Analysis
- max time kernel: 296s
- max time network: 457s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 23:56
Behavioral tasks (task: sample, resource)
- behavioral1: MirServer/DBServer/DBServer.exe, win7-20221111-en
- behavioral2: MirServer/DBServer/DBServer.exe, win10v2004-20220812-en
- behavioral3: MirServer/DBServer/lpk.dll, win7-20220812-en
- behavioral4: MirServer/DBServer/lpk.dll, win10v2004-20221111-en
- behavioral5: MirServer/GameCenter.exe, win7-20220812-en
- behavioral6: MirServer/GameCenter.exe, win10v2004-20221111-en
- behavioral7: MirServer/LogServer/LogDataServer.exe, win7-20221111-en
- behavioral8: MirServer/LogServer/LogDataServer.exe, win10v2004-20221111-en
- behavioral9: MirServer/LogServer/lpk.dll, win7-20221111-en
- behavioral10: MirServer/LogServer/lpk.dll, win10v2004-20221111-en
- behavioral11: MirServer/LoginGate/LoginGate.exe, win7-20221111-en
- behavioral12: MirServer/LoginGate/LoginGate.exe, win10v2004-20220812-en
- behavioral13: MirServer/LoginGate/lpk.dll, win7-20221111-en
- behavioral14: MirServer/LoginGate/lpk.dll, win10v2004-20221111-en
- behavioral15: MirServer/LoginSrv/LoginSrv.exe, win7-20221111-en
- behavioral16: MirServer/LoginSrv/LoginSrv.exe, win10v2004-20221111-en
- behavioral17: MirServer/LoginSrv/lpk.dll, win7-20220812-en
- behavioral18: MirServer/LoginSrv/lpk.dll, win10v2004-20221111-en
- behavioral19: MirServer/Mir200/Envir/QuestDiary/16sky.com/ţţ/MSCOMCTL.dll, win7-20220901-en
- behavioral20: MirServer/Mir200/Envir/QuestDiary/16sky.com/ţţ/MSCOMCTL.dll, win10v2004-20220812-en
- behavioral21: MirServer/Mir200/IPLocal.dll, win7-20220812-en
- behavioral22: MirServer/Mir200/IPLocal.dll, win10v2004-20221111-en
- behavioral23: MirServer/Mir200/M2Server.exe, win7-20220812-en
- behavioral24: MirServer/Mir200/M2Server.exe, win10v2004-20220812-en
- behavioral25: MirServer/Mir200/M2Server.exe.lnk, win7-20220901-en
- behavioral26: MirServer/Mir200/M2Server.exe.lnk, win10v2004-20220812-en
- behavioral27: MirServer/Mir200/lpk.dll, win7-20221111-en
- behavioral28: MirServer/Mir200/lpk.dll, win10v2004-20221111-en
- behavioral29: MirServer/Readme-˵.htm, win7-20220901-en
- behavioral30: MirServer/Readme-˵.htm, win10v2004-20220901-en
- behavioral31: MirServer/RunGate/RunGate.exe, win7-20220901-en
- behavioral32: MirServer/RunGate/RunGate.exe, win10v2004-20221111-en
General
- Target: MirServer/LogServer/lpk.dll
- Size: 42KB
- MD5: 4d691ae646b320e04bc2f5db3c245eb4
- SHA1: e55533b8f117ed5cf0248f633c0e7f69d5226df6
- SHA256: ddf7073e755dd661565e8eb7b892372dc48a55fde09b1f07cda6e47ce7f8d650
- SHA512: 39f83db56c34c7a7f6d8dab0d2b073447276cb94dfd52c678fbd7a858c33de490fb1249d8d8c55114494fd1f01d07ca43defa210cc6926159c3a51e0f6992699
- SSDEEP: 768:ZojY9PqwzZNfYoMQxcttCIl1GRPKjECdVojY9P9:smlXPgtZTxECdAmF
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  4048 hrl5480.tmp
  2740 vahxaq.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  2740 vahxaq.exe
- Drops file in System32 directory (3 IoCs)
  Processes (description, ioc, process):
  File created: C:\Windows\SysWOW64\vahxaq.exe, by hrl5480.tmp
  File opened for modification: C:\Windows\SysWOW64\vahxaq.exe, by hrl5480.tmp
  File created: C:\Windows\SysWOW64\hra33.dll, by vahxaq.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege, 4048 hrl5480.tmp
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  PID 4788 wrote to memory of 2420: rundll32.exe -> rundll32.exe
  PID 4788 wrote to memory of 2420: rundll32.exe -> rundll32.exe
  PID 4788 wrote to memory of 2420: rundll32.exe -> rundll32.exe
  PID 2420 wrote to memory of 4048: rundll32.exe -> hrl5480.tmp
  PID 2420 wrote to memory of 4048: rundll32.exe -> hrl5480.tmp
  PID 2420 wrote to memory of 4048: rundll32.exe -> hrl5480.tmp
  PID 4048 wrote to memory of 1680: hrl5480.tmp -> cmd.exe
  PID 4048 wrote to memory of 1680: hrl5480.tmp -> cmd.exe
  PID 4048 wrote to memory of 1680: hrl5480.tmp -> cmd.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\MirServer\LogServer\lpk.dll,#1
  PID: 4788
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\MirServer\LogServer\lpk.dll,#1
    PID: 2420
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\hrl5480.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\hrl5480.tmp
      PID: 4048
      Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\hrl5480.tmp > nul
        PID: 1680
- C:\Windows\SysWOW64\vahxaq.exe
  Command line: C:\Windows\SysWOW64\vahxaq.exe
  PID: 2740
  Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
Downloads (repeated identical entries collapsed)
- Filesize: 34KB
  MD5: 2d53ee91ed80e8a5a0134a7b7bc8097c
  SHA1: a8df996004f0bae739b8d1a15a8fcc1d868d34e2
  SHA256: 88127c1ca940b5e087cb124f942761bffdefe2c73e4574570f1f914224083cf2
  SHA512: ca70ee3311bd3b20f15776390fd3c5f0e438bba65669caf56e95cc94ed6ae17d4d7a9866908bfa5aa1732cd5fd56d269c4836b1754fdf718e3d6d8ea5a9e4e14
- Filesize: 42KB (same hashes as the target lpk.dll listed under General)
  MD5: 4d691ae646b320e04bc2f5db3c245eb4
  SHA1: e55533b8f117ed5cf0248f633c0e7f69d5226df6
  SHA256: ddf7073e755dd661565e8eb7b892372dc48a55fde09b1f07cda6e47ce7f8d650
  SHA512: 39f83db56c34c7a7f6d8dab0d2b073447276cb94dfd52c678fbd7a858c33de490fb1249d8d8c55114494fd1f01d07ca43defa210cc6926159c3a51e0f6992699