Overview

overview

8

Static

static

ppaa1101sp...om.url

windows7-x64

1

ppaa1101sp...om.url

windows10-2004-x64

1

ppaa1101sp...p1.exe

windows7-x64

8

ppaa1101sp...p1.exe

windows10-2004-x64

Analysis

  • max time kernel
    139s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 21:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ppaa1101sp1/跑跑艾艾1101sp1.exe

  • Size

    2.4MB

  • MD5

    998f77aeeafe948afd2332dc3813b0d0

  • SHA1

    873ca6cb898f720a41315f42c359a5b3755116c5

  • SHA256

    ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2

  • SHA512

    12fae2c27b87d4e22b965fac8bd75b425fc2d0c803dfd2f006957a30ddb4e20edd6fc5024269cbe076005497e307cc8f7a1a60d0e2a76fc3341db94277c61ec0

  • SSDEEP

    24576:lMOO6fBzJuMiuaU6hhkX54k5nvVeBeCQiqElvMQKVNsDr+ClG82Zkw3BOTvEeEZx:Cn6xnvVeBKSMnVNqlG6VTceWrQA

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 20 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ppaa1101sp1\跑跑艾艾1101sp1.exe
    "C:\Users\Admin\AppData\Local\Temp\ppaa1101sp1\跑跑艾艾1101sp1.exe"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\empty.exe
      C:\Windows\empty.exe 2016
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:612
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x448
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\empty.exe
    Filesize

    9KB

    MD5

    523d5c39f9d8d2375c3df68251fa2249

    SHA1

    d4ed365c44bec9246fc1a65a32a7791792647a10

    SHA256

    20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

    SHA512

    526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

    Download Submit
  • memory/612-57-0x0000000000000000-mapping.dmp
    Download
  • memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp
    Filesize

    8KB

    Download