ac50a2f233bed117ea4aab2ec0437e1d04661664f24f1a59cfd29c9fad16f77a | Triage

Sharing

General

Target

ac50a2f233bed117ea4aab2ec0437e1d04661664f24f1a59cfd29c9fad16f77a
Size

9.2MB
Sample

221125-z1fmesab8s
MD5

cdddbf0f10471979020add99af6129e0
SHA1

5ef2a6ddc735a5138118f58d68b4f4da11e2c5a8
SHA256

ac50a2f233bed117ea4aab2ec0437e1d04661664f24f1a59cfd29c9fad16f77a
SHA512

9a3a3ece0be8b0d7952efe7a0dc41d9afe7f67d11a5c01ec29a98153de1058e563ffee78521d3d0662c26c3604a1f392ef1b27ca1d978ddadee214e22907de87
SSDEEP

196608:N7Vzxmxq5RGJm5a7ZYKV6swx9WhVBb2HUkBSWmgnvgAvtiiDAk9dQY:NP8q5RRa7ZDVbi9uByHvS8YzWpQY

Score

8^/10

bootkit persistence vmprotect

Malware Config

Targets

- Target
  
  mxdbl.pc6.0831/冒险伴侣0831/Baidu_Com_90000168.exe
- Size
  
  1.4MB
- MD5
  
  d49e4198096aa6f7af3787ba230198c2
- SHA1
  
  e7a3c4feb071ec294ce14d74f6e0fa603740f1af
- SHA256
  
  2343e15558bba1e08369527cebd7082495c4fb5f1f859f1806f4ac0b464cd304
- SHA512
  
  a36ba06bdf98783b33d30b3f87854387493de077a679105ebb4af9e29df809e623738fab5014109e44d5965e8c07173e9f57c92fb1e02dc6b57b03095988dfa1
- SSDEEP
  
  24576:eCNjeWLiBF5Addz/++bJnksHBmNqvdOg5m8y01HHiaqulkrpsEG3eX:DjNLsFybzhkaBmNWdN5HyLHekeEG3+
Score

7^/10

bootkit persistence
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2
- Target
  
  mxdbl.pc6.0831/冒险伴侣0831/HYDati.dll
- Size
  
  267KB
- MD5
  
  f3c7ff06d8e30f813a87f9b3daec4342
- SHA1
  
  818150218210639f6ae975b9cd7dcf5fd6f2d23d
- SHA256
  
  11d3f2f2ff92d4b90c4b81f07c9dd80a738beb8d187f1126a40c47d68d1c23bb
- SHA512
  
  53f7e5c08c75bc5c10d0fb8369ba4405f402d6ddd8abbd665d2d2c0b619a27d5fc03295a47185738b26c3d84a52adb0804889571d02ed5ddd7347ff4bc5b3715
- SSDEEP
  
  6144:2z239PKc+Ei8vee1IHYt5WyG86xPO7dlng/2B:DPDtOu5WyG8yPKlJB
Score

1^/10
behavioral3 behavioral4
- Target
  
  mxdbl.pc6.0831/冒险伴侣0831/PC6下载.url
- Size
  
  108B
- MD5
  
  9a3427f2b5d327e004e68379049168ec
- SHA1
  
  b7e47c3a4a8777dc9f56d03ce351309b880789e6
- SHA256
  
  c5c7327a0829c196ed997090e5e859d3ef91c9b48372a521aeeb3fcbd17e9a50
- SHA512
  
  62b93af0eea8dbf5e02f080b8375acc2eb855c5fb881eb61980979d1c863a233dc8cf9047ce32741a81cd9d7a414ddc70548fa6d7b1e52fc1614c55f14d740bb
Score

1^/10
behavioral5 behavioral6
- Target
  
  mxdbl.pc6.0831/冒险伴侣0831/Partner.dll
- Size
  
  1000KB
- MD5
  
  759d7f9a47b9f458e19b93eed4ce0ba6
- SHA1
  
  e31e73b0aca7d80301ad61f65330b3ffd88cc88e
- SHA256
  
  24198c3ead664d7688a4d05d1356ae4774f15a79bea809558c73599bd9ee18c1
- SHA512
  
  eee70fd006710f80f2caa89ca7715377df80daaeabe2197768979e7f7742c9d997538f73a434268b014cb4acc17b36bd803c145f26aaf47dfb1ecb66b59e10ec
- SSDEEP
  
  24576:sojABVSSdYxUNvUJP4rmBNDm+QtgAQtTJDnwfyACmlvUyeugfaLQPfNcj:1jsHYOJrmXDmCAQB9wJCe8pm8Pm
Score

8^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7 behavioral8
- Target
  
  mxdbl.pc6.0831/冒险伴侣0831/bldllw32.dll
- Size
  
  650KB
- MD5
  
  cf7c6b37887a7fae3f46860579ad7b0b
- SHA1
  
  9f45a4d9cb15df425a950ca202824dbeb4b724d5
- SHA256
  
  35d44ee1cac624e139bb7998e40cef0e489a33879f21ae793144b0acec470010
- SHA512
  
  53b8a8a0d1fbb2187e05e90f8bae204a0a50e42088447cfdf08d146f41054e003f55e592853a8fccf8001cde248043878c39b99b5eb951bba17629c36d76795f
- SSDEEP
  
  12288:zx3pZ7zW9bajGmYnj3vTWLOG1MED4Pftt1iTC6Fi:zx3pZ7uOGVnzBOlD43NOC
Score

1^/10
behavioral10 behavioral9
- Target
  
  mxdbl.pc6.0831/冒险伴侣0831/冒险伴侣说明新手必看.chm
- Size
  
  2.5MB
- MD5
  
  d6bffc68b6e7b0e0a746e8fe0a6c17da
- SHA1
  
  1cea1c667572713868b85792d3da084b6b9562c3
- SHA256
  
  1c7408e08e35f9b26a53f4bef40984418d26422b4356ced8c44c6478dffac5fc
- SHA512
  
  0c74cece5c788fb339f86f16377fa63229271186f77143b5466395e0ce6eb13c50c71655e423c0cf437e31a5a0489e7f8a5b4d76e0eabd45f3f66f97ad507500
- SSDEEP
  
  49152:TivJqJqjq6E+bsjmQCPEZ0EHUKh4kssS5Yg1dHVPXnveDWy07+BpocRJpN1lX:qK+pzsjBbFSLn5ZAX070pjR5X
Score

1^/10
behavioral11 behavioral12
- Target
  
  mxdbl.pc6.0831/冒险伴侣0831/冒險伴侶.exe
- Size
  
  3.8MB
- MD5
  
  5ce7b7a93421ccc26bd3324805e2e9db
- SHA1
  
  e8e302d73c1df162da2928eb1261e0fdceda53c3
- SHA256
  
  0a1367e9e81349bee726eef5801af5ffcd7f10525694fc9fdae6388385a8ae58
- SHA512
  
  804bc74fe9878364a6fbb56492de5478ef4f08eee3e17605826048c1cb688eac855e0474f4dba858769eca68a871e9d3cdadf6208518687583a36a4f4273f42f
- SSDEEP
  
  98304:j+pw0mZ2aunm0EIRgaR90tDhOYCnN9/nK5KGs1k:j+8Z2Bm0BPutDZui
Score

8^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13 behavioral14

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Bootkit

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bootkitpersistence

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14