Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 14:37
Behavioral tasks

behavioral1: sample setup阅览6056.exe, resource win7-20240221-en
behavioral2: sample setup阅览6056.exe, resource win10v2004-20240508-en
behavioral3: sample 表格32116.exe, resource win7-20240220-en
behavioral4: sample 表格32116.exe, resource win10v2004-20240508-en
General

Target: 表格32116.exe (表格 is Chinese for "form" or "spreadsheet"; the companion sample name setup阅览6056.exe uses 阅览, "preview". Both are document-themed lure names.)
Size: 1.3MB
MD5: 0719269952aad2cd949db1a31b397e33
SHA1: 192a3a067bf20d949fa1118cd61565bcf0429c39
SHA256: e95424c1c5dd0e5a3e62dc4c70a44c28dbf87676a31b8aab3040d92e226dcf1d
SHA512: f2fd905c728548600e051b91350a5999542f0d3b7f54adca900c22f795a5f7f75dd3f65066c3ca1065866d4fbbda7e72ab993a4a66e38fe207ff8e832c8eaf73
SSDEEP: 24576:mT2s55UHvNiKR5VSfDJ1+6VyB6RYS3ZZ4YkolZHfR4gyhJDnouji97f:m587VS7lVZnjllR4gyhJDtjg7f

The signatures and process tree that follow are from behavioral4 (表格32116.exe on win10v2004-20240508-en); the sample ran as PID 4508 and Explorer.EXE as PID 3548.
Malware Config
(no entries)

Signatures

YARA rule match: vmprotect (5 IoCs)
All five hits are memory dumps of PID 4508 (表格32116.exe) covering the same mapped image range 0x00007FF68F280000-0x00007FF68F582000, i.e. the VMProtect markers are visible in the process image, not only on disk:
  behavioral4/memory/4508-0-0x00007FF68F280000-0x00007FF68F582000-memory.dmp  vmprotect
  behavioral4/memory/4508-1-0x00007FF68F280000-0x00007FF68F582000-memory.dmp  vmprotect
  behavioral4/memory/4508-2-0x00007FF68F280000-0x00007FF68F582000-memory.dmp  vmprotect
  behavioral4/memory/4508-5-0x00007FF68F280000-0x00007FF68F582000-memory.dmp  vmprotect
  behavioral4/memory/4508-6-0x00007FF68F280000-0x00007FF68F582000-memory.dmp  vmprotect
VMProtect's runtime is a likely source of the NtSetInformationThreadHideFromDebugger call and the processor-name check recorded below; expect static analysis of the file to show virtualized code rather than the payload logic.
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) by Explorer.EXE:
  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\微软OneDrive = "C:\\Users\\Public\\Documents\\laashmxh\\1716215920.lnk"
The value name 微软OneDrive reads "Microsoft OneDrive" (微软 = Microsoft) and is chosen to blend in with OneDrive's own HKCU Run entry. Three details separate it from the real thing: the target is a .lnk rather than OneDrive.exe, it sits in the world-writable C:\Users\Public\Documents\ under a random-looking directory (laashmxh), and the file name 1716215920 is a Unix timestamp (2024-05-20 14:38:40 UTC, about a minute after submission), so the name is generated at run time and will differ per infection. The write is performed by Explorer.EXE, which the sample had already written into (see WriteProcessMemory below), so the persistence is set by injected code rather than by the sample's own process.
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by Explorer.EXE, in the order recorded: \??\N: \??\P: \??\S: \??\Z: \??\J: \??\E: \??\I: \??\K: \??\L: \??\O: \??\R: \??\U: \??\B: \??\X: \??\M: \??\Q: \??\T: \??\H: \??\V: \??\W: \??\Y: \??\G:
That is every letter from B: to Z: except C:, D: and F:, a brute-force sweep of drive letters rather than a query of the volumes that actually exist.
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
PID 4508 表格32116.exe
NtSetInformationThread with ThreadHideFromDebugger (information class 0x11) detaches the calling thread from debugger event delivery; it is a standard anti-debug step and is attributed here to the sample itself, before injection.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened by Explorer.EXE: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\
Key value queried by Explorer.EXE: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 4508 表格32116.exe (4 hits), PID 3548 Explorer.EXE (60 hits)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
PID 3548 Explorer.EXE: Token SeShutdownPrivilege (4 times) and Token SeCreatePagefilePrivilege (4 times), alternating.
Explorer.EXE adjusts these two privileges during normal operation as well, so on its own this entry is weak evidence; it matters here only because the same process is the injection target.
Suspicious use of SetWindowsHookEx (1 IoC)
PID 3548 Explorer.EXE

Suspicious use of UnmapMainImage (1 IoC)
PID 3548 Explorer.EXE

Suspicious use of WriteProcessMemory (1 IoC)
PID 4508 表格32116.exe wrote to memory of PID 3548 Explorer.EXE (procid_target 56)
This is the cross-process write that explains the rest of the report: every Explorer.EXE entry above (the Run key, the drive sweep, the CPU name lookup, the hook and the image unmap) is recorded after this write, so the shell is acting as host for the sample's injected code.
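The following script is an added example, not part of the Triage report or the sample: it re-parses the IoC strings quoted in this report (copied verbatim as constructed input) and applies the triage heuristics a practitioner would use on them. The scoring rules, the 20-letter drive-sweep threshold and the one-hour timestamp window are the author's assumptions, not Triage signatures.

```python
"""Re-triage of the sandbox IoCs above (added example; heuristics are assumptions)."""
import re
from datetime import datetime, timezone

# Constructed input: the strings below are copied from the report's Signatures section.
RUN_KEY_IOC = (r'\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000'
               r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\微软OneDrive'
               r' = "C:\\Users\\Public\\Documents\\laashmxh\\1716215920.lnk"')
DUMP_NAME = "behavioral4/memory/4508-0-0x00007FF68F280000-0x00007FF68F582000-memory.dmp"
DRIVE_IOCS = [f"File opened (read-only) \\??\\{c}: Explorer.EXE" for c in "NPSZJEIKLORUBXMQTHVWYG"]
WPM_IOC = "PID 4508 wrote to memory of 3548 4508 表格32116.exe 56"
FILE_SIZE_BYTES = int(1.3 * 1024 * 1024)          # "1.3MB" from the General section
SUBMITTED = datetime(2024, 5, 20, 14, 37, tzinfo=timezone.utc)

RUN_KEY_RE = re.compile(r'^(?P<key>\\REGISTRY\\.*?\\Run)\\(?P<name>[^=]+?) = "(?P<target>.*)"$')
DUMP_RE = re.compile(r"/memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                     r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
DRIVE_RE = re.compile(r"\\\?\?\\([A-Z]):")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_run_key(ioc):
    """Split a 'Set value (str)' IoC into key path, value name and (unescaped) target."""
    m = RUN_KEY_RE.match(ioc)
    if not m:
        raise ValueError("not a Run key IoC")
    return {"key": m["key"], "name": m["name"], "target": m["target"].replace("\\\\", "\\")}


def run_key_findings(entry, submitted, window_s=3600):
    """Assumed heuristics that make a Run value look like malware persistence."""
    name, target = entry["name"], entry["target"]
    low = target.lower()
    findings = []
    if "onedrive" in name.lower() and not low.endswith("onedrive.exe"):
        findings.append("value name impersonates OneDrive but target is not OneDrive.exe")
    if low.startswith("c:\\users\\public\\"):
        findings.append("target lives under the world-writable C:\\Users\\Public")
    if low.endswith(".lnk"):
        findings.append("target is a .lnk, so the real command line is hidden in the shortcut")
    stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if re.fullmatch(r"\d{10}", stem):                 # 10-digit name: try it as a Unix timestamp
        ts = datetime.fromtimestamp(int(stem), tz=timezone.utc)
        if abs((ts - submitted).total_seconds()) <= window_s:
            findings.append(f"file name is a Unix timestamp {ts:%Y-%m-%d %H:%M:%S} UTC "
                            "within an hour of submission, i.e. generated at run time")
    return findings


def parse_dump_name(name):
    """Pull pid, dump index and mapped range out of a Triage memory dump name."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError("not a memory dump name")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def region_size(dump):
    return dump["end"] - dump["start"]


def image_to_file_ratio(dump, file_size):
    """Mapped image much larger than the file hints (not proves) at run-time unpacking."""
    return region_size(dump) / file_size


def swept_drive_letters(iocs):
    return sorted({m.group(1) for ioc in iocs for m in [DRIVE_RE.search(ioc)] if m})


def is_drive_sweep(letters, threshold=20):
    """Assumed threshold: a brute-force sweep touches nearly every letter."""
    return len(letters) >= threshold


def injection_edge(ioc):
    """(source pid, target pid) from a WriteProcessMemory IoC."""
    m = WPM_RE.search(ioc)
    if not m:
        raise ValueError("not a WriteProcessMemory IoC")
    return int(m.group(1)), int(m.group(2))


def summarize():
    entry = parse_run_key(RUN_KEY_IOC)
    dump = parse_dump_name(DUMP_NAME)
    return {
        "run_key_findings": run_key_findings(entry, SUBMITTED),
        "vmprotect_region_bytes": region_size(dump),
        "image_to_file_ratio": round(image_to_file_ratio(dump, FILE_SIZE_BYTES), 2),
        "drive_sweep": is_drive_sweep(swept_drive_letters(DRIVE_IOCS)),
        "injection": injection_edge(WPM_IOC),
    }


if __name__ == "__main__":
    for k, v in summarize().items():
        print(f"{k}: {v}")
```

The timestamp check is the part worth keeping in a hunt: a Run value whose file name decodes to a time close to first-seen is a per-infection artifact, so hunt on the value name and the directory pattern rather than on the exact path.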
Processes

1. C:\Windows\Explorer.EXE (PID 3548)
   command line: C:\Windows\Explorer.EXE
   - Adds Run key to start application
   - Enumerates connected drives
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of UnmapMainImage

   2. C:\Users\Admin\AppData\Local\Temp\表格32116.exe (PID 4508)
      command line: "C:\Users\Admin\AppData\Local\Temp\表格32116.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

Explorer.EXE is the root of the tree only because the sandbox launches the sample from the shell. The behaviours listed under it are not the shell's own: they follow the sample's WriteProcessMemory into PID 3548, so the persistence (Run key), the drive sweep and the CPU check should be attributed to 表格32116.exe running inside Explorer.EXE.