21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe
Size

12.9MB
MD5

8a4674735cb781536188f313e1ab2fd5
SHA1

2327a59ab3ade1e4c5ac3545dde07dfed6306c6c
SHA256

21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4
SHA512

bdc1948eaa0f741bcbba4ce3a1c6d9131bdd907a1778cbe2cb98ce3d17c10931eb860f8972eaa1636ce7ea90d4bcb92f826600c769df2f2b3b2069b75fea69b3
SSDEEP

393216:e/+8+tPmRyDC7YThjbw7xcr95+8VqYTB6fW2Gmv:e/WtPmR8TpCxO95+8V5v2xv

Score

7^/10

bootkit discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3428	sg.tmp
6120	360Safe.exe

Loads dropped DLL 10 IoCs

pid	Process
6120	360Safe.exe
6120	360Safe.exe
6120	360Safe.exe
6120	360Safe.exe
6120	360Safe.exe
6120	360Safe.exe
6120	360Safe.exe
6120	360Safe.exe
6120	360Safe.exe
6120	360Safe.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	360Safe.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/628-0-0x0000000000400000-0x00000000005F4000-memory.dmp	upx
behavioral2/memory/628-458-0x0000000000400000-0x00000000005F4000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	360Safe.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeBackupPrivilege	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe
Token: SeRestorePrivilege	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe
Token: 33	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe
Token: SeIncBasePriorityPrivilege	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe
Token: SeCreateGlobalPrivilege	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe
Token: 33	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe
Token: SeIncBasePriorityPrivilege	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe
Token: 33	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe
Token: SeIncBasePriorityPrivilege	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe
Token: SeRestorePrivilege	3428	sg.tmp
Token: 35	3428	sg.tmp
Token: SeSecurityPrivilege	3428	sg.tmp
Token: SeSecurityPrivilege	3428	sg.tmp
Token: 33	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe
Token: SeIncBasePriorityPrivilege	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6120	360Safe.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 2736	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe	88
PID 628 wrote to memory of 2736	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe	88
PID 628 wrote to memory of 3428	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe	90
PID 628 wrote to memory of 3428	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe	90
PID 628 wrote to memory of 3428	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe	90
PID 628 wrote to memory of 6120	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe	95
PID 628 wrote to memory of 6120	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe	95
PID 628 wrote to memory of 6120	628	21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe	95

C:\Users\Admin\AppData\Local\Temp\21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe
"C:\Users\Admin\AppData\Local\Temp\21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\~6053324914940712263~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\21222d40e9cdee026290f15626de192203519039be6d1e737caef5448296fcd4.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~6844832696559539610"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\360Safe.exe
  "C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\360Safe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~6053324914940712263~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\360Base.dll

Filesize
1.0MB

MD5
b192f34d99421dc3207f2328ffe62bd0

SHA1
e4bbbba20d05515678922371ea787b39f064cd2c

SHA256
58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73

SHA512
00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\360Common.dll

Filesize
517KB

MD5
d867cbb32dd3e28d55d1bec36defdf3a

SHA1
ef1df7f597b41fdfb4d79607c64ce3755e084a18

SHA256
dbfe435cd2f72c10e6dc6b8f0f7fd42c5942dd70ed3216b54ae1dbe5044700f3

SHA512
33b09d7b103f3c868528a43301a5614a46ada568c1cf54d9b8ddfedfd92dfad98de111676974bc4ce5e6d520e3423a75ba8c45ca457d0a716854d7b5fdcdec1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\360NetBase.dll

Filesize
1.5MB

MD5
d426366da3f0aa57a4923ba04208b306

SHA1
9789ed3cb58b5567b154aea34c014da3a80bf495

SHA256
109b4add80e1cb1dfd0ab865ce2866faf1041ca63233bbc28facf1ecda8e7f23

SHA512
9e99d82d08b7b16ce5ca821bb6d776540eaed00a863ef028203363379b74f928c6266a397889195c1137be1fa7ef9ff3cbd77415633797e0967408864a64f19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\360Safe.exe

