Analysis
max time kernel: 4265058s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 17-01-2022 15:35
Static task: static1
Behavioral task: behavioral1
Sample: 固定用户锁V2(去除蓝屏关机之类的所有暗装).exe (Chinese; roughly "Fixed user lock V2 (all hidden features such as blue-screen shutdown removed)")
Resource: win7-en-20211208
General
Target: 固定用户锁V2(去除蓝屏关机之类的所有暗装).exe
Size: 3.9MB
MD5: 3ca0a601129170828f89a70f63dec5b8
SHA1: 8e1f1ac711133e37026468c75f554c56d8441531
SHA256: bb831434dada721f000a29589a4a2354e15b4c1c73191c8bac8638d91481dc8b
SHA512: 7958d5da3964f53a18e1c0c13ecf309384cd88441a611f69a378dd478fcd48107847b62e6b8947a8544920c6d9e58e2a3bd01ea0ffc7f62165a9f25297033849
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 固定用户锁V2(去除蓝屏关机之类的所有暗装).exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 固定用户锁V2(去除蓝屏关机之类的所有暗装).exe
Memory regions matching the themida YARA rule 4 IoCs
Every dump of the sample's mapped image (0x00400000-0x00D07000, about 9.0 MB in memory against 3.9 MB on disk) matches the themida YARA rule, consistent with the executable being protected with the Themida packer; static strings and imports of the on-disk file are therefore unlikely to reflect the real payload.
Processes:
resource | yara_rule
behavioral2/memory/2788-130-0x0000000000400000-0x0000000000D07000-memory.dmp | themida
behavioral2/memory/2788-131-0x0000000000400000-0x0000000000D07000-memory.dmp | themida
behavioral2/memory/2788-132-0x0000000000400000-0x0000000000D07000-memory.dmp | themida
behavioral2/memory/2788-133-0x0000000000400000-0x0000000000D07000-memory.dmp | themida
Checks whether UAC is enabled
EnableLUA under Policies\System is the registry value that records whether User Account Control is enabled on the host.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 固定用户锁V2(去除蓝屏关机之类的所有暗装).exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from delivering debug events, so an attached debugger loses visibility of it; this is a common anti-debugging technique.
Processes:
pid | process
2788 | 固定用户锁V2(去除蓝屏关机之类的所有暗装).exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but nothing else in this report records file encryption or ransom notes, so on its own it is a weak indicator.
Program crash 1 IoCs
WerFault.exe was started from C:\Windows\SysWOW64, so the crashing sample runs as a 32-bit process.
Processes:
pid | pid_target | process | target process
2644 | 2788 | WerFault.exe | 固定用户锁V2(去除蓝屏关机之类的所有暗装).exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments. Both IoCs here come from MusNotification.exe, a Windows Update notification binary shipped in C:\Windows\system32, not from the submitted sample; reading CentralProcessor\0\~MHz is routine for Windows components and should not be attributed to the sample.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotification.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotification.exe
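The BIOS, UAC and processor registry reads listed in the signatures above are the kind of rows a triage script has to turn into a verdict, and the MusNotification.exe entries show why a single matching key is not enough. The following is an added example, not part of the sandbox report or its tooling: it classifies registry-read events into anti-analysis categories and flags only processes that touch more than one category. The input rows are constructed to mirror this report's description/ioc/process columns (with "sample.exe" standing in for the submitted file), the category names are assumptions, and the ACPI rule uses the well-known VirtualBox OEM id "VBOX__" because the report does not quote the key it matched.

```python
"""Classify sandbox registry-read events into anti-analysis categories.

Added example, not part of the sandbox report. Sample rows below are
constructed to mirror the report's description / ioc / process columns.
"""
import re
from collections import defaultdict

# Constructed input: one tab-separated row per registry event.
# "sample.exe" is a placeholder for the submitted file; the last row is a
# decoy key that should match no rule.
SAMPLE_EVENTS = """\
Key value queried\t\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion\tsample.exe
Key value queried\t\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion\tsample.exe
Key value queried\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA\tsample.exe
Key opened\t\\Registry\\Machine\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\tMusNotification.exe
Key value queried\t\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz\tMusNotification.exe
Key value queried\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tsample.exe
"""

# Category rules over the normalised key (HKLM\...). The BIOS, CPU and UAC
# paths are the ones quoted in the report; the ACPI rule is an assumption
# based on the VirtualBox OEM id "VBOX__" (the report does not list the key).
RULES = [
    ("bios-fingerprint", re.compile(
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I)),
    ("cpu-fingerprint", re.compile(
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(\\(~MHz|ProcessorNameString|Identifier))?$", re.I)),
    ("uac-check", re.compile(
        r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I)),
    ("acpi-vm-artifact", re.compile(
        r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
]


def normalise_key(path: str) -> str:
    """Map the kernel object-manager spelling (\\REGISTRY\\MACHINE\\...) and the
    Win32 spelling (HKEY_LOCAL_MACHINE\\...) to a single HKLM\\... form, case-insensitively."""
    path = path.strip().replace("/", "\\")
    path = re.sub(r"^\\Registry\\Machine\\", "HKLM\\\\", path, flags=re.I)
    path = re.sub(r"^HKEY_LOCAL_MACHINE\\", "HKLM\\\\", path, flags=re.I)
    return path


def parse_events(text: str):
    """Yield (description, normalised key, process) from tab-separated rows."""
    for line in text.splitlines():
        if not line.strip():
            continue
        desc, key, proc = line.split("\t")
        yield desc, normalise_key(key), proc


def classify(text: str) -> dict:
    """Return {process: {category: [keys]}} for every event matching a rule.
    Both 'Key opened' and 'Key value queried' count: the sandbox reports
    the parent-key open separately from the value read."""
    hits = defaultdict(lambda: defaultdict(list))
    for _desc, key, proc in parse_events(text):
        for category, rx in RULES:
            if rx.match(key):
                hits[proc][category].append(key)
                break
    return {proc: dict(cats) for proc, cats in hits.items()}


def suspicious_processes(hits: dict, min_categories: int = 2) -> list:
    """Processes touching at least `min_categories` distinct categories.
    A lone CPU read is routine for Windows components (MusNotification.exe
    in this report), so one category on its own does not flag a process."""
    return sorted(p for p, cats in hits.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    summary = classify(SAMPLE_EVENTS)
    for proc, cats in summary.items():
        print(proc, {c: len(keys) for c, keys in cats.items()})
    print("flagged:", suspicious_processes(summary))
```

Run stand-alone, the script reports the placeholder sample under bios-fingerprint and uac-check and flags it, while MusNotification.exe stays unflagged with only cpu-fingerprint; the Run key row matches nothing. The two-category threshold is a design choice for triage, not a rule from the report: it trades a missed single-check sample for far fewer false positives from ordinary Windows processes.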
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 1528 | MusNotification.exe
Token: SeCreatePagefilePrivilege | 1528 | MusNotification.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
2788 | 固定用户锁V2(去除蓝屏关机之类的所有暗装).exe
2788 | 固定用户锁V2(去除蓝屏关机之类的所有暗装).exe
Processes
C:\Users\Admin\AppData\Local\Temp\固定用户锁V2(去除蓝屏关机之类的所有暗装).exe
  "C:\Users\Admin\AppData\Local\Temp\固定用户锁V2(去除蓝屏关机之类的所有暗装).exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe (child of the sample)
    C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 1076
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2788 -ip 2788
C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory dump | filesize
memory/2788-130-0x0000000000400000-0x0000000000D07000-memory.dmp | 9.0MB
memory/2788-131-0x0000000000400000-0x0000000000D07000-memory.dmp | 9.0MB
memory/2788-132-0x0000000000400000-0x0000000000D07000-memory.dmp | 9.0MB
memory/2788-133-0x0000000000400000-0x0000000000D07000-memory.dmp | 9.0MB