Analysis
max time kernel: 209s
max time network: 247s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 19:35
Static task: static1
Behavioral task: behavioral1
  Sample: 蓝梦穿越火线CDK生成器.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 蓝梦穿越火线CDK生成器.exe
  Resource: win10v2004-20221111-en
General
Target: 蓝梦穿越火线CDK生成器.exe
Size: 2.1MB
MD5: a3d4bb44d098194b155791a4a14699ba
SHA1: 3537714b4efb98c3e6bbefc4f879f534b8aff7e3
SHA256: 6b8ae82a19b3daf9fa725660f86c64832003c507e79a714ee3051e8628dd74a6
SHA512: 77c602df63e519911b09462131ec2a27ec7434098157907df7f8ed53cd7dc81341cf1c4ddca8459eb6a788eefaf0bd1b58a78efdd9ef6f2aae465ed1665a102e
SSDEEP: 49152:HG5L4MC1RK/BdzTZaqdwk0c05HGiFbjXliJaEuQ1q:0LfC1RKPzYqdwkLcHHNXcJB
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
  resource                                          yara_rule
  C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll    acprotect
-
Processes:
  resource                                                                        yara_rule
  C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll                                  upx
  behavioral2/memory/3620-133-0x0000000010000000-0x000000001003D000-memory.dmp    upx
-
Loads dropped DLL 1 IoCs
Processes:
  pid     process
  3620    蓝梦穿越火线CDK生成器.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description          ioc                                                                          process
  Key opened           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                           msedge.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer        msedge.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName         msedge.exe
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
Processes:
  description        ioc                                                                                                                                                   process
  Set value (str)    \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?k729599963"    蓝梦穿越火线CDK生成器.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid     process
  2460    msedge.exe
  2460    msedge.exe
  2408    msedge.exe
  2408    msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
Processes:
  pid     process
  2408    msedge.exe
  2408    msedge.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid     process
  2408    msedge.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid     process
  3620    蓝梦穿越火线CDK生成器.exe
  3620    蓝梦穿越火线CDK生成器.exe
  3620    蓝梦穿越火线CDK生成器.exe
  3620    蓝梦穿越火线CDK生成器.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (identical consecutive entries grouped, count in the last column; 64 entries in total):
  description                         pid     process                      target process    entries
  PID 3620 wrote to memory of 2408    3620    蓝梦穿越火线CDK生成器.exe    msedge.exe        2
  PID 2408 wrote to memory of 5040    2408    msedge.exe                   msedge.exe        2
  PID 2408 wrote to memory of 1296    2408    msedge.exe                   msedge.exe        40
  PID 2408 wrote to memory of 2460    2408    msedge.exe                   msedge.exe        2
  PID 2408 wrote to memory of 1268    2408    msedge.exe                   msedge.exe        18
Processes
C:\Users\Admin\AppData\Local\Temp\蓝梦穿越火线CDK生成器.exe  (PID 3620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\蓝梦穿越火线CDK生成器.exe"
  - Loads dropped DLL
  - Modifies Internet Explorer start page
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2408)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.2345.com/?k729599963
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5040)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffa621846f8,0x7ffa62184708,0x7ffa62184718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1296)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,15069774674305763893,7481533239907922210,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2460)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,15069774674305763893,7481533239907922210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1268)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,15069774674305763893,7481533239907922210,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3376 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4128)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15069774674305763893,7481533239907922210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4484)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15069774674305763893,7481533239907922210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe  (PID 4016)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll
  Filesize: 86KB
  MD5: 147127382e001f495d1842ee7a9e7912
  SHA1: 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b
  SHA256: edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc
  SHA512: 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d
\??\pipe\LOCAL\crashpad_2408_CLIKVJIQDVAMBRCS
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
memory/1268-141-0x0000000000000000-mapping.dmp
memory/1296-137-0x0000000000000000-mapping.dmp
memory/2408-134-0x0000000000000000-mapping.dmp
memory/2460-138-0x0000000000000000-mapping.dmp
memory/3620-133-0x0000000010000000-0x000000001003D000-memory.dmp
  Filesize: 244KB
memory/4128-143-0x0000000000000000-mapping.dmp
memory/4484-145-0x0000000000000000-mapping.dmp
memory/5040-135-0x0000000000000000-mapping.dmp