e2d1396e68a7663d1b49d1679bdcecc88ee084595789285a3b07e29d27296a3e

Analysis

max time kernel
136s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

硕思闪客精灵.exe
Size

8.3MB
MD5

fa450d0813179d6bd841fdc6a88f2b53
SHA1

f208f71bd78bc8608f5e460a5f4f596fa2474d4b
SHA256

e2d1396e68a7663d1b49d1679bdcecc88ee084595789285a3b07e29d27296a3e
SHA512

3d184fb37f2090fc7083b6339899f90f95db94e0b097cc7a8aa1d2e569ec74e60de8142a0ffba1138b138ba7a4832dec7871d8fd20f68bb9d056f42148298c78
SSDEEP

98304:kbryTpxTk4V3rE25o188sgvi8a3KBiTc/X85o0ojZCmd2Hb33bGI8tp5S9ZhG3by:xtxTjgvudKX85I0m0LKIg+9ZhGZlFc7N

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
780	7za.exe
640	SWFDecompiler.exe

Loads dropped DLL 7 IoCs

pid	Process
640	SWFDecompiler.exe
640	SWFDecompiler.exe
640	SWFDecompiler.exe
640	SWFDecompiler.exe
640	SWFDecompiler.exe
640	SWFDecompiler.exe
640	SWFDecompiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
640	SWFDecompiler.exe
640	SWFDecompiler.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
640	SWFDecompiler.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 780	4204	硕思闪客精灵.exe	91
PID 4204 wrote to memory of 780	4204	硕思闪客精灵.exe	91
PID 4204 wrote to memory of 780	4204	硕思闪客精灵.exe	91
PID 4204 wrote to memory of 640	4204	硕思闪客精灵.exe	94
PID 4204 wrote to memory of 640	4204	硕思闪客精灵.exe	94
PID 4204 wrote to memory of 640	4204	硕思闪客精灵.exe	94
PID 640 wrote to memory of 4644	640	SWFDecompiler.exe	99
PID 640 wrote to memory of 4644	640	SWFDecompiler.exe	99

C:\Users\Admin\AppData\Local\Temp\硕思闪客精灵.exe
"C:\Users\Admin\AppData\Local\Temp\硕思闪客精灵.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  C:\Users\Admin\AppData\Local\Temp\7za.exe x C:\Users\Admin\AppData\Local\Temp\7ZS.7z -y -oC:\Users\Admin\AppData\Local\Temp\Release\
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Users\Admin\AppData\Local\Temp\Release\SWFDecompiler.exe
  C:\Users\Admin\AppData\Local\Temp\Release\SWFDecompiler.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.sothink.com/support/flash.htm
    3⤵
    PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1280,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=3840 /prefetch:8
1⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=2468,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=4816 /prefetch:1
1⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3832,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:1
1⤵
PID:1524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5416,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:1
1⤵
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5456,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:8
1⤵
PID:2144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5912,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:1
1⤵
PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6080,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=4824 /prefetch:1
1⤵
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5232,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=5200 /prefetch:8
1⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6232,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:1
1⤵
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6460,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=6476 /prefetch:8
1⤵
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
553KB

MD5
0d55ba3c5ca7f20522aba98ffc673004

SHA1
f2d49e1259aba91b5691d6280409258fa9ac6a10

SHA256
45b8f9918ce24da60273573fcdec3be5bc4156e337c4f475aaee7a4991ce4eae

SHA512
ac21d069461038949b19f27c85251fded3b6d8a718f8e9a0da26906c3a8c33eeafdb3dfce14833a3aa38c80a596d93a41ea24e735097676b46938bd1bc403fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\GldData.dll

