97d18848951e73cf1fa0a11324c77750280e474094f7985de66a1b389b1f960b

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

【稳定版】MTK6573一键破解ROOT权限工具PC客户端V1.0/root_tools.exe
Size

2.4MB
MD5

df400c9c4f4c98447b7ea71670c760a4
SHA1

3bdcb4c96126090ea33fce85bf814e089e9132ac
SHA256

8f69d34f401fd0292d14e0b044d1c68f5d065588378b55a206ecc877cfd81995
SHA512

25d5429b6fa997a19d41635423d4e3cb3780ae11f62411d35f5bc56d644b45bbb2d8373b81cf3aa1a19ce127c2554d37d7b46dbda4bb3f8665837a8f986ac194
SSDEEP

49152:B3+pFfdjecsxUbtHe3dcTCyZSvQg3sqfKUfEkmN9jd12Yu:B3EFflsOxe3iTC/pJNEzL4X

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1232-132-0x0000000000400000-0x000000000049E000-memory.dmp	upx
behavioral2/memory/1232-133-0x0000000000400000-0x000000000049E000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1232-133-0x0000000000400000-0x000000000049E000-memory.dmp	autoit_exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\adb.exe	root_tools.exe
File opened for modification	C:\Windows\SysWOW64\adb.exe	root_tools.exe
File created	C:\Windows\SysWOW64\AdbWinApi.dll	root_tools.exe
File opened for modification	C:\Windows\SysWOW64\AdbWinApi.dll	root_tools.exe
File created	C:\Windows\SysWOW64\AdbWinUsbApi.dll	root_tools.exe
File opened for modification	C:\Windows\SysWOW64\AdbWinUsbApi.dll	root_tools.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1232	root_tools.exe

C:\Users\Admin\AppData\Local\Temp\【稳定版】MTK6573一键破解ROOT权限工具PC客户端V1.0\root_tools.exe
"C:\Users\Admin\AppData\Local\Temp\【稳定版】MTK6573一键破解ROOT权限工具PC客户端V1.0\root_tools.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-132-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1232-133-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download