Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
23-11-2022 17:04
General
-
Target
四季专用加速器.exe
-
Size
724KB
-
MD5
b2f073dfef7228c39c6616828bfecc96
-
SHA1
43b4a0025e4fadbc14889f195c6dde13d497cb2c
-
SHA256
59928ad4a8cd81943f03aa368f6a9cecd797b672726dfa9dd99efeaa251756b1
-
SHA512
eddb98c9ffec2163ecf4521f209aabee742d419a22e8ec8af502d5f64ecba215632960528d556597ea6a5bf5c207fb41e4d716d58927f6da994cc78d4704c17a
-
SSDEEP
12288:OT5864aY0sHGff7WE86sfaCtwlL0PCfR8+tiOtN/4PYY/UxtiT5K5gibV5f6U5Xk:OTwgk8SE86siCtwlL0PCp8yiOtN/AvUt
Score
8/10
Malware Config
Signatures
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 9 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\四季专用加速器.exe"C:\Users\Admin\AppData\Local\Temp\四季专用加速器.exe"1⤵
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im TenSafe.exe_12⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im TenSafe.exe_22⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im TenSafe.exe_1.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im TenSafe.exe_2.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im TXPlatform.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Tencentdl.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im TenSafe.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im DNFchina.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Tencentdl.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/988-141-0x0000000000000000-mapping.dmp
-
memory/1108-142-0x0000000000000000-mapping.dmp
-
memory/1204-143-0x0000000000000000-mapping.dmp
-
memory/1660-146-0x0000000000000000-mapping.dmp
-
memory/2288-140-0x0000000000000000-mapping.dmp
-
memory/2516-139-0x0000000000000000-mapping.dmp
-
memory/3532-145-0x0000000000000000-mapping.dmp
-
memory/4088-144-0x0000000000000000-mapping.dmp
-
memory/4620-147-0x0000000000000000-mapping.dmp
-
memory/4632-132-0x0000000000400000-0x0000000000628000-memory.dmpFilesize
2.2MB
-
memory/4632-138-0x0000000002520000-0x0000000002592000-memory.dmpFilesize
456KB
-
memory/4632-137-0x0000000002520000-0x0000000002592000-memory.dmpFilesize
456KB
-
memory/4632-136-0x0000000000400000-0x0000000000628000-memory.dmpFilesize
2.2MB
-
memory/4632-133-0x0000000000400000-0x0000000000628000-memory.dmpFilesize
2.2MB
-
memory/4632-148-0x0000000002520000-0x0000000002592000-memory.dmpFilesize
456KB