Filesize
2.8MB

MD5
9262690d61f8812b4ddf144d1a67ea49

SHA1
eb2ce6993cdb8a6f04aca58f0b890a35825aef00

SHA256
cddd1d7797b705d6bcbccc3b2d35491f15af97ccf52cf4d65a2f10ba7902e343

SHA512
cacd102402befccc4e18b632c624eac612fced4d2882597f6aba90725b79ca718fb1d1a7df15560be0af971dd6257d87af762a76329340a06fa11bb9516c7ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\GraphPainter.dll

Filesize
1.9MB

MD5
e2a94ac1264bc409ae1cf93e40ae655e

SHA1
162c4816f3b0afd4eb6ccd34323a4331f275e7ff

SHA256
d637655f59c4e8bc39248195c04bf2c55531685aead8c3048a06ebb0ba666cdc

SHA512
95fcce46d06c267cd4ad1f59f5c7c57935b9f52d0d6f4cae5236ca52ca82c928878cc2d0aca9fc8c2de50bae8a71c5445dde1134692fb809424ddcefb4796e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\ImgMorphDXSupport.dll

Filesize
56KB

MD5
fa3f848add6c27085a07fa436e7a9827

SHA1
9fb55edebbfdc212f82f4711d813b5bbdddb1dbf

SHA256
7a8ee2511fa2f0abac2dfb739d50af6580e6d697e5c577d86c570058973f3a1b

SHA512
d136196fc73b5a6dc2f4aa227a4602cc1da666f714d7cbf7be1ee331c6d5d5a9fcd3138064365bb44ecee43594cff2aa56d659ace346590d8e9deb2e0f4a16be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\LGPL.txt

Filesize
50KB

MD5
9e298627a894a63d2bf4495f35cee284

SHA1
82415af518c4156215033bc997c9506289a64d42

SHA256
29cf795698483fda42d722fbd18712ed296bf3084d26932b34ce6c6dad7a597c

SHA512
24f8b861316636c6ff3bbb80c5f85d8c0bcceaf50f7791038ad660f4668131da7356c4c70e435dc8408c142656ae8a33eaddbfa7315ec445df8e38ad2a0d2a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\Lame.DLL

Filesize
309KB

MD5
97420212d070f724af851cd94442f689

SHA1
b0f548ee0cc15477fb1ff61355a5650ccf13605f

SHA256
1bb5c73d802fc513e38d53414676239cbe3c2658edede7cfd1a081aabe1c7665

SHA512
0fbe40d8199182b2a76514ff626baa138aceb926899e9e503911d347961d77d70f09fc31a9dca7b3ff8070381211593479857b9788573c0fd666b2b76dc56570

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\LangSwitch.exe

Filesize
79KB

MD5
78468542d4395c7487d0ef405ced1ac5

SHA1
a36dee3203cc7b192cc1e2f7697803c5b3840f99

SHA256
549b2f0bd007ab0dbc571373011d8aae161db18d3f5f33bfe688cecb19e3416a

SHA512
6bbf13244bbdbc33ad1c56b08b1eef3ae8370d43c01000662e3f2e8d09693d0860c7f5eadaf50b42a4a46f5c8ded43587650613f66eb663aadde03d22b0dd714

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\Languages\Chinese-simplified.txt

Filesize
115KB

MD5
396a0c5f87097d3f5d65efb7f3c3b3fb

SHA1
cceb439c11af3daca584116d3c25d618155e25d1

SHA256
c4f15c8d5ecfb0dc577f0e3a84100d0d5ce1cddf6acbaeb9d313489327597d75

SHA512
6395b6627fed7460725c719a5d86be6410210f011245776cbbe645de4837289236e98420875bdaf38edb523b73e35d07d1f3faaadbcaeda552b1119228d5e4ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\Languages\Languages.xml

Filesize
205B

MD5
ce1785f1ce3baf2ef15d9dd98ebc97b1

SHA1
75bd612bf3b289c28e56f5fa9d250609cc3fd503

SHA256
aac33b763df9b914b151995e5b1530d6f59190154f5235dd39968c87c165d416

SHA512
4ec4551f72876a6c38675bb77cb8f634510e8da44e29d81dfbc05c31864ac2ff79f1c2715a84a4dce048408b3267bd28c2754b7449ff2bf047272b6b24f5ee58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\Libsndfile.dll