Filesize
926KB

MD5
f08f211a8c879012481cf40646ddd05e

SHA1
715bd4b6ef779aff3c5f299d5c3bf974d19d170f

SHA256
5400aab3f8d5c904c249e7d6857df1f7e2c1a0d2be2c36118bae534031972444

SHA512
3a2b0bb99431ebe5436d7ba6c53b5a8120b27a37f03ddd0cdffe7eca05a9110137b9a14dc1b8e8f2b0b7dc95deffd6f5215a484dde526c932ace6003c250ffc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\360Util.dll

Filesize
692KB

MD5
083fd0bb8ba68c42542ad380e533ce41

SHA1
edcb96d11d9f470422d42693b67f42d7fab3c6ad

SHA256
72d197aa91432b89ba55f26b445f007b3e0590974ca716d00070149bf3038220

SHA512
2764c4edf77723216448ff974fdd974d6e9e0b47fb090aed28d77f233b6e8df4d7e501a76f26baa929bfcfbdee430cfec12a856a5c4aa33bfdc1d8602896d9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\360Ver.dll

Filesize
75KB

MD5
5c6bd56bac5219fa54043e2382f357b6

SHA1
7b708ec5fef2f440b463ea7748c65671983229d0

SHA256
8d7dfa7290ef26a34b80e0314acd3b39ea9099252d59322ee0c40b23beb546ea

SHA512
83f9340fba163572204ec7d93e61986576fddf1d75baf41873ec38c617db9af8ea1ddf140de88681f3661b6b927024d7dac7fcba62f4cfca3276d1703672940d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\360conf.dll

Filesize
294KB

MD5
b98a1e65f209fe1f10f8564dec0f0c42

SHA1
cab41605d9b7241c134798723ecdf9d3dc2f2615

SHA256
885aa4f58297382396717563137d212fbcb4299f95426c40c43abcdcecf54246

SHA512
35cd81aaa9fbadb8b174f6b2d30fa6c2c0c91786e6714073598cb09f1028790f03609de63b51c2e966021bd7da8521ec06612f0582fc1a5752ee0df7b8259b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\Config\newui\360SafeAir.xml

Filesize
812B

MD5
28cc65e513ac4cde0ba7376ffdfca118

SHA1
81a6d00208ba09dbaf6b99103b2855efb119ebcf

SHA256
ad1b7c8bcd8d2ecdf26dd6b9a773d43cb2c8b74ccbe9c631caa3586c9d75c11d

SHA512
2cdead9458699aad63736c6a1e76dfdf68c41ded0838f8bb7e8a419cdd49ba868650982c16926bd2956cfe80e7882beca5d7ebfd743a8baad1c647b94a273ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\Config\newui\themes\default\360SkinView\360skinview_theme.ui

Filesize
113KB

MD5
9537ad3564560c53c8583495e5a18603

SHA1
af95ba8b73f35c6c70c3a6124b3cfe7c8adb6559

SHA256
20de2505f78c13f447372bb2ebb6b04934d61f362bff061032385a78c7e5610e

SHA512
ca2a3a2a3351f95553e446cf853edce53e74d9c91f625929dff3e9b2509ab54e08c85594fdc0a258e60f32aebe07f453ebe2a25d98bd85e449e52ff6ce739950

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\Config\newui\themes\default\MainFrame\CheckAutorunWarn.xml

Filesize
5KB

MD5
605f0115c870722b2db8ab3bf9bc6009

SHA1
5745728a3f5b57e846c19af38eeeebcc15130edd

SHA256
435dfe6c61a1376042e18730000417a2232718ab37c467995fc9e66dd269f684

SHA512
51c8d8c300ba8acfb806cefae6c0f2eb3920585754edb9a5ed8858c9df260fa9b4ba573c5abb7f35607c0c79d19bafcd228f4be4cdacb559c79838fe87106b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\Config\newui\themes\default\MainFrame\ExamineStartup.xml

Filesize
15KB

MD5
2213fc3a469f981d0eb807d9b4e1e1f3

SHA1
6fd66d817276934ce8032b6c76f7f449c178dc9e

SHA256
fb8c3cbd15e503abc1664c1e02bad06138ff730145704b6abe44b53b734fe7b0

SHA512
fd2605f911f6f4a0a1bd459a32b8d6c31bea440fde7b91ee58083565e76d4927ebd19c6c1737f529f897bcc62460da3c4ef57d5b25493b5d9e6a0422d5c2096a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\Config\newui\themes\default\MainFrame\Main.xml

