Overview

overview

7

Static

static

3

676724453b...0d.exe

windows7-x64

7

676724453b...0d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-06-2024 10:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe

  • Size

    4.8MB

  • MD5

    10c9464211d8fc212bfeeb972ed579d6

  • SHA1

    b095a0c0833d852a98ed554507ed24a4c9898e3f

  • SHA256

    676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d

  • SHA512

    b31c4534bfd66f52e11a85cd0eae9809a557459f45cfeff607fa90dec31e3680a6f33c6fd950ee3e23c8e21987874eb469e8e6526bf49f6932ff0af1615f36d3

  • SSDEEP

    98304:Ba5gyXi3zjeZhr19f7gHi/kZgc8hrEB3Ii8GnraqlwyWoQcXGcm3Xmm9rWIcYop1:Ba5gyS3zjeZhr19f7gHi/kZgc8hrEB3a

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe
    "C:\Users\Admin\AppData\Local\Temp\676724453b3d42c3b29dc1b869c877edaa37844df3b5871606dc92ed209d990d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Users\Admin\AppData\Local\Temp\evb59AA.tmp
      chushihua.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:5092
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\ÐÅ¿¼³õʼ»¯¹¤¾ß\init.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3412
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\xinkao" /f /v "xk" /t REG_BINARY /d 01000000ad8967c6bdf588cad1ad05e31692dce185c0a0a741a1e9fd02bbfef8be39e0ef9459096d06269541893c8c4bf684b3139d0894517b68a9b784860939b5760e240ac2a53a7e8b90b7eb2c15ec08542d4e3eba6ae0fff3409c3803eb02faa043ea5164ecd9a3455bf6071e3508ae209ee5b97460b7cf33bff6acb20a9683f2941d
          4⤵
            PID:2792
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ipconfig | findstr /i "IPv4"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1700
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig
              5⤵
              • Gathers network information
              PID:3080
            • C:\Windows\SysWOW64\findstr.exe
              findstr /i "IPv4"
              5⤵
                PID:748
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCR\Local Settings\Software\xinkao" /f /v "xinkao" /t REG_SZ /d " 10.127.1.204"
              4⤵
              • Modifies registry class
              PID:3828
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCU\Software\xinkao" /f /v "xinkao" /t REG_SZ /d " 10.127.1.204"
              4⤵
                PID:1412

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\evb59AA.tmp
          Filesize

          1KB

          MD5

          fc804f040bc43e008743afcb677baad5

          SHA1

          2c23e78979a8178f246dec5452c7c1a8a9c052f5

          SHA256

          89a095c5c8db0209a7c6d8b838e8b1d51b0a1dc35555d0d318d9f6f76a4cdac7

          SHA512

          0633c9fec6afac07656e9e16909d3fa86e65318cb2742397f21c054a9f5bc30939151ff933879b492df71030689b235c11fb33ef2a812fb09a05ba5662e6a759

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsi5A39.tmp\nsExec.dll
          Filesize

          6KB

          MD5

          1f49d8af9be9e915d54b2441c4a79adf

          SHA1

          1ee4f809c693e31f34bc6d8153664a6dc2c3e499

          SHA256

          b22c8f676dec58be8d25fbad1a37835ffc4029f29aaf79f4dc0337ca73a38782

          SHA512

          c60827e322e3168a79795ffd4beb0b0039842128255100d6b005d261402d2ff570f3866f441f3d3c063097c71d44bc5ae80d177fa91ef4e46fc8c2d97de27aa4

          Download Submit

        • C:\Users\Admin\AppData\Local\ÐÅ¿¼³õʼ»¯¹¤¾ß\init.bat
          Filesize

          677B

          MD5

          9882bbfe52711ee196a7db25542db5f2

          SHA1

          c394bf81e8b864f870f9ebeb42fb31d09161e79e

          SHA256

          47f5adbc69839363178fed391b0695dc94720cd90976ec606380a62c205feaaf

          SHA512

          e5be4f44ec22ebd5698f31438afd7000a86caad2a3212f4a8912075b05cbb00c0124d9b37f629fa74f0f4b62d36da8059014f93072a7cc83320e9f7d97e0817b

          Download Submit

        • memory/1900-1-0x0000000077312000-0x0000000077313000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1900-0-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/1900-3-0x00000000029E0000-0x00000000029E3000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1900-2-0x0000000077313000-0x0000000077314000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1900-26-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/5092-7-0x0000000000100000-0x0000000000101000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5092-11-0x00000000000A0000-0x00000000000E7000-memory.dmp

          Filesize

          284KB

          Download

        • memory/5092-17-0x0000000077313000-0x0000000077314000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5092-16-0x0000000077312000-0x0000000077313000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5092-30-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/5092-31-0x00000000000A0000-0x00000000000E7000-memory.dmp

          Filesize

          284KB

          Download