5e1a5015faf7d12c0b6b3faf02e74ae3beaceb361956c98e4e461444d153a848

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

右键显示隐藏系统文件.exe
Size

414KB
MD5

6d41ee8c4bd2b574b02a29ce0b023eb9
SHA1

6357ac007742c6b8fc6c10eb303bf729af663ce9
SHA256

9f6bb66ec52ebb6d52006955dc94399c51d192dbec076df269de0552593b12ce
SHA512

e0732b54b4b4edcf35f1d99df9a7dddb9d6d1a91545be6657f55318e98f80ab5dbf7b0701b62c327be14e52bbe5b69b8117946deecbdd204ad3cb0fed5af3525
SSDEEP

6144:aTfFDbRnOTrZc1JWGkTfFDbRnOTrZc1JFo7TfFDbRnOTrZc1JlBE:I5OG2GW5OGlo95OGFBE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
296	set.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	右键显示隐藏系统文件.exe
1736	右键显示隐藏系统文件.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	右键显示隐藏系统文件.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	set.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
296	set.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 296	1736	右键显示隐藏系统文件.exe	31
PID 1736 wrote to memory of 296	1736	右键显示隐藏系统文件.exe	31
PID 1736 wrote to memory of 296	1736	右键显示隐藏系统文件.exe	31
PID 1736 wrote to memory of 296	1736	右键显示隐藏系统文件.exe	31

C:\Users\Admin\AppData\Local\Temp\右键显示隐藏系统文件.exe
"C:\Users\Admin\AppData\Local\Temp\右键显示隐藏系统文件.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\set.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\set.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\set.exe

Filesize
60KB

MD5
524a62841d9fab0d9d49f5bcff7bd8b1

SHA1
2c0243210aaebab392304237d6d651f8d72cb032

SHA256
065cdb23f4bf29e57a425f89c92631589a6d93489d2972ea5e13a6390352197a

SHA512
eb9aa16b64e8ea806c74acb8ea1bc96ad42124a4d2cb5617daf2f784172200a6ec5ecdb28d886483c7ee8b40407f5dbf443dc063dbdce5f43f842ed5747d4872

Download Submit
memory/1736-16-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download