3da791f8ab359af88b00348860e6c053e3e466b6fccf5bccd796b9a6c77f698b

Analysis

max time kernel
141s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

百万库管王.exe
Size

2.3MB
MD5

a370d9c49ed51bdcc870073623959ea4
SHA1

9c65acd7cb0e054ef9c9fdbd2b55b1bd35871500
SHA256

dc7c1721de62a39629266e204692a78fe171f51b333b0e6be6346a50fab5174d
SHA512

649a0465819dd331ad6b4382486913f3fe83a0548dc4cb2d24bf1249af007ac8d20c75bcd620d6a80ea9f1699e49de517133d0c48bb1cedb052f2d0baddb5054
SSDEEP

49152:mVOdsoTKxYnpPqvnX2ZKv8bLvovjw/o1gH14U42bm5rZDxLFzm78:mcds9xcpqnX2EWnFyym5rZ1FJ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2312	百万库管王.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	百万库管王.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	百万库管王.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 2312	3168	百万库管王.exe	84
PID 3168 wrote to memory of 2312	3168	百万库管王.exe	84
PID 3168 wrote to memory of 2312	3168	百万库管王.exe	84

C:\Users\Admin\AppData\Local\Temp\百万库管王.exe
"C:\Users\Admin\AppData\Local\Temp\百万库管王.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Users\Admin\AppData\Local\Temp\is-95DS1.tmp\百万库管王.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-95DS1.tmp\百万库管王.tmp" /SL5="$502A2,1986376,146944,C:\Users\Admin\AppData\Local\Temp\百万库管王.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-95DS1.tmp\百万库管王.tmp

Filesize
1.1MB

MD5
6b0c5bb2b8ae83d99e16e3384b7b5544

SHA1
7175101d100d98506ab4b742f34fe245085e5e6b

SHA256
af8390db4c1c2e79e8fbd881d834b86b1c1888267cf916723c47b40947630bb0

SHA512
151d4f24f523186ae06cfd7278aa0898a7c34e0fb5ccaa3887d45351f4bb1f4b95509ce4f6ff3468fb747a31f24fd8b4e1f2330ca2931c30f24a45ca8d41cfc3

Download Submit
memory/2312-7-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2312-13-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/3168-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3168-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/3168-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download