Analysis

max time kernel: 140s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22-07-2024 00:14
Static task: static1

Behavioral tasks
  behavioral1: sample FangSeQiang.exe, resource win7-20240704-en (this report)
  behavioral2: sample FangSeQiang.exe, resource win10v2004-20240709-en
  behavioral3: sample 新云软件.url, resource win7-20240705-en
  behavioral4: sample 新云软件.url, resource win10v2004-20240709-en
General

Target: FangSeQiang.exe
Size: 2.2MB
MD5: 10873d465c4f44e003618a2d952eccf9
SHA1: bcc51cd110b864986b27f27dd9718f75ab5a0a09
SHA256: a033f984b4bfeae116e8dd4c9813be890f05ce0fbf1727d45cb1e53aab977f2f
SHA512: 3f9233ba3eee2901fe1a1d443556e6564baa0afd3ad984f22b5cd9bd7e33419a4aa8229092c5388c18f851dd2ad88825093754c87107bd74cfaedc2f1c78d6fc
SSDEEP: 49152:y1ZMxeS4e9BtTs8VA/xs45bPuJnmHPuJnm1:y8gszIeMs45uJnmvuJnm
Malware Config
Signatures
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of FindShellTrayWindow (13 IoCs)
  pid   Process
  1628  FangSeQiang.exe   (13 identical hits)

Suspicious use of SendNotifyMessage (13 IoCs)
  pid   Process
  1628  FangSeQiang.exe   (13 identical hits)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1628  FangSeQiang.exe   (2 identical hits)

Suspicious use of WriteProcessMemory (20 IoCs)
  description                        pid   Process          procid_target
  PID 1628 wrote to memory of 2400   1628  FangSeQiang.exe  28   (4 identical rows)
  PID 1628 wrote to memory of 2900   1628  FangSeQiang.exe  29   (4 identical rows)
  PID 1628 wrote to memory of 2120   1628  FangSeQiang.exe  31   (4 identical rows)
  PID 1628 wrote to memory of 2456   1628  FangSeQiang.exe  32   (4 identical rows)
  PID 1628 wrote to memory of 2568   1628  FangSeQiang.exe  33   (4 identical rows)
  Every target PID (2400, 2900, 2120, 2456, 2568) is one of the attrib.exe children the sample itself spawns (see Processes), and each child receives the same four writes. That is the pattern of a parent setting up processes it has just created, not of writes into a process the sample did not start, so this signature on its own is weak evidence of injection here.

Views/modifies file attributes (1 TTP, 5 IoCs)
  pid   Process
  2400  attrib.exe
  2900  attrib.exe
  2120  attrib.exe
  2456  attrib.exe
  2568  attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\FangSeQiang.exe   PID 1628
  command line: "C:\Users\Admin\AppData\Local\Temp\FangSeQiang.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\attrib.exe   PID 2400   (child of 1628)
    command line: attrib +h C:\Users\Admin\AppData\Local\Temp\全屏截图
    (directory name means "full-screen screenshot"; the sandbox displayed it as È«ÆÁ½ØÍ¼, GBK bytes rendered as Latin-1)
    - Views/modifies file attributes

  C:\Windows\SysWOW64\attrib.exe   PID 2900   (child of 1628)
    command line: attrib +h C:\Users\Admin\AppData\Local\Temp\监控记录
    (directory name means "monitoring records"; displayed as ¼à¿Ø¼ÇÂ¼, same GBK-as-Latin-1 mangling)
    - Views/modifies file attributes

  C:\Windows\SysWOW64\attrib.exe   PID 2120   (child of 1628)
    command line: attrib +h *.dll
    - Views/modifies file attributes

  C:\Windows\SysWOW64\attrib.exe   PID 2456   (child of 1628)
    command line: attrib +h *.bat
    - Views/modifies file attributes

  C:\Windows\SysWOW64\attrib.exe   PID 2568   (child of 1628)
    command line: attrib +h FangSeQiangService.exe
    - Views/modifies file attributes

The last three attrib targets are relative paths, so they resolve against whatever working directory the sample was started in; the report does not record it.
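A detection pass over process-creation events shaped like the tree above, written here as an added example (it is not sandbox output and not the sample's code). It undoes the GBK-as-Latin-1 mojibake in the attrib command lines and flags any parent that hides several files, or any executable/script, with attrib +h. The event list is constructed from the PIDs and command lines in this report; the sample's parent PID 1000 and the two benign attrib.exe events under parent 3000 are assumptions added for contrast.

```python
import re
from collections import defaultdict


def demojibake(s, codec="gbk"):
    """Undo text that was GBK bytes but got displayed as Latin-1.

    'È«ÆÁ½ØÍ¼' -> '全屏截图'. Strings that do not survive the round trip
    (already-decoded CJK text, or bytes that are not valid GBK) are returned
    unchanged so the caller never loses the original IOC string.
    """
    try:
        return s.encode("latin-1").decode(codec)
    except (UnicodeEncodeError, UnicodeDecodeError):
        return s


# Constructed process-creation events (Sysmon Event ID 1 style fields) modelled
# on the report's process tree. PIDs, images and command lines of the sample and
# its attrib.exe children come from the report; ppid 1000 for the sample and the
# two attrib.exe events under parent 3000 are assumed, benign-looking contrast.
EVENTS = [
    {"pid": 1628, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\FangSeQiang.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\FangSeQiang.exe"'},
    {"pid": 2400, "ppid": 1628, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r"attrib +h C:\Users\Admin\AppData\Local\Temp\È«ÆÁ½ØÍ¼"},
    {"pid": 2900, "ppid": 1628, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r"attrib +h C:\Users\Admin\AppData\Local\Temp\¼à¿Ø¼ÇÂ¼"},
    {"pid": 2120, "ppid": 1628, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r"attrib +h *.dll"},
    {"pid": 2456, "ppid": 1628, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r"attrib +h *.bat"},
    {"pid": 2568, "ppid": 1628, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r"attrib +h FangSeQiangService.exe"},
    # Assumed benign activity: one hidden text file, and a read-only flag removal.
    {"pid": 3001, "ppid": 3000, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib +h C:\Users\Admin\Documents\draft.txt"},
    {"pid": 3002, "ppid": 3000, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib -r C:\Users\Admin\Documents\notes.txt"},
]

ATTRIB_IMAGE = re.compile(r"(?:^|\\)attrib(?:\.exe)?$", re.IGNORECASE)
CODE_EXTENSIONS = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js")


def parse_attrib(cmdline):
    """Return (flags, targets) for an attrib invocation, else None.

    Flags are the +X/-X switches; targets are every other token except
    /S-style options, with any mojibake in the path decoded.
    """
    tokens = cmdline.split()
    if not tokens or not ATTRIB_IMAGE.search(tokens[0].strip('"')):
        return None
    flags = {t.lower() for t in tokens[1:] if t[0] in "+-"}
    targets = [demojibake(t.strip('"')) for t in tokens[1:] if t[0] not in "+-/"]
    return flags, targets


def hides_code(target):
    """True when the hidden target is an executable or script (own components)."""
    return target.lower().endswith(CODE_EXTENSIONS)


def find_file_hiders(events, min_targets=2):
    """Map parent PID -> targets it hid via attrib +h (or +s).

    A parent is reported when it hides at least `min_targets` distinct targets
    or hides any executable/script, which is how the sample above conceals its
    own components (*.dll, *.bat, FangSeQiangService.exe).
    """
    hidden_by_parent = defaultdict(list)
    for ev in events:
        parsed = parse_attrib(ev["cmdline"])
        if parsed is None:
            continue
        flags, targets = parsed
        if "+h" in flags or "+s" in flags:
            hidden_by_parent[ev["ppid"]].extend(targets)
    return {
        ppid: targets for ppid, targets in hidden_by_parent.items()
        if len(set(targets)) >= min_targets or any(hides_code(t) for t in targets)
    }


if __name__ == "__main__":
    for ppid, targets in find_file_hiders(EVENTS).items():
        print(f"parent {ppid} hid {len(targets)} path(s):")
        for t in targets:
            print("   ", t)
```

Matching on the parent rather than on each attrib.exe event is what separates this sample from a user hiding one file: the sample's parent accumulates five hidden targets, three of them code, while the assumed benign parent hides a single text file and is only reported if the threshold is lowered to 1.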
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 89KB
MD5: e630b9e068295f2425a7f1f4f8c4b770
SHA1: f39df56a697065ccad344742d3ca45f023093736
SHA256: 145b73742f19fc194899575cba9fc0653e2e3a02728e8e51244f82409fcb5dd0
SHA512: 6fad4d3c36215fd0d21a31c6f05618835b3c7e22b61e04478031956da8425c72858ab31d33d2376068449adde19b4108f2026b2f044946767ebc6743f04c9ddd

Filesize: 7KB
MD5: 2d9d10efddd1014b754a36f289568b66
SHA1: 98ecfb1b093832c3c553ac9991ec82188a2af018
SHA256: 2589f9ddbb6f3e23fcd0f539a71e7fd2d5ab339537920421a3bb84d62f491b4c
SHA512: 293d828f9bd2f59ee4d02b7162285c9120bb92d637631418dd2e802469c7a07b0cab9e2d287e4df42ae1ed6691743b3e15bd1e9982ecd94caeebaf0fc49caef0