Analysis
-
max time kernel
37s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
23-11-2022 17:04
General
-
Target
四季专用加速器.exe
-
Size
724KB
-
MD5
b2f073dfef7228c39c6616828bfecc96
-
SHA1
43b4a0025e4fadbc14889f195c6dde13d497cb2c
-
SHA256
59928ad4a8cd81943f03aa368f6a9cecd797b672726dfa9dd99efeaa251756b1
-
SHA512
eddb98c9ffec2163ecf4521f209aabee742d419a22e8ec8af502d5f64ecba215632960528d556597ea6a5bf5c207fb41e4d716d58927f6da994cc78d4704c17a
-
SSDEEP
12288:OT5864aY0sHGff7WE86sfaCtwlL0PCfR8+tiOtN/4PYY/UxtiT5K5gibV5f6U5Xk:OTwgk8SE86siCtwlL0PCp8yiOtN/AvUt
Score
8/10
Malware Config
Signatures
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 9 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\四季专用加速器.exe"C:\Users\Admin\AppData\Local\Temp\四季专用加速器.exe"1⤵
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im TenSafe.exe_12⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im TenSafe.exe_22⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im TenSafe.exe_2.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im TenSafe.exe_1.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Tencentdl.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im TXPlatform.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im TenSafe.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im DNFchina.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Tencentdl.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/700-69-0x0000000000000000-mapping.dmp
-
memory/904-68-0x0000000000000000-mapping.dmp
-
memory/944-65-0x0000000000000000-mapping.dmp
-
memory/1020-67-0x0000000000000000-mapping.dmp
-
memory/1060-64-0x0000000000000000-mapping.dmp
-
memory/1104-62-0x0000000000000000-mapping.dmp
-
memory/1148-58-0x0000000000400000-0x0000000000628000-memory.dmpFilesize
2.2MB
-
memory/1148-54-0x0000000074C11000-0x0000000074C13000-memory.dmpFilesize
8KB
-
memory/1148-60-0x0000000000380000-0x00000000003F2000-memory.dmpFilesize
456KB
-
memory/1148-59-0x0000000000380000-0x00000000003F2000-memory.dmpFilesize
456KB
-
memory/1148-55-0x0000000000400000-0x0000000000628000-memory.dmpFilesize
2.2MB
-
memory/1148-70-0x0000000000400000-0x0000000000628000-memory.dmpFilesize
2.2MB
-
memory/1148-71-0x0000000000380000-0x00000000003F2000-memory.dmpFilesize
456KB
-
memory/1256-61-0x0000000000000000-mapping.dmp
-
memory/1288-63-0x0000000000000000-mapping.dmp
-
memory/2044-66-0x0000000000000000-mapping.dmp