Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 07:49
Static task
- static1
Behavioral tasks (sample, then the VM image it was run on)
- behavioral1: hxqqhmyxcjq/QQ号码QQ邮箱采集器2.7.exe ("QQ number / QQ mailbox harvester 2.7") on win7-20240611-en
- behavioral2: hxqqhmyxcjq/QQ号码QQ邮箱采集器2.7.exe on win10v2004-20240508-en
- behavioral3: hxqqhmyxcjq/绿软基地.url (Internet shortcut, literally "green software base") on win7-20240611-en
- behavioral4: hxqqhmyxcjq/绿软基地.url on win10v2004-20240611-en
- behavioral5: hxqqhmyxcjq/补丁.exe ("patch") on win7-20240508-en
- behavioral6: hxqqhmyxcjq/补丁.exe on win10v2004-20240508-en
General
- Target: hxqqhmyxcjq/补丁.exe (this page is the behavioral5 run on win7-20240508-en; the sample ran as pid 2180)
- Size: 1016KB
- MD5: 0d31499dabf4f53785ea86663ae38cb4
- SHA1: ee0d556f10c70634ac1c713f745d730eb2fa260e
- SHA256: 81ab5f96c0bbdc26bdcd0ae2320b6ed9015bed79412ba06b7d8bbef2a43f72a3
- SHA512: 81439aeeb1b91a20788bcb1df7b8d271d618f536e449f05bec77f31a14ad5d5b1560a3d960460596e4382f19a6ab2e551c0789195730bdb34e06b0e6e300234b
- SSDEEP: 12288:5o21WV9yO+WmN1LA0jcaG/sR5nWFpPoSIwNgm8aJMegx28iaMgmn:5DOg1NxA0jcT/fbe078aJo28iaMgu
Malware Config
Signatures
- Memory dumps matching yara rule "upx" (24 IoCs; the signature title itself was not captured on this page)
Processes: all 24 hits are dumps of pid 2180 covering the same region 0x0000000000620000-0x000000000065E000:
behavioral5/memory/2180-N-0x0000000000620000-0x000000000065E000-memory.dmp for N = 1, 2, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23, 25, 27, 29, 31, 33, 35, 37, 39, 41, 46, 47
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: pid 2180 补丁.exe, all 64 listed events
- Suspicious behavior: MapViewOfSection (21 IoCs)
Processes: pid 2180 补丁.exe, all 21 listed events
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: pid 2180 补丁.exe enabled Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: pid 2180 补丁.exe, all 3 listed events
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes: source pid 2180 补丁.exe wrote to the memory of the following target processes (count of listed events per target):
target PID | target process | writes
380 | wininit.exe | 6
388 | csrss.exe | 6
428 | winlogon.exe | 6
472 | services.exe | 6
488 | lsass.exe | 6
496 | lsm.exe | 6
596 | svchost.exe | 6
676 | svchost.exe | 6
748 | svchost.exe | 6
812 | svchost.exe | 6
848 | svchost.exe | 4
The listing stops at 64 entries, so the count for pid 848 and any further targets are a lower bound. Every target is a core system process from the process tree below, and the writes follow the SeDebugPrivilege grant recorded under AdjustPrivilegeToken.
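The WriteProcessMemory listing above is 64 near-identical event strings; what an analyst actually wants from it is one record per writing process, the spread of its targets, and whether the writes coincide with the SeDebugPrivilege grant from the AdjustPrivilegeToken signature. The following is an added example, not part of this report or of the sandbox's own code: a parser for the report's event text that aggregates the writes, joins them with the token event and produces a verdict. PROTECTED is a list chosen for this example, SAMPLE_EVENTS reproduces a subset of this report's events, and the parent.exe/child.exe line is a constructed benign write added for contrast.

```python
"""Aggregate sandbox cross-process write events and flag a process that writes
into core Windows processes while holding SeDebugPrivilege.

Added example, not part of the sandbox report. Event strings are handled in
the shape the report prints them:
  "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
  "Token: <privilege> <pid> <image>"
"""
import re
from collections import Counter, defaultdict

# Core Windows processes a user-mode program has no business writing into.
# This list is the example's own choice, not something the report defines.
PROTECTED = {"wininit.exe", "csrss.exe", "winlogon.exe", "services.exe",
             "lsass.exe", "lsm.exe", "smss.exe"}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")

# Subset of this report's events; the last line is a constructed benign
# parent-to-child write that should not be flagged.
SAMPLE_EVENTS = """
PID 2180 wrote to memory of 380 2180 补丁.exe wininit.exe
PID 2180 wrote to memory of 380 2180 补丁.exe wininit.exe
PID 2180 wrote to memory of 388 2180 补丁.exe csrss.exe
PID 2180 wrote to memory of 488 2180 补丁.exe lsass.exe
PID 2180 wrote to memory of 596 2180 补丁.exe svchost.exe
PID 2180 wrote to memory of 596 2180 补丁.exe svchost.exe
PID 2180 wrote to memory of 676 2180 补丁.exe svchost.exe
Token: SeDebugPrivilege 2180 补丁.exe
PID 1500 wrote to memory of 1504 1500 parent.exe child.exe
"""


def parse_writes(text):
    """Counter keyed by (src_pid, src_image, dst_pid, dst_image)."""
    writes = Counter()
    for src, dst, src_img, dst_img in WRITE_RE.findall(text):
        writes[(int(src), src_img, int(dst), dst_img)] += 1
    return writes


def parse_privileges(text):
    """dict pid -> set of privilege names the process enabled on its token."""
    privs = defaultdict(set)
    for priv, pid, _img in TOKEN_RE.findall(text):
        privs[int(pid)].add(priv)
    return privs


def assess(text, protected=PROTECTED):
    """One record per writing process with a verdict:

    flag   : wrote into a protected process while holding SeDebugPrivilege
             (the combination this report shows for pid 2180)
    review : a protected target, or writes into more than three processes
    ok     : otherwise (e.g. a parent writing into its own child)
    """
    privs = parse_privileges(text)
    report = {}
    for (src, src_img, dst, dst_img), n in parse_writes(text).items():
        rec = report.setdefault((src, src_img), {
            "targets": Counter(), "protected_hits": set(),
            "debug_priv": "SeDebugPrivilege" in privs.get(src, set())})
        rec["targets"][(dst, dst_img)] += n
        if dst_img.lower() in protected:
            rec["protected_hits"].add(dst_img.lower())
    for rec in report.values():
        if rec["protected_hits"] and rec["debug_priv"]:
            rec["verdict"] = "flag"
        elif rec["protected_hits"] or len(rec["targets"]) > 3:
            rec["verdict"] = "review"
        else:
            rec["verdict"] = "ok"
    return report


if __name__ == "__main__":
    for (pid, image), rec in assess(SAMPLE_EVENTS).items():
        print(f"{pid} {image}: {rec['verdict']} targets={dict(rec['targets'])} "
              f"protected={sorted(rec['protected_hits'])} debug={rec['debug_priv']}")
```

The verdict rule is deliberately conservative: a debugger or a legitimate installer can hold SeDebugPrivilege, and a parent can write into a child it just created, so neither fact alone produces "flag"; only the combination seen here (privilege plus writes into wininit, csrss, lsass and friends) does.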
Processes (indented by parent/child depth; image path, then command line)
C:\Windows\system32\wininit.exe  |  wininit.exe
  C:\Windows\system32\services.exe  |  C:\Windows\system32\services.exe
    C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k DcomLaunch
      C:\Windows\system32\DllHost.exe  |  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe  |  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe  |  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      C:\Windows\system32\Dwm.exe  |  "C:\Windows\system32\Dwm.exe"
    C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe  |  C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe  |  "taskhost.exe"
    C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\sppsvc.exe  |  C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\lsass.exe  |  C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsm.exe  |  C:\Windows\system32\lsm.exe
C:\Windows\system32\csrss.exe  |  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe  |  winlogon.exe
C:\Windows\Explorer.EXE  |  C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\补丁.exe  |  "C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\补丁.exe"  (pid 2180)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
The sample is the only non-system process in the tree and is launched from Explorer.EXE; it spawns no children of its own. Every target of its WriteProcessMemory calls (wininit, csrss, winlogon, services, lsass, lsm and the svchost instances) is one of the pre-existing system processes listed above.
Network
MITRE ATT&CK Matrix
Downloads
Memory dumps of pid 2180. Each name encodes pid, dump index, start address and end address; the size is the one the report lists for the dump.
- memory/2180-0-0x0000000000400000-0x000000000051D000-memory.dmp: 1.1MB (address span 0x11D000 = 1,167,360 bytes)
- memory/2180-44-0x00000000779E0000-0x00000000779E1000-memory.dmp: 4KB
- memory/2180-45-0x00000000779DF000-0x00000000779E0000-memory.dmp: 4KB
- memory/2180-N-0x0000000000620000-0x000000000065E000-memory.dmp: 248KB each (address span 0x3E000 = 253,952 bytes), for N = 1, 2, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23, 25, 27, 29, 31, 33, 35, 37, 39, 41, 46, 47
The 24 dumps of the 0x620000-0x65E000 region are the same region captured at successive points in the run; they are the dumps the yara rule "upx" matched in the Signatures section.
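Both the 24 yara hits in Signatures and the dump list above are one region (0x620000-0x65E000) captured repeatedly, so an analyst pulling artifacts wants one record per region, a check that the listed size agrees with the address span, and the yara rules attached to that region rather than to 24 file names. The following is an added example, not part of this report or of the sandbox's tooling, that does this for the report's own naming scheme. SAMPLE_DUMPS and SAMPLE_YARA are subsets copied from this page's Downloads and Signatures sections; the 5% tolerance is the example's own allowance for the report's rounded sizes ("1.1MB").

```python
"""Collapse sandbox memory-dump entries into one record per region, cross-check
the listed size against the address span, and attach yara hits per region.

Added example, not part of the sandbox report. Names follow the report's
"memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp" pattern, optionally
prefixed with "behavioral<n>/" as the Signatures section prints them.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"(?:behavioral\d+/)?memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
SIZE_RE = re.compile(r"([\d.]+)\s*(B|KB|MB)")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

# Subset of this report's Downloads section: (entry name, listed size).
SAMPLE_DUMPS = [
    ("memory/2180-0-0x0000000000400000-0x000000000051D000-memory.dmp", "1.1MB"),
    ("memory/2180-5-0x0000000000620000-0x000000000065E000-memory.dmp", "248KB"),
    ("memory/2180-3-0x0000000000620000-0x000000000065E000-memory.dmp", "248KB"),
    ("memory/2180-45-0x00000000779DF000-0x00000000779E0000-memory.dmp", "4KB"),
    ("memory/2180-44-0x00000000779E0000-0x00000000779E1000-memory.dmp", "4KB"),
    ("memory/2180-47-0x0000000000620000-0x000000000065E000-memory.dmp", "248KB"),
]
# Subset of the Signatures section: (dump name as the yara listing gives it, rule).
SAMPLE_YARA = [
    ("behavioral5/memory/2180-5-0x0000000000620000-0x000000000065E000-memory.dmp", "upx"),
    ("behavioral5/memory/2180-3-0x0000000000620000-0x000000000065E000-memory.dmp", "upx"),
    ("behavioral5/memory/2180-47-0x0000000000620000-0x000000000065E000-memory.dmp", "upx"),
]


def parse_size(text):
    """'248KB' -> 253952. The report rounds ('1.1MB'), so compare loosely."""
    m = SIZE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_dump_name(name):
    """Return (pid, index, start, end) or None if the name is not a dump entry."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    return int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)


def group_regions(dumps, yara_hits=(), tolerance=0.05):
    """One record per (pid, start, end): sorted dump indices covering it, the
    byte size derived from the address span, whether every listed size agrees
    with that span within `tolerance`, and the yara rules that hit any dump."""
    regions = defaultdict(lambda: {"indices": [], "size": 0,
                                   "size_consistent": True, "yara": set()})
    for name, size_text in dumps:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        pid, idx, start, end = parsed
        rec = regions[(pid, start, end)]
        rec["size"] = end - start
        rec["indices"].append(idx)
        if abs(parse_size(size_text) - rec["size"]) > tolerance * rec["size"]:
            rec["size_consistent"] = False
    for name, rule in yara_hits:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        pid, idx, start, end = parsed
        rec = regions[(pid, start, end)]   # a hit on an unlisted dump still counts
        rec["size"] = end - start
        if idx not in rec["indices"]:
            rec["indices"].append(idx)
        rec["yara"].add(rule)
    for rec in regions.values():
        rec["indices"].sort()
    return dict(regions)


def regions_of_interest(regions):
    """Regions with at least one yara hit, as sorted (pid, start, end) tuples."""
    return sorted(key for key, rec in regions.items() if rec["yara"])


if __name__ == "__main__":
    grouped = group_regions(SAMPLE_DUMPS, SAMPLE_YARA)
    for (pid, start, end), rec in sorted(grouped.items()):
        print(f"pid {pid} 0x{start:X}-0x{end:X} {rec['size']} bytes "
              f"dumps={rec['indices']} yara={sorted(rec['yara'])} "
              f"size_ok={rec['size_consistent']}")
```

On this report the grouping reduces 27 download entries to four regions, and only the 0x620000-0x65E000 region carries a yara hit, so that is the one dump to pull first; the size check guards against a truncated or mislabelled dump before any time is spent on it.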