ac50a2f233bed117ea4aab2ec0437e1d04661664f24f1a59cfd29c9fad16f77a

Analysis

max time kernel
151s
max time network
174s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mxdbl.pc6.0831/冒险伴侣0831/冒險伴侶.exe
Size

3.8MB
MD5

5ce7b7a93421ccc26bd3324805e2e9db
SHA1

e8e302d73c1df162da2928eb1261e0fdceda53c3
SHA256

0a1367e9e81349bee726eef5801af5ffcd7f10525694fc9fdae6388385a8ae58
SHA512

804bc74fe9878364a6fbb56492de5478ef4f08eee3e17605826048c1cb688eac855e0474f4dba858769eca68a871e9d3cdadf6208518687583a36a4f4273f42f
SSDEEP

98304:j+pw0mZ2aunm0EIRgaR90tDhOYCnN9/nK5KGs1k:j+8Z2Bm0BPutDZui

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral13/memory/1352-56-0x00000000012A0000-0x0000000001AD7000-memory.dmp	vmprotect
behavioral13/memory/1352-71-0x00000000012A0000-0x0000000001AD7000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

冒險伴侶.exe

pid process

1352 冒險伴侶.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

2032 ipconfig.exe
1752 ipconfig.exe

pid	process
2032	ipconfig.exe
1752	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

冒險伴侶.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	冒險伴侶.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

冒險伴侶.exe

pid	process
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe
1352	冒險伴侶.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

冒險伴侶.exe

pid process

1352 冒險伴侶.exe
1352 冒險伴侶.exe
1352 冒險伴侶.exe
1352 冒險伴侶.exe
1352 冒險伴侶.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

冒險伴侶.execmd.execmd.exe

description	pid	process	target process
PID 1352 wrote to memory of 1096	1352	冒險伴侶.exe	cmd.exe
PID 1352 wrote to memory of 1096	1352	冒險伴侶.exe	cmd.exe
PID 1352 wrote to memory of 1096	1352	冒險伴侶.exe	cmd.exe
PID 1352 wrote to memory of 1096	1352	冒險伴侶.exe	cmd.exe
PID 1352 wrote to memory of 2036	1352	冒險伴侶.exe	cmd.exe
PID 1352 wrote to memory of 2036	1352	冒險伴侶.exe	cmd.exe
PID 1352 wrote to memory of 2036	1352	冒險伴侶.exe	cmd.exe
PID 1352 wrote to memory of 2036	1352	冒險伴侶.exe	cmd.exe
PID 2036 wrote to memory of 1232	2036	cmd.exe	cmd.exe
PID 2036 wrote to memory of 1232	2036	cmd.exe	cmd.exe
PID 2036 wrote to memory of 1232	2036	cmd.exe	cmd.exe
PID 2036 wrote to memory of 1232	2036	cmd.exe	cmd.exe
PID 1096 wrote to memory of 1728	1096	cmd.exe	cmd.exe
PID 1096 wrote to memory of 1728	1096	cmd.exe	cmd.exe
PID 1096 wrote to memory of 1728	1096	cmd.exe	cmd.exe
PID 1096 wrote to memory of 1728	1096	cmd.exe	cmd.exe
PID 1096 wrote to memory of 1300	1096	cmd.exe	cacls.exe
PID 1096 wrote to memory of 1300	1096	cmd.exe	cacls.exe
PID 1096 wrote to memory of 1300	1096	cmd.exe	cacls.exe
PID 1096 wrote to memory of 1300	1096	cmd.exe	cacls.exe
PID 2036 wrote to memory of 1784	2036	cmd.exe	cacls.exe
PID 2036 wrote to memory of 1784	2036	cmd.exe	cacls.exe
PID 2036 wrote to memory of 1784	2036	cmd.exe	cacls.exe
PID 2036 wrote to memory of 1784	2036	cmd.exe	cacls.exe
PID 1096 wrote to memory of 1716	1096	cmd.exe	attrib.exe
PID 1096 wrote to memory of 1716	1096	cmd.exe	attrib.exe
PID 1096 wrote to memory of 1716	1096	cmd.exe	attrib.exe
PID 1096 wrote to memory of 1716	1096	cmd.exe	attrib.exe
PID 2036 wrote to memory of 1408	2036	cmd.exe	attrib.exe
PID 2036 wrote to memory of 1408	2036	cmd.exe	attrib.exe
PID 2036 wrote to memory of 1408	2036	cmd.exe	attrib.exe
PID 2036 wrote to memory of 1408	2036	cmd.exe	attrib.exe
PID 2036 wrote to memory of 2032	2036	cmd.exe	ipconfig.exe
PID 2036 wrote to memory of 2032	2036	cmd.exe	ipconfig.exe
PID 2036 wrote to memory of 2032	2036	cmd.exe	ipconfig.exe
PID 2036 wrote to memory of 2032	2036	cmd.exe	ipconfig.exe
PID 1096 wrote to memory of 1752	1096	cmd.exe	ipconfig.exe
PID 1096 wrote to memory of 1752	1096	cmd.exe	ipconfig.exe
PID 1096 wrote to memory of 1752	1096	cmd.exe	ipconfig.exe
PID 1096 wrote to memory of 1752	1096	cmd.exe	ipconfig.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1716 attrib.exe
1408 attrib.exe

