Overview

Task selector (score, sample as displayed, platform). Sample names are truncated here exactly as the page shows them; the full names are in the task list under Analysis.

  Static                                       score 10
  2024年河….exe           windows7-x64          score 3
  2024年河….exe           windows10-2004-x64    score 10
  b286a5a36a….0b.exe      windows7-x64          score 10
  b286a5a36a….0b.exe      windows10-2004-x64    score 1
  content_17….69.scr      windows7-x64          score 5
  content_17….69.scr      windows10-2004-x64    score 10
  uninst.exe              windows7-x64          score 10
  uninst.exe              windows10-2004-x64    score 1
  《融通….exe             windows7-x64          score 8
  《融通….exe             windows10-2004-x64    score 1
Analysis

Task score: 1
max time kernel: 148s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2024 09:40 (1 November 2024; the analysis images used are dated October 2024)
Static task: static1

Behavioral tasks

  task          sample                                          resource
  behavioral1   2024年河北移动冬日取暖.exe                       win7-20241010-en
  behavioral2   2024年河北移动冬日取暖.exe                       win10v2004-20241007-en
  behavioral3   b286a5a36ab9f02b8c2b6b57d2282f0b.exe            win7-20241023-en
  behavioral4   b286a5a36ab9f02b8c2b6b57d2282f0b.exe            win10v2004-20241007-en
  behavioral5   content_1730298613069.scr                       win7-20240729-en
  behavioral6   content_1730298613069.scr                       win10v2004-20241007-en
  behavioral7   uninst.exe                                      win7-20240708-en
  behavioral8   uninst.exe                                      win10v2004-20241007-en
  behavioral9   《融通集团员工个人身份信息泄露处置手册》.exe      win7-20240903-en
  behavioral10  《融通集团员工个人身份信息泄露处置手册》.exe      win10v2004-20241007-en

The two Chinese file names translate as "2024 Hebei Mobile winter heating.exe" and "Rongtong Group employee personal identity information leak handling manual.exe"; both are lure-style document names on executables. This page is the report for behavioral4 (b286a5a36ab9f02b8c2b6b57d2282f0b.exe on win10v2004-20241007-en), which scored 1; the same sample scored 10 in the windows7-x64 task.
General

Target: b286a5a36ab9f02b8c2b6b57d2282f0b.exe
Size: 21.0MB
MD5: b286a5a36ab9f02b8c2b6b57d2282f0b
SHA1: 646560f8be01066d2b2ded465fc272fbd318c0c5
SHA256: 8baa66ade6cb8c14841a51e97bfda8836ca0e387009c96c075984b11476ee1ab
SHA512: e5994f11f566e30fb880bacba629674f00af0bfeac24c789e9eefebc11dc4b3eea3465bbe1a15adb4a3e42b8d9622965bdaac02e7b15ecbf8a028dfc9ac161ef
SSDEEP: 393216:qRbyUI273CAabyUI273CAmwGHgVDonQaNkhWtIZanwwU+fSJsv6tWKFdu9Cs:qRbNIgyAabNIgyAmwKMl+f
Malware Config
Signatures
All of the signatures below are generic behavioral heuristics ("Suspicious ..."), not family detections; none of them alone is a verdict.

Suspicious use of SetThreadContext (1 IoC)
  description                         | pid  | Process     | procid_target
  PID 4256 set thread context of 4928 | 4256 | svchost.exe | 88

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. The same keys are also read by ordinary software to obtain the CPU name and clock speed, so on its own this is a weak signal.
  description       | ioc                                                                   | Process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0       | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ  | svchost.exe

Modifies data under HKEY_USERS (5 IoCs)
  description     | ioc                                                                                  | Process
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie                               | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"  | svchost.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit                | svchost.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software                                                     | svchost.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft                                           | svchost.exe
Software\Microsoft\ActiveMovie\devenum is the DirectShow device-enumerator cache; it lands under HKEY_USERS\.DEFAULT because the writing svchost.exe runs under a service account rather than the logged-on user's profile.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid  | Process
  4376 | b286a5a36ab9f02b8c2b6b57d2282f0b.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
The report lists one row per call; collapsed here by process (row counts derived from the 64 rows):
  pid  | Process                              | rows
  4376 | b286a5a36ab9f02b8c2b6b57d2282f0b.exe | 2
  4256 | svchost.exe                          | 56
  4928 | dllhost.exe                          | 6

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description             | pid  | Process                              | rows
  Token: SeDebugPrivilege | 4376 | b286a5a36ab9f02b8c2b6b57d2282f0b.exe | 1
  Token: SeDebugPrivilege | 4256 | svchost.exe                          | 4
SeDebugPrivilege is what a process needs before it can open and write other processes' memory, so read this together with the WriteProcessMemory rows.

Suspicious use of SetWindowsHookEx (1 IoC)
  pid  | Process
  4376 | b286a5a36ab9f02b8c2b6b57d2282f0b.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                      | pid  | Process                              | procid_target | rows
  PID 4376 wrote to memory of 1156 | 4376 | b286a5a36ab9f02b8c2b6b57d2282f0b.exe | 19            | 4
  PID 4256 wrote to memory of 4928 | 4256 | svchost.exe                          | 88            | 5
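The WriteProcessMemory and SetThreadContext rows above can be read mechanically rather than by eye. The Python below is an added example written for this page; it is not part of the Triage report or of Triage's tooling. It parses those rows (copied verbatim from the signatures above), combines them with the parent links read off the Processes section further down, groups the rows per writer/target pair, and labels each pair by whether the target is the writer's own child (normal during CreateProcess, and the hollowing sequence when paired with SetThreadContext) or a process the writer never spawned. It also flags any svchost.exe whose shown parent is not services.exe. The PROCESS_TREE mapping, the function names and the label wording are the example's own assumptions, not Triage's.

```python
import re

# Rows copied from the report's "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" signatures (description, pid, Process,
# procid_target). These are the page's own data, not constructed.
REPORT_ROWS = """
PID 4376 wrote to memory of 1156 4376 b286a5a36ab9f02b8c2b6b57d2282f0b.exe 19
PID 4376 wrote to memory of 1156 4376 b286a5a36ab9f02b8c2b6b57d2282f0b.exe 19
PID 4376 wrote to memory of 1156 4376 b286a5a36ab9f02b8c2b6b57d2282f0b.exe 19
PID 4376 wrote to memory of 1156 4376 b286a5a36ab9f02b8c2b6b57d2282f0b.exe 19
PID 4256 wrote to memory of 4928 4256 svchost.exe 88
PID 4256 wrote to memory of 4928 4256 svchost.exe 88
PID 4256 wrote to memory of 4928 4256 svchost.exe 88
PID 4256 wrote to memory of 4928 4256 svchost.exe 88
PID 4256 wrote to memory of 4928 4256 svchost.exe 88
PID 4256 set thread context of 4928 4256 svchost.exe 88
"""

# Process tree as shown in the report's Processes section: pid -> (image name,
# parent pid). Parent links are read off the tree's nesting (assumption of this
# example); None means the parent is not shown on the page.
PROCESS_TREE = {
    1156: ("svchost.exe", None),   # -k netsvcs -p -s Schedule
    4256: ("svchost.exe", 1156),   # -k netsvcs
    4928: ("dllhost.exe", 4256),   # /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    4376: ("b286a5a36ab9f02b8c2b6b57d2282f0b.exe", None),
}

ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<target_id>\d+)"
)


def parse_rows(text):
    """Flattened signature rows -> list of {src, dst, action, image, target_id}."""
    events = []
    for m in ROW_RE.finditer(text):
        g = m.groupdict()
        events.append({
            "src": int(g["src"]),
            "dst": int(g["dst"]),
            "action": "write" if g["verb"].startswith("wrote") else "set_thread_context",
            "image": g["image"],
            "target_id": int(g["target_id"]),
        })
    return events


def relation(src, dst, tree):
    """'child' if the tree shows dst spawned by src, otherwise 'unrelated'."""
    return "child" if dst in tree and tree[dst][1] == src else "unrelated"


def summarize(events, tree):
    """Aggregate rows per (src, dst) pair: action counts plus the tree relation."""
    pairs = {}
    for e in events:
        key = (e["src"], e["dst"])
        p = pairs.setdefault(key, {
            "write": 0, "set_thread_context": 0,
            "src_image": tree.get(e["src"], (e["image"], None))[0],
            "dst_image": tree.get(e["dst"], ("<not in tree>", None))[0],
            "relation": relation(e["src"], e["dst"], tree),
        })
        p[e["action"]] += 1
    return pairs


def assess(pairs):
    """Heuristic label per pair; a prompt to look closer, not a verdict."""
    labels = {}
    for key, p in pairs.items():
        if p["relation"] == "child" and p["set_thread_context"]:
            labels[key] = "write + SetThreadContext into own child (hollowing-style sequence)"
        elif p["relation"] == "child":
            labels[key] = "write into own child (typical of CreateProcess setup)"
        else:
            labels[key] = "write into a process it did not spawn (injection candidate)"
    return labels


def svchost_with_odd_parent(tree):
    """Service hosts are started by services.exe; flag svchost.exe whose shown parent is anything else."""
    return sorted(pid for pid, (image, parent) in tree.items()
                  if image.lower() == "svchost.exe" and parent is not None
                  and tree.get(parent, ("",))[0].lower() != "services.exe")


if __name__ == "__main__":
    pairs = summarize(parse_rows(REPORT_ROWS), PROCESS_TREE)
    for (src, dst), label in assess(pairs).items():
        p = pairs[(src, dst)]
        print(f"{src} {p['src_image']} -> {dst} {p['dst_image']}: "
              f"{p['write']} write(s), {p['set_thread_context']} SetThreadContext: {label}")
    print("svchost.exe with a non-services.exe parent:", svchost_with_odd_parent(PROCESS_TREE))
```

On this report the script separates the two pairs cleanly: 4256 wrote to and set the thread context of its own child dllhost.exe, while the sample 4376 wrote four times into the Task Scheduler host 1156, which it did not spawn, and 4256 is an svchost.exe whose parent is another svchost.exe. The labels only say where to look next; the page does not contain the written buffers or the thread context, which is what would settle whether this is hollowing.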
Processes

Tree as recorded by the sandbox (image, command line, PID, signatures attributed to that process; indentation shows parent/child nesting):

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  PID 1156 (Task Scheduler service host; no signatures attributed)

  C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k netsvcs
    PID 4256
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\dllhost.exe
      command line: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
      PID 4928
      - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\b286a5a36ab9f02b8c2b6b57d2282f0b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b286a5a36ab9f02b8c2b6b57d2282f0b.exe"
  PID 4376
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

Reading the tree: the task scored 1 and no signature is a family detection, but the chain deserves a manual look. The sample (4376) enabled SeDebugPrivilege and wrote to the memory of the Task Scheduler service host (1156), a process it did not spawn. That same host appears as the parent of a second svchost.exe (4256, "-k netsvcs" with no -s service name), although service hosts are normally started by services.exe, and 4256 in turn wrote to and set the thread context of its own child dllhost.exe (4928), the write-then-SetThreadContext sequence used by process hollowing. The /Processid value {F8284233-48F4-4680-ADDD-F8284233} is also not a well-formed GUID: its last group has 8 hex digits where a GUID has 12. The page does not show timestamps, the written buffers, or whether 4256 was created by a scheduled task, so it cannot settle what happened; the same sample scored 10 in the windows7-x64 task, so that report is the natural next place to look.