ac50a2f233bed117ea4aab2ec0437e1d04661664f24f1a59cfd29c9fad16f77a

Analysis

max time kernel
148s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mxdbl.pc6.0831/冒险伴侣0831/冒險伴侶.exe
Size

3.8MB
MD5

5ce7b7a93421ccc26bd3324805e2e9db
SHA1

e8e302d73c1df162da2928eb1261e0fdceda53c3
SHA256

0a1367e9e81349bee726eef5801af5ffcd7f10525694fc9fdae6388385a8ae58
SHA512

804bc74fe9878364a6fbb56492de5478ef4f08eee3e17605826048c1cb688eac855e0474f4dba858769eca68a871e9d3cdadf6208518687583a36a4f4273f42f
SSDEEP

98304:j+pw0mZ2aunm0EIRgaR90tDhOYCnN9/nK5KGs1k:j+8Z2Bm0BPutDZui

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral14/memory/1404-132-0x0000000000A30000-0x0000000001267000-memory.dmp	vmprotect
behavioral14/memory/1404-134-0x0000000000A30000-0x0000000001267000-memory.dmp	vmprotect
behavioral14/memory/1404-147-0x0000000000A30000-0x0000000001267000-memory.dmp	vmprotect
behavioral14/memory/1404-148-0x0000000000A30000-0x0000000001267000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

冒險伴侶.exe

pid process

1404 冒險伴侶.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

4360 ipconfig.exe
1104 ipconfig.exe

pid	process
4360	ipconfig.exe
1104	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

冒險伴侶.exe

pid	process
1404	冒險伴侶.exe
1404	冒險伴侶.exe
1404	冒險伴侶.exe
1404	冒險伴侶.exe
1404	冒險伴侶.exe
1404	冒險伴侶.exe
1404	冒險伴侶.exe
1404	冒險伴侶.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

冒險伴侶.exe

pid process

1404 冒險伴侶.exe
1404 冒險伴侶.exe
1404 冒險伴侶.exe
1404 冒險伴侶.exe
1404 冒險伴侶.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

冒險伴侶.execmd.execmd.exe

description	pid	process	target process
PID 1404 wrote to memory of 2620	1404	冒險伴侶.exe	cmd.exe
PID 1404 wrote to memory of 2620	1404	冒險伴侶.exe	cmd.exe
PID 1404 wrote to memory of 2620	1404	冒險伴侶.exe	cmd.exe
PID 1404 wrote to memory of 4988	1404	冒險伴侶.exe	cmd.exe
PID 1404 wrote to memory of 4988	1404	冒險伴侶.exe	cmd.exe
PID 1404 wrote to memory of 4988	1404	冒險伴侶.exe	cmd.exe
PID 2620 wrote to memory of 4768	2620	cmd.exe	cmd.exe
PID 2620 wrote to memory of 4768	2620	cmd.exe	cmd.exe
PID 2620 wrote to memory of 4768	2620	cmd.exe	cmd.exe
PID 2620 wrote to memory of 4408	2620	cmd.exe	cacls.exe
PID 2620 wrote to memory of 4408	2620	cmd.exe	cacls.exe
PID 2620 wrote to memory of 4408	2620	cmd.exe	cacls.exe
PID 4988 wrote to memory of 3140	4988	cmd.exe	cmd.exe
PID 4988 wrote to memory of 3140	4988	cmd.exe	cmd.exe
PID 4988 wrote to memory of 3140	4988	cmd.exe	cmd.exe
PID 4988 wrote to memory of 4448	4988	cmd.exe	cacls.exe
PID 4988 wrote to memory of 4448	4988	cmd.exe	cacls.exe
PID 4988 wrote to memory of 4448	4988	cmd.exe	cacls.exe
PID 2620 wrote to memory of 2196	2620	cmd.exe	attrib.exe
PID 2620 wrote to memory of 2196	2620	cmd.exe	attrib.exe
PID 2620 wrote to memory of 2196	2620	cmd.exe	attrib.exe
PID 4988 wrote to memory of 3424	4988	cmd.exe	attrib.exe
PID 4988 wrote to memory of 3424	4988	cmd.exe	attrib.exe
PID 4988 wrote to memory of 3424	4988	cmd.exe	attrib.exe
PID 4988 wrote to memory of 4360	4988	cmd.exe	ipconfig.exe
PID 4988 wrote to memory of 4360	4988	cmd.exe	ipconfig.exe
PID 4988 wrote to memory of 4360	4988	cmd.exe	ipconfig.exe
PID 2620 wrote to memory of 1104	2620	cmd.exe	ipconfig.exe
PID 2620 wrote to memory of 1104	2620	cmd.exe	ipconfig.exe
PID 2620 wrote to memory of 1104	2620	cmd.exe	ipconfig.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2196 attrib.exe
3424 attrib.exe

