Analysis
-
max time kernel
148s -
max time network
173s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25-11-2022 21:10
General
-
Target
mxdbl.pc6.0831/冒险伴侣0831/冒險伴侶.exe
-
Size
3.8MB
-
MD5
5ce7b7a93421ccc26bd3324805e2e9db
-
SHA1
e8e302d73c1df162da2928eb1261e0fdceda53c3
-
SHA256
0a1367e9e81349bee726eef5801af5ffcd7f10525694fc9fdae6388385a8ae58
-
SHA512
804bc74fe9878364a6fbb56492de5478ef4f08eee3e17605826048c1cb688eac855e0474f4dba858769eca68a871e9d3cdadf6208518687583a36a4f4273f42f
-
SSDEEP
98304:j+pw0mZ2aunm0EIRgaR90tDhOYCnN9/nK5KGs1k:j+8Z2Bm0BPutDZui
Malware Config
Signatures
-
VMProtect packed file 4 IoCs
Detects executables packed with VMProtect commercial packer.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\mxdbl.pc6.0831\冒险伴侣0831\冒險伴侶.exe"C:\Users\Admin\AppData\Local\Temp\mxdbl.pc6.0831\冒险伴侣0831\冒險伴侶.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ECHO y|cacls %windir%\System32\drivers\etc\hosts /g everyone:f & attrib /s /d -s -h %windir%\System32\drivers\etc\hosts & move hosts %windir%\System32\drivers\etc\ & ipconfig /flushdns2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\drivers\etc\hosts /g everyone:f3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib /s /d -s -h C:\Windows\System32\drivers\etc\hosts3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ECHO y|cacls %windir%\System32\drivers\etc\hosts /g everyone:f & attrib /s /d -s -h %windir%\System32\drivers\etc\hosts & move hosts %windir%\System32\drivers\etc\ & ipconfig /flushdns2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\drivers\etc\hosts /g everyone:f3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib /s /d -s -h C:\Windows\System32\drivers\etc\hosts3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\mxdbl.pc6.0831\冒险伴侣0831\hostsFilesize
824B
MD53688374325b992def12793500307566d
SHA14bed0823746a2a8577ab08ac8711b79770e48274
SHA2562d6bdfb341be3a6234b24742377f93aa7c7cfb0d9fd64efa9282c87852e57085
SHA51259119e66f5945029f8652c5981589d95cace534adc6780ccea736b7e776615caa0b567c14d161271d6066f57d9bab0d4055850162f5a046c0456264b7b9e7508
-
memory/1104-146-0x0000000000000000-mapping.dmp
-
memory/1404-132-0x0000000000A30000-0x0000000001267000-memory.dmpFilesize
8.2MB
-
memory/1404-134-0x0000000000A30000-0x0000000001267000-memory.dmpFilesize
8.2MB
-
memory/1404-148-0x0000000000A30000-0x0000000001267000-memory.dmpFilesize
8.2MB
-
memory/1404-147-0x0000000000A30000-0x0000000001267000-memory.dmpFilesize
8.2MB
-
memory/2196-142-0x0000000000000000-mapping.dmp
-
memory/2620-136-0x0000000000000000-mapping.dmp
-
memory/3140-140-0x0000000000000000-mapping.dmp
-
memory/3424-143-0x0000000000000000-mapping.dmp
-
memory/4360-145-0x0000000000000000-mapping.dmp
-
memory/4408-139-0x0000000000000000-mapping.dmp
-
memory/4448-141-0x0000000000000000-mapping.dmp
-
memory/4768-138-0x0000000000000000-mapping.dmp
-
memory/4988-137-0x0000000000000000-mapping.dmp