Analysis
- max time kernel: 2s
- max time network: 4s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05-10-2024 08:55
Tasks
- Static task static1
- Behavioral task behavioral1: sample Furry开户工具.exe, resource win7-20240903-en
- Behavioral task behavioral2: sample Furry开户工具.exe, resource win10v2004-20240802-en
- Behavioral task behavioral3: sample libcurl-x64.dll, resource win7-20240903-en
- Behavioral task behavioral4: sample libcurl-x64.dll, resource win10v2004-20240802-en
General
- Target: Furry开户工具.exe
- Size: 370KB
- MD5: 75be151829b2bc2e9e081c1ede0fd0e0
- SHA1: 8cb585ca1e98abe3e3d9dfad899ba516d3583033
- SHA256: 43ed2eb30e5053663f55617b39dc89e8cce80b896c1c57ed507dd52be94c597b
- SHA512: e6f88991819d41dfca51d682f28a829aa745e96e5bc674dac0e7b96e4a03ce6af5a1179fed29f9b73a0239fc695acb98b5b0f044735f9faaa55feaa3e4ca4266
- SSDEEP: 6144:QncHno/Bv6GDKHa1no2/bMgnwj+gQjjU0zhwnJBlTK:ULvDU2/bMZjtgjxzUlTK
Malware Config
(none extracted)

Signatures
- Modifies file permissions (TTPs: 1, IoCs: 1)
  Processes (pid, process):
  - 2932 takeown.exe
- Unexpected DNS network traffic destination (IoCs: 3)
  Traffic on the DNS port to servers other than the configured DNS servers was detected.
  IoCs (description, ioc):
  - Destination IP 208.67.222.222
  - Destination IP 208.67.222.222
  - Destination IP 208.67.222.222
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification (TTPs: 1)
- Gathers system information (TTPs: 1, IoCs: 1)
  Runs systeminfo.exe.
- Suspicious use of AdjustPrivilegeToken (IoCs: 40)
  Processes (description, pid, process):
  - Token: SeIncreaseQuotaPrivilege 2420 WMIC.exe
  - Token: SeSecurityPrivilege 2420 WMIC.exe
  - Token: SeTakeOwnershipPrivilege 2420 WMIC.exe
  - Token: SeLoadDriverPrivilege 2420 WMIC.exe
  - Token: SeSystemProfilePrivilege 2420 WMIC.exe
  - Token: SeSystemtimePrivilege 2420 WMIC.exe
  - Token: SeProfSingleProcessPrivilege 2420 WMIC.exe
  - Token: SeIncBasePriorityPrivilege 2420 WMIC.exe
  - Token: SeCreatePagefilePrivilege 2420 WMIC.exe
  - Token: SeBackupPrivilege 2420 WMIC.exe
  - Token: SeRestorePrivilege 2420 WMIC.exe
  - Token: SeShutdownPrivilege 2420 WMIC.exe
  - Token: SeDebugPrivilege 2420 WMIC.exe
  - Token: SeSystemEnvironmentPrivilege 2420 WMIC.exe
  - Token: SeRemoteShutdownPrivilege 2420 WMIC.exe
  - Token: SeUndockPrivilege 2420 WMIC.exe
  - Token: SeManageVolumePrivilege 2420 WMIC.exe
  - Token: 33 2420 WMIC.exe
  - Token: 34 2420 WMIC.exe
  - Token: 35 2420 WMIC.exe
  - Token: SeIncreaseQuotaPrivilege 2420 WMIC.exe
  - Token: SeSecurityPrivilege 2420 WMIC.exe
  - Token: SeTakeOwnershipPrivilege 2420 WMIC.exe
  - Token: SeLoadDriverPrivilege 2420 WMIC.exe
  - Token: SeSystemProfilePrivilege 2420 WMIC.exe
  - Token: SeSystemtimePrivilege 2420 WMIC.exe
  - Token: SeProfSingleProcessPrivilege 2420 WMIC.exe
  - Token: SeIncBasePriorityPrivilege 2420 WMIC.exe
  - Token: SeCreatePagefilePrivilege 2420 WMIC.exe
  - Token: SeBackupPrivilege 2420 WMIC.exe
  - Token: SeRestorePrivilege 2420 WMIC.exe
  - Token: SeShutdownPrivilege 2420 WMIC.exe
  - Token: SeDebugPrivilege 2420 WMIC.exe
  - Token: SeSystemEnvironmentPrivilege 2420 WMIC.exe
  - Token: SeRemoteShutdownPrivilege 2420 WMIC.exe
  - Token: SeUndockPrivilege 2420 WMIC.exe
  - Token: SeManageVolumePrivilege 2420 WMIC.exe
  - Token: 33 2420 WMIC.exe
  - Token: 34 2420 WMIC.exe
  - Token: 35 2420 WMIC.exe
- Suspicious use of FindShellTrayWindow (IoCs: 1)
  Processes (pid, process):
  - 3052 Furry开户工具.exe
- Suspicious use of WriteProcessMemory (IoCs: 21)
  Processes (description, pid, process, procid_target):
  - PID 3052 wrote to memory of 2544, 3052 Furry开户工具.exe, 31
  - PID 3052 wrote to memory of 2544, 3052 Furry开户工具.exe, 31
  - PID 3052 wrote to memory of 2544, 3052 Furry开户工具.exe, 31
  - PID 2544 wrote to memory of 2420, 2544 cmd.exe, 32
  - PID 2544 wrote to memory of 2420, 2544 cmd.exe, 32
  - PID 2544 wrote to memory of 2420, 2544 cmd.exe, 32
  - PID 3052 wrote to memory of 2416, 3052 Furry开户工具.exe, 34
  - PID 3052 wrote to memory of 2416, 3052 Furry开户工具.exe, 34
  - PID 3052 wrote to memory of 2416, 3052 Furry开户工具.exe, 34
  - PID 2416 wrote to memory of 1656, 2416 cmd.exe, 35
  - PID 2416 wrote to memory of 1656, 2416 cmd.exe, 35
  - PID 2416 wrote to memory of 1656, 2416 cmd.exe, 35
  - PID 3052 wrote to memory of 2364, 3052 Furry开户工具.exe, 36
  - PID 3052 wrote to memory of 2364, 3052 Furry开户工具.exe, 36
  - PID 3052 wrote to memory of 2364, 3052 Furry开户工具.exe, 36
  - PID 2364 wrote to memory of 2968, 2364 cmd.exe, 37
  - PID 2364 wrote to memory of 2968, 2364 cmd.exe, 37
  - PID 2364 wrote to memory of 2968, 2364 cmd.exe, 37
  - PID 3052 wrote to memory of 2964, 3052 Furry开户工具.exe, 39
  - PID 3052 wrote to memory of 2964, 3052 Furry开户工具.exe, 39
  - PID 3052 wrote to memory of 2964, 3052 Furry开户工具.exe, 39
Processes (process tree; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe"
  PID: 3052
  Signatures: Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wmic nicconfig get ipaddress
    PID: 2544
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic nicconfig get ipaddress
      PID: 2420
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com
    PID: 2416
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\nslookup.exe
      Command line: nslookup myip.opendns.com resolver1.opendns.com
      PID: 1656
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c systeminfo
    PID: 2364
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\systeminfo.exe
      Command line: systeminfo
      PID: 2968
      Signatures: Gathers system information
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c takeown /f "C:\Windows\System32\ntoskrnl.exe"
    PID: 2964
    - C:\Windows\system32\takeown.exe
      Command line: takeown /f "C:\Windows\System32\ntoskrnl.exe"
      PID: 2932
      Signatures: Modifies file permissions