d51c9b494373e2ad487e2157a6116c1713c60af41b60b3e6d8aeb6e2d4b269e8

General

Target

蓝梦穿越火线CDK生成器.exe
Size

2.1MB
MD5

a3d4bb44d098194b155791a4a14699ba
SHA1

3537714b4efb98c3e6bbefc4f879f534b8aff7e3
SHA256

6b8ae82a19b3daf9fa725660f86c64832003c507e79a714ee3051e8628dd74a6
SHA512

77c602df63e519911b09462131ec2a27ec7434098157907df7f8ed53cd7dc81341cf1c4ddca8459eb6a788eefaf0bd1b58a78efdd9ef6f2aae465ed1665a102e
SSDEEP

49152:HG5L4MC1RK/BdzTZaqdwk0c05HGiFbjXliJaEuQ1q:0LfC1RKPzYqdwkLcHHNXcJB

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll	upx
behavioral2/memory/3620-133-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

蓝梦穿越火线CDK生成器.exe

pid process

3620 蓝梦穿越火线CDK生成器.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

蓝梦穿越火线CDK生成器.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?k729599963"	蓝梦穿越火线CDK生成器.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

2460 msedge.exe
2460 msedge.exe
2408 msedge.exe
2408 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

2408 msedge.exe
2408 msedge.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msedge.exe

pid process

2408 msedge.exe

pid	process
2460	msedge.exe
2460	msedge.exe
2408	msedge.exe
2408	msedge.exe

pid	process
2408	msedge.exe
2408	msedge.exe

pid	process
2408	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

蓝梦穿越火线CDK生成器.exe

pid	process
3620	蓝梦穿越火线CDK生成器.exe
3620	蓝梦穿越火线CDK生成器.exe
3620	蓝梦穿越火线CDK生成器.exe
3620	蓝梦穿越火线CDK生成器.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

蓝梦穿越火线CDK生成器.exemsedge.exe

description	pid	process	target process
PID 3620 wrote to memory of 2408	3620	蓝梦穿越火线CDK生成器.exe	msedge.exe
PID 3620 wrote to memory of 2408	3620	蓝梦穿越火线CDK生成器.exe	msedge.exe
PID 2408 wrote to memory of 5040	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 5040	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1296	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 2460	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 2460	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 1268	2408	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\蓝梦穿越火线CDK生成器.exe
"C:\Users\Admin\AppData\Local\Temp\蓝梦穿越火线CDK生成器.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.2345.com/?k729599963
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffa621846f8,0x7ffa62184708,0x7ffa62184718
3⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,15069774674305763893,7481533239907922210,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
3⤵
PID:1296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,15069774674305763893,7481533239907922210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,15069774674305763893,7481533239907922210,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3376 /prefetch:8
3⤵
PID:1268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15069774674305763893,7481533239907922210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
3⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15069774674305763893,7481533239907922210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
3⤵
PID:4484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll
Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
\??\pipe\LOCAL\crashpad_2408_CLIKVJIQDVAMBRCS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1268-141-0x0000000000000000-mapping.dmp

Download
memory/1296-137-0x0000000000000000-mapping.dmp

Download
memory/2408-134-0x0000000000000000-mapping.dmp

Download
memory/2460-138-0x0000000000000000-mapping.dmp

Download
memory/3620-133-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4128-143-0x0000000000000000-mapping.dmp

Download
memory/4484-145-0x0000000000000000-mapping.dmp

Download
memory/5040-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads