Resubmissions
20-05-2024 09:12
Analysis 240520-k6gpcach32 (7)
max time kernel: 46s
max time network: 50s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 09:12
Behavioral task: behavioral1
Sample: setup查6013.exe
Resource: win7-20240419-en
11 signatures
150 seconds
General
Target: setup查6013.exe
Size: 556KB
MD5: a765c3d97bf8f3d152e5717605d1e5f0
SHA1: e02a5e18b81292a41bd0fd54e06556df73d28022
SHA256: f35846a408f689f391e863d4aa60babebb770cf1be54603baaa2365144af9d1b
SHA512: cdf551c9639abf8cc07863b4d24b0721232e40731a1e0f3b74d2337f7fa39e4f4a39c2a627576337f031729c410eb966a2a2859220aafc1159a0b5c069841ba5
SSDEEP: 12288:y8AJRvlgwO7RVPFRS8dFdJxeJSVZB86ds4YojpgYW2YCd3lf2qiyWBM:yG15nIQm6drYopg3bWVj6BM
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/4456-2-0x00007FF630750000-0x00007FF630845000-memory.dmp | upx
behavioral2/memory/4456-0-0x00007FF630750000-0x00007FF630845000-memory.dmp | upx
behavioral2/memory/4456-2-0x00007FF630750000-0x00007FF630845000-memory.dmp | vmprotect
behavioral2/memory/4456-0-0x00007FF630750000-0x00007FF630845000-memory.dmp | vmprotect
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | Explorer.EXE
File opened (read-only) | \??\K: | Explorer.EXE
File opened (read-only) | \??\O: | Explorer.EXE
File opened (read-only) | \??\R: | Explorer.EXE
File opened (read-only) | \??\U: | Explorer.EXE
File opened (read-only) | \??\Z: | Explorer.EXE
File opened (read-only) | \??\G: | Explorer.EXE
File opened (read-only) | \??\M: | Explorer.EXE
File opened (read-only) | \??\N: | Explorer.EXE
File opened (read-only) | \??\P: | Explorer.EXE
File opened (read-only) | \??\V: | Explorer.EXE
File opened (read-only) | \??\Q: | Explorer.EXE
File opened (read-only) | \??\W: | Explorer.EXE
File opened (read-only) | \??\X: | Explorer.EXE
File opened (read-only) | \??\Y: | Explorer.EXE
File opened (read-only) | \??\S: | Explorer.EXE
File opened (read-only) | \??\T: | Explorer.EXE
File opened (read-only) | \??\B: | Explorer.EXE
File opened (read-only) | \??\E: | Explorer.EXE
File opened (read-only) | \??\H: | Explorer.EXE
File opened (read-only) | \??\J: | Explorer.EXE
File opened (read-only) | \??\L: | Explorer.EXE
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
4456 | setup查6013.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ | Explorer.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Explorer.EXE
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Explorer.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4456 | setup查6013.exe (4 identical entries)
3452 | Explorer.EXE (60 identical entries)
Suspicious use of AdjustPrivilegeToken (22 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3452 | Explorer.EXE (11 identical entries)
Token: SeCreatePagefilePrivilege | 3452 | Explorer.EXE (11 identical entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
3452 | Explorer.EXE
3452 | Explorer.EXE
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
3452 | Explorer.EXE
Suspicious use of WriteProcessMemory (1 IoC)
description | pid | Process | procid_target
PID 4456 wrote to memory of 3452 | 4456 | setup查6013.exe | 56
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3452
   - Enumerates connected drives
   - Checks processor information in registry
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
2. C:\Users\Admin\AppData\Local\Temp\setup查6013.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\setup查6013.exe"
   PID: 4456
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory