7ad5db6178d3de2392f041b5402e9173bc0803d61e06b534c529bbcb5fa8ad37

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

金稅五期（电脑版）-uninstall.exe
Size

21.0MB
MD5

98ea3184eb9c88f9a8282e54b9b1df9d
SHA1

9ca39e8afaf165879687edba4f9d725945292b33
SHA256

7ad5db6178d3de2392f041b5402e9173bc0803d61e06b534c529bbcb5fa8ad37
SHA512

82a59577369a2c0bd84f2c11c1e88f4d2b1b58e985b07fed0535b7bd1badd85ad7cb3fbc3454b61d9bfcaa0efc08d45fbb5373686e2e567d8d114d78feba888f
SSDEEP

393216:9RbyUI273CAabyUI273CAjLeLfonQH3is0MIb63aL54BTRJsv6tWKFdu9Cd:9RbNIgyAabNIgyAqcSBT

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4600 set thread context of 2184	4600	svchost.exe	87

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3576	金稅五期（电脑版）-uninstall.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3576	金稅五期（电脑版）-uninstall.exe
3576	金稅五期（电脑版）-uninstall.exe
4600	svchost.exe
4600	svchost.exe
2184	dllhost.exe
2184	dllhost.exe
2184	dllhost.exe
2184	dllhost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
2184	dllhost.exe
2184	dllhost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe
4600	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3576	金稅五期（电脑版）-uninstall.exe
Token: SeDebugPrivilege	4600	svchost.exe
Token: SeDebugPrivilege	4600	svchost.exe
Token: SeDebugPrivilege	4600	svchost.exe
Token: SeDebugPrivilege	4600	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3576	金稅五期（电脑版）-uninstall.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 1156	3576	金稅五期（电脑版）-uninstall.exe	20
PID 3576 wrote to memory of 1156	3576	金稅五期（电脑版）-uninstall.exe	20
PID 3576 wrote to memory of 1156	3576	金稅五期（电脑版）-uninstall.exe	20
PID 3576 wrote to memory of 1156	3576	金稅五期（电脑版）-uninstall.exe	20
PID 4600 wrote to memory of 2184	4600	svchost.exe	87
PID 4600 wrote to memory of 2184	4600	svchost.exe	87
PID 4600 wrote to memory of 2184	4600	svchost.exe	87
PID 4600 wrote to memory of 2184	4600	svchost.exe	87
PID 4600 wrote to memory of 2184	4600	svchost.exe	87

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1156
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2184

C:\Users\Admin\AppData\Local\Temp\金稅五期（电脑版）-uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\金稅五期（电脑版）-uninstall.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1156-5-0x000001974ABB0000-0x000001974ABB1000-memory.dmp

Filesize
4KB

Download
memory/2184-15-0x00000219B4440000-0x00000219B4441000-memory.dmp

Filesize
4KB

Download
memory/2184-22-0x00007FFF2B130000-0x00007FFF2B325000-memory.dmp

Filesize
2.0MB

Download
memory/3576-0-0x000002770C1A0000-0x000002770C1A1000-memory.dmp

Filesize
4KB

Download
memory/3576-1-0x0000000180000000-0x0000000180027000-memory.dmp

Filesize
156KB

Download
memory/4600-6-0x0000000180000000-0x0000000180089000-memory.dmp

Filesize
548KB

Download
memory/4600-10-0x00007FFF2B130000-0x00007FFF2B325000-memory.dmp

Filesize
2.0MB

Download