05ab33d6e6bb396e257db2ee43e60138114a3b130512e4a4d86c76b18de74462

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 13:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

隐藏分区挂载.exe
Size

901KB
MD5

c26657358ff8d4a91651ee1be57ff4eb
SHA1

3d9b59c6854ca5a2d5ebac1013b27b331250036f
SHA256

05ab33d6e6bb396e257db2ee43e60138114a3b130512e4a4d86c76b18de74462
SHA512

e7d59dd7eb20be9d25a3dbd72a8d08d480d3605262047f354b233c731d3da04ddb100e0e155c9f51c2f5e28ff6aa060902f316abf48d371daf0e9076a96eb650
SSDEEP

24576:jwowTtBsjRfY/S1IWuWxPxG61FtOCHMR7:jG2dgCIWuWfG61FoGMR7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	隐藏分区挂载器.EXE

Loads dropped DLL 1 IoCs

pid	Process
2976	隐藏分区挂载.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2644	隐藏分区挂载器.EXE
Token: SeIncBasePriorityPrivilege	2644	隐藏分区挂载器.EXE
Token: 33	2644	隐藏分区挂载器.EXE
Token: SeIncBasePriorityPrivilege	2644	隐藏分区挂载器.EXE
Token: 33	2644	隐藏分区挂载器.EXE
Token: SeIncBasePriorityPrivilege	2644	隐藏分区挂载器.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2644	2976	隐藏分区挂载.exe	28
PID 2976 wrote to memory of 2644	2976	隐藏分区挂载.exe	28
PID 2976 wrote to memory of 2644	2976	隐藏分区挂载.exe	28
PID 2976 wrote to memory of 2644	2976	隐藏分区挂载.exe	28

C:\Users\Admin\AppData\Local\Temp\隐藏分区挂载.exe
"C:\Users\Admin\AppData\Local\Temp\隐藏分区挂载.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\chxm1023\隐藏分区挂载器.EXE
  "C:\Users\Admin\AppData\Local\Temp\chxm1023\隐藏分区挂载器.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\chxm1023\隐藏分区挂载器.EXE

Filesize
609KB

MD5
b6c2334bf6556b47ea5697d488555cd1

SHA1
c46f02cf2bee8eaf4c2315c50a8fc53b9092fb35

SHA256
cf93ba79753facc8363b7fe815f47b651f42fe0ab0a6e3fc1bec22330d98651a

SHA512
becad79b89a384f266520d3cdc0944f62e9294b82f4391707b17d9bff70b5ff9cc5299912a5a359a214551c45e757648b1e1adabc09176ae10c9cfc4b23092cc

Download Submit
memory/2644-62-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2644-73-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2644-42-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/2644-55-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/2644-52-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/2644-56-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/2644-58-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/2644-57-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/2644-59-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/2644-60-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/2644-61-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2644-76-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2644-40-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2644-63-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/2644-69-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2644-66-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2644-67-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2644-68-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2644-65-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2644-70-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2644-71-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2644-72-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2644-64-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2644-74-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2644-75-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2976-38-0x0000000002A10000-0x0000000002B20000-memory.dmp

Filesize
1.1MB

Download