd5c5d626edd97fcdbb2f3aa3e91ab076d79172673924828e6f59698e82e904b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23642\bz2.pyd

Filesize
35KB

MD5
291f0811eb4a4a7df13b499c2d701623

SHA1
8ebcfc6f172fce8d4e03688ea6e42428c65f7c79

SHA256
5aa88b01d0f37d0b2652a17698ef0c003d2b4e87648e368c19c19766c4b68501

SHA512
18a36d8cf2eee44c8fbe7eb454f7aa78d88e51cd5382a158e1dd910c5a121275b45c7bf8f0629cee3a959db7a09d61ad7f0b4a58dc8e5347e6a028be7a1e3db0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23642\win32api.pyd

Filesize
34KB

MD5
96bc06d86df79fcb05915aa7e9e1ca76

SHA1
76f6f814869b2b1519c23f8dea96a67646c96882

SHA256
f66ee4eac6a46133597eb85a48b1caf10df74db817a96629629e33ac4e68ad57

SHA512
5ab22e797bf2cb83b620bc1f84b8e1e31f60973d92ac3ada829f66defbe9c63fc1c107422ffe5cd3042abd0ad36ec9c0c3149470026b8c9fcebe6e361e4adf92

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23642\win32com.shell.shell.pyd

Filesize
88KB

MD5
70b6a6e42eb081a629812393ab8b6dfc

SHA1
6d54a38b86ee4730fc6d24963ef56c8df95433c9

SHA256
6b6da79c99e28c32c7df3f85c96da029842fa0bcdbc20af08d4bc7644a772c36

SHA512
29873d11e596ebb95898be53f2e9ba2a7c2dadb9b5e51bdc89b9050f9beca574ebd855e5dd47ee88544028c4592c526f81308ff0f1906ea5fad7c97c7bb75b4f

Download Submit
\Users\Admin\AppData\Roaming\books.exe

Filesize
4.2MB

MD5
b346f27746c82026ddc8d6623bea4d5a

SHA1
b1eef214d93f2a5ff7e1b7b5022c2f1fea036e5a

SHA256
9a8abce9786e03261035da1aef1aa9fb1272a71ab73155ca9faabc435c8528f2

SHA512
2f017f37c95df0471b045ab283a127de18944a52ff702adde36cdac65a4b93f795c5755388bbb3aeb73b2f2e1506f5d8402398430ec7f07df5cf8a802fb754ef

Download Submit
\Users\Admin\AppData\Roaming\winbody.exe

Filesize
2.0MB

MD5
b195e7e16f89ac53a504c5b8d80fdf43

SHA1
042894b9486a0f04884a0b26ed4a486ad8c77ef0

SHA256
41d60178ee87a1eeee563c0935fe646ecacca616513c421799dd1d030c133f42

SHA512
aeef61ab25a0301ee1ff036c64ae2c6551d0425aa9a8d10f52535f8b02f6a8e666dc491c87a1e322f7f279eeb6d783da7340b2d585ef836527c429172b4c5af8

Download Submit
memory/1748-25-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download
memory/1748-16-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download
memory/1748-15-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download
memory/1748-18-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download
memory/1748-582-0x0000000000AF0000-0x0000000000DA5000-memory.dmp

Filesize
2.7MB

Download
memory/1748-19-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download
memory/1748-17-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download
memory/1748-587-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download
memory/1748-13-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download
memory/1748-66-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/1748-14-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download
memory/1748-9-0x0000000000AF0000-0x0000000000DA5000-memory.dmp

Filesize
2.7MB

Download
memory/1748-7755-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2184-583-0x0000000000420000-0x0000000000461000-memory.dmp

Filesize
260KB

Download
memory/2184-69-0x00000000031F0000-0x00000000034A5000-memory.dmp

Filesize
2.7MB

Download
memory/2184-6-0x00000000031F0000-0x00000000034A5000-memory.dmp

Filesize
2.7MB

Download
memory/2184-26-0x0000000000420000-0x0000000000461000-memory.dmp

Filesize
260KB

Download
memory/2184-24-0x0000000000420000-0x0000000000461000-memory.dmp

Filesize
260KB

Download
memory/2364-596-0x0000000000370000-0x00000000003B1000-memory.dmp

Filesize
260KB

Download
memory/2364-60-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/2364-1936-0x0000000000370000-0x00000000003B1000-memory.dmp

Filesize
260KB

Download
memory/2364-34-0x0000000000370000-0x00000000003B1000-memory.dmp

Filesize
260KB

Download
memory/2988-584-0x000000001E8C0000-0x000000001E8E1000-memory.dmp

Filesize
132KB

Download
memory/2988-588-0x000000001E200000-0x000000001E27A000-memory.dmp

Filesize
488KB

Download
memory/2988-70-0x0000000074BF0000-0x0000000074EA3000-memory.dmp

Filesize
2.7MB

Download
memory/2988-61-0x0000000000370000-0x00000000003B1000-memory.dmp

Filesize
260KB

Download
memory/2988-599-0x0000000074970000-0x000000007498E000-memory.dmp

Filesize
120KB

Download
memory/2988-602-0x000000001E800000-0x000000001E86E000-memory.dmp

Filesize
440KB

Download
memory/2988-1569-0x00000000003C0000-0x00000000003EB000-memory.dmp

Filesize
172KB

Download
memory/2988-571-0x0000000074F40000-0x0000000074F58000-memory.dmp

Filesize
96KB

Download
memory/2988-1813-0x0000000074970000-0x000000007498E000-memory.dmp

Filesize
120KB

Download
memory/2988-1809-0x000000001E200000-0x000000001E27A000-memory.dmp

Filesize
488KB

Download
memory/2988-1797-0x00000000749A0000-0x0000000074ABA000-memory.dmp

Filesize
1.1MB

Download
memory/2988-1782-0x0000000074BF0000-0x0000000074EA3000-memory.dmp

Filesize
2.7MB

Download
memory/2988-573-0x00000000749A0000-0x0000000074ABA000-memory.dmp

Filesize
1.1MB

Download
memory/2988-1781-0x0000000000370000-0x00000000003B1000-memory.dmp

Filesize
260KB

Download
memory/2988-1780-0x000000001E7A0000-0x000000001E7C7000-memory.dmp

Filesize
156KB

Download
memory/2988-585-0x000000001E7A0000-0x000000001E7C7000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads