Malware Analysis Report

2024-12-08 03:08

Sample ID 240510-pwd8paab79
Target installos.exe
SHA256 900490445c1e31cee6b8d0381d90911bd3ed818b9ea9da28d84abc5e50da6e37
Tags
upx privateloader bootkit loader persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

900490445c1e31cee6b8d0381d90911bd3ed818b9ea9da28d84abc5e50da6e37

Threat Level: Known bad

The file installos.exe was found to be: Known bad.

Malicious Activity Summary

upx privateloader bootkit loader persistence

PrivateLoader

Checks BIOS information in registry

UPX packed file

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 12:40

Signatures

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 12:40

Reported

2024-05-10 12:43

Platform

win7-20240221-en

Max time kernel

141s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\installos.exe"

Signatures

PrivateLoader

loader privateloader

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~SYLvWQWuN\SGIYX.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\~SYLvWQWuN\SGIYX.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Users\Admin\AppData\Local\Temp\installos.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell\open C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.GHO\ = "GHOFile" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\ = "Gho映像文件" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.WIM C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell\open C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.GHO C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell\open C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\installos.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell\open\command C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell\open\command C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\ = "WIM映像文件" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\installos.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ESD C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ESD\ = "ESDFile" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WIM\ = "WIMFile" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell\open\command C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\ = "ESD映像文件" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\installos.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\installos.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\installos.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\installos.exe

"C:\Users\Admin\AppData\Local\Temp\installos.exe"

C:\Users\Admin\AppData\Local\Temp\~SYLvWQWuN\SGIYX.exe

C:\Users\Admin\AppData\Local\Temp\~SYLvWQWuN\SGIYX.exe -mohong

Network

Country Destination Domain Proto
US 8.8.8.8:53 msdnapi.pe8.com udp
US 8.8.8.8:53 pe.shanbotv.com udp
CN 58.218.215.168:80 msdnapi.pe8.com tcp
CN 101.35.194.246:1819 pe.shanbotv.com tcp
CN 58.218.215.168:80 msdnapi.pe8.com tcp

Files

memory/1736-0-0x0000000000400000-0x0000000005677000-memory.dmp

memory/1736-1-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\ntdll.dll

MD5 d124f55b9393c976963407dff51ffa79
SHA1 2c7bbedd79791bfb866898c85b504186db610b5d
SHA256 ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

C:\Windows\Temp\SGIRun.log

MD5 f4dad4f6728d82f72d560f53e5a57da6
SHA1 4f95583cb1c32bca8247fe99aeb83eabd49ff6ee
SHA256 81c653d997193317a73a09df22ae21c8ba1e19b1814b49a2f0a93e971fc78030
SHA512 2672f4d74c88bea21255334a7028fa1aceff754a635474b307fbf2e5fc5474247f345db5722e3bf348c890de4f3d7db6bfd586ea2aa190028bf25ce7aaeced86

\Users\Admin\AppData\Local\Temp\~SYLvWQWuN\SGIYX.exe

MD5 0cb9c0329fefacfd49c0f76c41c12b42
SHA1 35f3503e41adb04bb61fdc7a6a111b06522f8655
SHA256 173eea9ed8cfb54b85795b6de94dce01be1132ef7cfced9825a7632cb19c7c2d
SHA512 461140c9bcc6cbb46f0e827b6079775ffd68ff76a9ed5788baa20e373ce84a8dfaecc8ed60fa28392002551cbbdb4fda3c954290f8a3a281c31ad7ba91345d55

memory/2576-40-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1736-66-0x000000000C4B0000-0x000000000C4C0000-memory.dmp

memory/1736-69-0x0000000000400000-0x0000000005677000-memory.dmp

memory/1736-73-0x0000000000400000-0x0000000005677000-memory.dmp

memory/1736-77-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1736-78-0x0000000000400000-0x0000000005677000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 12:40

Reported

2024-05-10 12:43

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\installos.exe"

Signatures

PrivateLoader

loader privateloader

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\installos.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~SPwuHFPaV\SGIYX.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\installos.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\~SPwuHFPaV\SGIYX.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Users\Admin\AppData\Local\Temp\installos.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\installos.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\ = "Gho映像文件" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell\open\command C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell\open C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\ = "ESD映像文件" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell\open\command C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\installos.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WIM\ = "WIMFile" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ESD C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ESD\ = "ESDFile" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell\open C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ESDFile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\installos.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.GHO\ = "GHOFile" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell\open C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell\open\command C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\installos.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.GHO C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GHOFile C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.WIM C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WIMFile\ = "WIM映像文件" C:\Users\Admin\AppData\Local\Temp\installos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\installos.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\installos.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\installos.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\installos.exe

"C:\Users\Admin\AppData\Local\Temp\installos.exe"

C:\Users\Admin\AppData\Local\Temp\~SPwuHFPaV\SGIYX.exe

C:\Users\Admin\AppData\Local\Temp\~SPwuHFPaV\SGIYX.exe -mohong

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 msdnapi.pe8.com udp
US 8.8.8.8:53 pe.shanbotv.com udp
CN 101.35.194.246:1819 pe.shanbotv.com tcp
BE 88.221.83.203:443 www.bing.com tcp
CN 61.160.192.95:80 msdnapi.pe8.com tcp
US 8.8.8.8:53 203.83.221.88.in-addr.arpa udp
BE 88.221.83.203:443 www.bing.com tcp
CN 61.160.192.95:80 msdnapi.pe8.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

memory/4628-0-0x0000000000400000-0x0000000005677000-memory.dmp

memory/4628-1-0x0000000005830000-0x0000000005831000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~SPwuHFPaV\SGIYX.exe

MD5 0cb9c0329fefacfd49c0f76c41c12b42
SHA1 35f3503e41adb04bb61fdc7a6a111b06522f8655
SHA256 173eea9ed8cfb54b85795b6de94dce01be1132ef7cfced9825a7632cb19c7c2d
SHA512 461140c9bcc6cbb46f0e827b6079775ffd68ff76a9ed5788baa20e373ce84a8dfaecc8ed60fa28392002551cbbdb4fda3c954290f8a3a281c31ad7ba91345d55

memory/2648-34-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Windows\Temp\SGIRun.log

MD5 c5551e3cbdb93425f8ff4f5700cff8ff
SHA1 98f78efea5d1026c50dbdbf0c6942cfdc1180d6f
SHA256 ed5c3cf404607fc9b9839864d3e945c5dab4a793e6aad0afe96c1ff17504248c
SHA512 cc24f44aff75c9e57e9c3a4c119d030c4e43149195ba3a0c0c821c63d91c6dc319b63fe7dd3bdebf9455d742f4fa141357aa37bdcd44efe754ef51f0fe9182ed

memory/4628-61-0x0000000000400000-0x0000000005677000-memory.dmp

memory/4628-65-0x0000000000400000-0x0000000005677000-memory.dmp

memory/4628-69-0x0000000005830000-0x0000000005831000-memory.dmp

memory/4628-70-0x0000000000400000-0x0000000005677000-memory.dmp