Analysis
-
max time kernel
179s -
max time network
162s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
26-11-2022 22:41
General
-
Target
hxjydazhuzai/火线精英大主宰自动开枪脚本多分辨率支持V1.2/火线精英大主宰自�.exe
-
Size
9.5MB
-
MD5
0daf49a958b5c4439f19f523cac7bdfd
-
SHA1
8b25d655d491765aad34f39f3fed9383111f3e5c
-
SHA256
73330c8974eb98a387b05e2176f76ae8f768436501a6c162fd6c09492c7df370
-
SHA512
ed060246dfaa16a8951a62e6afe5395ddfe03a81a6d8b36a7bee0fe4de8fb151051ed0703638a28a1d2932cd1f36b144fc869a07c3a24600b6f023ad456eb8c6
-
SSDEEP
196608:UJ4D0KPNxhpZ9dmB33Zfn4Rei56tqP5sdMEVgFqjcD/UKFR+:e4D0KVxhpLdmBHx4D6tndMWgFqQTUc
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 47 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\hxjydazhuzai\火线精英大主宰自动开枪脚本多分辨率支持V1.2\火线精英大主宰自�.exe"C:\Users\Admin\AppData\Local\Temp\hxjydazhuzai\火线精英大主宰自动开枪脚本多分辨率支持V1.2\火线精英大主宰自�.exe"1⤵
- Modifies Internet Explorer start page
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\zz.exeC:\zz.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\2345Explorer\2345Explorer.exe"C:\Program Files (x86)\2345Explorer\2345Explorer.exe" --update=install3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\z1.exeC:\z1.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\z1.exe"C:\z1.exe" install_admin3⤵
- Executes dropped EXE
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.qingqingwg.com/2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.qingqingwg.com/2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\2345Explorer\2345Explorer.exeFilesize
185KB
MD5c3e3249c7e5cb23603c0ae7c4554ea6c
SHA1178e724b24bd2010c6c59ab562166d06bda9bcf4
SHA25677b3a1a599580eca47fc8d5a150c9a21776602e61dece956423db5de09ab9748
SHA512bdfe495b32d1ab44ef8630b578a70f55516fffe6de3a2432ea5b736f30b41ca730fa03a2a83cbab89654d8483d6b3fc2b38854475b90a9c6e49123fb68546d64
-
C:\Program Files (x86)\2345Explorer\2345Explorer.exeFilesize
185KB
MD5c3e3249c7e5cb23603c0ae7c4554ea6c
SHA1178e724b24bd2010c6c59ab562166d06bda9bcf4
SHA25677b3a1a599580eca47fc8d5a150c9a21776602e61dece956423db5de09ab9748
SHA512bdfe495b32d1ab44ef8630b578a70f55516fffe6de3a2432ea5b736f30b41ca730fa03a2a83cbab89654d8483d6b3fc2b38854475b90a9c6e49123fb68546d64
-
C:\Program Files (x86)\2345Explorer\CoralApp.dllFilesize
223KB
MD55b21753f92218a3d7cb78003185aa589
SHA1f6883b985ca7a5ab635afac2dc38625deae850aa
SHA256fd72f69e7cd8c5224342d339e45006a9dd1c96e7ea8718ce5480580b93bd4316
SHA512822c6f0a422e6e701e4e32249c7a47296e4f62ecd8bb4b3c8f0642894a435e736528b143b6b47a6b110e9f816738581938a984090418d3bef5a02453a19aa584
-
C:\Program Files (x86)\2345Explorer\CoralDb.dllFilesize
1.6MB
MD5dd5adc0ac08ffc46207882c34fe2feec
SHA10a8fd57c7440100f55c348a532f6327ba38259bc
SHA256efd2497ad59b0ad4b1ead6ec8a1b952ba16e89fded884f3c590a8eba92e5cfba
