Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-08-2024 15:25

General

  • Target

    .exe

  • Size

    7.8MB

  • MD5

    ddce1d8422132feb58ce06d08e4dd570

  • SHA1

    4861bb5afca9bcf464f93fdbd31d5bcdb6af8344

  • SHA256

    263e7ca7701fe761a6f8cf28bebb4690cff47812b7cbc1c3a301e99a4cb86bec

  • SHA512

    ee5685523a427af864a3f7a49b5cdd7ee778fbf71fd51fd1a5d5d09afbb86c9a9ca953a4f716d04f0ad2a5408935b4cd2a15d21d8ba611e57f97828ae67d23dc

  • SSDEEP

    196608:quBUad84j8rEW8ycQk50hYuwtpB797AxhBu7OTK:qgUK89lcQIruwtpBZoXK

Score
8/10

Malware Config

Signatures

  • Manipulates Digital Signatures 1 TTPs 1 IoCs

    Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Loads dropped DLL 3 IoCs
  • Enumerates processes with tasklist 1 TTPs 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Runs ping.exe 1 TTPs 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\.exe
    "C:\Users\Admin\AppData\Local\Temp\.exe"
    1⤵
    • Manipulates Digital Signatures
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\2128.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 2128"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2724
      • C:\Windows\SysWOW64\find.exe
        find /i "2128"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2800
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2664
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 2128"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3064
      • C:\Windows\SysWOW64\find.exe
        find /i "2128"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1124
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2896
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 2128"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1316
      • C:\Windows\SysWOW64\find.exe
        find /i "2128"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1496
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2132
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 2128"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1632
      • C:\Windows\SysWOW64\find.exe
        find /i "2128"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2648
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1740
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 2128"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2900
      • C:\Windows\SysWOW64\find.exe
        find /i "2128"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2904
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2228
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 2128"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2072
      • C:\Windows\SysWOW64\find.exe
        find /i "2128"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1764
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2360
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 2128"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:868
      • C:\Windows\SysWOW64\find.exe
        find /i "2128"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1136
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2036
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 2128"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2976
      • C:\Windows\SysWOW64\find.exe
        find /i "2128"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2068
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2244
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 2128"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2468
      • C:\Windows\SysWOW64\find.exe
        find /i "2128"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2252
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2044
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 2128"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1692
      • C:\Windows\SysWOW64\find.exe
        find /i "2128"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1840
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1100
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 2128"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2292
      • C:\Windows\SysWOW64\find.exe
        find /i "2128"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2184
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:976
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 2128"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1804
      • C:\Windows\SysWOW64\find.exe
        find /i "2128"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2032
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2128.bat

    Filesize

    230B

    MD5

    a19d99b8fcbf227bb41eb387f2934544

    SHA1

    f63797f56f7ad9259422250bf78e8f4bbc7e2dd3

    SHA256

    87a711c16a85c873722079e7cbf99bef788cffb362630eee62138b01c1a46c1d

    SHA512

    534ca832a8ec00a3b40860f10015f589fc0c0835b549bdd8f8df07c1b2d6a146ec761b66be6973dd646c31288254abff5a3e3d22d9ea9f89e50401c47451a9fa

  • \Users\Admin\AppData\Local\Temp\2128f787e44\TApi.dll

    Filesize

    1.8MB

    MD5

    20a87544961d0189b6f180fb330e96bd

    SHA1

    4eb6d4edecad1472ede74989753043704b754300

    SHA256

    e3a682bc9ab15846da7105c819b138c9aee29fbf43ab4c9d349ea9bac9ed6773

    SHA512

    239034fc0c7544556508f6a4c56697c1ed2b36a1c025c2429e1600c8b8497c82a10db9cb4093be3a74e597084c7397b576021b764173bb1a04c8de9a41fc59a6

  • \Users\Admin\AppData\Local\Temp\2128f787e44\TLib.dll

    Filesize

    707KB

    MD5

    84d18da644ec2559aa8a9f5cdc3948c0

    SHA1

    660c10a221ace21b418e526de45453ef972e66c1

    SHA256

    b8ab64b00c2cb719d7dabdacf17187ff75e053aad1aeae7298b4e596a6edf354

    SHA512

    5d9e3e639995a921d0ec4fe591ceda6541895e07987644d7fdd039289e828564bb918a4ed0f6c6304ef8a89013b8dd05ddfa09ce51049e0ea1f45899e294c864

  • \Users\Admin\AppData\Local\Temp\2128f787e44\t_baibaoyun_win32.dll

    Filesize

    1.2MB

    MD5

    22fb4088016272b0284a927187d89808

    SHA1

    ced1857001bb07529f3e4d5d66a00fca586081a3

    SHA256

    960fdf8a31e985b7c69b934ad3f19b55f4d52804113401060a7b7a7cf79391df

    SHA512

    6c195991a47694885acc429e192c29056e056ee3fb8d2dfa45cbb977cc129c80e1f8718ceba6686e47144dfa60515bf45cd2eee008cbfc0df5a7ea706758b116

  • memory/2128-0-0x0000000003A90000-0x000000000403B000-memory.dmp

    Filesize

    5.7MB