b16b2bb2cf65357f42f046e187a668cc9ddaf564f0d14e766b55404be97c9686

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

????.exe
Size

117.8MB
MD5

e4fb5b6879486628df824ce3dcc2e007
SHA1

d02c1ac09bf788a8708b8d8e35d9091756087415
SHA256

08442e8713ab66e3117f06372fbbda290e770630d79c5f46274d22af0caa5375
SHA512

37084049a706301ee19c6b3fe9ccacaed9b9e0dc4ecb58d9d0487c04c1e6029078ca0c3cec5c261dc28be5ad76590a25e24dc3b1ba4585c3c6412965165401e7
SSDEEP

1572864:Zbjpp6KvAbWqERVxLKeHbOnOO7uTss/iiwFTKlWOQsQxhEEkkiYvEX74BWpR9nai:bUXe8qhYvia1klj/

Score

8^/10

evasion execution persistence

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

____.exe____.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	____.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	____.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

____.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\electron.app.飞机加速 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\____.exe --openAsHidden"	____.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

4916 sc.exe
3628 sc.exe
1300 sc.exe

pid	process
4916	sc.exe
3628	sc.exe
1300	sc.exe

Modifies registry class 1 IoCs

Processes:

____.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{4C43B7F5-024E-4F37-AEA1-E7E47802392B}	____.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

____.exe____.exe____.exe____.exe

pid process

3096 ____.exe
3096 ____.exe
264 ____.exe
264 ____.exe
1656 ____.exe
1656 ____.exe
4328 ____.exe
4328 ____.exe
4328 ____.exe
4328 ____.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

____.exe

pid process

3876 ____.exe
3876 ____.exe
3876 ____.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

____.exe

pid process

3876 ____.exe
3876 ____.exe
3876 ____.exe
3876 ____.exe

pid	process
3096	____.exe
3096	____.exe
264	____.exe
264	____.exe
1656	____.exe
1656	____.exe
4328	____.exe
4328	____.exe
4328	____.exe
4328	____.exe

pid	process
3876	____.exe
3876	____.exe
3876	____.exe

pid	process
3876	____.exe
3876	____.exe
3876	____.exe
3876	____.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

____.execmd.exeapn_service.exenet.exe____.execmd.execmd.exe

description	pid	process	target process
PID 3876 wrote to memory of 208	3876	____.exe	____.exe
PID 3876 wrote to memory of 208	3876	____.exe	____.exe
PID 3876 wrote to memory of 208	3876	____.exe	____.exe
PID 3876 wrote to memory of 3096	3876	____.exe	____.exe
PID 3876 wrote to memory of 3096	3876	____.exe	____.exe
PID 3876 wrote to memory of 3096	3876	____.exe	____.exe
PID 3876 wrote to memory of 264	3876	____.exe	____.exe
PID 3876 wrote to memory of 264	3876	____.exe	____.exe
PID 3876 wrote to memory of 264	3876	____.exe	____.exe
PID 3876 wrote to memory of 1656	3876	____.exe	____.exe
PID 3876 wrote to memory of 1656	3876	____.exe	____.exe
PID 3876 wrote to memory of 1656	3876	____.exe	____.exe
PID 3876 wrote to memory of 4916	3876	____.exe	sc.exe
PID 3876 wrote to memory of 4916	3876	____.exe	sc.exe
PID 3876 wrote to memory of 4916	3876	____.exe	sc.exe
PID 3876 wrote to memory of 3628	3876	____.exe	sc.exe
PID 3876 wrote to memory of 3628	3876	____.exe	sc.exe
PID 3876 wrote to memory of 3628	3876	____.exe	sc.exe
PID 3876 wrote to memory of 1300	3876	____.exe	sc.exe
PID 3876 wrote to memory of 1300	3876	____.exe	sc.exe
PID 3876 wrote to memory of 1300	3876	____.exe	sc.exe
PID 3876 wrote to memory of 5024	3876	____.exe	cmd.exe
PID 3876 wrote to memory of 5024	3876	____.exe	cmd.exe
PID 3876 wrote to memory of 5024	3876	____.exe	cmd.exe
PID 5024 wrote to memory of 3564	5024	cmd.exe	apn_service.exe
PID 5024 wrote to memory of 3564	5024	cmd.exe	apn_service.exe
PID 5024 wrote to memory of 3564	5024	cmd.exe	apn_service.exe
PID 3564 wrote to memory of 1308	3564	apn_service.exe	net.exe
PID 3564 wrote to memory of 1308	3564	apn_service.exe	net.exe
PID 3564 wrote to memory of 1308	3564	apn_service.exe	net.exe
PID 1308 wrote to memory of 1988	1308	net.exe	net1.exe
PID 1308 wrote to memory of 1988	1308	net.exe	net1.exe
PID 1308 wrote to memory of 1988	1308	net.exe	net1.exe
PID 1656 wrote to memory of 1688	1656	____.exe	cmd.exe
PID 1656 wrote to memory of 1688	1656	____.exe	cmd.exe
PID 1656 wrote to memory of 1688	1656	____.exe	cmd.exe
PID 1688 wrote to memory of 1908	1688	cmd.exe	cmd.exe
PID 1688 wrote to memory of 1908	1688	cmd.exe	cmd.exe
PID 1908 wrote to memory of 2916	1908	cmd.exe	reg.exe
PID 1908 wrote to memory of 2916	1908	cmd.exe	reg.exe
PID 3876 wrote to memory of 4328	3876	____.exe	____.exe
PID 3876 wrote to memory of 4328	3876	____.exe	____.exe
PID 3876 wrote to memory of 4328	3876	____.exe	____.exe

C:\Users\Admin\AppData\Local\Temp\____.exe
"C:\Users\Admin\AppData\Local\Temp\____.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3876

C:\Users\Admin\AppData\Local\Temp\____.exe
C:\Users\Admin\AppData\Local\Temp\____.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\apnetwork /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\apnetwork\Crashpad --annotation=_productName=apnetwork --annotation=_version=0.0.14 --annotation=prod=Electron --annotation=ver=16.2.1 --initial-client-data=0x474,0x47c,0x480,0x450,0x484,0x770a970,0x770a980,0x770a98c
2⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\____.exe
"C:\Users\Admin\AppData\Local\Temp\____.exe" --type=gpu-process --field-trial-handle=1612,18227286373489722873,2437656842608677934,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\apnetwork" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 /prefetch:2
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3096

C:\Users\Admin\AppData\Local\Temp\____.exe
"C:\Users\Admin\AppData\Local\Temp\____.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,18227286373489722873,2437656842608677934,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\apnetwork" --mojo-platform-channel-handle=1980 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:264

C:\Users\Admin\AppData\Local\Temp\____.exe
"C:\Users\Admin\AppData\Local\Temp\____.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\apnetwork" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --no-sandbox --field-trial-handle=1612,18227286373489722873,2437656842608677934,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2348 /prefetch:1
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd.exe /d /s /c "%windir%\sysnative\cmd.exe /c %windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
4⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\System32\reg.exe
C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
5⤵
PID:2916

C:\Windows\SysWOW64\sc.exe
sc delete FadeService
2⤵
- Launches sc.exe
PID:4916

C:\Windows\SysWOW64\sc.exe
sc delete APNetworkService
2⤵
- Launches sc.exe
PID:3628

C:\Windows\SysWOW64\sc.exe
sc queryex APNetworkService
2⤵
- Launches sc.exe
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\resources\extraResources\apn_service.exe" /install"
2⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Users\Admin\AppData\Local\Temp\resources\extraResources\apn_service.exe
"C:\Users\Admin\AppData\Local\Temp\resources\extraResources\apn_service.exe" /install
3⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\net.exe
net start APNetworkService
4⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start APNetworkService
5⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\____.exe
"C:\Users\Admin\AppData\Local\Temp\____.exe" --type=gpu-process --field-trial-handle=1612,18227286373489722873,2437656842608677934,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\apnetwork" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2896 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4328

C:\Users\Admin\AppData\Local\Temp\resources\extraResources\apn_service.exe
C:\Users\Admin\AppData\Local\Temp\resources\extraResources\apn_service.exe
1⤵
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\apnetwork\Crashpad\settings.dat

Filesize
40B

MD5
578e8b61419e3237c74cf1937592d992

SHA1
6d0b444952e5ea0b5877e83fbe2cd43fe83d32ae

SHA256
988556fc5becee727314cd982b1f2269adfedd201c384fa5e4e3e3e685b19561

SHA512
cf1d48b6e8e62dde972c2d59ea1132e03de0861be61c7db3ee2e1be0c8a6c3144e23cc57668f6b3f43107914ad3c50cf981251a31c3475462a085ac463dc518b

Download Submit
C:\Users\Admin\AppData\Roaming\apnetwork\config.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\apnetwork\config.json

Filesize
29B

MD5
0799ca7d102110a905ca21b94611a6bb

SHA1
95a4c4747e5d602e2974fe61e5c6e1d86f8ca5fa

SHA256
5274b4d9db541cc217801862c8caf3bb075979b25dd5ced8ea4506aba43664fa

SHA512
eb8ed75921c4d5c8fc9b932ff5651cb45bb788ab233ee8d6093b12768a320a0b76b528d814fabcd4034b06e69465e930bb9e54a058cd242064480de76911281d

Download Submit
\??\pipe\crashpad_3876_XLHWSZKLCCOOCPZJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4328-196-0x000000000DA10000-0x000000000DA11000-memory.dmp

Filesize
4KB

Download
memory/4328-198-0x000000000DA10000-0x000000000DA11000-memory.dmp

Filesize
4KB

Download
memory/4328-197-0x000000000DA10000-0x000000000DA11000-memory.dmp

Filesize
4KB

Download
memory/4328-202-0x000000000DA10000-0x000000000DA11000-memory.dmp

Filesize
4KB

Download
memory/4328-206-0x000000000DA10000-0x000000000DA11000-memory.dmp

Filesize
4KB

Download
memory/4328-208-0x000000000DA10000-0x000000000DA11000-memory.dmp

Filesize
4KB

Download
memory/4328-207-0x000000000DA10000-0x000000000DA11000-memory.dmp

Filesize
4KB

Download
memory/4328-205-0x000000000DA10000-0x000000000DA11000-memory.dmp

Filesize
4KB

Download
memory/4328-204-0x000000000DA10000-0x000000000DA11000-memory.dmp

Filesize
4KB

Download
memory/4328-203-0x000000000DA10000-0x000000000DA11000-memory.dmp

Filesize
4KB

Download
memory/4628-183-0x0000000063D40000-0x0000000063D4F000-memory.dmp

Filesize
60KB

Download