Filesize
362KB

MD5
54395e2ea5cfc8283d624facac3d7ed4

SHA1
fb0e9bf6b4955917f3db0babab09314097bc1515

SHA256
558152428f4fa0fc0c91fc34070d6b5be8d6944cf049845ea00c37a22c526742

SHA512
40e29be5115c5fb83cc50919aea811a9ed7b6b49ef8ce540c0ff8dcdefe2486adec910c3c6adf3c6a2b9118e32b9b07532e055bb99c8d06ad84ff8f8aec5f5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\License.txt

Filesize
4KB

MD5
e3f25f24307d955622c1abfc828223d1

SHA1
db9be7f0ece3f7a0d0421d421cbdfb384c69c9c4

SHA256
6e2263721c92f3892ca4b8102e98b58c5aab8ef2bdb6907f9dd1293d1be4e8e0

SHA512
f49e9de492337db3fe3e9198b2ed8f243847d68e48aae0a9a305f1f84ad46e5a41e8bbb14a9855a9221cf7d5bd9860b57bb2be00818033e8909dc038429eed20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\Readme.txt

Filesize
30KB

MD5
899afcb385d8a579dd5170d5c7de7314

SHA1
0d4dee99622ecd47f7518090087789e61ef56e27

SHA256
8b93413d000b601e74e3baac8670ee260c02261ccee31becad75f9d3d809f17d

SHA512
3ddc6f1e76016a8f7e3ae8531d84358313af350aceff45f14b018937914a13be9fc61185359ed6ffac6ce484cfa89cff8114c55606785450ce51044f6f648370

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\SWFDecompiler.exe

Filesize
3.7MB

MD5
370db1cf98a0f0c334adc8af2bec9483

SHA1
b6146ec880ef141b7155314c922dcf7c9e8b9565

SHA256
568a8ea5062f482587f6401747b646433968799250467dc45081800a0e6ef7a5

SHA512
b75f657d325ab4a3ddb1db79829e7b53d1e92313e9f6c62dbac669763f292b1c4a3c97599034b1eccafe0f4f1e0d88e85861b71555412795c69134e3cf9e60a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\Tools\EXE2SWFExtractor.exe

Filesize
1.9MB

MD5
4f43642c6d5effed0e4499a5444704d6

SHA1
0d73d0187ff9922c6fcbb317e2ab008c1047a66e

SHA256
a54d7a8f6733f405c275aa7765dea9c4b0765c690df195cc24d8e82614dde209

SHA512
b3038ab9a3c741e110773c1e12dec8bbfbbc3a48d6ac18da91871820c9611ec63785fa57be911b7aaeeebd57b667be3487c88078f4a165add125998ef787a118

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\Tools\Languages\Chinese-simplified.txt

Filesize
1KB

MD5
b1b044be931ba9303fcf070a39a5edce

SHA1
81988417800c29b28eaaf5dde238395e89567ada

SHA256
71b7ffdc1fd8106b4244cef3f3e04d989672505eab1abfd2538ea9e910acaf78

SHA512
af998e35f000a98cbf879e153406bed114fa2d9aa17d897fc97bab5b7c4af9f7c3d235ed1f49b87c50d2ee1eff6c6c426225f08579b6344f0337e3cd4e4673db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\certdata.dat

Filesize
218KB

MD5
7e68fd47dcba9001eb5f406c773f6bc6

SHA1
18b645e696aea0b39cc4cd9cef2c52726156c279

SHA256
2bcf2e228677e925cef17051fd3cf951b30fe7ed69beea396f7f5e497c435898

SHA512
a91e66210ca409ac248a1832ba029bc420a284b63005a1ea89b06c3178683e3e9d658b6cb0299759497515ec8b7b2da41642a9e949c34e1d1ea86ec2237154a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\gdiplus.dll

