Overview
overview
3Static
static
3plc连接�...on.dll
windows7-x64
1plc连接�...on.dll
windows10-2004-x64
1plc连接�...mo.exe
windows7-x64
1plc连接�...mo.exe
windows10-2004-x64
1plc连接�...ls.dll
windows7-x64
1plc连接�...ls.dll
windows10-2004-x64
1plc连接�...on.dll
windows7-x64
1plc连接�...on.dll
windows10-2004-x64
1plc连接�...15.dll
windows7-x64
1plc连接�...15.dll
windows10-2004-x64
1plc连接�...ng.dll
windows7-x64
1plc连接�...ng.dll
windows10-2004-x64
1Analysis
-
max time kernel
149s -
max time network
63s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
08-07-2024 10:05
Static task
static1
Behavioral task
behavioral1
Sample
plc连接工具/Debug/HslCommunication.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral2
Sample
plc连接工具/Debug/HslCommunication.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
plc连接工具/Debug/HslCommunicationDemo.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral4
Sample
plc连接工具/Debug/HslCommunicationDemo.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
plc连接工具/Debug/HslControls.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral6
Sample
plc连接工具/Debug/HslControls.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
plc连接工具/Debug/Newtonsoft.Json.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral8
Sample
plc连接工具/Debug/Newtonsoft.Json.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
plc连接工具/Debug/WeifenLuo.WinFormsUI.Docking.ThemeVS2015.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral10
Sample
plc连接工具/Debug/WeifenLuo.WinFormsUI.Docking.ThemeVS2015.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
plc连接工具/Debug/WeifenLuo.WinFormsUI.Docking.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
plc连接工具/Debug/WeifenLuo.WinFormsUI.Docking.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
General
-
Target
plc连接工具/Debug/HslCommunicationDemo.exe
-
Size
2.8MB
-
MD5
9e101482300b2ebc62730d8c45c4f2cf
-
SHA1
e00afa9114172892e1124fc654cd4a707a643aea
-
SHA256
ac0741d2316267a70d73c6b29555c03ae2a239cf3260e14165126421d168d62e
-
SHA512
916fcb56edea5bc4acd876bbff5c643bf19afdd17a99ff4e72b60058c801f27b9690ca2ed12d1d87320b914ec31083ecd6bb101647f48aff8576160e3e5c6d4d
-
SSDEEP
49152:HbAvYBsXyt6iOwreftEHUMzKXu61FnDNkhnGkaNZOb8KA3v7TAerP:HbAABsXyt6ixre9+2nDNSvaNZOb0TPP
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe 5084 HslCommunicationDemo.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5084 HslCommunicationDemo.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5084 HslCommunicationDemo.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\plc连接工具\Debug\HslCommunicationDemo.exe"C:\Users\Admin\AppData\Local\Temp\plc连接工具\Debug\HslCommunicationDemo.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5084
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:4544