Filesize
4KB

MD5
6c0cf1684c932a7efbd281bce239920e

SHA1
82d3af6149869b0ca44a76b571671c658883f8b2

SHA256
0b1de112b9d6beabcfff914b32fc442deaa2c8db40fda1fc0ec12a94de36cd52

SHA512
7aa5d3226edf8de91886253120520f7c550e71163d512fbc3fea03825562d4693a0d99fdac1d3026c81b0f9b9007b5b4a641d7676730b83995f6a506b955e722

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\Config\newui\themes\default\MainFrame\ShareWeiboTips.xml

Filesize
5KB

MD5
5f961b0d27811cc2478cc50f153925a6

SHA1
65a6ef4094e2067415c9c587b736bafaab8eb822

SHA256
7013014162b38b673a449212564e58865a468727927b023e92dccb4f6a641a53

SHA512
d10ccd3eff0c6849c16b31819b06fb0d111051f15fda918bb9ff6020b4d5851c91a24a1e45e414a165d2253f946dfcff03b9c079d744044dcc02a23eec33621c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\Config\newui\themes\default\SpeedupOpt\SpeedupOpt_theme.ui

Filesize
743KB

MD5
8c8248827d6ce3a78e95ac9e9b365163

SHA1
af8b91baf2e640d80ce6711f774815a9c236b565

SHA256
ed2de300ab266f184d8c49c5dabbfcd22927f8034bcebf14cdd2b0d5ff98339e

SHA512
ab9ed33eb98112096ce1ff9329bf939126c73f82843f94ebd3294fc39ec39b8ba941ea361fae0010cb53afb4e6c02b74f6e138d0c3410ba57bf2d9f59ae9ca70

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\Config\newui\themes\default\common_font\font_theme.ui

Filesize
113KB

MD5
23e329483914784878f8c73cda312d9d

SHA1
f0ebf7ea3c5e0bf915f6d54124cd4bb8db149bda

SHA256
45b877414f8f7d92d46f69824b6707243c7ce3d29e9017f5663b885f57042216

SHA512
e5573ae9b46db087fefc46cdb466478b55ffed5f47c70eef4e63d6045a9457b4762393a7cde65dc93bc9ba7e49bf6a3370cb3c0f78102b1d09aa0af5a3121f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\Config\newui\themes\default\default_theme.ui

Filesize
1.2MB

MD5
7f0ddb6af37c9bb61a89fe7e8e767828

SHA1
9f9131abd840b9d5fc89ad6eed5a36bab8a33c0b

SHA256
591570d1237699f48b9fc91659d1a52845a18e94fc02f6437742d805edd8ef72

SHA512
d394d73934b8481b48a359d40ab5231b887209ee73a572b956bd52135940dab2aa323ba8db3b3efadaf6ff1098bdf4b7e05759eb06ff2ea9ef70530d600a080e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\Config\newui\themes\default\speedldskin\speedldskin_theme.ui

Filesize
17KB

MD5
96e74b5e57694f04013c30713da84582

SHA1
3f5e15749909403f4b3854d1f0abfdc4f51ff17e

SHA256
f32bfe68fb51f9cdc23091a6920ae4d968491063b1ba4936b2451f86b2111d07

SHA512
a0e430234efe17965494e60f15adf659a3083a89fcd8a255fd90bb099175333445df5ab4333929aa33a446004bed33af2192b7b8180d8447c803143e119d1960

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\Config\newui\themes\dengtaw_vip_1\dengtaw_vip_1.xml

Filesize
50B

MD5
7d14c7e478964d29f094dcfce54e1ab5

SHA1
be14703e4ffa2c552cb8332a6470adfa86511bbf

SHA256
a16d7c7b81831c2c3177d1d608833f97bea119c515ded53967a28e9132f48f20

SHA512
8827309e852bd0f834ba75f30a90b74ec700a9836941c3dc2da04d874aff638d27ece678527a91c88d685cc2ac77e2c5585c738b75384e3c12634ca71ab9c007

