Analysis

max time kernel: 149s
max time network: 140s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 05:01
Static task: static1

Behavioral task: behavioral1
  Sample: 傲世中变.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 傲世中变.exe
  Resource: win10v2004-20220812-en
General

Target: 傲世中变.exe
Size: 3.2MB
MD5: a87419a7b8cd42c04abc321896475347
SHA1: 6849c85576f911e7b4db746ceefa74845f4d7bdc
SHA256: 761c471e80d3c44febc76a8f7108744fd1aa07b646d5f37c7608714c1a8c42d6
SHA512: 47082bc2fe9aacb2dcce925c775a939c6f57cdba202dd07d7a160e5401d42e650e46c3d46d0d85aceb05d6249f1f652b16d2cd06fbfaba9eb7343676cecb1a8a
SSDEEP: 98304:Gc//////ArnXSjOFrpgpu4iBM2YlLatY3gb4qXzDuxTyqm:WrnXSSFrpgc41Jlmt8/qXuxT8
Malware Config
Signatures

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖбä.exe | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\°ÁÊÀÖбä.exe | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖбä.exe | aspack_v212_v242

Executes dropped EXE (2 IoCs)
Processes:
pid | process
948 | 815.exe
1088 | °ÁÊÀÖбä.exe

Sets DLL path for service in the registry (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\IPv6NetBrowsSvc\Parameters\ServiceDll = "C:\\Windows\\IPv6NetBrowsSvc.dll" | 815.exe

Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\815.exe | vmprotect
C:\Users\Admin\AppData\Local\Temp\815.exe | vmprotect
C:\Users\Admin\AppData\Local\Temp\815.exe | vmprotect
behavioral1/memory/948-67-0x00000000003B0000-0x00000000003EE000-memory.dmp | vmprotect
\??\c:\windows\ipv6netbrowssvc.dll | vmprotect
behavioral1/memory/1760-76-0x00000000754F0000-0x000000007552E000-memory.dmp | vmprotect

Loads dropped DLL (2 IoCs)
Processes:
pid | process
1168 | cmd.exe
1932 | cmd.exe

Drops file in Windows directory (2 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\IPv6NetBrowsSvc.dll | 815.exe
File opened for modification | C:\Windows\IPv6NetBrowsSvc.dll | 815.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
1088 | °ÁÊÀÖбä.exe
1088 | °ÁÊÀÖбä.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
description | pid | process | target process
PID 1832 wrote to memory of 1168 | 1832 | 傲世中变.exe | cmd.exe
PID 1832 wrote to memory of 1168 | 1832 | 傲世中变.exe | cmd.exe
PID 1832 wrote to memory of 1168 | 1832 | 傲世中变.exe | cmd.exe
PID 1832 wrote to memory of 1168 | 1832 | 傲世中变.exe | cmd.exe
PID 1832 wrote to memory of 1932 | 1832 | 傲世中变.exe | cmd.exe
PID 1832 wrote to memory of 1932 | 1832 | 傲世中变.exe | cmd.exe
PID 1832 wrote to memory of 1932 | 1832 | 傲世中变.exe | cmd.exe
PID 1832 wrote to memory of 1932 | 1832 | 傲世中变.exe | cmd.exe
PID 1168 wrote to memory of 948 | 1168 | cmd.exe | 815.exe
PID 1168 wrote to memory of 948 | 1168 | cmd.exe | 815.exe
PID 1168 wrote to memory of 948 | 1168 | cmd.exe | 815.exe
PID 1168 wrote to memory of 948 | 1168 | cmd.exe | 815.exe
PID 1932 wrote to memory of 1088 | 1932 | cmd.exe | °ÁÊÀÖбä.exe
PID 1932 wrote to memory of 1088 | 1932 | cmd.exe | °ÁÊÀÖбä.exe
PID 1932 wrote to memory of 1088 | 1932 | cmd.exe | °ÁÊÀÖбä.exe
PID 1932 wrote to memory of 1088 | 1932 | cmd.exe | °ÁÊÀÖбä.exe
PID 948 wrote to memory of 828 | 948 | 815.exe | cmd.exe
PID 948 wrote to memory of 828 | 948 | 815.exe | cmd.exe
PID 948 wrote to memory of 828 | 948 | 815.exe | cmd.exe
PID 948 wrote to memory of 828 | 948 | 815.exe | cmd.exe
Processes

C:\Users\Admin\AppData\Local\Temp\傲世中变.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\傲世中变.exe"
  PID: 1832
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\815.exe"
    PID: 1168
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\815.exe
      command line: C:\Users\Admin\AppData\Local\Temp\815.exe
      PID: 948
      - Executes dropped EXE
      - Sets DLL path for service in the registry
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7119402.bat" "
        PID: 828

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖбä.exe"
    PID: 1932
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖбä.exe
      command line: C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖбä.exe
      PID: 1088
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k ipv6srvs
  PID: 1760
Network
MITRE ATT&CK Enterprise v6
Downloads