Analysis
max time kernel: 135s
max time network: 145s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 14:37
Behavioral task behavioral1
Sample: setup阅览6056.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: setup阅览6056.exe
Resource: win10v2004-20240508-en

Behavioral task behavioral3
Sample: 表格32116.exe
Resource: win7-20240220-en

Behavioral task behavioral4
Sample: 表格32116.exe
Resource: win10v2004-20240508-en
General
Target: setup阅览6056.exe
Size: 1.3MB
MD5: c31fe2ec9986b848e5c2845a0a86cc96
SHA1: 890973203dbe9b858b56dcb95f322a73b1045ef5
SHA256: 264a0dfb60214f932c86546ce5f2c59f0354d08265d6ed1cffc74e0da881cb68
SHA512: f5895c92c9c685da924750615f9f330652b334fffb104ea493d78cdc46ecfcbb819b48ca600aeb0dee827f27f2d371e6263b9a79d6d51301f515bdcc665efbbf
SSDEEP: 24576:o9sj8qJc2q9jgt/aPvCoWdjEd3n82cYOCfa+ar9/wr5tCqKUpZuB2phRUg6ZoiD8:1Jg9yCnFWwX82cj+ax/05t62phsI
Malware Config
Signatures
resource                                                                    yara_rule
behavioral1/memory/2168-0-0x000000013FA30000-0x000000013FD25000-memory.dmp  vmprotect
behavioral1/memory/2168-2-0x000000013FA30000-0x000000013FD25000-memory.dmp  vmprotect
behavioral1/memory/2168-1-0x000000013FA30000-0x000000013FD25000-memory.dmp  vmprotect
behavioral1/memory/2168-6-0x000000013FA30000-0x000000013FD25000-memory.dmp  vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid   Process
2168  setup阅览6056.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2168  setup阅览6056.exe
2168  setup阅览6056.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
1196  Explorer.EXE

Suspicious use of WriteProcessMemory 1 IoCs
description                       pid   Process            procid_target
PID 2168 wrote to memory of 1196  2168  setup阅览6056.exe  21
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID: 1196

  C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2168