pid	process
1716	attrib.exe
1408	attrib.exe

C:\Users\Admin\AppData\Local\Temp\mxdbl.pc6.0831\冒险伴侣0831\冒險伴侶.exe
"C:\Users\Admin\AppData\Local\Temp\mxdbl.pc6.0831\冒险伴侣0831\冒險伴侶.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ECHO y|cacls %windir%\System32\drivers\etc\hosts /g everyone:f & attrib /s /d -s -h %windir%\System32\drivers\etc\hosts & move hosts %windir%\System32\drivers\etc\ & ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO y"
3⤵
PID:1728

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\drivers\etc\hosts /g everyone:f
3⤵
PID:1300

C:\Windows\SysWOW64\attrib.exe
attrib /s /d -s -h C:\Windows\System32\drivers\etc\hosts
3⤵
- Views/modifies file attributes
PID:1716

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ECHO y|cacls %windir%\System32\drivers\etc\hosts /g everyone:f & attrib /s /d -s -h %windir%\System32\drivers\etc\hosts & move hosts %windir%\System32\drivers\etc\ & ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO y"
3⤵
PID:1232

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\drivers\etc\hosts /g everyone:f
3⤵
PID:1784

C:\Windows\SysWOW64\attrib.exe
attrib /s /d -s -h C:\Windows\System32\drivers\etc\hosts
3⤵
- Views/modifies file attributes
PID:1408

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mxdbl.pc6.0831\冒险伴侣0831\hosts

Filesize
824B

MD5
3688374325b992def12793500307566d

SHA1
4bed0823746a2a8577ab08ac8711b79770e48274

SHA256
2d6bdfb341be3a6234b24742377f93aa7c7cfb0d9fd64efa9282c87852e57085

SHA512
59119e66f5945029f8652c5981589d95cace534adc6780ccea736b7e776615caa0b567c14d161271d6066f57d9bab0d4055850162f5a046c0456264b7b9e7508

Download Submit
memory/1096-58-0x0000000000000000-mapping.dmp

Download
memory/1232-60-0x0000000000000000-mapping.dmp

Download
memory/1300-62-0x0000000000000000-mapping.dmp

Download
memory/1352-56-0x00000000012A0000-0x0000000001AD7000-memory.dmp

Filesize
8.2MB

Download
memory/1352-71-0x00000000012A0000-0x0000000001AD7000-memory.dmp

Filesize
8.2MB

Download
memory/1352-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1408-65-0x0000000000000000-mapping.dmp

Download
memory/1716-64-0x0000000000000000-mapping.dmp

Download
memory/1728-61-0x0000000000000000-mapping.dmp

Download
memory/1752-68-0x0000000000000000-mapping.dmp

Download
memory/1784-63-0x0000000000000000-mapping.dmp

Download
memory/2032-67-0x0000000000000000-mapping.dmp

Download
memory/2036-59-0x0000000000000000-mapping.dmp

Download