3866eb85f05127359769f8f569a93cf63db26c41d30725ba6fc528754b92233f

General

Target

阿里巴巴集团招聘部分JD信息2024_5_Talent.Alibaba-inc.exe
Size

13.0MB
MD5

2b33a8ca3e3d7fa2f1ae010ef161b148
SHA1

61689602270bc6c2590b2ff0639cbad6842d48cf
SHA256

3866eb85f05127359769f8f569a93cf63db26c41d30725ba6fc528754b92233f
SHA512

3163677a66bcfd672792139b2cc53861bb208f85f19f354410c894e0583523644449cd2fb89cb3841f5fc316173ecf6ae929e91352232efeba9a300db191adbd
SSDEEP

49152:kuQAa+joXOeSt0Z7qViOe2Fc+GoCJt25IbiXArylJM5cXTDNVwEVgQj:n0jUpIHrylJMoNzV3

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3712 created 3436	3712	阿里巴巴集团招聘部分JD信息2024_5_Talent.Alibaba-inc.exe	57

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4344	pythonwc.exe

Loads dropped DLL 2 IoCs

pid	Process
4344	pythonwc.exe
4344	pythonwc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3360	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3712	阿里巴巴集团招聘部分JD信息2024_5_Talent.Alibaba-inc.exe
3712	阿里巴巴集团招聘部分JD信息2024_5_Talent.Alibaba-inc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3360	EXCEL.EXE
3360	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3360	EXCEL.EXE
3360	EXCEL.EXE
3360	EXCEL.EXE
3360	EXCEL.EXE
3360	EXCEL.EXE
3360	EXCEL.EXE
3360	EXCEL.EXE
3360	EXCEL.EXE
3360	EXCEL.EXE
3360	EXCEL.EXE
3360	EXCEL.EXE
3360	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 1176	3712	阿里巴巴集团招聘部分JD信息2024_5_Talent.Alibaba-inc.exe	85
PID 3712 wrote to memory of 1176	3712	阿里巴巴集团招聘部分JD信息2024_5_Talent.Alibaba-inc.exe	85
PID 1176 wrote to memory of 3360	1176	cmd.exe	87
PID 1176 wrote to memory of 3360	1176	cmd.exe	87
PID 1176 wrote to memory of 3360	1176	cmd.exe	87
PID 3712 wrote to memory of 4344	3712	阿里巴巴集团招聘部分JD信息2024_5_Talent.Alibaba-inc.exe	90
PID 3712 wrote to memory of 4344	3712	阿里巴巴集团招聘部分JD信息2024_5_Talent.Alibaba-inc.exe	90

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\阿里巴巴集团招聘部分JD信息2024_5_Talent.Alibaba-inc.exe
  "C:\Users\Admin\AppData\Local\Temp\阿里巴巴集团招聘部分JD信息2024_5_Talent.Alibaba-inc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c start C:\Users\Admin\AppData\Local\Temp\阿里巴巴集团招聘部分JD信息2024_5_Talent.Alibaba-inc.xlsx
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\阿里巴巴集团招聘部分JD信息2024_5_Talent.Alibaba-inc.xlsx"
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:3360
- C:\Users\Admin\AppData\Local\Temp\pythonwc.exe
  "C:\Users\Admin\AppData\Local\Temp\pythonwc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VCRUNTIME140.dll

Filesize
83KB

MD5
0c583614eb8ffb4c8c2d9e9880220f1d

SHA1
0b7fca03a971a0d3b0776698b51f62bca5043e4d

SHA256
6cadb4fef773c23b511acc8b715a084815c6e41dd8c694bc70090a97b3b03fb9

SHA512
79bbf50e38e358e492f24fe0923824d02f4b831336dae9572540af1ae7df162457d08de13e720f180309d537667bc1b108bdd782af84356562cca44d3e9e3b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\cache.bin

Filesize
884KB

MD5
d8b343b5b8f7d2b8b044f7cdd6228311

SHA1
1c3cc5eb460ca4c98d431adb0c07a0356748edf5

SHA256
03ab7e367ad2131e30283b91e2bd7b162029b7f6ac2041b4a2291f95819a185e

SHA512
fc59b9143d7d21b2de969ffcf8acc22c53c80a7cef2d606e70e3a2b331343039b7db810ddd1244cd2c9aa2e4fd500f52a7cf50077ad9958064323513fa4f96f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\python38.dll