SHA512749fb99c0150d662de4c159ea54d792e68e5c1914544650deb432ee0b4324031077e15c9c1ba04bff642c83a9b8a4ff045e62f0489e4c8d8b8789161c8348a3d
-
C:\Program Files (x86)\2345Explorer\CoralUpdate.dllFilesize
417KB
MD544f919b683088036aacf6ba474d46665
SHA1b6aaa8a3a47b1b7ddf70391009f6c601104dff54
SHA256314b3c91ecc8e1a697612d315a921a7d9e750bd2b7c88c2d6cdb0d0d1e871ab6
SHA512164da63adeb7d7e08ad5502acefd89ddf77b792549f6caed29084bd3d32b895c4afd09fb830020aa353c7ee4c4fec72e9e4e2ebbc069a7b4fda842d63bb076da
-
C:\Users\Admin\AppData\Roaming\2345.com\z1.exeFilesize
7.2MB
MD503b4983dda409e2148e6f4488bf2a880
SHA1c45f3caaf42b72ed35b0b4cbaff82162fdbed8e8
SHA256dd306934ef41394b9eee7892e014a47a5bbfae9a554799ccda00ede4945aa40f
SHA51269ec946e94c1e2960eab9a817251e96ecc6bcf89a00c632bffe9cd3d36817fb357e0781a6cc3489c7efc927776a3e615a46c99c575d5747704b3c9779802108a
-
C:\z1.exeFilesize
7.2MB
MD503b4983dda409e2148e6f4488bf2a880
SHA1c45f3caaf42b72ed35b0b4cbaff82162fdbed8e8
SHA256dd306934ef41394b9eee7892e014a47a5bbfae9a554799ccda00ede4945aa40f
SHA51269ec946e94c1e2960eab9a817251e96ecc6bcf89a00c632bffe9cd3d36817fb357e0781a6cc3489c7efc927776a3e615a46c99c575d5747704b3c9779802108a
-
C:\z1.exeFilesize
7.2MB
MD503b4983dda409e2148e6f4488bf2a880
SHA1c45f3caaf42b72ed35b0b4cbaff82162fdbed8e8
SHA256dd306934ef41394b9eee7892e014a47a5bbfae9a554799ccda00ede4945aa40f
SHA51269ec946e94c1e2960eab9a817251e96ecc6bcf89a00c632bffe9cd3d36817fb357e0781a6cc3489c7efc927776a3e615a46c99c575d5747704b3c9779802108a
-
C:\z1.exeFilesize
7.2MB
MD503b4983dda409e2148e6f4488bf2a880
SHA1c45f3caaf42b72ed35b0b4cbaff82162fdbed8e8
SHA256dd306934ef41394b9eee7892e014a47a5bbfae9a554799ccda00ede4945aa40f
SHA51269ec946e94c1e2960eab9a817251e96ecc6bcf89a00c632bffe9cd3d36817fb357e0781a6cc3489c7efc927776a3e615a46c99c575d5747704b3c9779802108a
-
C:\zz.exeFilesize
7.5MB
MD5dff8feaeb72beb9dc2ba899a8d6d06ed
SHA198bef8147c8cf2ef4936183d2155e3a808a443c3
SHA2561fe5f239b412085a6453657269f94ed3b9061ecc302ce49d4215235674ee20f8
SHA5122ba451c355b853d6919ef47256919295e80310f36eabc4c4d8576da2d0b16ede3182aa4f5c451799db60aeada0de2760ece09fcf32aee97e3bc4aadd17a9056a
-
C:\zz.exeFilesize
7.5MB
MD5dff8feaeb72beb9dc2ba899a8d6d06ed
SHA198bef8147c8cf2ef4936183d2155e3a808a443c3
SHA2561fe5f239b412085a6453657269f94ed3b9061ecc302ce49d4215235674ee20f8
SHA5122ba451c355b853d6919ef47256919295e80310f36eabc4c4d8576da2d0b16ede3182aa4f5c451799db60aeada0de2760ece09fcf32aee97e3bc4aadd17a9056a
-
\Program Files (x86)\2345Explorer\2345Explorer.exeFilesize
185KB
MD5c3e3249c7e5cb23603c0ae7c4554ea6c
SHA1178e724b24bd2010c6c59ab562166d06bda9bcf4
SHA25677b3a1a599580eca47fc8d5a150c9a21776602e61dece956423db5de09ab9748
SHA512bdfe495b32d1ab44ef8630b578a70f55516fffe6de3a2432ea5b736f30b41ca730fa03a2a83cbab89654d8483d6b3fc2b38854475b90a9c6e49123fb68546d64
-
\Program Files (x86)\2345Explorer\CoralApp.dllFilesize
223KB
