Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 14:37
Behavioral tasks
behavioral1: Sample setup阅览6056.exe, Resource win7-20240221-en
behavioral2: Sample setup阅览6056.exe, Resource win10v2004-20240508-en
behavioral3: Sample 表格32116.exe, Resource win7-20240220-en
behavioral4: Sample 表格32116.exe, Resource win10v2004-20240508-en
General
Target: setup阅览6056.exe
Size: 1.3MB
MD5: c31fe2ec9986b848e5c2845a0a86cc96
SHA1: 890973203dbe9b858b56dcb95f322a73b1045ef5
SHA256: 264a0dfb60214f932c86546ce5f2c59f0354d08265d6ed1cffc74e0da881cb68
SHA512: f5895c92c9c685da924750615f9f330652b334fffb104ea493d78cdc46ecfcbb819b48ca600aeb0dee827f27f2d371e6263b9a79d6d51301f515bdcc665efbbf
SSDEEP: 24576:o9sj8qJc2q9jgt/aPvCoWdjEd3n82cYOCfa+ar9/wr5tCqKUpZuB2phRUg6ZoiD8:1Jg9yCnFWwX82cj+ax/05t62phsI
Malware Config
Signatures

YARA rule matches (resource / yara_rule):
behavioral2/memory/4904-0-0x00007FF632040000-0x00007FF632335000-memory.dmp / vmprotect
behavioral2/memory/4904-1-0x00007FF632040000-0x00007FF632335000-memory.dmp / vmprotect
behavioral2/memory/4904-2-0x00007FF632040000-0x00007FF632335000-memory.dmp / vmprotect
behavioral2/memory/4904-5-0x00007FF632040000-0x00007FF632335000-memory.dmp / vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid 4904, Process setup阅览6056.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid 4904, Process setup阅览6056.exe (4 occurrences)

Suspicious use of UnmapMainImage (1 IoC)
pid 3396, Process Explorer.EXE

Suspicious use of WriteProcessMemory (1 IoC)
description: PID 4904 wrote to memory of 3396; pid 4904, Process setup阅览6056.exe, procid_target 56
Processes

1. C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 3396
   - Suspicious use of UnmapMainImage
   2. C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe (command line: "C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe"), PID 4904
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory