4e20147c17b6763d515d55f9389ff4b7641d85f91426e6244dc73d7458de1aa2

Analysis

max time kernel
93s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DEADLY 8强力卸载工具兼容UAC版.exe
Size

518KB
MD5

2c222fed0258e22b16b65684b0c1e3f0
SHA1

8c607eff94606048da8a72c79fd9062f21909075
SHA256

58e0e941d2bac2c9f50b354712dab551561acd4d75b146c10f2e0697d4b2bfa6
SHA512

ea213416da92e876e8433a65107b9443f15740a9a9316e50985fe5d4ab15344c3f86dfc45615a13aa1db205aa3a5b42f46870276954a0160456ae66d1dda155f
SSDEEP

12288:F79WjXvVf/LNU5CBF3r/Y0FU9P9oF9ZT9XeJUEslK6NWY:F79xo/XFUNe/ZNcUvv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	DEADLY 8强力卸载工具兼容UAC版.exe

Executes dropped EXE 1 IoCs

pid	Process
4784	aukid.exe

Drops file in System32 directory 58 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Unload.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\visxp\grub.exe	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\visxp\config.sys	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\No.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Yes.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\aukid.exe	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Yydeadly.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\Delj.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\deltempf.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\Sd.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\aukid.exe	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Vis7	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\deareg.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\qxaz.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\visxp\bootlace.com	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\deareg.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\DelTemp.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\visxp	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Sd.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\rcvr.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\delboot.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Delj.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\delyy.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\kil.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\No.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\Unload.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\Yes.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\delboot.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\Deldead.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\delyy.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\visxp\hmload.com	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Vis7\taskkill.exe	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\tskill.exe	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\qxaz.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Setup.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Unloadr.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\DelTemp.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\deltempf.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\Setup.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\visxp\grub.exe	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\visxp\bootlace.com	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\Vis7\taskkill.exe	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\taskkill.exe	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\yes.exe	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\rcvr.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\vis7bcd.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Xf.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\visxp\config.sys	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\tskill.exe	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\vis7bcd.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\Yydeadly.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\taskkill.exe	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\Unloadr.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\Xf.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\visxp\hmload.com	DEADLY 8强力卸载工具兼容UAC版.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Deldead.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\kil.bat	DEADLY 8强力卸载工具兼容UAC版.exe
File created	C:\WINDOWS\SysWOW64\yydll\yes.exe	DEADLY 8强力卸载工具兼容UAC版.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4784	aukid.exe
4784	aukid.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 4784	3196	DEADLY 8强力卸载工具兼容UAC版.exe	84
PID 3196 wrote to memory of 4784	3196	DEADLY 8强力卸载工具兼容UAC版.exe	84
PID 3196 wrote to memory of 4784	3196	DEADLY 8强力卸载工具兼容UAC版.exe	84
PID 4784 wrote to memory of 3636	4784	aukid.exe	85
PID 4784 wrote to memory of 3636	4784	aukid.exe	85
PID 4784 wrote to memory of 3636	4784	aukid.exe	85

C:\Users\Admin\AppData\Local\Temp\DEADLY 8强力卸载工具兼容UAC版.exe
"C:\Users\Admin\AppData\Local\Temp\DEADLY 8强力卸载工具兼容UAC版.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\SysWOW64\yydll\aukid.exe
  "C:\Windows\System32\yydll\aukid.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\yydll\kil.bat
    3⤵
    PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\yydll\Vis7\taskkill.exe

Filesize
76KB

MD5
94bdcafbd584c979b385adee14b08ab4

SHA1
1985a9d34271cd24d28c15452c822bd4b9b50f90

SHA256
cb1822a981e9821d571af16b7e37beba5feb8e3dedcdd0461119af9aac0358b3

SHA512
86382a441958d0e0135977891b99a4884496882b01aba8c18fba29e8b0827cfb2c17d5bca7f3b915d6c68f3da11a309f169bbdb009bb04bdf28a1093b78029ef

Download Submit
C:\WINDOWS\SysWOW64\yydll\taskkill.exe

Filesize
83KB

MD5
b356393f854a12cd9aba9a679df0794b

SHA1
2d56a354ccd6ca1cc01a4b764b0f677c8f92ec6b

SHA256
94f9c99f0a332eab680d99e8ebbd7ee9851a31c237a3558bc3cc0a7e3f8f8d7e

SHA512
a7fa192c374ea47d03637d3728f8d511e43eee7354da15dea0173ecfcb21026eba95a19a0e012f00e478f2c5e1edebf923c97af66f9a1215fd63c26c643d10f4

Download Submit
C:\Windows\SysWOW64\yydll\aukid.exe

Filesize
224KB

MD5
8adae4cf8c4806d262c63c7f806d5d01

SHA1
e294bc6c7e74e120abee831f0a89e387b07cbdc5

SHA256
d38518fa3c8a4e3121366de4f992c44dce28872c32e33231ebcf5087a6e6e257

SHA512
13b2ab7b924a0907795921117ef2e9f781d8dcc2b37c3052975d760c877708075d9e7afd8891216ca7bf9ed742fabc799371de964fe44c6b1c102fcfbc7ed610

Download Submit
C:\Windows\SysWOW64\yydll\kil.bat

Filesize
526B

MD5
2187655e85d04a2eb428eb5c5c053da6

SHA1
548e4653d5e176b220c15dfdb20ac260a2f4f47c

SHA256
fb2285815567ecb454ea1db5122f2ef56bbb74f6197d1626a4f0f4718a8e23b2

SHA512
ccad3844d60b58ed9a642acb4b996452093ebb1ce4c6eee3116b8172c45c3077cd1938b5d069a7c34d8f438299cab331f556ecea61c54cedf2b6aed9eb852479

Download Submit