Overview

overview

7

Static

static

7

fangdai_setup.exe

windows7-x64

7

fangdai_setup.exe

windows10-2004-x64

7

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

FangDai.exe

windows7-x64

3

FangDai.exe

windows10-2004-x64

1

Update.dll

windows7-x64

1

Update.dll

windows10-2004-x64

3

uninst.exe

windows7-x64

7

uninst.exe

windows10-2004-x64

7

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

新云软件.url

windows7-x64

1

新云软件.url

windows10-2004-x64

1

Analysis

  • max time kernel
    128s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/07/2024, 09:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    uninst.exe

  • Size

    42KB

  • MD5

    bcdabdb9e3e363a93b079fd4a198d1d8

  • SHA1

    4b0c74673e26bcf1731f2f020f1f96d107e686d0

  • SHA256

    16e6bd0a68d0c6a1974fb05488dccf3546c482cc1703c0f6dfdab4082fccdb2c

  • SHA512

    d01a264c9d4539276a9bb7828df7ad46df02ff5f39fca0f6f8307d23ec303a08a101e09f309b7e293a0eb18720c320d9002ce1c6347c7c5197ae35a579675fba

  • SSDEEP

    768:7hMZ0dF4ZFvQbn+eePu3cIQGCGbiC4k42M3wJJDfED+5Y6:7yZMSZFvknTePMZd4k4kJJDH5L

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\uninst.exe
    "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3380
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:4156

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nstE8DA.tmp\FindProcDLL.dll
          Filesize

          3KB

          MD5

          8614c450637267afacad1645e23ba24a

          SHA1

          e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

          SHA256

          0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

          SHA512

          af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
          Filesize

          42KB

          MD5

          bcdabdb9e3e363a93b079fd4a198d1d8

          SHA1

          4b0c74673e26bcf1731f2f020f1f96d107e686d0

          SHA256

          16e6bd0a68d0c6a1974fb05488dccf3546c482cc1703c0f6dfdab4082fccdb2c

          SHA512

          d01a264c9d4539276a9bb7828df7ad46df02ff5f39fca0f6f8307d23ec303a08a101e09f309b7e293a0eb18720c320d9002ce1c6347c7c5197ae35a579675fba

          Download Submit

        • memory/4156-10-0x0000000010000000-0x0000000010003000-memory.dmp

          Filesize

          12KB

          Download