Filesize
1.6MB

MD5
5e79b6ccd6ed8d1932ff52f54c2bede1

SHA1
6ba69225b5c0b3e69bc8413972a235568508ddeb

SHA256
7f9b6fb0db9bd2efe098a37bf39e96200b20a4c395c911ea8afb621bbf3fe2ea

SHA512
f3bb1a3e908670ff0a318270aed8363469ebee8208a6d77c30673827579e30a544e2f307e03afdb626bb85ce534c58a7d6c343cff06a810de9ad43dfca1b5688

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\gldDataLFStyleCtrl.dll

Filesize
3.8MB

MD5
7f02b4b1fdb84c0f6764384ba6bab1a0

SHA1
6f52ef3f0301d2c2e07d131fbfff83b26a587dd2

SHA256
343280e017f69c89eee9e169f21a4d16a925ca7a4f8334d63d9e1a6753059527

SHA512
c0e75b1bf10d915b8e9f4f41b4777bf5c99e5611e586e6acd3fc78e665231eac00fa23a2bd6aca96801e7f66b99e9f400ef4377e5c80347ae2fd203055dbd000

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\gldDataTransform.dll

Filesize
2.6MB

MD5
27e6e2c7871199d2497b3c8aa8e7b38f

SHA1
b00ddeca7e424e43908d8c84b985a6e48b99c291

SHA256
1986c081e721f363a60b04bd7e70cfa43975cdf6eb2d56249bb176d819bc8474

SHA512
0325219aba885740fddd495432023ebeeb6ef2860b9e979d9d030add601398918e52d32c2fa90a247a4a4c4fa2bb61fb5d7de55ae078d752ed5ac77f1dbd34bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\sprite.js

Filesize
21KB

MD5
73846f33424bf675b8baf66221189349

SHA1
b7b15d623c4aad3385da3252b0e5e7b251b1aa05

SHA256
cafbd59cd05cf0bf96bcbfae691913ac9d5f798f9fb43095b00b2f06e6eeeb6c

SHA512
8f49077d11a2a8906e83e9f60e07405334f42dbf8ac292f2f5e312ad67b2e096ed64980ef334ebab116e8c4fc4c7928b4dff1ec901677c9cf1f2eefa0836b4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\使用必看.txt

Filesize
501B

MD5
5723ae0d05fb1f4ea8903da2c1250c68

SHA1
0290750d32812f501f71cf587dd0765aeb9ed01e

SHA256
7038ba0d9d44e875e31be8cd7e450c88acdb3abdae7110d14438301479093ee9

SHA512
3604834690c71674391e144cde997d7ff88e808b88e292d1ba5d3768575151336e9a0d29597c15755fcc2cbfe085734b73c5e8c2d9e662d2626b5aa2a3482323

Download Submit
C:\Users\Admin\AppData\Local\Temp\autE84D.tmp

Filesize
7.4MB

MD5
5ef47cfa0be09a60c6b4b3da4d7ffcb2

SHA1
9248d534a6a6346755206170a03a5216738b8db4

SHA256
e5f745dd269b539f714d3d6bdb40cf380de4732d5496660df7a8de4528fa9121

SHA512
5ae5a15f560ebbe407150b515c993598300b5cfa6e770c403c947dfe0874ce5cbf70868f96cc7b16a0f8c173732cc96f1a56e2c950b39cc0a8f5b6cb904b57e6

Download Submit
memory/640-76-0x0000000002020000-0x0000000002084000-memory.dmp

Filesize
400KB

Download
memory/640-87-0x0000000000400000-0x00000000019E9000-memory.dmp

Filesize
21.9MB

Download
memory/640-78-0x0000000000400000-0x00000000019E9000-memory.dmp

Filesize
21.9MB

Download