4e20147c17b6763d515d55f9389ff4b7641d85f91426e6244dc73d7458de1aa2

Analysis

max time kernel
120s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 20:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DEADLY 8强力卸载工具.exe
Size

520KB
MD5

e9a686c455f0e4fd7b78e6d7cafe4528
SHA1

eafc8a49d5d2ed28ae38f6b1d178218401438e4f
SHA256

bb5cf8861c497565c8e13fd2a6977baa1d88002ef01ee3f693093eda9a21d903
SHA512

c6894b66729e5256a30956b40451264faa187274c6ad8a5738ab01fa9c16c829da85802a9713d093d6e911aa45271364b34412b709849b4434cb1cf05125751b
SSDEEP

12288:679WjXvVP/LNU5DBF3r/YaKEq0YhnTWV3Y2E0:679h9/2hClY2E0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	DEADLY 8强力卸载工具.exe

Executes dropped EXE 1 IoCs

pid	Process
5108	aukid.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Delj.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Unloadr.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\vis7bcd.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\tskill.exe	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\yes.exe	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\Deldead.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\rcvr.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Setup.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\aukid.exe	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Vis7	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Unload.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\deltempf.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\Unloadr.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\visxp	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\deareg.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Deldead.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\qxaz.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\deareg.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\DelTemp.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\cjbb.exe	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\No.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\visxp\hmload.com	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\visxp\bootlace.com	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\visxp\grub.exe	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\yes.exe	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\Yes.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Yes.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\aukid.exe	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\qxaz.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\Yydeadly.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\DelTemp.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\delyy.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\Unload.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\delboot.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\deltempf.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Sd.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\Xf.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\taskkill.exe	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\visxp\config.sys	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\visxp\config.sys	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\kil.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Xf.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Yydeadly.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\visxp\bootlace.com	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\cjbb.exe	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\taskkill.exe	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\delboot.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\visxp\hmload.com	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\tskill.exe	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\Delj.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\delyy.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\kil.bat	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\No.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\vis7bcd.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\Vis7\taskkill.exe	DEADLY 8强力卸载工具.exe
File opened for modification	C:\WINDOWS\SysWOW64\yydll\Vis7\taskkill.exe	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\rcvr.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\Sd.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\Setup.bat	DEADLY 8强力卸载工具.exe
File created	C:\WINDOWS\SysWOW64\yydll\visxp\grub.exe	DEADLY 8强力卸载工具.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5108	aukid.exe
5108	aukid.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 5108	4792	DEADLY 8强力卸载工具.exe	84
PID 4792 wrote to memory of 5108	4792	DEADLY 8强力卸载工具.exe	84
PID 4792 wrote to memory of 5108	4792	DEADLY 8强力卸载工具.exe	84
PID 5108 wrote to memory of 1032	5108	aukid.exe	86
PID 5108 wrote to memory of 1032	5108	aukid.exe	86
PID 5108 wrote to memory of 1032	5108	aukid.exe	86

C:\Users\Admin\AppData\Local\Temp\DEADLY 8强力卸载工具.exe
"C:\Users\Admin\AppData\Local\Temp\DEADLY 8强力卸载工具.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\SysWOW64\yydll\aukid.exe
  "C:\Windows\System32\yydll\aukid.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\yydll\kil.bat
    3⤵
    PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\yydll\Vis7\taskkill.exe

Filesize
76KB

MD5
94bdcafbd584c979b385adee14b08ab4

SHA1
1985a9d34271cd24d28c15452c822bd4b9b50f90

SHA256
cb1822a981e9821d571af16b7e37beba5feb8e3dedcdd0461119af9aac0358b3

SHA512
86382a441958d0e0135977891b99a4884496882b01aba8c18fba29e8b0827cfb2c17d5bca7f3b915d6c68f3da11a309f169bbdb009bb04bdf28a1093b78029ef

Download Submit
C:\WINDOWS\SysWOW64\yydll\taskkill.exe

Filesize
83KB

MD5
b356393f854a12cd9aba9a679df0794b

SHA1
2d56a354ccd6ca1cc01a4b764b0f677c8f92ec6b

SHA256
94f9c99f0a332eab680d99e8ebbd7ee9851a31c237a3558bc3cc0a7e3f8f8d7e

SHA512
a7fa192c374ea47d03637d3728f8d511e43eee7354da15dea0173ecfcb21026eba95a19a0e012f00e478f2c5e1edebf923c97af66f9a1215fd63c26c643d10f4

Download Submit
C:\Windows\SysWOW64\yydll\aukid.exe

Filesize
224KB

MD5
8adae4cf8c4806d262c63c7f806d5d01

SHA1
e294bc6c7e74e120abee831f0a89e387b07cbdc5

SHA256
d38518fa3c8a4e3121366de4f992c44dce28872c32e33231ebcf5087a6e6e257

SHA512
13b2ab7b924a0907795921117ef2e9f781d8dcc2b37c3052975d760c877708075d9e7afd8891216ca7bf9ed742fabc799371de964fe44c6b1c102fcfbc7ed610

Download Submit
C:\Windows\SysWOW64\yydll\kil.bat

Filesize
526B

MD5
2187655e85d04a2eb428eb5c5c053da6

SHA1
548e4653d5e176b220c15dfdb20ac260a2f4f47c

SHA256
fb2285815567ecb454ea1db5122f2ef56bbb74f6197d1626a4f0f4718a8e23b2

SHA512
ccad3844d60b58ed9a642acb4b996452093ebb1ce4c6eee3116b8172c45c3077cd1938b5d069a7c34d8f438299cab331f556ecea61c54cedf2b6aed9eb852479

Download Submit