MD55b21753f92218a3d7cb78003185aa589
SHA1f6883b985ca7a5ab635afac2dc38625deae850aa
SHA256fd72f69e7cd8c5224342d339e45006a9dd1c96e7ea8718ce5480580b93bd4316
SHA512822c6f0a422e6e701e4e32249c7a47296e4f62ecd8bb4b3c8f0642894a435e736528b143b6b47a6b110e9f816738581938a984090418d3bef5a02453a19aa584
-
\Program Files (x86)\2345Explorer\CoralDb.dllFilesize
1.6MB
MD5dd5adc0ac08ffc46207882c34fe2feec
SHA10a8fd57c7440100f55c348a532f6327ba38259bc
SHA256efd2497ad59b0ad4b1ead6ec8a1b952ba16e89fded884f3c590a8eba92e5cfba
SHA512749fb99c0150d662de4c159ea54d792e68e5c1914544650deb432ee0b4324031077e15c9c1ba04bff642c83a9b8a4ff045e62f0489e4c8d8b8789161c8348a3d
-
\Program Files (x86)\2345Explorer\CoralUpdate.dllFilesize
417KB
MD544f919b683088036aacf6ba474d46665
SHA1b6aaa8a3a47b1b7ddf70391009f6c601104dff54
SHA256314b3c91ecc8e1a697612d315a921a7d9e750bd2b7c88c2d6cdb0d0d1e871ab6
SHA512164da63adeb7d7e08ad5502acefd89ddf77b792549f6caed29084bd3d32b895c4afd09fb830020aa353c7ee4c4fec72e9e4e2ebbc069a7b4fda842d63bb076da
-
\Users\Admin\AppData\Local\Temp\nsoB80C.tmp\FileInfo.dllFilesize
98KB
MD5d062c6eab9f32074e09a7ffdc614a545
SHA1d76f8d98dd0cf968cabc852e98aaaaf930f38ac2
SHA256bd57ae6c723b3df90b388c830b6bc6c3eb69fc32825593e98fcbbdad1fa98394
SHA51260e807e31c84cb827185a270251de33dc329585b889bdd8a9aa88aac3d1561e834c3011114052877fbc35d32c39859bcaff2dabe395cc2f8439552146467b6c7
-
\Users\Admin\AppData\Local\Temp\nsoB80C.tmp\RCPicPlugin.dllFilesize
964KB
MD56c300d543082a57bf2c3b2288020ab6d
SHA14cba3f4f8065f5fb57fc8cdf0a6425eb544b6051
SHA256aa3e4c13fac3f06def7c54e3b8c886bcda50205c501cbc6a4e33fa0c8072b929
SHA512cf8b600712c735a5110560840a655a83629aec16f316b82401a52428e7575e733817ca54737fa771add0699254022af66599c8179cef18c1df5fc0364015a960
-
\Users\Admin\AppData\Local\Temp\nsoB80C.tmp\System.dllFilesize
11KB
MD54cf3a81ab4579b30117c8a39a489d51d
SHA161af475e11e4e79e6a11e761fcb540d9c5eec0e9
SHA25629f4a1c87161643e0ed5c46b46786d9a48437ec5dc6b99f4ff14037429e6e20a
SHA512885d131304afbe92b9b0a16830b6b34c6b78e44f972c20aad63cf3695a400f2d82cf217753da2a2e5e399fdd5dd3306a257e9501a86884cad853e01ee125a664
-
memory/972-56-0x0000000000000000-mapping.dmp
-
memory/1056-64-0x0000000000000000-mapping.dmp
-
memory/1400-68-0x0000000000000000-mapping.dmp
-
memory/1856-73-0x0000000000000000-mapping.dmp
-
memory/1856-81-0x0000000002C00000-0x0000000002DA3000-memory.dmpFilesize
1.6MB
-
memory/1856-85-0x0000000002B70000-0x0000000002BDA000-memory.dmpFilesize
424KB
-
memory/2024-54-0x0000000075881000-0x0000000075883000-memory.dmpFilesize
8KB
-
memory/2024-61-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2024-55-0x0000000000400000-0x0000000001410000-memory.dmpFilesize
16.1MB
-
memory/2024-87-0x0000000000400000-0x0000000001410000-memory.dmpFilesize
16.1MB
-
memory/2024-88-0x0000000000400000-0x0000000001410000-memory.dmpFilesize
16.1MB