35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6

Analysis

max time kernel
124s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2022, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
Size

1.5MB
MD5

7bfc91346aac6bbc82801815555af950
SHA1

c385fb6af8d21c914937814188f8bf2152f562ea
SHA256

35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6
SHA512

14ef1b44e8fdf96929e3a26e27265f7c473b8cfa91fcfd839320792cc151383d71afaeb2f852351c245255b34383353286458dd41bd2ba72579f94c48aa4cd3f
SSDEEP

49152:UZYvs+6VtRr0mcwJxFy6mqMkfyWmgwZJwp:A+6V7r0mcwJx4YMkfRDwjwp

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022e66-135.dat	acprotect
behavioral2/files/0x0006000000022e66-136.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4632	system.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e66-135.dat	upx
behavioral2/files/0x0006000000022e66-136.dat	upx
behavioral2/memory/4632-138-0x0000000002090000-0x00000000020A2000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe

Loads dropped DLL 2 IoCs

pid	Process
4632	system.exe
4632	system.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\热血嘉年华试用一年版\Client.dll	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\1301.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\1701.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\2201.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\403.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\++-¬++-O+¬-+++-+-O¦µ\Map	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\2001.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\2101.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\501.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\601.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\sound.wav	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\++-¬++-O+¬-+++-+-O¦µ\-++¦¦n	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\嘉年华.EXE	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\挂机日志.log	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\system.exe	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Config\Save.ini	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\301.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\403.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\502.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\STDLL.DLL	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\1801.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\RxTools.ini	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Runs.dll	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\1201.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\1601.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\1901.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\301.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\501.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\701.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\嘉年华.EXE	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\挂机日志.log	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\101.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\2101.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\503.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\701.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\windows.dll	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\++-¬++-O+¬-+++-+-O¦µ\Config	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Config\Save.ini	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\system.exe	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\5001.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Runs.dll	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\1001.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\401.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\402.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\5001.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\sound.wav	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Config\回城脚本.jns	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\1201.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\1301.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\1401.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\1501.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\STDLL.DLL	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\windows.dll	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\路径包	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\1001.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\101.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Map\1801.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\2201.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\RxTools.ini	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File opened for modification	C:\Windows\热血嘉年华试用一年版\Ver.ini	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\503.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Map\901.jpg	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
File created	C:\Windows\热血嘉年华试用一年版\Client.dll	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4632	system.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 4632	3060	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe	78
PID 3060 wrote to memory of 4632	3060	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe	78
PID 3060 wrote to memory of 4632	3060	35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe	78

C:\Users\Admin\AppData\Local\Temp\35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe
"C:\Users\Admin\AppData\Local\Temp\35d66676d4b85d25d33a87bd3de673c09d32ca99d71f811f81d075203b9276d6.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\system.exe
  "C:\Windows\system.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\systemhj.dll

Filesize
20KB

MD5
3195cab2f3b84e90f69def433db0b9a6

SHA1
9dc5c1ef16eade9cddfe7752c5b6409f77cf3cb1

SHA256
2550bf88947a3ef12688d50680233d471f4f259a15955671df1f96e3504f5e07

SHA512
e30c06d776a8ed75c1fb159ada4e6ac3edecea05e3c0c8926debb6e95310c6d8ca976d673a01cf634d20646986d9d9ee4c92f37de0a24305321b54d7d135365e

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemhj.dll

Filesize
20KB

MD5
3195cab2f3b84e90f69def433db0b9a6

SHA1
9dc5c1ef16eade9cddfe7752c5b6409f77cf3cb1

SHA256
2550bf88947a3ef12688d50680233d471f4f259a15955671df1f96e3504f5e07

SHA512
e30c06d776a8ed75c1fb159ada4e6ac3edecea05e3c0c8926debb6e95310c6d8ca976d673a01cf634d20646986d9d9ee4c92f37de0a24305321b54d7d135365e

Download Submit
C:\Windows\system.exe

Filesize
22KB

MD5
83d7c7361e09b56788b7f7c8b225341d

SHA1
51c45d6a229142af3d835f0359e68e5c5a6e02d2

SHA256
c60e70f2306b2428e4433528625e2832916b005c53b51bed74d802f31fe7c795

SHA512
1945fdb8d7a16fea46fffa43fad145dab900770c783257fe07a9d7f208ffbae44c50f5ff35ea9e9af1e80c4f51b321486ecae2a528bb9191a1e1d3a964c95c1e

Download Submit
C:\Windows\system.exe

Filesize
22KB

MD5
83d7c7361e09b56788b7f7c8b225341d

SHA1
51c45d6a229142af3d835f0359e68e5c5a6e02d2

SHA256
c60e70f2306b2428e4433528625e2832916b005c53b51bed74d802f31fe7c795

SHA512
1945fdb8d7a16fea46fffa43fad145dab900770c783257fe07a9d7f208ffbae44c50f5ff35ea9e9af1e80c4f51b321486ecae2a528bb9191a1e1d3a964c95c1e

Download Submit
memory/4632-138-0x0000000002090000-0x00000000020A2000-memory.dmp

Filesize
72KB

Download
memory/4632-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download