Analysis

  • max time kernel
    133s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-08-2024 15:25

General

  • Target

    .exe

  • Size

    7.8MB

  • MD5

    ddce1d8422132feb58ce06d08e4dd570

  • SHA1

    4861bb5afca9bcf464f93fdbd31d5bcdb6af8344

  • SHA256

    263e7ca7701fe761a6f8cf28bebb4690cff47812b7cbc1c3a301e99a4cb86bec

  • SHA512

    ee5685523a427af864a3f7a49b5cdd7ee778fbf71fd51fd1a5d5d09afbb86c9a9ca953a4f716d04f0ad2a5408935b4cd2a15d21d8ba611e57f97828ae67d23dc

  • SSDEEP

    196608:quBUad84j8rEW8ycQk50hYuwtpB797AxhBu7OTK:qgUK89lcQIruwtpBZoXK

Score
8/10

Malware Config

Signatures

  • Manipulates Digital Signatures 1 TTPs 1 IoCs

    Attackers can modify the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL 3 IoCs
  • Enumerates processes with tasklist 1 TTPs 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 7 IoCs
  • Runs ping.exe 1 TTPs 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\.exe
    "C:\Users\Admin\AppData\Local\Temp\.exe"
    1⤵
    • Manipulates Digital Signatures
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\640.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 640"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1868
      • C:\Windows\SysWOW64\find.exe
        find /i "640"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3092
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4084
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 640"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2396
      • C:\Windows\SysWOW64\find.exe
        find /i "640"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1604
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5016
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 640"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:676
      • C:\Windows\SysWOW64\find.exe
        find /i "640"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3936
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3164
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 640"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2348
      • C:\Windows\SysWOW64\find.exe
        find /i "640"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1448
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4952
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 640"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5116
      • C:\Windows\SysWOW64\find.exe
        find /i "640"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4528
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4504
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 640"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4232
      • C:\Windows\SysWOW64\find.exe
        find /i "640"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3752
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2928
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 640"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4896
      • C:\Windows\SysWOW64\find.exe
        find /i "640"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4828
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4416
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 640"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:712
      • C:\Windows\SysWOW64\find.exe
        find /i "640"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1080
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4780
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 640"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:636
      • C:\Windows\SysWOW64\find.exe
        find /i "640"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2188
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2300
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 640"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4808
      • C:\Windows\SysWOW64\find.exe
        find /i "640"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4008
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5012
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "pid eq 640"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:760
      • C:\Windows\SysWOW64\find.exe
        find /i "640"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2056
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1300
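
The cmd.exe child above runs the same three commands eleven times: tasklist /nh /fi "pid eq 640" filtered through find /i "640" tests whether PID 640 (the dropped .exe, the parent of this cmd.exe) is still running, and ping -n 2 127.0.0.1 is the usual batch-file substitute for a one-second sleep; only the last round drops to ping -n 1. The content of 640.bat is not shown on this page, but this tree is consistent with the common batch idiom of polling until the parent process exits, typically so that the batch file can then delete or replace it. The following detector is an added example and not part of the sandbox report. It runs over Sysmon-style process-creation records constructed to mirror the tree above (the child PIDs are synthetic; the real ones are listed in the tree), flags a cmd.exe whose children repeatedly poll one PID with tasklist between loopback pings, and reports whether the polled PID is that cmd.exe's own parent:

```python
"""Detect the tasklist/find/ping parent-wait loop from the process tree above.

Added example. The event records are constructed to mirror the report's
Processes section; they are not the sandbox's raw log output.
"""
import re
from collections import defaultdict


def build_report_events(rounds=11):
    """Constructed process-creation records shaped after the report:
    the dropped .exe (PID 640) runs cmd.exe on 640.bat, which polls for
    PID 640 and sleeps via loopback ping. Child PIDs are synthetic."""
    events = [
        {"pid": 640, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\.exe",
         "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\.exe"'},
        {"pid": 1772, "ppid": 640, "image": r"C:\Windows\SysWOW64\cmd.exe",
         "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\640.bat" "'},
    ]
    next_pid = 2000
    for i in range(rounds):
        count = 1 if i == rounds - 1 else 2  # the final round in the report uses -n 1
        for image, cmdline in (
            (r"C:\Windows\SysWOW64\tasklist.exe", 'tasklist /nh /fi "pid eq 640"'),
            (r"C:\Windows\SysWOW64\find.exe", 'find /i "640"'),
            (r"C:\Windows\SysWOW64\PING.EXE", f"ping -n {count} 127.0.0.1"),
        ):
            events.append({"pid": next_pid, "ppid": 1772, "image": image, "cmdline": cmdline})
            next_pid += 1
    return events


# Constructed benign control: an interactive shell running tasklist once and pinging a host.
BENIGN_EVENTS = [
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 901, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 902, "ppid": 901, "image": r"C:\Windows\System32\tasklist.exe",
     "cmdline": 'tasklist /fi "imagename eq notepad.exe"'},
    {"pid": 903, "ppid": 901, "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping -n 4 10.0.0.1"},
]

TASKLIST_PID_FILTER = re.compile(r'\btasklist(?:\.exe)?\b.*?/fi\s+"?pid\s+eq\s+(\d+)"?', re.IGNORECASE)
PING_LOOPBACK = re.compile(r'\bping(?:\.exe)?\b.*?\b127\.0\.0\.1\b', re.IGNORECASE)
BATCH_PATH = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:bat|cmd))', re.IGNORECASE)


def find_parent_wait_loops(events, min_rounds=3):
    """One hit per cmd.exe whose children poll a single PID with
    `tasklist /fi "pid eq N"` at least min_rounds times, interleaved with
    loopback pings used as a delay. polls_own_parent is True when N is the
    PID of that cmd.exe's own parent, i.e. a wait-for-parent-exit loop."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    hits = []
    for cmd_pid, kids in children.items():
        parent = by_pid.get(cmd_pid)
        if parent is None or not parent["image"].lower().endswith("\\cmd.exe"):
            continue
        polled = []
        for k in kids:
            m = TASKLIST_PID_FILTER.search(k["cmdline"])
            if m:
                polled.append(int(m.group(1)))
        if not polled:
            continue
        pings = sum(1 for k in kids if PING_LOOPBACK.search(k["cmdline"]))
        target = max(set(polled), key=polled.count)
        rounds = polled.count(target)
        if rounds < min_rounds or pings < min_rounds - 1:
            continue
        grandparent = by_pid.get(parent["ppid"])
        batch = BATCH_PATH.search(parent["cmdline"])
        hits.append({
            "cmd_pid": cmd_pid,
            "polled_pid": target,
            "rounds": rounds,
            "loopback_pings": pings,
            "polls_own_parent": grandparent is not None and grandparent["pid"] == target,
            "waited_on_image": grandparent["image"] if grandparent else None,
            "batch": batch.group(1) if batch else None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_parent_wait_loops(build_report_events()):
        print(hit)
```

The threshold of three rounds keeps a single diagnostic tasklist call from firing; what makes the pattern worth alerting on is the repetition, the loopback ping as a sleep, and the polled PID matching the grandparent. On a real host the same logic applies to Sysmon Event ID 1 or Windows 4688 records once ProcessId, ParentProcessId, Image and CommandLine are mapped onto the record fields used here.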

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\640.bat

    Filesize

    228B

    MD5

    12321bb41d982e8a2f036d4966461e53

    SHA1

    6dca85f6b8f171e4b85fa77fe4a32b23afe04422

    SHA256

    10b00519ae7d1201fc23bc6f9010464b0feb40d62151bb12cb2ee585c28b25f6

    SHA512

    af1ea64dc6db82cef763a9c006f588100860cd59a7bded57fef772ccf88b050a0f6c22d432b327270fa27f83fdee6719a0d8e978306dc37939cfa4118de22cbb

  • C:\Users\Admin\AppData\Local\Temp\640e57683f\TApi.dll

    Filesize

    1.8MB

    MD5

    20a87544961d0189b6f180fb330e96bd

    SHA1

    4eb6d4edecad1472ede74989753043704b754300

    SHA256

    e3a682bc9ab15846da7105c819b138c9aee29fbf43ab4c9d349ea9bac9ed6773

    SHA512

    239034fc0c7544556508f6a4c56697c1ed2b36a1c025c2429e1600c8b8497c82a10db9cb4093be3a74e597084c7397b576021b764173bb1a04c8de9a41fc59a6

  • C:\Users\Admin\AppData\Local\Temp\640e57683f\TLib.dll

    Filesize

    707KB

    MD5

    84d18da644ec2559aa8a9f5cdc3948c0

    SHA1

    660c10a221ace21b418e526de45453ef972e66c1

    SHA256

    b8ab64b00c2cb719d7dabdacf17187ff75e053aad1aeae7298b4e596a6edf354

    SHA512

    5d9e3e639995a921d0ec4fe591ceda6541895e07987644d7fdd039289e828564bb918a4ed0f6c6304ef8a89013b8dd05ddfa09ce51049e0ea1f45899e294c864

  • C:\Users\Admin\AppData\Local\Temp\640e57683f\t_baibaoyun_win32.dll

    Filesize

    1.2MB

    MD5

    22fb4088016272b0284a927187d89808

    SHA1

    ced1857001bb07529f3e4d5d66a00fca586081a3

    SHA256

    960fdf8a31e985b7c69b934ad3f19b55f4d52804113401060a7b7a7cf79391df

    SHA512

    6c195991a47694885acc429e192c29056e056ee3fb8d2dfa45cbb977cc129c80e1f8718ceba6686e47144dfa60515bf45cd2eee008cbfc0df5a7ea706758b116