Analysis

- Max time kernel: 149s
- Max time network: 151s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240426-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 18/05/2024, 13:43
Behavioral tasks

- behavioral1: sample 章鱼搜索破解版/unpacked.exe, resource win7-20231129-en
- behavioral2: sample 章鱼搜索破解版/unpacked.exe, resource win10v2004-20240508-en
- behavioral3: sample 章鱼搜索破解版/章鱼搜索破解版.exe, resource win7-20240419-en
- behavioral4: sample 章鱼搜索破解版/章鱼搜索破解版.exe, resource win10v2004-20240426-en
General

- Target: 章鱼搜索破解版/章鱼搜索破解版.exe
- Size: 2.1MB
- MD5: 7282d8f855392bc1e4a1068110260ebe
- SHA1: ce39db42aad19127c64da58675c62847cd321e5d
- SHA256: 4ce82ac6bf2f78c3f6a3d58e3961674a622f73160c0655af6e5994a2fe39972d
- SHA512: 0253722b35c100c14d10ed24d46a3d2840612ecd7f3f1b2454cfea8d9e21552c29a24f42b5117d9e72626c2c5cdfd17bb8f37017720f35fd61eff64b741da382
- SSDEEP: 24576:cbR5qCke9hWbpN2IIoprj1+EXtFiHQuDmCpYzg2FpbMm854hwXbk+V+O:cXqrWIIEXIoORpYz3K4
Malware Config
Signatures

- YARA rule matches (resource: rule)
  - behavioral4/memory/4548-0-0x0000000000400000-0x000000000055BAED-memory.dmp: upx
  - behavioral4/memory/4548-29-0x0000000000400000-0x000000000055BAED-memory.dmp: upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Process unpacked.dll: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\btsearcher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\???????\\unpacked.dll tray"
- Drops file in Windows directory (2 IoCs)
  - Process 章鱼搜索破解版.exe: File created C:\WINDOWS\Media\Desktop.ini:dbase.mdb
  - Process 章鱼搜索破解版.exe: File created C:\WINDOWS\Media\ActiveX.ocx
- NTFS ADS (1 IoC)
  - Process 章鱼搜索破解版.exe: File created C:\WINDOWS\Media\Desktop.ini:dbase.mdb
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 1280 章鱼搜索破解版.exe (2 occurrences)
- Suspicious use of FindShellTrayWindow (1 IoC)
  - PID 4548 unpacked.dll
- Suspicious use of SendNotifyMessage (1 IoC)
  - PID 4548 unpacked.dll
- Suspicious use of SetWindowsHookEx (5 IoCs)
  - PID 1280 章鱼搜索破解版.exe (1 occurrence)
  - PID 4548 unpacked.dll (4 occurrences)
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 1280 (章鱼搜索破解版.exe) wrote to memory of PID 4548, target process id 82 (3 occurrences)
  - PID 1280 (章鱼搜索破解版.exe) wrote to memory of PID 4012, target process id 93 (3 occurrences)
Processes

- C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe (command line: "C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe"), PID 1280
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll (command line: unpacked.dll), PID 4548
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
  - Child: C:\Windows\SysWOW64\regsvr32.exe (command line: regsvr32 C:\WINDOWS\Media\ActiveX.ocx /s), PID 4012
Network
MITRE ATT&CK Enterprise v15
Downloads

- File 1
  - Filesize: 243B
  - MD5: 2ae006985074e066e98832bb643c6714
  - SHA1: 964ab257b7802dcdcf2099209f8125254e504e5c
  - SHA256: bcd08e12ade691bc6e24faa4540d4519bd2f3a7fc9afaf5cc88b15474469c567
  - SHA512: d9c48e5760153fcaf44dcb38d57dad76cac2578691c53d14641ffaaf0a225e22dff66a65709419abb1a68a7a56bfecb7ae8eb2fd6d9ad25e16ca7a9bcbb9b61a
- File 2
  - Filesize: 12B
  - MD5: e153e6f751d7b30640cff939cf299a8c
  - SHA1: d12c43a87b4d46ef1e3a3f8d6a4b645fe4c95dfb
  - SHA256: a55c223f4deab41e67cc1037efc6c5ef0c28c18e99861360cacbfa24b2ca84f1
  - SHA512: 2bbdbe683f323caad94c4b1252ae284a8a5ee2eaa5768b274757601f31dbf5f5b98c419e8075f6c3f9b8111727d1707da9be29c3e78b85bff5774928a7a93764