Overview

Task scores (as shown on the report tabs; sample names are truncated in the source)
- Static: 10
- PO87453004...om.exe, windows7-x64: 3
- PO87453004...om.exe, windows10-2004-x64: 7
- $PLUGINSDI...em.dll, windows7-x64: 10
- $PLUGINSDI...em.dll, windows10-2004-x64: 3
- $PLUGINSDI...fo.dll, windows7-x64: 3
- $PLUGINSDI...fo.dll, windows10-2004-x64: 3
- $PLUGINSDI...gs.dll, windows7-x64: 3
- $PLUGINSDI...gs.dll, windows10-2004-x64: 3
- Spadestren...hr.app, macos-10.15-amd64: 3
Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 18:10
Tasks
- static1: static task
- behavioral1: PO874530040021 YIKANG INQUIRY.com.exe (resource win7-20240221-en)
- behavioral2: PO874530040021 YIKANG INQUIRY.com.exe (resource win10v2004-20240426-en)
- behavioral3: $PLUGINSDIR/System.dll (resource win7-20231129-en)
- behavioral4: $PLUGINSDIR/System.dll (resource win10v2004-20240508-en)
- behavioral5: $PLUGINSDIR/UserInfo.dll (resource win7-20240508-en)
- behavioral6: $PLUGINSDIR/UserInfo.dll (resource win10v2004-20240508-en)
- behavioral7: $PLUGINSDIR/nsDialogs.dll (resource win7-20240221-en)
- behavioral8: $PLUGINSDIR/nsDialogs.dll (resource win10v2004-20240508-en)
- behavioral9: Spadestrens/retouchr.app (resource macos-20240410-en)
General
- Target: PO874530040021 YIKANG INQUIRY.com.exe
- Size: 322KB
- MD5: 86a0fbc943d577f93faf00394997bb22
- SHA1: bc1bd20d88ce7f659dbab2752d670f8cce3ff8e3
- SHA256: b4834413f9bedbc2d64ba07d1401e4d1eb44a54adbca90bb79fc67bf03fa4ab5
- SHA512: c047b8a78a8513fa37a4147d45dfe92c3534693ab5394ee96d50090d71cd28097da09b409e4d00c0e5d6ef1451d29119156c80bd227d7eb5172ea8c7c3713c72
- SSDEEP: 6144:A9X0GAbjQDWloo891UylPBX6xuY6RzWBw39tASqEHSVI9AWKw133:G0t/looK1UABXTUI9/Kw133
Malware Config
Signatures
- Guloader,Cloudeye
  A shellcode-based downloader first seen in 2020.
- Loads dropped DLL (4 IoCs)
  Processes: PID 4088 PO874530040021 YIKANG INQUIRY.com.exe (4 events)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: PID 4088 PO874530040021 YIKANG INQUIRY.com.exe; PID 2324 PO874530040021 YIKANG INQUIRY.com.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 4088 PO874530040021 YIKANG INQUIRY.com.exe set thread context of PID 2324 PO874530040021 YIKANG INQUIRY.com.exe
- Drops file in Windows directory (2 IoCs)
  File opened for modification: C:\Windows\resources\0409\overanalysis\Nonmercenaries39.ini (by PO874530040021 YIKANG INQUIRY.com.exe)
  File opened for modification: C:\Windows\Fonts\Anthidium.Sel114 (by PO874530040021 YIKANG INQUIRY.com.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: PID 4088 PO874530040021 YIKANG INQUIRY.com.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 4088 PO874530040021 YIKANG INQUIRY.com.exe wrote to memory of PID 2324 PO874530040021 YIKANG INQUIRY.com.exe (5 events)
Processes
- Depth 1: "C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe" (PID 4088)
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Depth 2 (child of PID 4088): "C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe" (PID 2324)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
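The signatures and the process tree above record the same chain from several angles: PID 4088 spawns a second copy of its own image (PID 2324), writes to it five times, sets its thread context, and both processes call NtSetInformationThreadHideFromDebugger. Writing into a freshly spawned same-image child and then resetting its thread context is the canonical process-hollowing sequence, and that is what an analyst should pull out of the raw IoC lines rather than reading them one by one. The script below is an added example, not part of the Triage report or the sample; it correlates per-process API events into one finding. The event records are constructed here to mirror the report's IoC lines, and the event field names, the CROSS_PROCESS_APIS set and the verdict labels are this example's own assumptions, not a sandbox or EDR schema.

```python
"""Correlate sandbox process-event IoCs into a process-injection finding.

Added example (not the report's or the malware's code). Event records are
constructed to mirror the report's "wrote to memory of", "set thread context of",
MapViewOfSection and HideFromDebugger lines for PIDs 4088 and 2324.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input (assumed schema: pid, image, api, target, target_image).
EXE = r"C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe"
EVENTS = [
    {"pid": 4088, "image": EXE, "api": "LoadLibrary", "target": None},
    {"pid": 4088, "image": EXE, "api": "NtSetInformationThreadHideFromDebugger", "target": 4088},
    {"pid": 4088, "image": EXE, "api": "MapViewOfSection", "target": 4088},
    {"pid": 4088, "image": EXE, "api": "CreateProcess", "target": 2324, "target_image": EXE},
] + [
    {"pid": 4088, "image": EXE, "api": "WriteProcessMemory", "target": 2324} for _ in range(5)
] + [
    {"pid": 4088, "image": EXE, "api": "SetThreadContext", "target": 2324},
    {"pid": 2324, "image": EXE, "api": "NtSetInformationThreadHideFromDebugger", "target": 2324},
]

# APIs that matter only when the target is a *different* process (assumed list).
CROSS_PROCESS_APIS = {
    "WriteProcessMemory", "SetThreadContext", "MapViewOfSection",
    "NtMapViewOfSection", "CreateRemoteThread", "NtQueueApcThread",
}


@dataclass
class Finding:
    source_pid: int
    target_pid: int
    apis: frozenset          # cross-process APIs seen on this (source, target) pair
    same_image: bool         # target runs the same image as the source (hollowing hint)
    anti_debug_in_target: bool
    verdict: str


def correlate(events):
    """Group cross-process API events by (source, target) and classify each pair."""
    images = {}                      # pid -> image path, learned from any event
    pair_apis = defaultdict(set)     # (src, dst) -> set of cross-process APIs
    anti_debug = set()               # pids that hid their threads from debuggers

    for e in events:
        images.setdefault(e["pid"], e.get("image"))
        if e.get("target_image") is not None:
            images[e["target"]] = e["target_image"]
        if e["api"] == "NtSetInformationThreadHideFromDebugger":
            anti_debug.add(e["pid"])
        target = e.get("target")
        # In-process calls (target == pid), e.g. MapViewOfSection on itself, are not injection.
        if e["api"] in CROSS_PROCESS_APIS and target is not None and target != e["pid"]:
            pair_apis[(e["pid"], target)].add(e["api"])

    findings = []
    for (src, dst), apis in pair_apis.items():
        same_image = images.get(src) is not None and images.get(src) == images.get(dst)
        if {"WriteProcessMemory", "SetThreadContext"} <= apis:
            # Write + thread-context reset on a same-image child is process hollowing.
            verdict = "process hollowing (self-injection)" if same_image else "thread-context injection"
        elif "WriteProcessMemory" in apis:
            verdict = "cross-process memory write"
        else:
            continue
        findings.append(Finding(src, dst, frozenset(apis), same_image, dst in anti_debug, verdict))
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

On the constructed events this yields a single finding for 4088 -> 2324 with verdict "process hollowing (self-injection)", same image, and anti-debug set in the child; the five WriteProcessMemory lines collapse into one API in the pair's set, which is the point of correlating before alerting. The same-image check is what separates hollowing from generic remote injection, so keep the image path of the child (here taken from the CreateProcess record) even when the EDR feed already carries the API names.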
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11KB
  MD5: 4ca4fd3fbefa2f6e87e6e9ee87d1c0b3
  SHA1: 7cdbeb5ff2b14b86af04e075d0ca651183ea5df4
  SHA256: d09a8b3ade4ba4b7292c0b3da1bcb4b6c6e2012e0ccfd5e029a54af73a9e1b57
  SHA512: cf0f415a97fdc74568297fed4f1295d0d2aef487a308141144ef8d5f04c669ef4795c273e745b81065429adde113fcdedf4c22717a7aeef60fdcd8d4d46f97f8
- Filesize: 4KB
  MD5: 035bdb470a6807313bd005bd98341ffc
  SHA1: 5017d1e5a23f1c64594f737e6fccd519729c3b3e
  SHA256: 26fa900e3426b4dd272707e1aaf428b5ee06bdc2cc2bbaecdab6b54f11f38f27
  SHA512: f888baed5267b05b13722e839634254393aa99b2adf1a2ae6e799d3a901665e7ebda0fa1202db20a6765a8aff58e2ed6f4e822028be426db732eb10ec783aa05
- Filesize: 9KB
  MD5: eb2c74e05b30b29887b3219f4ea3fdab
  SHA1: 91173d46b34e7bae57acabdbd239111b5bcc4d9e
  SHA256: d253ca5aba34b925796777893f114cc741b015af7868022ab1db2341288c55ed
  SHA512: 1bb035260223ec585170f891c2624b9ae98671f225e74b913b40bb77b66e3b9c2016037bc8e4b0ae16367d82590a60a0a3bd95d05139ea2454f02020d1b54dae
- Filesize: 1KB
  MD5: d8282e5f6dbd0c2921c52069562e22b3
  SHA1: 6062e6a0dbf08b79b83301aaa4f47b30e9b24406
  SHA256: 81234a2404ceb2c66339a7f87083edd7781e5dd75ed90166a036befb04050472
  SHA512: 6a2954e3e15a7027d9ec206997f4db70c8eaa0e2b4c067e2b681191b405613d54ce861a97090c025d7e0a223c68635d7869c74e317d53edb724b0320eccde875