pid	process
2196	attrib.exe
3424	attrib.exe

C:\Users\Admin\AppData\Local\Temp\mxdbl.pc6.0831\冒险伴侣0831\冒險伴侶.exe
"C:\Users\Admin\AppData\Local\Temp\mxdbl.pc6.0831\冒险伴侣0831\冒險伴侶.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ECHO y|cacls %windir%\System32\drivers\etc\hosts /g everyone:f & attrib /s /d -s -h %windir%\System32\drivers\etc\hosts & move hosts %windir%\System32\drivers\etc\ & ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO y"
3⤵
PID:4768

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\drivers\etc\hosts /g everyone:f
3⤵
PID:4408

C:\Windows\SysWOW64\attrib.exe
attrib /s /d -s -h C:\Windows\System32\drivers\etc\hosts
3⤵
- Views/modifies file attributes
PID:2196

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ECHO y|cacls %windir%\System32\drivers\etc\hosts /g everyone:f & attrib /s /d -s -h %windir%\System32\drivers\etc\hosts & move hosts %windir%\System32\drivers\etc\ & ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO y"
3⤵
PID:3140

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\drivers\etc\hosts /g everyone:f
3⤵
PID:4448

C:\Windows\SysWOW64\attrib.exe
attrib /s /d -s -h C:\Windows\System32\drivers\etc\hosts
3⤵
- Views/modifies file attributes
PID:3424

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:4360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mxdbl.pc6.0831\冒险伴侣0831\hosts

Filesize
824B

MD5
3688374325b992def12793500307566d

SHA1
4bed0823746a2a8577ab08ac8711b79770e48274

SHA256
2d6bdfb341be3a6234b24742377f93aa7c7cfb0d9fd64efa9282c87852e57085

SHA512
59119e66f5945029f8652c5981589d95cace534adc6780ccea736b7e776615caa0b567c14d161271d6066f57d9bab0d4055850162f5a046c0456264b7b9e7508

Download Submit
memory/1104-146-0x0000000000000000-mapping.dmp

Download
memory/1404-132-0x0000000000A30000-0x0000000001267000-memory.dmp

Filesize
8.2MB

Download
memory/1404-134-0x0000000000A30000-0x0000000001267000-memory.dmp

Filesize
8.2MB

Download
memory/1404-148-0x0000000000A30000-0x0000000001267000-memory.dmp

Filesize
8.2MB

Download
memory/1404-147-0x0000000000A30000-0x0000000001267000-memory.dmp

Filesize
8.2MB

Download
memory/2196-142-0x0000000000000000-mapping.dmp

Download
memory/2620-136-0x0000000000000000-mapping.dmp

Download
memory/3140-140-0x0000000000000000-mapping.dmp

Download
memory/3424-143-0x0000000000000000-mapping.dmp

Download
memory/4360-145-0x0000000000000000-mapping.dmp

Download
memory/4408-139-0x0000000000000000-mapping.dmp

Download
memory/4448-141-0x0000000000000000-mapping.dmp

Download
memory/4768-138-0x0000000000000000-mapping.dmp

Download
memory/4988-137-0x0000000000000000-mapping.dmp

Download