Filesize
4.3MB

MD5
e227f9b2c7851a3adf5bc2464803c731

SHA1
01dfc6e768cc6be405b8b5ded0ec8fb94070c340

SHA256
8c1ac8111df13577cfbc709ed6fa97b6e602ca7ae50b02d9bb3f7a6706e7fc05

SHA512
ab6a3cb16bf279bf0294cee2eb6f71bdb22c45b3344aebf3baaa772583821e16e7288d8d8810ba1e4792b0d92c41b199c92ddb30e7b43ab0901158acb75c43cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pythonwc.exe

Filesize
96KB

MD5
eec9115f8e5b1e4c825680b013dbe09e

SHA1
a286461276ff049caac768000aaa008e30664cd6

SHA256
1316319b6b332c4654861f655c6e663a46638c1e222e6d535a22c2f1c5423d35

SHA512
21ead461cb3aa93e6f1282f0229838b8df4efb7c0ddd8e4941f9627f0550300f650a40be8aed8b16c6c552099b0996da345a7548040254a533feefb7abc7bc0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\阿里巴巴集团招聘部分JD信息2024_5_Talent.Alibaba-inc.xlsx

Filesize
20KB

MD5
7a2a55a22408a144e8dce067dce02fa3

SHA1
9c0930f71905b7f356f93849d98d837ef79e1b43

SHA256
d29be6b9f07b8d7ef61756e6c9584e784a8c1f6fe5b59c67fb56b99138077887

SHA512
62321727a884a969096b6b4624e65b3e81375b7fea59b995023e6bd8cd1d435b1d5b71f0ccb2c874ad265bf47883e079085cfd89a07293f1660c94310f0572cf

Download Submit
memory/3360-13-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3360-43-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3360-10-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3360-8-0x00007FF978B50000-0x00007FF978B60000-memory.dmp

Filesize
64KB

Download
memory/3360-12-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3360-11-0x00007FF978B50000-0x00007FF978B60000-memory.dmp

Filesize
64KB

Download
memory/3360-14-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3360-15-0x00007FF976AF0000-0x00007FF976B00000-memory.dmp

Filesize
64KB

Download
memory/3360-16-0x00007FF976AF0000-0x00007FF976B00000-memory.dmp

Filesize
64KB

Download
memory/3360-9-0x00007FF978B50000-0x00007FF978B60000-memory.dmp

Filesize
64KB

Download
memory/3360-5-0x00007FF9B8B6D000-0x00007FF9B8B6E000-memory.dmp

Filesize
4KB

Download
memory/3360-6-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3360-70-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3360-4-0x00007FF978B50000-0x00007FF978B60000-memory.dmp

Filesize
64KB

Download
memory/3360-67-0x00007FF978B50000-0x00007FF978B60000-memory.dmp

Filesize
64KB

Download
memory/3360-7-0x00007FF978B50000-0x00007FF978B60000-memory.dmp

Filesize
64KB

Download
memory/3360-44-0x00007FF9B8B6D000-0x00007FF9B8B6E000-memory.dmp

Filesize
4KB

Download
memory/3360-69-0x00007FF978B50000-0x00007FF978B60000-memory.dmp

Filesize
64KB

Download
memory/3360-68-0x00007FF978B50000-0x00007FF978B60000-memory.dmp

Filesize
64KB

Download
memory/3360-66-0x00007FF978B50000-0x00007FF978B60000-memory.dmp

Filesize
64KB

Download
memory/3712-25-0x00007FF700100000-0x00007FF700E04000-memory.dmp

Filesize
13.0MB

Download
memory/4344-52-0x000001D99CFB0000-0x000001D99D027000-memory.dmp

Filesize
476KB

Download
memory/4344-51-0x000001D99CFB0000-0x000001D99D027000-memory.dmp

Filesize
476KB

Download
memory/4344-46-0x000001D99CFB0000-0x000001D99D027000-memory.dmp

Filesize
476KB

Download
memory/4344-45-0x000001D99D7D0000-0x000001D99D7D4000-memory.dmp

Filesize
16KB

Download
memory/4344-29-0x000001D99CFB0000-0x000001D99D027000-memory.dmp

Filesize
476KB

Download
memory/4344-71-0x000001D99CFB0000-0x000001D99D027000-memory.dmp

Filesize
476KB

Download
memory/4344-72-0x000001D99CFB0000-0x000001D99D027000-memory.dmp

Filesize
476KB

Download
memory/4344-74-0x000001D99CFB0000-0x000001D99D027000-memory.dmp

Filesize
476KB

Download
memory/4344-75-0x000001D99CFB0000-0x000001D99D027000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads