Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 04/06/2024, 17:05
Behavioral tasks
- behavioral1: xp仿win7桌面主题/xp仿win7系列.exe (resource win7-20240221-en)
- behavioral2: xp仿win7桌面主题/xp仿win7系列.exe (resource win10v2004-20240426-en)
- behavioral3: $PLUGINSDIR/BrandingURL.dll (resource win7-20240508-en)
- behavioral4: $PLUGINSDIR/BrandingURL.dll (resource win10v2004-20240426-en)
- behavioral5: $PLUGINSDIR/InstallOptions.dll (resource win7-20240221-en)
- behavioral6: $PLUGINSDIR/InstallOptions.dll (resource win10v2004-20240426-en)
- behavioral7: $PLUGINSDIR/StartMenu.dll (resource win7-20240215-en)
- behavioral8: $PLUGINSDIR/StartMenu.dll (resource win10v2004-20240508-en)
- behavioral9: $WINDIR/$WINDIR/Resources/Themes/xpwin7ϵж.exe (resource win7-20240221-en)
- behavioral10: $WINDIR/$WINDIR/Resources/Themes/xpwin7ϵж.exe (resource win10v2004-20240508-en)
- behavioral11: $WINDIR/360ϵͳļ.exe (resource win7-20240215-en)
- behavioral12: $WINDIR/360ϵͳļ.exe (resource win10v2004-20240508-en)
- behavioral13: $WINDIR/Resources/Themes/Aero Ultimate7 RC4/Aero Ultimate7 RC4.dll (resource win7-20240508-en)
- behavioral14: $WINDIR/Resources/Themes/Aero Ultimate7 RC4/Aero Ultimate7 RC4.dll (resource win10v2004-20240426-en)
- behavioral15: $WINDIR/Resources/Themes/Aero Ultimate7 RC4/Shell/NormalColor/shellstyle.dll (resource win7-20240419-en)
- behavioral16: $WINDIR/Resources/Themes/Aero Ultimate7 RC4/Shell/NormalColor/shellstyle.dll (resource win10v2004-20240508-en)
- behavioral17: $WINDIR/system/360very.exe (resource win7-20240221-en)
- behavioral18: $WINDIR/system/360very.exe (resource win10v2004-20240426-en)
- behavioral19: $WINDIR/system32/drivers/360very.exe (resource win7-20240508-en)
- behavioral20: $WINDIR/system32/drivers/360very.exe (resource win10v2004-20240426-en)
- behavioral21: xp仿win7桌面主题/使用必读.url (resource win7-20240508-en)
- behavioral22: xp仿win7桌面主题/使用必读.url (resource win10v2004-20240508-en)
- behavioral23: xp仿win7桌面主题/华彩软件站.url (resource win7-20231129-en)
- behavioral24: xp仿win7桌面主题/华彩软件站.url (resource win10v2004-20240426-en)
General
- Target: $WINDIR/system32/drivers/360very.exe
- Size: 838KB
- MD5: 8bc025238d5921cec5236bad2771cb84
- SHA1: 2badb366b6b8860e01ebc4197fc2aa18ab531906
- SHA256: d3504485deaa6841364b79b108b4c485eb2107c2cd6837d548bec6eccedabc1b
- SHA512: 770cc6977fe944c0eb9e66c3c3f005996b4b9def559684c8fae1b0683b25c2b5165bf828f386b00115f39e3da81824f9111e4a366d262d53d8e7002fe8f38606
- SSDEEP: 12288:Ftl5O9IqNzv1MN5AKZhffsDgH006Ai8Ao/oscoHqxURcYEkVBnlEoY:95QMvAKZhffL006AFnjMSlFY
Malware Config
Signatures
Drops file in Drivers directory 2 IoCs
- File created C:\Windows\SysWOW64\drivers\360very.dll (360very.exe)
- File opened for modification C:\Windows\SysWOW64\drivers\360very.dll (360very.exe)
Deletes itself 1 IoCs
- PID 2168 cmd.exe
Yara rule matches 3 IoCs
- upx: behavioral19/memory/2032-0-0x0000000000400000-0x00000000004DB000-memory.dmp
- upx: behavioral19/files/0x0005000000019228-11.dat
- upx: behavioral19/memory/2032-83-0x0000000000400000-0x00000000004DB000-memory.dmp
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
- autoit_exe: behavioral19/memory/2032-83-0x0000000000400000-0x00000000004DB000-memory.dmp
Drops file in Windows directory 4 IoCs
- File opened for modification C:\windows\360系统垃圾文件清理.exe (360very.exe)
- File opened for modification C:\Windows\com.bat (360very.exe)
- File created C:\Windows\com.bat (360very.exe)
- File created C:\windows\360系统垃圾文件清理.exe (360very.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings 22 IoCs
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes (360very.exe)
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DEE9A856-7B51-4B58-8C8E-65BD76155FB8} (360very.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{DEE9A856-7B51-4B58-8C8E-65BD76155FB8} (360very.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://www.2548.cn/?zt7" (360very.exe)
- Key deleted \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes (360very.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DEE9A856-7B51-4B58-8C8E-65BD76155FB8}" (360very.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "0" (360very.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DEE9A856-7B51-4B58-8C8E-65BD76155FB8}\URL = "http://www.baidu.com/baidu?cl=3&tn=kzxf_pg&word={searchTerms}&ie={inputEncoding}" (360very.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes (360very.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\Version = "0" (360very.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{DEE9A856-7B51-4B58-8C8E-65BD76155FB8}\DisplayName = "百度搜索" (360very.exe)
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main (reg.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} (360very.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DEE9A856-7B51-4B58-8C8E-65BD76155FB8}\DisplayName = "百度搜索" (360very.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main (reg.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs (360very.exe)
- Key deleted \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} (360very.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes (360very.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DEE9A856-7B51-4B58-8C8E-65BD76155FB8}" (360very.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{DEE9A856-7B51-4B58-8C8E-65BD76155FB8}\URL = "http://www.baidu.com/baidu?cl=3&tn=kzxf_pg&word={searchTerms}&ie={inputEncoding}" (360very.exe)
- Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main (reg.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.2548.cn/?zt7" (reg.exe)
Modifies Internet Explorer start page 1 TTPs 2 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2548.cn/?zt7" (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.2548.cn/?zt7" (reg.exe)
Modifies registry class 5 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command (360very.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID (360very.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} (360very.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell (360very.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage (360very.exe)
Runs ping.exe 1 TTPs 1 IoCs
- PID 2964 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
- PID 2032 360very.exe
Suspicious use of FindShellTrayWindow 4 IoCs
- PID 2032 360very.exe (4 entries)
Suspicious use of SendNotifyMessage 4 IoCs
- PID 2032 360very.exe (4 entries)
Suspicious use of WriteProcessMemory 24 IoCs
- PID 2032 (360very.exe) wrote to memory of PID 1080, procid_target 28 (4 entries)
- PID 1080 (cmd.exe) wrote to memory of PID 2680, procid_target 30 (4 entries)
- PID 1080 (cmd.exe) wrote to memory of PID 1992, procid_target 31 (4 entries)
- PID 1080 (cmd.exe) wrote to memory of PID 2816, procid_target 32 (4 entries)
- PID 2032 (360very.exe) wrote to memory of PID 2168, procid_target 33 (4 entries)
- PID 2168 (cmd.exe) wrote to memory of PID 2964, procid_target 35 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\$WINDIR\system32\drivers\360very.exe (PID 2032)
  command line: "C:\Users\Admin\AppData\Local\Temp\$WINDIR\system32\drivers\360very.exe"
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1080)
    command line: cmd /c C:\Windows\com.bat
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2680)
      command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t reg_sz /d http://www.2548.cn/?zt7 /f
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
    - C:\Windows\SysWOW64\reg.exe (PID 1992)
      command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /t reg_sz /d http://www.2548.cn/?zt7 /f
      - Modifies Internet Explorer settings
    - C:\Windows\SysWOW64\reg.exe (PID 2816)
      command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Start Page" /t reg_sz /d http://www.2548.cn/?zt7 /f
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
  - C:\Windows\SysWOW64\cmd.exe (PID 2168)
    command line: C:\Windows\system32\cmd.exe /c ping 127.0.0.1 -n 3&del /q "C:\Users\Admin\AppData\Local\Temp\$WINDIR\system32\drivers\360very.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2964)
      command line: ping 127.0.0.1 -n 3
      - Runs ping.exe
Downloads
- Filesize: 488KB
  MD5: 3878cc22e9f121364300479e6ff3bd64
  SHA1: b53128153b214bc95f71998abef91e42abb5eb38
  SHA256: 355a5de17976beb7a672bb51f3f7e795786f8c1083d795dc25de7ea25ca040b3
  SHA512: 3da696c7ebfd43199870daeb58c02cb786f5aad276cf3282b7c8ecf39212f1fd40433a04ab86ed8c9ce22da91cf3cf8f198e084da2b2987260f4524d6ce74e91
- Filesize: 386B
  MD5: 38cd98ee04082c0c8aebfb7c7a5527b0
  SHA1: 471151d314b09e685836dad51f79990d0169d269
  SHA256: 1bb3c5d6a8b291d8099b0494119284526582bb1cbb86bf526ac876cec86b27ac
  SHA512: d275af25a3864b94a76d22fdd1cc9a4c1d21b71f02640bc0e9fdd8120b40f1f54265ec75ce0688d5befc751b584fb0286c2fa20ca5e060fa1146003493393cb0