3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2

General

Target

3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe
Size

12.2MB
MD5

ee7bc5e3ce6b6542e086c35b8e4f327c
SHA1

7745dda2c333ed29b92ba1630828deb6a5374b71
SHA256

3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2
SHA512

be658b4e9e77633adfe250df475bdb18bf69468e1d29f092cff05e4ec7755c52ef20d5da955d6b91f8d245da4ce8d780c4b8eed2a2a6b8c7728075c82f080fbd
SSDEEP

196608:9GW7q8424qJ0b/o16NTMEdLQR/dpHCKtmCY9BqzWnzlvENqDcifG3Q+WBmYicd0:v284EJ0bjawQR/Hw3pcQG37cG

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3584	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
4608	授权-20221001.exe
3372	GProtector.lib

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\我的程序\is-0A01J.tmp	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
File created	C:\Program Files (x86)\我的程序\is-JH4LM.tmp	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
File opened for modification	C:\Program Files (x86)\我的程序\unins000.dat	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
File opened for modification	C:\Program Files (x86)\我的程序\授权-20221001.exe	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
File created	C:\Program Files (x86)\我的程序\unins000.dat	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
File created	C:\Program Files (x86)\我的程序\is-0A01J.tmp	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3584	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
3584	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
3372	GProtector.lib
3372	GProtector.lib

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3372	GProtector.lib

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3584	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 3584	524	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe	85
PID 524 wrote to memory of 3584	524	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe	85
PID 524 wrote to memory of 3584	524	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe	85
PID 3584 wrote to memory of 4608	3584	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp	86
PID 3584 wrote to memory of 4608	3584	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp	86
PID 3584 wrote to memory of 4608	3584	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp	86
PID 4608 wrote to memory of 3372	4608	授权-20221001.exe	87
PID 4608 wrote to memory of 3372	4608	授权-20221001.exe	87

C:\Users\Admin\AppData\Local\Temp\3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe
"C:\Users\Admin\AppData\Local\Temp\3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:524
- C:\Users\Admin\AppData\Local\Temp\is-GVAPT.tmp\3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GVAPT.tmp\3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp" /SL5="$1D01DC,12091770,718848,C:\Users\Admin\AppData\Local\Temp\3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Program Files (x86)\我的程序\授权-20221001.exe
    "C:\Program Files (x86)\我的程序\授权-20221001.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\GProtector\GProtector.lib
      C:\GProtector\GProtector.lib
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GProtector\GProtector.lib

Filesize
1.8MB

MD5
6674d5000f63d4d22851daa40e5d8621

SHA1
8ddd2682a604d238e0549e00750fe45b82c1d222

SHA256
3a6e4927ccbb671373cd758c572b592a358ee5dfd97d50e2eece02abd626e3f1

SHA512
83922a4aef59813dbe1edd36c86c82ca24132cc943bef3563e4048e4f3d25e0a097ee0bc122113843ecb997af43d4f38e84dff31284cc7af1b26aa442f7d55f5

Download Submit
C:\GProtector\GProtector.lib

Filesize
1.8MB

MD5
6674d5000f63d4d22851daa40e5d8621

SHA1
8ddd2682a604d238e0549e00750fe45b82c1d222

SHA256
3a6e4927ccbb671373cd758c572b592a358ee5dfd97d50e2eece02abd626e3f1

SHA512
83922a4aef59813dbe1edd36c86c82ca24132cc943bef3563e4048e4f3d25e0a097ee0bc122113843ecb997af43d4f38e84dff31284cc7af1b26aa442f7d55f5

Download Submit
C:\Program Files (x86)\我的程序\授权-20221001.exe

Filesize
18.3MB

MD5
dd61179ce217d0ea35b68b4c41e3f8d1

SHA1
0fbbbc129329376d90982b344bf93cfdad4949fa

SHA256
62de854303da3cce18ff0023233fbc4013ac9e0df1ef564fdc3649978b9c0c2f

SHA512
5a58fde474d1c105125988053d9b5bcae106b6a72a7f714ea553863f9c5542fd10ef793158ef08f7f3467a863d69c2fb08866e63d5eb15fe567df8b7ab4a1b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GVAPT.tmp\3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp

Filesize
2.4MB

MD5
afcb0ce52f3275932bbe693168cbec61

SHA1
aaaaa41948d3984112f6e488c3be447069dc516d

SHA256
09e32653389d6b965db754a9edd5f45e782fdb4f19e25a23209e5aac71598e68

SHA512
a10416d6825f8a5db60cccc04cfa3de08f64e309d25078a4ec3c42a626d6b1575666cf965f1cc40a645f332d00bbafff522dcbea1851d09aea444f6ca60d0416

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GVAPT.tmp\3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp

Filesize
2.4MB

MD5
afcb0ce52f3275932bbe693168cbec61

SHA1
aaaaa41948d3984112f6e488c3be447069dc516d

SHA256
09e32653389d6b965db754a9edd5f45e782fdb4f19e25a23209e5aac71598e68

SHA512
a10416d6825f8a5db60cccc04cfa3de08f64e309d25078a4ec3c42a626d6b1575666cf965f1cc40a645f332d00bbafff522dcbea1851d09aea444f6ca60d0416

Download Submit
memory/524-132-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/524-134-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/524-143-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4608-140-0x0000000003640000-0x00000000036CB000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing