Analysis
max time kernel: 145s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/09/2024, 19:55
Tasks (task id: sample, resource)
Static task static1
Behavioral task behavioral1: 优易163邮箱注册机 1.1 绿色版/EDataStructure.dll, win7-20240708-en
Behavioral task behavioral2: 优易163邮箱注册机 1.1 绿色版/EDataStructure.dll, win10v2004-20240802-en
Behavioral task behavioral3: 优易163邮箱注册机 1.1 绿色版/Exmlrpc.dll, win7-20240903-en
Behavioral task behavioral4: 优易163邮箱注册机 1.1 绿色版/Exmlrpc.dll, win10v2004-20240802-en
Behavioral task behavioral5: 优易163邮箱注册机 1.1 绿色版/HtmlView.dll, win7-20240903-en
Behavioral task behavioral6: 优易163邮箱注册机 1.1 绿色版/HtmlView.dll, win10v2004-20240802-en
Behavioral task behavioral7: 优易163邮箱注册机 1.1 绿色版/dp1.dll, win7-20240903-en
Behavioral task behavioral8: 优易163邮箱注册机 1.1 绿色版/dp1.dll, win10v2004-20240802-en
Behavioral task behavioral9: 优易163邮箱注册机 1.1 绿色版/eAPI.dll, win7-20240903-en
Behavioral task behavioral10: 优易163邮箱注册机 1.1 绿色版/eAPI.dll, win10v2004-20240802-en
Behavioral task behavioral11: 优易163邮箱注册机 1.1 绿色版/eImgConverter.dll, win7-20240903-en
Behavioral task behavioral12: 优易163邮箱注册机 1.1 绿色版/eImgConverter.dll, win10v2004-20240802-en
Behavioral task behavioral13: 优易163邮箱注册机 1.1 绿色版/iext.dll, win7-20240708-en
Behavioral task behavioral14: 优易163邮箱注册机 1.1 绿色版/iext.dll, win10v2004-20240802-en
Behavioral task behavioral15: 优易163邮箱注册机 1.1 绿色版/internet.dll, win7-20240903-en
Behavioral task behavioral16: 优易163邮箱注册机 1.1 绿色版/internet.dll, win10v2004-20240802-en
Behavioral task behavioral17: 优易163邮箱注册机 1.1 绿色版/krnln.dll, win7-20240903-en
Behavioral task behavioral18: 优易163邮箱注册机 1.1 绿色版/krnln.dll, win10v2004-20240802-en
Behavioral task behavioral19: 优易163邮箱注册机 1.1 绿色版/shell.dll, win7-20240903-en
Behavioral task behavioral20: 优易163邮箱注册机 1.1 绿色版/shell.dll, win10v2004-20240802-en
Behavioral task behavioral21: 优易163邮箱注册机 1.1 绿色版/spec.dll, win7-20240903-en
Behavioral task behavioral22: 优易163邮箱注册机 1.1 绿色版/spec.dll, win10v2004-20240910-en
Behavioral task behavioral23: 优易163邮箱注册机 1.1 绿色版/优易163邮箱注册软件.exe, win7-20240903-en
Behavioral task behavioral24: 优易163邮箱注册机 1.1 绿色版/优易163邮箱注册软件.exe, win10v2004-20240802-en
Behavioral task behavioral25: 使用说明.html, win7-20240704-en
Behavioral task behavioral26: 使用说明.html, win10v2004-20240802-en
Behavioral task behavioral27: 使用说明.url, win7-20240903-en
Behavioral task behavioral28: 使用说明.url, win10v2004-20240802-en
Behavioral task behavioral29: 极速软件下载.url, win7-20240729-en
Behavioral task behavioral30: 极速软件下载.url, win10v2004-20240802-en
General
Target: 使用说明.html
Size: 79B
MD5: e42e985ca15fa65fdf0ce8ba8c88fc9f
SHA1: c2f83bf5752b437420b5453eac38f3fcdac9ed26
SHA256: befe46777de125b91e2e2496d7f311797b1902cb27c96780729749b86fca877c
SHA512: c1d5d28db26910be83f19b074f56dec07e4d1b3900080113a16ccbc46fd6682edb229b7927b0501a90f1e7773d74a340e35fc4589be600401570672fb357ea85
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
    description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName; process: msedge.exe
    description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS; process: msedge.exe
    description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer; process: msedge.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
    pid/process: 2720 msedge.exe (2 entries), 4904 msedge.exe (2 entries), 2140 msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
    pid/process: 4904 msedge.exe (3 entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
    pid/process: 4904 msedge.exe (25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
    pid/process: 4904 msedge.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
    All 64 entries have pid 4904 (msedge.exe) as the writer; grouped by target (procid_target in parentheses):
    PID 4904 wrote to memory of 3048 (81): 2 entries
    PID 4904 wrote to memory of 4348 (82): 40 entries
    PID 4904 wrote to memory of 2720 (83): 2 entries
    PID 4904 wrote to memory of 3500 (84): 20 entries
Processes
Process tree (indentation shows parent/child depth; command line, signatures, PID)