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\Config\newui\themes\gougou1013_vip_1\skin.ini

Filesize
31B

MD5
fbd11dbac7cf2992da47b76a0e2dd542

SHA1
52dda269a662553f08783cd5f6def54f25ff9920

SHA256
91b512334ec1b7c9591da602f394b2c9e293bb8a26ad7f13f08c36ca13307f1f

SHA512
410d1d801a1c498f39cdad486eb7b25ab45bb31b7b6d99473e1322289e132cedc40937f2cb78b2c0710a06edb4d9a5ae1e9ca1b95670a937e4691ef78ea22819

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\Config\newui\themes\labixiaoxinw_vip_1\skin.ini

Filesize
31B

MD5
afaaf6cf792648c4e0c9f4ea42e2d02f

SHA1
0fb1b6d0d519f3ee939e8e305d5707d4e116ccf9

SHA256
64d8997e98b3c3990d51f78a986b3d36a6de277f9ed9b8526a483ec525c0cec3

SHA512
f805bf5e68a24370bb06099d7916b93a27e934de58fc3704dd021c112acc5ffdc209e79cd2aedb94294d93f0e5f21bcbb3c52704e494e129c701aef474d981ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\MiniUI.dll

Filesize
899KB

MD5
5123c3b8adeb6192d5a6b9dc50c867b1

SHA1
6d142074a21aa50c240ce57ca19a61e104bbdf41

SHA256
273ce954c8d33abaac3a0fd8546719f09718c1d91317ecf5b99181dffa3fe26a

SHA512
067305a8f09c480fe4a4c8609638c9a490c4ebe2782bd13c10b380df14f76d4748eb785f44e7bcb86514718f99d07c3c6a4b43928a294b18020cb0fa589ee2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\Utils\360ExamineUIEx.dll

Filesize
558KB

MD5
018bca37cf7a85e6a96a27fe3681773d

SHA1
ebe05c63cf9c295b60a2496063c16d7905a3d72e

SHA256
1cd8e830cd115c90070833f9cb29c9332fa6e04f6a7d5761a86aaee6776a04ee

SHA512
d91d399ec76a0dc744184d7f7277da0c60a4d6a59fa7e1e642cafab004531873ceea12becca0a1eaabf6b468aca9c728b157fc050fb5b826e356517ebb12093d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\Utils\SiteUIProxy.dll

Filesize
342KB

MD5
8ecba3fac9d426bddc352de1538ad5e6

SHA1
1e403d45dc9990d22821e49fed58379adb931946

SHA256
6119fb80a1c838d5e7abb57c8df219a18666065701b884c5a39ae6817fa1c443

SHA512
b077bd0476083744cc4b065a631daf9151c75bcc4c3634a44c3df36f92a99e5d3b696674b0640be0069173e7d924cf02d6f15a2575854aeb1120f56934793c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6844832696559539610\sites.dll

Filesize
1.4MB

MD5
3f03f2c6000d713bf0c2824eb6021fe7

SHA1
b03401b07bc2eda58c4749e8a5ee14ab5cd056d4

SHA256
43923dd9f19e5089947f8376be5e59a9683c4c9b566ce6feb46a02d8a6e12c28

SHA512
cafdda7e6d67e3906e8dabecec018dc45cda69e505d074cf93dd3cb1a4e967263d8486a788ea97809e633036e06ced1257bbd96d23b441242e7b8abc05948b37

Download Submit
\??\c:\users\admin\appdata\local\temp\~6844832696559539610\config\newui\themes\default\theme.xml

Filesize
103KB

MD5
d797bc1acb5313349e1a538e0cbce673

SHA1
08d0e7ccd15fb43ef4be39291f15beadfa9cdfb7

SHA256
1008f8aa48fc3d9de5bf6d09998c156d8c9d1241924603445d486979d895c5e2

SHA512
12d463ee053342ab016ab51f57d122401d21e00499652c9de180dbb4adb4182560ea9bf502b8430718226fafeada3121aa3ab5bbe12500445fe9cb1f5de1e27c

Download Submit
memory/628-0-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/628-458-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads