Analysis
- max time kernel: 141s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 21-07-2024 16:15
Behavioral tasks
- behavioral1: replacesetup.exe (resource win7-20240704-en)
- behavioral2: replacesetup.exe (resource win10v2004-20240709-en)
- behavioral3: Clash Packager/简易封包工具_3.2.0.1.exe (resource win7-20240704-en)
- behavioral4: Clash Packager/简易封包工具_3.2.0.1.exe (resource win10v2004-20240709-en)
- behavioral5: Sinicization/npp.8.1.4.Installer.exe (resource win7-20240708-en)
- behavioral6: Sinicization/npp.8.1.4.Installer.exe (resource win10v2004-20240709-en)
- behavioral7: $PLUGINSDIR/InstallOptions.dll (resource win7-20240708-en)
- behavioral8: $PLUGINSDIR/InstallOptions.dll (resource win10v2004-20240709-en)
- behavioral9: $PLUGINSDIR/System.dll (resource win7-20240708-en)
- behavioral10: $PLUGINSDIR/System.dll (resource win10v2004-20240709-en)
- behavioral11: $PLUGINSDIR/nsDialogs.dll (resource win7-20240708-en)
- behavioral12: $PLUGINSDIR/nsDialogs.dll (resource win10v2004-20240709-en)
- behavioral13: asar/linux安装asar文件解压打包组件.docx (resource win7-20240705-en)
- behavioral14: asar/linux安装asar文件解压打包组件.docx (resource win10v2004-20240709-en)
- behavioral15: Clash-for-Windows_Chinese-CFA/chinese_file/Manual-Chinese/renderer.js (resource win7-20240704-en)
- behavioral16: Clash-for-Windows_Chinese-CFA/chinese_file/Manual-Chinese/renderer.js (resource win10v2004-20240709-en)
- behavioral17: Clash-for-Windows_Chinese-CFA/chinese_file/Sinicization_files/main.js (resource win7-20240704-en)
- behavioral18: Clash-for-Windows_Chinese-CFA/chinese_file/Sinicization_files/main.js (resource win10v2004-20240709-en)
- behavioral19: Clash-for-Windows_Chinese-CFA/chinese_file/Sinicization_files/renderer.js (resource win7-20240704-en)
- behavioral20: Clash-for-Windows_Chinese-CFA/chinese_file/Sinicization_files/renderer.js (resource win10v2004-20240709-en)
- behavioral21: 简易封包工具_3.2.0.1.exe (resource win7-20240704-en)
- behavioral22: 简易封包工具_3.2.0.1.exe (resource win10v2004-20240709-en)
General
- Target: Clash Packager/简易封包工具_3.2.0.1.exe
- Size: 1.4MB
- MD5: 4b7c4479a1dc4d57be23d11b3ca2a01b
- SHA1: e9e53ea73d4a0c842347e1a7c0bbe40da4e4702d
- SHA256: da2cf03939dc1ce1a873b8bc08b26aa13a797245419047cfe47032346ee9eab1
- SHA512: 412d94582b0a6984b8db5262f31d7f4112e73e21a7077707ff319e5e9f7aec7f70698a9e3cb52d5297d9d98e07da7782cac727b75411e9b5bfe982b45fee1c09
- SSDEEP: 24576:gBXu9HGaVHErIJt/gxC6UQcCEX8a5DJ0mjP5eJms18haH4dEEMO9xLYd:gw9VHxJt4o6UQcCDadJFgfOhg4MOnL
Malware Config
Signatures
- (signature heading absent on the page) yara rule upx matched in:
  - behavioral3/memory/2552-0-0x0000000000080000-0x0000000000367000-memory.dmp
  - behavioral3/memory/2552-17-0x0000000000080000-0x0000000000367000-memory.dmp
  - behavioral3/memory/2552-40-0x0000000000080000-0x0000000000367000-memory.dmp
- AutoIT Executable (2 IoCs): AutoIT scripts compiled to PE executables.
  - yara rule autoit_exe matched in:
    - behavioral3/memory/2552-17-0x0000000000080000-0x0000000000367000-memory.dmp
    - behavioral3/memory/2552-40-0x0000000000080000-0x0000000000367000-memory.dmp
- Hide Artifacts: Hidden Files and Directories (1 TTPs, 1 IoCs)
- NTFS ADS (1 IoCs)
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\Clash Packager\winmgmts:\localhost\root\CIMV2 (process: 简易封包工具_3.2.0.1.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  - PID 2552, 简易封包工具_3.2.0.1.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  - PID 2552, 简易封包工具_3.2.0.1.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  - PID 2552 (简易封包工具_3.2.0.1.exe) wrote to memory of PID 2624 (cmd.exe) (4 entries)
  - PID 2624 (cmd.exe) wrote to memory of PID 2700 (attrib.exe) (3 entries)
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\Clash Packager\简易封包工具_3.2.0.1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Clash Packager\简易封包工具_3.2.0.1.exe"
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c attrib +h %Temp%\nsis
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\system32\attrib.exe
      Command line: attrib +h C:\Users\Admin\AppData\Local\Temp\nsis
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\logo1.jpg
  - Filesize: 44KB
  - MD5: c6d39d004349be6a165bf37f1abe9d40
  - SHA1: 6c8c4093f193f9c7497fff3a3b951649ab987afd
  - SHA256: 5ab6102546d5703cd8005470e4d2cf3f2d13116a29880d6d29e416d30fda7d9b
  - SHA512: dea9adafe5dcdb479b957d8e0178a4ac6cc66787e2127842a8f01ecb806358041223ced54dc69d80b4f98668152f4b4c7162d6497cfc02029d5f84e8011b4049
- C:\Users\Admin\AppData\Local\Temp\logo2.jpg
  - Filesize: 8KB
  - MD5: a514c6ecd2248035e7587c2f19678f4a
  - SHA1: 2e1429e26849143b534c4a6e6844e9e06daaa15a
  - SHA256: 5064c6102894549c38754a80c8020ec4c9f1b3e63fb84ac1753df8c80f0d3767
  - SHA512: 4c7f6d8d12f68f31e3c5dd7e3ef10d24cb1be102e2283a63b85ce389666aa64aa40a78e22e111a6887c86067ecb2e9653a13cf61b9d2af18dedffae1adf8cd72
- memory/2552-0-0x0000000000080000-0x0000000000367000-memory.dmp
  - Filesize: 2.9MB
- memory/2552-1-0x0000000000400000-0x0000000000401000-memory.dmp
  - Filesize: 4KB
- memory/2552-17-0x0000000000080000-0x0000000000367000-memory.dmp
  - Filesize: 2.9MB
- memory/2552-19-0x0000000000400000-0x0000000000401000-memory.dmp
  - Filesize: 4KB
- memory/2552-40-0x0000000000080000-0x0000000000367000-memory.dmp
  - Filesize: 2.9MB