Analysis
- max time kernel: 139s
- max time network: 160s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 15:23
Tasks
- static1: Static task
- behavioral1: Behavioral task, sample 2024po.exe, resource win7-20231129-en
- behavioral2: Behavioral task, sample 2024po.exe, resource win10v2004-20240508-en
- behavioral3: Behavioral task, sample Timo.exe, resource win7-20240419-en
- behavioral4: Behavioral task, sample Timo.exe, resource win10v2004-20240508-en
- behavioral5: Behavioral task, sample [D]2024年移动合作方人员出入管理门禁安装程序.exe, resource win7-20240611-en
- behavioral6: Behavioral task, sample [D]2024年移动合作方人员出入管理门禁安装程序.exe, resource win10v2004-20240611-en
- behavioral7: Behavioral task, sample 点击此处安装语言包.exe, resource win7-20240611-en
- behavioral8: Behavioral task, sample 点击此处安装语言包.exe, resource win10v2004-20240508-en
- behavioral9: Behavioral task, sample 票925452362131助手.exe, resource win7-20240220-en
- behavioral10: Behavioral task, sample 票925452362131助手.exe, resource win10v2004-20240226-en
- behavioral11: Behavioral task, sample 考勤异常信息统计结果查询工具.exe, resource win7-20240221-en
- behavioral12: Behavioral task, sample 考勤异常信息统计结果查询工具.exe, resource win10v2004-20240611-en
General
- Target: 点击此处安装语言包.exe
- Size: 10.8MB
- MD5: 44ce97dc5b3054dfb4999933219887b7
- SHA1: 23cedb5e66fbc1cf3c86a8812d6189ed3dd88b17
- SHA256: af884204ca0845632eb01c3a37a9d5609f2b7065b884500658da60080eaab617
- SHA512: e602db55a559e6c8f96d8dc222af5debc0025675d6fcf8e98e89d4efbd65811819d1e6c8c3467576b850ceb25e0891edb1b648e130caf66046fbc643a584ae04
- SSDEEP: 196608:PB/vhOCUMgKCZFB4IS+9G0eBF/6FLOyomFHKnPdfxxEBB2XCQkfLoaxA4JN1cdDD:PdJOCdgxZFBVeBUFqJbnf
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: 75zdeFQ06.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: 75zdeFQ06.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\75zdeFQ06 = "C:\\ProgramData\\deepscan\\I57P9vIG0_ecCW213G\\75zdeFQ06.exe" (process: 75zdeFQ06.exe)
- ACProtect 1.3x - 1.4x DLL software (2 IoCs)
  Detects file using ACProtect software.
  - \ProgramData\deepscan\I57P9vIG0_ecCW213G\yGraphHlp180.dll (yara rule: acprotect)
  - \ProgramData\deepscan\I57P9vIG0_ecCW213G\yclienti.dll (yara rule: acprotect)
- Executes dropped EXE (1 IoCs)
  - PID 2500 75zdeFQ06.exe
- Loads dropped DLL (7 IoCs)
  Processes: 点击此处安装语言包.exe, 75zdeFQ06.exe
  - PID 3020 点击此处安装语言包.exe (1 entry)
  - PID 2500 75zdeFQ06.exe (6 identical entries)
- Yara rule matches: upx
  - behavioral7/memory/2500-24-0x0000000074590000-0x000000007461D000-memory.dmp
  - \ProgramData\deepscan\I57P9vIG0_ecCW213G\yGraphHlp180.dll
  - \ProgramData\deepscan\I57P9vIG0_ecCW213G\yclienti.dll
  - behavioral7/memory/2500-27-0x0000000073B40000-0x0000000073BDF000-memory.dmp
  - behavioral7/memory/2500-42-0x0000000074590000-0x000000007461D000-memory.dmp
  - behavioral7/memory/2500-43-0x0000000073B40000-0x0000000073BDF000-memory.dmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  - PID 2500 75zdeFQ06.exe (5 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  - Token: SeDebugPrivilege, PID 2500 75zdeFQ06.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  - PID 2500 75zdeFQ06.exe (6 identical entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 点击此处安装语言包.exe, 点击此处安装语言包.exe
  - PID 3008 点击此处安装语言包.exe wrote to memory of PID 3020 点击此处安装语言包.exe (4 identical entries)
  - PID 3020 点击此处安装语言包.exe wrote to memory of PID 2500 75zdeFQ06.exe (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\点击此处安装语言包.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\点击此处安装语言包.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\点击此处安装语言包.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\点击此处安装语言包.exe 47043E045804540476046B0463047604650469044004650470046504580460046104610474047704670465046A0458044D043104330454043D0472044D04430434045B04610467044704530436043504370443045804330431047E04600461044204550434043204--aa
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\deepscan\I57P9vIG0_ecCW213G\75zdeFQ06.exe
         Command line: "C:\ProgramData\deepscan\I57P9vIG0_ecCW213G\75zdeFQ06.exe"
         - Adds policy Run key to start application
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\deepscan\I57P9vIG0_ecCW213G\75zdeFQ06.txt
  Filesize: 245B
  MD5: 83653858b21fb0c5759557da1d4bef6a
  SHA1: e2b74867e669f0f5e84f4fb398ee8bdcc76d45f2
  SHA256: ec02e0a0cdf6446da1a73267f8f7d5c544750fe96d01a97eb765e9187ed2eb72
  SHA512: 960b8ae0adefad0a155dd5f90c04f132877e26238aeaf9e6076608c50a4f5b584e5b3a1ef9eb1cfa363aef8e4eac80f43149f22d4e82a4c1bb16745b9bf31e2f
- \ProgramData\deepscan\I57P9vIG0_ecCW213G\75zdeFQ06.exe
  Filesize: 2.4MB
  MD5: 7721777df2350ff195203cc7d7fe12c5
  SHA1: a434eee80a389fef7f4d9886ec23bc7c8fcb2e64
  SHA256: af3f9d480936286ce799ed5422222d3feabbc2325cb8242c2d09937964e73916
  SHA512: e94d1dc08cc7dbf98e50f933adc94b37e96ae4738eaff4c62c4901e9a38e67bbaa316e8ee770497b44257c7bfeca6a5924294f980b54a9da049d074fa63c4d41
- \ProgramData\deepscan\I57P9vIG0_ecCW213G\mfc120.dll
  Filesize: 4.2MB
  MD5: e1629a36f15824346bb54a9ebe9b622f
  SHA1: ee5d55315ffb351e24b7c918c82e6ce4ec17a645
  SHA256: 68df186e26151313a0df2adb0ef5f3a45ebba3cb02229bd8723a29dee60e278d
  SHA512: 0301ed7ad473015478f32afd3e41dafd045eab26ad42080bad6030324564a7ed09a7516b8d362b5cb2201d087eb25f2bb7ac5fc809a387f49f893ac3df8814bb
- \ProgramData\deepscan\I57P9vIG0_ecCW213G\msvcp120.dll
  Filesize: 444KB
  MD5: fd5cabbe52272bd76007b68186ebaf00
  SHA1: efd1e306c1092c17f6944cc6bf9a1bfad4d14613
  SHA256: 87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
  SHA512: 1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5
- \ProgramData\deepscan\I57P9vIG0_ecCW213G\msvcr120.dll
  Filesize: 948KB
  MD5: 034ccadc1c073e4216e9466b720f9849
  SHA1: f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1
  SHA256: 86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
  SHA512: 5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7
- \ProgramData\deepscan\I57P9vIG0_ecCW213G\yGraphHlp180.dll
  Filesize: 186KB
  MD5: feec59aca478ffd02bf81ec4a02768f1
  SHA1: 0a68219e91fd2f7a413b974a9ea22253ba9a6376
  SHA256: c7d5fb1cdc4a2f6321c6e74538092a9ec6f2038d48c18132f77162b0064cd922
  SHA512: 23411c62d93b6107c1b3df2ee0ea7bfe62325483ecbc2653c17a66f6f5d4a1f2818b6be109f35b309d26d5733c379efbd2879d853e2c3f78b1ad4fc697c5a605
- \ProgramData\deepscan\I57P9vIG0_ecCW213G\yclienti.dll
  Filesize: 255KB
  MD5: fa9d7d6498f69a3f129555856b8e57d6
  SHA1: ded693730bd80767884d78c522c9d8d0061958db
  SHA256: 3ab66b2fd3173e71318175f19908331d7e3b442b14d3e39f0f10014f64f716ad
  SHA512: 235bf1dfd22c6a30e8df6737218c7968901192907db2846a43684d006f4159e0b16a4ecb0a3e67217c33778924bb6e05b8a963fc148df33190e4ba41b119dd8c
- \ProgramData\deepscan\I57P9vIG0_ecCW213G\ygraph180.dll
  Filesize: 2.1MB
  MD5: 138e8d93a64d965565c7a521bfb4b83f
  SHA1: 7e9a41dcc64a50a8987c553212cf150b6f2a3bcb
  SHA256: 974e2266fe114abbc09e551ba230b10d25bdf5d5d1359f0814261ea48426f030
  SHA512: 06932c0813d102db66970c8794c6bd87bbb7b9627b650112f27545c3aba7fc481d0e4316293e126be6528d7f4a051f1ab6ea804bfcbfc60d61a8ef49361a1fa5

Memory dumps (process 2500)
- memory/2500-36-0x0000000010000000-0x0000000010374000-memory.dmp: 3.5MB
- memory/2500-38-0x0000000002A30000-0x0000000002B17000-memory.dmp: 924KB
- memory/2500-34-0x0000000075100000-0x0000000075101000-memory.dmp: 4KB
- memory/2500-30-0x00000000770A0000-0x00000000770A1000-memory.dmp: 4KB
- memory/2500-21-0x0000000010000000-0x0000000010374000-memory.dmp: 3.5MB
- memory/2500-28-0x00000000770A0000-0x00000000770A1000-memory.dmp: 4KB
- memory/2500-39-0x00000000004C0000-0x0000000000543000-memory.dmp: 524KB
- memory/2500-27-0x0000000073B40000-0x0000000073BDF000-memory.dmp: 636KB
- memory/2500-24-0x0000000074590000-0x000000007461D000-memory.dmp: 564KB
- memory/2500-41-0x0000000002A30000-0x0000000002B17000-memory.dmp: 924KB
- memory/2500-42-0x0000000074590000-0x000000007461D000-memory.dmp: 564KB
- memory/2500-43-0x0000000073B40000-0x0000000073BDF000-memory.dmp: 636KB
- memory/2500-47-0x0000000004440000-0x000000000452B000-memory.dmp: 940KB
- memory/2500-50-0x0000000004C20000-0x0000000004D95000-memory.dmp: 1.5MB
- memory/2500-52-0x0000000004220000-0x0000000004431000-memory.dmp: 2.1MB
- memory/2500-53-0x0000000010000000-0x0000000010374000-memory.dmp: 3.5MB