378d97a39ef4c82dbe95adc05f6b5edee49df9c39decea580ecf1faba96c4648

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

资料_install (1).exe
Size

1.5MB
MD5

85df64b647baf466f4621d1be7d005e1
SHA1

c090110069d644c54c8508e8e65ddcfae25949fc
SHA256

5ffe8edc15b6cb41122f6cc2550621e81776bc6914ea6388aecd17eec073aea4
SHA512

52f7676cd7cfd91eda286dabc13139272ac8e809c70ac80c11139193659b5f28ae75876b12845a9cc60215529d780d466c36d4e2722344b7fce870454fd15b26
SSDEEP

49152:tEBdH3KQaSIE1vlbkOAZOEzRT9IynYMHK3zT27yEbYp:mBpPZIUvlkpRCyd2zwylp

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2152	资料_install (1).tmp
2940	资料_install (1).tmp
2560	lPix.exe
1964	lPix.tmp
1664	lPix.exe
1076	lPix.tmp

Loads dropped DLL 18 IoCs

pid	Process
2932	资料_install (1).exe
2152	资料_install (1).tmp
2152	资料_install (1).tmp
2704	资料_install (1).exe
2940	资料_install (1).tmp
2940	资料_install (1).tmp
2752	cmd.exe
2560	lPix.exe
1964	lPix.tmp
1964	lPix.tmp
3036	cmd.exe
1664	lPix.exe
1076	lPix.tmp
1076	lPix.tmp
1076	lPix.tmp
1076	lPix.tmp
1384	regsvr32.exe
1428	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lPix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lPix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lPix.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lPix.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	资料_install (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	资料_install (1).tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	资料_install (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	资料_install (1).tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2964	timeout.exe
3024	timeout.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2200	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2940	资料_install (1).tmp
2940	资料_install (1).tmp
1076	lPix.tmp
1076	lPix.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2940	资料_install (1).tmp
1076	lPix.tmp

