8c545d0f75765af6e91f51dde82aeb0f0c94868de17f317d99670f02fa3b3d95

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

U盘详情检查.exe
Size

322KB
MD5

da52ce82c0ba2351d8b814731d525578
SHA1

e17e5ede5aae894754c37d0ccaa6ead6761ffabf
SHA256

28c6539883030f2be813676c5afebb52cbbf60cdbb403a7ab0cd62fb3bf8741d
SHA512

52d8a7bf311b3d47c43b3caf274411019c0d3e48f9c03af01152ee56f0666693e68c5285827d4bc70468af591f92cd87d2d29b53bfd35c259ace6d51de0eb6ff
SSDEEP

6144:cyvmHjHnJuvoXZ+AP0yRSmQGDa3ed9hsA5XhXr9jBCSpFp5tXLL7FO2xVO:cNjHncoATPwZr5X7VTv0G8

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2108	ChipGenius.exe

Loads dropped DLL 1 IoCs

pid	Process
2088	U盘详情检查.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2088-0-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2088-16-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	U盘详情检查.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChipGenius.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2108	ChipGenius.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2108	2088	U盘详情检查.exe	30
PID 2088 wrote to memory of 2108	2088	U盘详情检查.exe	30
PID 2088 wrote to memory of 2108	2088	U盘详情检查.exe	30
PID 2088 wrote to memory of 2108	2088	U盘详情检查.exe	30

C:\Users\Admin\AppData\Local\Temp\U盘详情检查.exe
"C:\Users\Admin\AppData\Local\Temp\U盘详情检查.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\ChipGenius\ChipGenius.exe
  "C:\Users\Admin\AppData\Local\Temp\ChipGenius\ChipGenius.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ChipGenius\Chips.wdb

Filesize
87KB

MD5
911029c47b851e1f8edea7b00ae73ee0

SHA1
dc724be45ce6c6690016be97a7cbc85530c387b1

SHA256
3f51631bbe1181427bd0c53519cf24a53bbd06e9bf3d407fa490c55b831f1869

SHA512
1d97e29c10d83bc31a9c4e9d7fe8d76cfa9dbf37c71c36199b99d2b5261f336c73f32a6cf2533cb1486f0d46665bc85bf4027ef64d6540895d7deffb36c55631

Download Submit
\Users\Admin\AppData\Local\Temp\ChipGenius\ChipGenius.exe

Filesize
299KB

MD5
c225785c18c5ec684ea5a10fb3d56cc3

SHA1
05e12f3ec7cf52f915a974213b8aa3d7f3ffe28d

SHA256
8fd831c5bb24ee51f65699da378f127044314e7184042e44646b40c507d09bb4

SHA512
fbdbc67c8ab522ed940c4fe448587f3000b2754443c0d504b25203858c97442ac80795fa9005e889ad2bd6610a73449eb1dd29331bfb14b7d28333c8f6ab1c36

Download Submit
memory/2088-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-10-0x0000000002A20000-0x0000000002B3F000-memory.dmp

Filesize
1.1MB

Download
memory/2088-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-18-0x0000000002A20000-0x0000000002B3F000-memory.dmp

Filesize
1.1MB

Download
memory/2108-14-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2108-17-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download