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\使用说明.html
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    PID: 4904

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab96846f8,0x7ffab9684708,0x7ffab9684718
        PID: 3048

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,851610062400984544,14049454401613391433,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
        PID: 4348

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,851610062400984544,14049454401613391433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses
        PID: 2720

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,851610062400984544,14049454401613391433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
        PID: 3500

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,851610062400984544,14049454401613391433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
        PID: 1820

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,851610062400984544,14049454401613391433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
        PID: 1416

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,851610062400984544,14049454401613391433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
        PID: 3236

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,851610062400984544,14049454401613391433,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4888 /prefetch:2
        Signatures: Suspicious behavior: EnumeratesProcesses
        PID: 2140

C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 4156

C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 116
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
    Filesize: 152B
    MD5: ff63763eedb406987ced076e36ec9acf
    SHA1: 16365aa97cd1a115412f8ae436d5d4e9be5f7b5d
    SHA256: 8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c
    SHA512: ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download 2
    Filesize: 152B
    MD5: 2783c40400a8912a79cfd383da731086
    SHA1: 001a131fe399c30973089e18358818090ca81789
    SHA256: 331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5
    SHA512: b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download 3
    Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 72B
    MD5: 06b4abf8c370d441b7c06f1ae1100080
    SHA1: f7e3cc811807b8a1e6ead264178843a152b646ed
    SHA256: 5da8966c666df07c08bfe39d8e76886658ba642fb5c1b1b2fa69e2a3385826da
    SHA512: 990f57c7d1ab1b1a32f89d16cd1c1ab5e717dcd7f9a500d44690d69f58bb962129e9d500c3a7a323accb8f60fe46cd05d4a4f18590e7eba7d5da72da9ea6ceb4

Download 4
    Filesize: 6KB
    MD5: fb14e248d68a70cd914197a535c6692f
    SHA1: c530f75ca3e45ba45cd694970afc7425913e526e
    SHA256: a61c71c936df1d71eb045472affc6e9f913b7accc2cac0e0fa6d2e2469a29168
    SHA512: 799fef849d3627b681e18bb7e2f2781f81abf088ce42da0b688133eb13b3c828499fc8d5c84cc07eb843babc4476eeb142e56019262e6b3cca28f2b23ae61385

Download 5
    Filesize: 5KB
    MD5: b07081682064f85ccecb52fdd2b690f2
    SHA1: 348b52da6e179a7c1e642756b7851d255e1eb09f
    SHA256: 517e8d3f5a6a0194a3e4c1d31c739dc66a0c436426088d6ba523ef9460fa729e
    SHA512: 480c8147d599d761ac52c65702e92f65dd3dc3a2ecc85bb1c16e6c849af931685fe8948bfb7c3507acfd4b2977b9c132b2bc162031157c9bb94ccbaa9c88095c

Download 6
    Filesize: 6KB
    MD5: 7e61d1b4d6c93dd6565ac5838e383615
    SHA1: 175975d1accd48c2b51b7bd17e7faf440a77b05c
    SHA256: a110397bc1a451675ecbb99743661cf0577be540f0fde780270914517a6ec45a
    SHA512: a1ecf003f7a9063cb9bcf7f03222cbfc3e74e4354b906896daf2d149aeebca85373ca31e4d672d820d4a752828604fb09928f248c49bd55dc990d0d7c8ce7921

Download 7
    Filesize: 10KB
    MD5: ba62ffae0f52bd19ca54c54f4aa9aa00
    SHA1: fcee532764906eb179db9987dfcfe7da4cfa0b04
    SHA256: d7179475b23d8f5750b0594858c3282efe10916025d1dfbe5be7b9b1e91acd2c
    SHA512: efa3a05d41ca190da2d84e1c47270737ee25c01e033e1fdf8b2b0e918b2ededc0a3867ac9fabdeae2040a437c072418845b4e368438619b1b55fe567e9c34bb2