e4d899b71ba483dc9ccf5e66958e98a22efefb22f5c4980220f86679b366cdb4

Analysis

max time kernel
132s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lvxing360/国内机票查询.exe
Size

1.6MB
MD5

ab4d973a85b9d67e193b695532faf043
SHA1

25d5c37e2992c5f8b0ded21a16f6bd4d2e2f9ec9
SHA256

84daf510d8556e6588c17769faf77f4d0f9f11925e763d06670f44b1e08934ca
SHA512

bdb414a589cfb7eaf648090575dcf4fdbf46806a849478427dad96d2d0ddf559f2a625f90a51ad5a0a17f3a12c3fd721b8e68c976b5cd0ef92b72a5d0c1c2859
SSDEEP

49152:P6GlsD7+DiKoHcudNHdQXyzMakc3NJSa7Oicgk3A/mdFe5so6MG8D5rCt50kajLF:PblsWDiKo88MyxH6LsNd1bj37oeSWz9V

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	国内机票查询.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	国内机票查询.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	国内机票查询.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1432	国内机票查询.exe
1432	国内机票查询.exe
1432	国内机票查询.exe
1432	国内机票查询.exe

C:\Users\Admin\AppData\Local\Temp\lvxing360\国内机票查询.exe
"C:\Users\Admin\AppData\Local\Temp\lvxing360\国内机票查询.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lvxing360\data\ticketinfo.html

Filesize
3KB

MD5
ba79030344552a7af8e3e96805f26015

SHA1
dd9e6656887d693213b6e35e6c83c4f3711c846e

SHA256
4b2dd535df8be12bfbf468b26db42d27edcdded4922a9e0e6f38c06d58730eac

SHA512
d3f41231fae56d5f96e112156774d2757a66c4f2cc5fdf2af7b1da6330e90517b0094b12d0d3b1678f30b33972596d789dd73fd1ec7bef9ed6145dfe705b1eae

Download Submit