Analysis
max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 18/05/2024, 13:43
Behavioral tasks
behavioral1: sample 章鱼搜索破解版/unpacked.exe, resource win7-20231129-en
behavioral2: sample 章鱼搜索破解版/unpacked.exe, resource win10v2004-20240508-en
behavioral3: sample 章鱼搜索破解版/章鱼搜索破解版.exe, resource win7-20240419-en
behavioral4: sample 章鱼搜索破解版/章鱼搜索破解版.exe, resource win10v2004-20240426-en
General
Target: 章鱼搜索破解版/章鱼搜索破解版.exe
Size: 2.1MB
MD5: 7282d8f855392bc1e4a1068110260ebe
SHA1: ce39db42aad19127c64da58675c62847cd321e5d
SHA256: 4ce82ac6bf2f78c3f6a3d58e3961674a622f73160c0655af6e5994a2fe39972d
SHA512: 0253722b35c100c14d10ed24d46a3d2840612ecd7f3f1b2454cfea8d9e21552c29a24f42b5117d9e72626c2c5cdfd17bb8f37017720f35fd61eff64b741da382
SSDEEP: 24576:cbR5qCke9hWbpN2IIoprj1+EXtFiHQuDmCpYzg2FpbMm854hwXbk+V+O:cXqrWIIEXIoORpYz3K4
Malware Config
Signatures
YARA rule matches
resource: behavioral3/memory/3036-16-0x0000000000400000-0x000000000055BAED-memory.dmp, yara_rule: upx
resource: behavioral3/memory/3036-46-0x0000000000400000-0x000000000055BAED-memory.dmp, yara_rule: upx

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\btsearcher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\???????\\unpacked.dll tray"
process: unpacked.dll

Drops file in Windows directory (4 IoCs)
File created: C:\WINDOWS\Media\Desktop.ini:dbase.mdb (process: 章鱼搜索破解版.exe)
File opened for modification: C:\WINDOWS\Media\Desktop.ini:dbase.mdb (process: 章鱼搜索破解版.exe)
File opened for modification: C:\WINDOWS\Media\Desktop.ini:dbase.ldb (process: 章鱼搜索破解版.exe)
File created: C:\WINDOWS\Media\ActiveX.ocx (process: 章鱼搜索破解版.exe)

NTFS ADS (3 IoCs)
File created: C:\WINDOWS\Media\Desktop.ini:dbase.mdb (process: 章鱼搜索破解版.exe)
File opened for modification: C:\WINDOWS\Media\Desktop.ini:dbase.mdb (process: 章鱼搜索破解版.exe)
File opened for modification: C:\WINDOWS\Media\Desktop.ini:dbase.ldb (process: 章鱼搜索破解版.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
PID 2424, process: 章鱼搜索破解版.exe

Suspicious use of FindShellTrayWindow (1 IoC)
PID 3036, process: unpacked.dll

Suspicious use of SendNotifyMessage (1 IoC)
PID 3036, process: unpacked.dll

Suspicious use of SetWindowsHookEx (5 IoCs)
PID 2424, process: 章鱼搜索破解版.exe (1 occurrence)
PID 3036, process: unpacked.dll (4 occurrences)

Suspicious use of WriteProcessMemory (11 IoCs)
PID 2424 (章鱼搜索破解版.exe) wrote to memory of PID 3036, procid_target 28 (4 occurrences)
PID 2424 (章鱼搜索破解版.exe) wrote to memory of PID 2856, procid_target 31 (7 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe"
   PID: 2424
   - Drops file in Windows directory
   - NTFS ADS
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll
      command line: unpacked.dll
      PID: 3036
      - Adds Run key to start application
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
   2. C:\Windows\SysWOW64\regsvr32.exe
      command line: regsvr32 C:\WINDOWS\Media\ActiveX.ocx /s
      PID: 2856
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 243B
MD5: 2ae006985074e066e98832bb643c6714
SHA1: 964ab257b7802dcdcf2099209f8125254e504e5c
SHA256: bcd08e12ade691bc6e24faa4540d4519bd2f3a7fc9afaf5cc88b15474469c567
SHA512: d9c48e5760153fcaf44dcb38d57dad76cac2578691c53d14641ffaaf0a225e22dff66a65709419abb1a68a7a56bfecb7ae8eb2fd6d9ad25e16ca7a9bcbb9b61a

File 2
Filesize: 12B
MD5: a73431462998145c37a7b8da674bc0bb
SHA1: 8532ec2289490763fb304a88918bf74fa53dd716
SHA256: 12b90653bfe0d052d84ead17226688a5c5ce278f28128d5e36b0096c900dfa95
SHA512: 958a8d7b1c85a210010207f39da13f04b7c40d792bd9bf2f4ff27dc3a86ef3b7bc2d44dad1accc13e1bbc94a0a92dbdbcf79e694be04fc7c6b5554bd08a3c7f8