9818f5ae8db0a91f8375c40cf80c0ed333d92e2692babd57c2fcd35ec76a1218

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

表格-uninstall.exe
Size

67KB
MD5

63d3c299bf6192a6c627c3092333ae77
SHA1

a661cb7a1e16af2e9385860baf5b9ab5bf3982a4
SHA256

531e5806c4df096d9eea5f9e98b2ea67ba2b5dae88a96879c986698646b6f223
SHA512

d19a0b4013452094ee9105e07f61db65efd08327c90e1d95767c7beefe921dfcd51c892ed880e211b2f4c9d31d905accc572f68e6add66a4568c6f2b99938350
SSDEEP

1536:WwMNhzHy/NTQt17OvUo9OMarkzer/rdX:8TST+Or2r/rd

Score

10^/10

discovery

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
154.91.90.51
Port:
21
Username:
123
Password:
123

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4752	winword.exe

Loads dropped DLL 1 IoCs

pid	Process
4752	winword.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	表格-uninstall.exe
File opened (read-only)	\??\E:	表格-uninstall.exe
File opened (read-only)	\??\N:	表格-uninstall.exe
File opened (read-only)	\??\O:	表格-uninstall.exe
File opened (read-only)	\??\S:	表格-uninstall.exe
File opened (read-only)	\??\U:	表格-uninstall.exe
File opened (read-only)	\??\Y:	表格-uninstall.exe
File opened (read-only)	\??\G:	表格-uninstall.exe
File opened (read-only)	\??\M:	表格-uninstall.exe
File opened (read-only)	\??\P:	表格-uninstall.exe
File opened (read-only)	\??\Q:	表格-uninstall.exe
File opened (read-only)	\??\H:	表格-uninstall.exe
File opened (read-only)	\??\K:	表格-uninstall.exe
File opened (read-only)	\??\R:	表格-uninstall.exe
File opened (read-only)	\??\T:	表格-uninstall.exe
File opened (read-only)	\??\V:	表格-uninstall.exe
File opened (read-only)	\??\W:	表格-uninstall.exe
File opened (read-only)	\??\X:	表格-uninstall.exe
File opened (read-only)	\??\B:	表格-uninstall.exe
File opened (read-only)	\??\I:	表格-uninstall.exe
File opened (read-only)	\??\J:	表格-uninstall.exe
File opened (read-only)	\??\L:	表格-uninstall.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	表格-uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winword.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe
900	表格-uninstall.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
900	表格-uninstall.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 4752	900	表格-uninstall.exe	88
PID 900 wrote to memory of 4752	900	表格-uninstall.exe	88
PID 900 wrote to memory of 4752	900	表格-uninstall.exe	88

C:\Users\Admin\AppData\Local\Temp\表格-uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\表格-uninstall.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:900
- C:\ProgramData\Adobe\winword.exe
  C:\ProgramData\Adobe\winword.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\winword.exe

Filesize
1.4MB

MD5
15e52f52ed2b8ed122fae897119687c4

SHA1
6e35ae1d5b6f192109d7a752acd939f5ca2b97a6

SHA256
8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736

SHA512
338c12af5af509c19932619007ab058e0e97b65fe32609f14d29f6cc7818814dbdbb8613f81146a10a78197b3f6fbc435fab9fe1537d1eb83c30b9f4487b6aea

Download Submit
C:\ProgramData\Adobe\wwlib.dll

Filesize
85KB

MD5
dd6d3e65f67821f07acca9ba0e31908f

SHA1
be8fbb43593aff066c082043a83e8901d5e2993b

SHA256
ff53f566a2a46602b38259e64345541c86b09c8c907b6179e4e338e762dfeb4f

SHA512
8ca45354be17af363d6764e3ce450ffa72a527b1bbf2dbe46e2ec3e00845044eb2516a57b3b3e91ca6d343dff39da304bdf80a43af55f11609c428265db00aba

Download Submit
memory/900-14-0x0000000003C10000-0x0000000003C48000-memory.dmp

Filesize
224KB

Download
memory/900-8-0x00000000034A0000-0x00000000034C2000-memory.dmp

Filesize
136KB

Download
memory/900-16-0x00000000034A0000-0x00000000034C2000-memory.dmp

Filesize
136KB

Download
memory/900-7-0x00000000034A0000-0x00000000034C2000-memory.dmp

Filesize
136KB

Download
memory/900-17-0x0000000003C10000-0x0000000003C48000-memory.dmp

Filesize
224KB

Download
memory/900-9-0x0000000003A90000-0x0000000003AC2000-memory.dmp

Filesize
200KB

Download
memory/900-11-0x0000000003C10000-0x0000000003C48000-memory.dmp

Filesize
224KB

Download
memory/900-19-0x0000000010000000-0x00000000101AE000-memory.dmp

Filesize
1.7MB

Download
memory/900-12-0x0000000003C10000-0x0000000003C48000-memory.dmp

Filesize
224KB

Download
memory/900-13-0x0000000003C10000-0x0000000003C48000-memory.dmp

Filesize
224KB

Download
memory/900-2-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/900-15-0x00000000034A0000-0x00000000034C2000-memory.dmp

Filesize
136KB

Download
memory/900-6-0x00000000034A0000-0x00000000034C2000-memory.dmp

Filesize
136KB

Download
memory/900-4-0x00000000034A0000-0x00000000034C2000-memory.dmp

Filesize
136KB

Download
memory/900-10-0x0000000003C10000-0x0000000003C48000-memory.dmp

Filesize
224KB

Download
memory/900-5-0x00000000034A0000-0x00000000034C2000-memory.dmp

Filesize
136KB

Download
memory/900-18-0x0000000003C10000-0x0000000003C48000-memory.dmp

Filesize
224KB

Download
memory/900-36-0x0000000003C10000-0x0000000003C48000-memory.dmp

Filesize
224KB

Download
memory/900-3-0x0000000003410000-0x0000000003491000-memory.dmp

Filesize
516KB

Download
memory/900-33-0x0000000003C10000-0x0000000003C48000-memory.dmp

Filesize
224KB

Download
memory/900-32-0x0000000003C10000-0x0000000003C48000-memory.dmp

Filesize
224KB

Download
memory/900-34-0x0000000003C10000-0x0000000003C48000-memory.dmp

Filesize
224KB

Download
memory/900-35-0x0000000003C10000-0x0000000003C48000-memory.dmp

Filesize
224KB

Download
memory/900-37-0x0000000003C10000-0x0000000003C48000-memory.dmp

Filesize
224KB

Download
memory/4752-30-0x000000002F2E1000-0x000000002F2E2000-memory.dmp

Filesize
4KB

Download