83ef832f847a3dd1a9d3e48c4d7ac35a34848e63cec9b8bf1b83ca37752ce7a7

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

电脑模拟LED广告牌.exe
Size

355KB
MD5

673f7b18ce4fce1447aa8e0163914d6c
SHA1

3113d9af50e3c8d62157556c11a66c8e9c67f1e6
SHA256

a26418d250d97328472cdc11392c116946e9267355a3e9e73f27eb9f02175234
SHA512

e7048513d9d1e938ab8ab1463959def2922e902b38ebe4ee405d61621aad84230e414c6a79e7fd6269c93ee7dd9316104ce0a96e93a58cb54b3b0dec056e0af7
SSDEEP

6144:TXcPRuF8RWdSwy+KBuy8h+9rsD7+XKgz2Wp4g9DLjJoxGq6IECy6m:TXcPRGyaSwy+KBbKmLz2Wp4AFYGq6Ym

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
952	LED.exe

Loads dropped DLL 1 IoCs

pid	Process
1004	电脑模拟LED广告牌.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: 33	1004	电脑模拟LED广告牌.exe
Token: SeIncBasePriorityPrivilege	1004	电脑模拟LED广告牌.exe
Token: 33	1004	电脑模拟LED广告牌.exe
Token: SeIncBasePriorityPrivilege	1004	电脑模拟LED广告牌.exe
Token: 33	1004	电脑模拟LED广告牌.exe
Token: SeIncBasePriorityPrivilege	1004	电脑模拟LED广告牌.exe
Token: 33	1004	电脑模拟LED广告牌.exe
Token: SeIncBasePriorityPrivilege	1004	电脑模拟LED广告牌.exe
Token: 33	952	LED.exe
Token: SeIncBasePriorityPrivilege	952	LED.exe
Token: 33	952	LED.exe
Token: SeIncBasePriorityPrivilege	952	LED.exe
Token: 33	952	LED.exe
Token: SeIncBasePriorityPrivilege	952	LED.exe
Token: 33	952	LED.exe
Token: SeIncBasePriorityPrivilege	952	LED.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 952	1004	电脑模拟LED广告牌.exe	28
PID 1004 wrote to memory of 952	1004	电脑模拟LED广告牌.exe	28
PID 1004 wrote to memory of 952	1004	电脑模拟LED广告牌.exe	28
PID 1004 wrote to memory of 952	1004	电脑模拟LED广告牌.exe	28

C:\Users\Admin\AppData\Local\Temp\电脑模拟LED广告牌.exe
"C:\Users\Admin\AppData\Local\Temp\电脑模拟LED广告牌.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\电脑虚拟LED广告牌\1.0.0.0\2013.06.08T03.22\Virtual\STUBEXE\@APPDATALOCAL@\Temp\LED.exe
  "C:\Users\Admin\AppData\Local\Temp\LED.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\电脑虚拟LED广告牌\1.0.0.0\2013.06.08T03.22\Virtual\STUBEXE\@APPDATALOCAL@\Temp\LED.exe

Filesize
17KB

MD5
2dc5901d28a2a5a07fd1bad6223495a9

SHA1
98d5bee6291c558e54b976f08dbdb42dd41958ea

SHA256
d6078adca4893bf57edf3a96e5eb0e450c9b4897f84bdb953e0bbd28e4e2ed91

SHA512
aab782b3149ca80b2fb4dabb533b7d1d2307838029e3ca043fc56054c57b48cdc07e554aa5aa9b31b8dbdde3dbc4b654a77c828cc5d7a7d287cbad87a4dae3c9

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\电脑虚拟LED广告牌\1.0.0.0\2013.06.08T03.22\Virtual\STUBEXE\@APPDATALOCAL@\Temp\LED.exe

Filesize
17KB

MD5
2dc5901d28a2a5a07fd1bad6223495a9

SHA1
98d5bee6291c558e54b976f08dbdb42dd41958ea

SHA256
d6078adca4893bf57edf3a96e5eb0e450c9b4897f84bdb953e0bbd28e4e2ed91

SHA512
aab782b3149ca80b2fb4dabb533b7d1d2307838029e3ca043fc56054c57b48cdc07e554aa5aa9b31b8dbdde3dbc4b654a77c828cc5d7a7d287cbad87a4dae3c9

Download Submit
memory/952-676-0x0000000073470000-0x0000000073A1B000-memory.dmp

Filesize
5.7MB

Download
memory/952-675-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/952-673-0x0000000073470000-0x0000000073A1B000-memory.dmp

Filesize
5.7MB

Download
memory/952-672-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/952-445-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-93-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-103-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-75-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-77-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-79-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-81-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-83-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-71-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-85-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-89-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-91-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-87-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-55-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-95-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-97-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-99-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-101-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-73-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-105-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-107-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-109-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-113-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-111-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-115-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-117-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-304-0x000000000039B000-0x000000000039D000-memory.dmp

Filesize
8KB

Download
memory/1004-67-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-69-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-65-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-63-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-61-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-59-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-674-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-57-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1004-54-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download