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2200	EXCEL.EXE
2200	EXCEL.EXE
2200	EXCEL.EXE
2200	EXCEL.EXE
2200	EXCEL.EXE
2200	EXCEL.EXE
2200	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2152	2932	资料_install (1).exe	30
PID 2932 wrote to memory of 2152	2932	资料_install (1).exe	30
PID 2932 wrote to memory of 2152	2932	资料_install (1).exe	30
PID 2932 wrote to memory of 2152	2932	资料_install (1).exe	30
PID 2932 wrote to memory of 2152	2932	资料_install (1).exe	30
PID 2932 wrote to memory of 2152	2932	资料_install (1).exe	30
PID 2932 wrote to memory of 2152	2932	资料_install (1).exe	30
PID 2152 wrote to memory of 2896	2152	资料_install (1).tmp	31
PID 2152 wrote to memory of 2896	2152	资料_install (1).tmp	31
PID 2152 wrote to memory of 2896	2152	资料_install (1).tmp	31
PID 2152 wrote to memory of 2896	2152	资料_install (1).tmp	31
PID 2896 wrote to memory of 2964	2896	cmd.exe	33
PID 2896 wrote to memory of 2964	2896	cmd.exe	33
PID 2896 wrote to memory of 2964	2896	cmd.exe	33
PID 2896 wrote to memory of 2964	2896	cmd.exe	33
PID 2896 wrote to memory of 2704	2896	cmd.exe	34
PID 2896 wrote to memory of 2704	2896	cmd.exe	34
PID 2896 wrote to memory of 2704	2896	cmd.exe	34
PID 2896 wrote to memory of 2704	2896	cmd.exe	34
PID 2896 wrote to memory of 2704	2896	cmd.exe	34
PID 2896 wrote to memory of 2704	2896	cmd.exe	34
PID 2896 wrote to memory of 2704	2896	cmd.exe	34
PID 2704 wrote to memory of 2940	2704	资料_install (1).exe	35
PID 2704 wrote to memory of 2940	2704	资料_install (1).exe	35
PID 2704 wrote to memory of 2940	2704	资料_install (1).exe	35
PID 2704 wrote to memory of 2940	2704	资料_install (1).exe	35
PID 2704 wrote to memory of 2940	2704	资料_install (1).exe	35
PID 2704 wrote to memory of 2940	2704	资料_install (1).exe	35
PID 2704 wrote to memory of 2940	2704	资料_install (1).exe	35
PID 2940 wrote to memory of 2752	2940	资料_install (1).tmp	36
PID 2940 wrote to memory of 2752	2940	资料_install (1).tmp	36
PID 2940 wrote to memory of 2752	2940	资料_install (1).tmp	36
PID 2940 wrote to memory of 2752	2940	资料_install (1).tmp	36
PID 2940 wrote to memory of 2868	2940	资料_install (1).tmp	37
PID 2940 wrote to memory of 2868	2940	资料_install (1).tmp	37
PID 2940 wrote to memory of 2868	2940	资料_install (1).tmp	37
PID 2940 wrote to memory of 2868	2940	资料_install (1).tmp	37
PID 2752 wrote to memory of 2560	2752	cmd.exe	40
PID 2752 wrote to memory of 2560	2752	cmd.exe	40
PID 2752 wrote to memory of 2560	2752	cmd.exe	40
PID 2752 wrote to memory of 2560	2752	cmd.exe	40
PID 2752 wrote to memory of 2560	2752	cmd.exe	40
PID 2752 wrote to memory of 2560	2752	cmd.exe	40
PID 2752 wrote to memory of 2560	2752	cmd.exe	40
PID 2868 wrote to memory of 2200	2868	cmd.exe	41
PID 2868 wrote to memory of 2200	2868	cmd.exe	41
PID 2868 wrote to memory of 2200	2868	cmd.exe	41
PID 2868 wrote to memory of 2200	2868	cmd.exe	41
PID 2868 wrote to memory of 2200	2868	cmd.exe	41
PID 2868 wrote to memory of 2200	2868	cmd.exe	41
PID 2868 wrote to memory of 2200	2868	cmd.exe	41
PID 2868 wrote to memory of 2200	2868	cmd.exe	41
PID 2868 wrote to memory of 2200	2868	cmd.exe	41
PID 2560 wrote to memory of 1964	2560	lPix.exe	42
PID 2560 wrote to memory of 1964	2560	lPix.exe	42
PID 2560 wrote to memory of 1964	2560	lPix.exe	42
PID 2560 wrote to memory of 1964	2560	lPix.exe	42
PID 2560 wrote to memory of 1964	2560	lPix.exe	42
PID 2560 wrote to memory of 1964	2560	lPix.exe	42
PID 2560 wrote to memory of 1964	2560	lPix.exe	42
PID 1964 wrote to memory of 3036	1964	lPix.tmp	43
PID 1964 wrote to memory of 3036	1964	lPix.tmp	43
PID 1964 wrote to memory of 3036	1964	lPix.tmp	43
PID 1964 wrote to memory of 3036	1964	lPix.tmp	43

C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
"C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp" /SL5="$4010A,1145727,235520,C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
      "C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp" /SL5="$601F8,1145727,235520,C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\lPix.exe
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Users\Public\Documents\lPix.exe
        
        C:\Users\Public\Documents\lPix.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp" /SL5="$401F4,544961,235520,C:\Users\Public\Documents\lPix.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C timeout /T 3 & "C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 3
        10⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3024
        
        C:\Users\Public\Documents\lPix.exe
        
        "C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\is-CRRP9.tmp\lPix.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CRRP9.tmp\lPix.tmp" /SL5="$501EA,544961,235520,C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:1076
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\system32\regsvr32.exe
        
        /s /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll
        13⤵
        Loads dropped DLL
        
        PID:1428
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\LDcA.xls
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
        7⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\unins000.dat

Filesize
3KB

MD5
10e5e58b0f68862da3980e123de613bc

SHA1
a44c201768dfb80765ebea4b560b9340c215a2bc

SHA256
16dcede65eaa9afbfdc0920fbd748d2871133b36ed6aa17865c8167d3d89a293

SHA512
257f53b15d42f17371b5b227e5705bd583dd0e3857d1aded95e95fa6a32250fc3782cc1c8636521bcfcc6fccfa0605f030d5109a8df2d9c9849330c357261b34

