503fedaaad4914ad8c22fd4a2311711ee049c5d5c8134d0961d4ba23a29d7447

Analysis

max time kernel
140s
max time network
26s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

简易封包工具_3.2.0.1.exe
Size

1.4MB
MD5

4b7c4479a1dc4d57be23d11b3ca2a01b
SHA1

e9e53ea73d4a0c842347e1a7c0bbe40da4e4702d
SHA256

da2cf03939dc1ce1a873b8bc08b26aa13a797245419047cfe47032346ee9eab1
SHA512

412d94582b0a6984b8db5262f31d7f4112e73e21a7077707ff319e5e9f7aec7f70698a9e3cb52d5297d9d98e07da7782cac727b75411e9b5bfe982b45fee1c09
SSDEEP

24576:gBXu9HGaVHErIJt/gxC6UQcCEX8a5DJ0mjP5eJms18haH4dEEMO9xLYd:gw9VHxJt4o6UQcCDadJFgfOhg4MOnL

Score

7^/10

defense_evasion upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral21/memory/1984-0-0x00000000008D0000-0x0000000000BB7000-memory.dmp	upx
behavioral21/memory/1984-17-0x00000000008D0000-0x0000000000BB7000-memory.dmp	upx
behavioral21/memory/1984-40-0x00000000008D0000-0x0000000000BB7000-memory.dmp	upx

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral21/memory/1984-17-0x00000000008D0000-0x0000000000BB7000-memory.dmp	autoit_exe
behavioral21/memory/1984-40-0x00000000008D0000-0x0000000000BB7000-memory.dmp	autoit_exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
defense_evasion

Hidden Files and Directories
T1564.001

Processes:

cmd.exe

pid process

2012 cmd.exe
NTFS ADS 1 IoCs

Processes:

简易封包工具_3.2.0.1.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\CIMV2 简易封包工具_3.2.0.1.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

简易封包工具_3.2.0.1.exe

pid process

1984 简易封包工具_3.2.0.1.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

简易封包工具_3.2.0.1.exe

pid process

1984 简易封包工具_3.2.0.1.exe

pid	process
2012	cmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\CIMV2	简易封包工具_3.2.0.1.exe

pid	process
1984	简易封包工具_3.2.0.1.exe

pid	process
1984	简易封包工具_3.2.0.1.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

简易封包工具_3.2.0.1.execmd.exe

description	pid	process	target process
PID 1984 wrote to memory of 2012	1984	简易封包工具_3.2.0.1.exe	cmd.exe
PID 1984 wrote to memory of 2012	1984	简易封包工具_3.2.0.1.exe	cmd.exe
PID 1984 wrote to memory of 2012	1984	简易封包工具_3.2.0.1.exe	cmd.exe
PID 1984 wrote to memory of 2012	1984	简易封包工具_3.2.0.1.exe	cmd.exe
PID 2012 wrote to memory of 2380	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 2380	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 2380	2012	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2380 attrib.exe

pid	process
2380	attrib.exe

C:\Users\Admin\AppData\Local\Temp\简易封包工具_3.2.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\简易封包工具_3.2.0.1.exe"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h %Temp%\nsis
2⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\system32\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\nsis
3⤵
- Views/modifies file attributes
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\logo1.jpg

Filesize
44KB

MD5
c6d39d004349be6a165bf37f1abe9d40

SHA1
6c8c4093f193f9c7497fff3a3b951649ab987afd

SHA256
5ab6102546d5703cd8005470e4d2cf3f2d13116a29880d6d29e416d30fda7d9b

SHA512
dea9adafe5dcdb479b957d8e0178a4ac6cc66787e2127842a8f01ecb806358041223ced54dc69d80b4f98668152f4b4c7162d6497cfc02029d5f84e8011b4049

Download Submit
C:\Users\Admin\AppData\Local\Temp\logo2.jpg

Filesize
8KB

MD5
a514c6ecd2248035e7587c2f19678f4a

SHA1
2e1429e26849143b534c4a6e6844e9e06daaa15a

SHA256
5064c6102894549c38754a80c8020ec4c9f1b3e63fb84ac1753df8c80f0d3767

SHA512
4c7f6d8d12f68f31e3c5dd7e3ef10d24cb1be102e2283a63b85ce389666aa64aa40a78e22e111a6887c86067ecb2e9653a13cf61b9d2af18dedffae1adf8cd72

Download Submit
memory/1984-0-0x00000000008D0000-0x0000000000BB7000-memory.dmp

Filesize
2.9MB

Download
memory/1984-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1984-17-0x00000000008D0000-0x0000000000BB7000-memory.dmp

Filesize
2.9MB

Download
memory/1984-19-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1984-40-0x00000000008D0000-0x0000000000BB7000-memory.dmp

Filesize
2.9MB

Download