Download Submit
C:\Users\Admin\AppData\Local\unins000.exe

Filesize
1.2MB

MD5
7d32e1d324403f5baf3443502f6732b9

SHA1
583a56865861c01413abda1daa132b577920504c

SHA256
4b6b8555cca21071bf3c90dc7d8a74e2fa2d1bf5bf85aab0b88a7a19962cb313

SHA512
8880c8f087a848964a777430c72d5ae52c9ff2d82a59b79e9df3084a26889ee5526de02b2b13fd43074510129f0898b093d397e23127cc7330896f10fc6d3e0b

Download Submit
C:\Users\Admin\AppData\Local\unins000.exe

Filesize
1.2MB

MD5
957a6b79d0a55eb26e806e520a56027c

SHA1
4de71cf351276a32f03900ded66a1d0217ab10b1

SHA256
55d7374f4731aaa60d7930ecf5348b08f48f3cbb372a1805609d41ff21e89297

SHA512
d5e295c47e93e18f272f99b2960f2b476ef261a2a7c65635a2c4d74798d4f0409a970ad0039b6258f9addf9d39b2b7e8b5ecb129ca4e2bd123402ad2ddb5cc34

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll

Filesize
722KB

MD5
385e36fd28d88b4fe7051de59bcd616c

SHA1
0c6bac3bda42f8dedfba7559d092da5baaac81b4

SHA256
f13c09688c8f5e11c57680a446d2ab52918a53782cf2827ca768652e1013b2f0

SHA512
5ea5505dceb529ef4aa40fd13c23646fc36c74e3a0d86047ae66e1d1b70865f24279b3ea1d5a28f456e44a258a7c75516171ee201049e53420a34e69186ba86f

Download Submit
C:\Users\Public\Documents\LDcA.xls

Filesize
18KB

MD5
d1ff725260128c439f9bce6f7a26f5ec

SHA1
a22f5c06fd34b59daa1475789f659e324368a76f

SHA256
dfa1e555ec717a30d1ccccc87e64cc143f0f2d436c8aa07221143482045df00d

SHA512
41e4876cea614c602953f40f835172fb80db5b8b241b0bb522eb9535a97c4e2365cfd335395bdbc87245290f7b8331539d43aec2c1be4de2bb3e7e925ea0696c

Download Submit
\Users\Admin\AppData\Local\Temp\is-G7DHN.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp

Filesize
1.2MB

MD5
bef5bad133138ce27f0c6e73d5a2e5f9

SHA1
1cfc9e170e100fc23073cdfcf590594e18598314

SHA256
55adc6677700e166913c9f26a213d93244242b17331b4f9a606760117b698b65

SHA512
f8d3d971a58fdc2d7585c61c70c41d0625b2cbda9698f7a26ed009374d9f4986effc9d69dd1579f38f22bd7e7700d714702df663dfcc195c11b6fc2d0b315f2d

Download Submit
\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp

Filesize
1.2MB

MD5
cf45d17c6928f460e9c66d8efd61d15f

SHA1
04f45e51c5ee587ac54084e051837cc4688f3fea

SHA256
a87c544e201116ebe9e5aa748f1a4d91d4aadb18d7a2c24c27a9cf5c881b400b

SHA512
178d1f8df6f98246fa579d49af62a526a7b3ba34532ed0e160b82148bb5869192408562c2a7b4d5602cf7b907acea1f2b716c77b8eff912a930619f6cf70a596

Download Submit
\Users\Public\Documents\lPix.exe

Filesize
985KB

MD5
8cb4b8edf79a9edaf533920c9a4d2757

SHA1
8d5b6701db176148d9bbe8cc97338798c518201c

SHA256
c09f6cc092879d5b34f8668114453cdace4d3a6f303214baeca9a32d62bde1c2

SHA512
82478f5c7592a2555f67608d9564d7b31bdde10443ea6a480d991712c6e2eaafefbb2401746f862960deb8796cf31aff0f3410caeb05fa933d8ecb402581d2e0

Download Submit
memory/1076-109-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1664-110-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1664-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1964-111-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2152-41-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2152-8-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2200-67-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2560-113-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-54-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2704-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2704-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2932-43-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2932-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2932-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2940-38-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download