0ec8dc6e155e2a91bb4b99476efaae06c330fe6270c9d34b30e67c2841145bfe

General

Target

傲世中变.exe
Size

3.2MB
MD5

a87419a7b8cd42c04abc321896475347
SHA1

6849c85576f911e7b4db746ceefa74845f4d7bdc
SHA256

761c471e80d3c44febc76a8f7108744fd1aa07b646d5f37c7608714c1a8c42d6
SHA512

47082bc2fe9aacb2dcce925c775a939c6f57cdba202dd07d7a160e5401d42e650e46c3d46d0d85aceb05d6249f1f652b16d2cd06fbfaba9eb7343676cecb1a8a
SSDEEP

98304:Gc//////ArnXSjOFrpgpu4iBM2YlLatY3gb4qXzDuxTyqm:WrnXSSFrpgc41Jlmt8/qXuxT8

Score

8^/10

aspackv2 persistence vmprotect

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖÐ±ä.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖÐ±ä.exe	aspack_v212_v242

Executes dropped EXE 2 IoCs

Processes:

815.exe°ÁÊÀÖÐ±ä.exe

pid process

4944 815.exe
1956 °ÁÊÀÖÐ±ä.exe

pid	process
4944	815.exe
1956	°ÁÊÀÖÐ±ä.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

815.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IPv6NetBrowsSvc\Parameters\ServiceDll = "C:\\Windows\\IPv6NetBrowsSvc.dll"	815.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\815.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\815.exe	vmprotect
behavioral2/memory/4944-138-0x0000000000200000-0x000000000023E000-memory.dmp	vmprotect
C:\Windows\IPv6NetBrowsSvc.dll	vmprotect
\??\c:\windows\ipv6netbrowssvc.dll	vmprotect
behavioral2/memory/4856-145-0x0000000075130000-0x000000007516E000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

815.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 815.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

4856 svchost.exe
Drops file in Windows directory 2 IoCs

Processes:

815.exe

description ioc process

File created C:\Windows\IPv6NetBrowsSvc.dll 815.exe
File opened for modification C:\Windows\IPv6NetBrowsSvc.dll 815.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

°ÁÊÀÖÐ±ä.exe

pid process

1956 °ÁÊÀÖÐ±ä.exe
1956 °ÁÊÀÖÐ±ä.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	815.exe

pid	process
4856	svchost.exe

description	ioc	process
File created	C:\Windows\IPv6NetBrowsSvc.dll	815.exe
File opened for modification	C:\Windows\IPv6NetBrowsSvc.dll	815.exe

pid	process
1956	°ÁÊÀÖÐ±ä.exe
1956	°ÁÊÀÖÐ±ä.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

傲世中变.execmd.execmd.exe815.exe

description	pid	process	target process
PID 2060 wrote to memory of 4084	2060	傲世中变.exe	cmd.exe
PID 2060 wrote to memory of 4084	2060	傲世中变.exe	cmd.exe
PID 2060 wrote to memory of 4084	2060	傲世中变.exe	cmd.exe
PID 2060 wrote to memory of 396	2060	傲世中变.exe	cmd.exe
PID 2060 wrote to memory of 396	2060	傲世中变.exe	cmd.exe
PID 2060 wrote to memory of 396	2060	傲世中变.exe	cmd.exe
PID 4084 wrote to memory of 4944	4084	cmd.exe	815.exe
PID 4084 wrote to memory of 4944	4084	cmd.exe	815.exe
PID 4084 wrote to memory of 4944	4084	cmd.exe	815.exe
PID 396 wrote to memory of 1956	396	cmd.exe	°ÁÊÀÖÐ±ä.exe
PID 396 wrote to memory of 1956	396	cmd.exe	°ÁÊÀÖÐ±ä.exe
PID 396 wrote to memory of 1956	396	cmd.exe	°ÁÊÀÖÐ±ä.exe
PID 4944 wrote to memory of 2180	4944	815.exe	cmd.exe
PID 4944 wrote to memory of 2180	4944	815.exe	cmd.exe
PID 4944 wrote to memory of 2180	4944	815.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\傲世中变.exe
"C:\Users\Admin\AppData\Local\Temp\傲世中变.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\815.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\815.exe
C:\Users\Admin\AppData\Local\Temp\815.exe
3⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240580687.bat" "
4⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖÐ±ä.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖÐ±ä.exe
C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖÐ±ä.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k ipv6srvs -s IPv6NetBrowsSvc
1⤵
- Loads dropped DLL
PID:4856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240580687.bat
Filesize
117B

MD5
ae099850d161ead2ae911c37205d8b3d

SHA1
36f6664acb63693a6cd00e066f7935b529c6c2f6

SHA256
45ba8fd3a804bef3a20c5e380775c432b36c51d221ab9f220ae44025b246e32d

SHA512
d8f3433e3b2a019591a2e3f46112a5fc09f76621a79690db19a99408cf5d35a04ac82066533f34da5de6ee4522b2fbaa691de209f2f370a7fb56af26ca742124

Download Submit
C:\Users\Admin\AppData\Local\Temp\815.exe
Filesize
122KB

MD5
90f14c2282b3fb8b818fde041f4904e3

SHA1
202e348b1e11f5b16a291de3e2b0681c58560d99

SHA256
38b6d3bc45441b6bd7421fc103b96dc7f655f104c2ea519964d829c93cc24665

SHA512
ccd1cc600e74e966f483966ddc3c1a3b4d3b7cf924c2fa01c15cf78553713f294b0c36310c39b2399ef04a84b04710c5b60144500a1d51a4487249ae64946245

Download Submit
C:\Users\Admin\AppData\Local\Temp\815.exe
Filesize
122KB

MD5
90f14c2282b3fb8b818fde041f4904e3

SHA1
202e348b1e11f5b16a291de3e2b0681c58560d99

SHA256
38b6d3bc45441b6bd7421fc103b96dc7f655f104c2ea519964d829c93cc24665

SHA512
ccd1cc600e74e966f483966ddc3c1a3b4d3b7cf924c2fa01c15cf78553713f294b0c36310c39b2399ef04a84b04710c5b60144500a1d51a4487249ae64946245

Download Submit
C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖÐ±ä.exe
Filesize
3.0MB

MD5
bbcccdbb736c5a8ebe506d9cead4a073

SHA1
ee0b2a95e162d2b927150d8640ae137a5252357d

SHA256
f5c1fd0e5856d672f3d17fe3d09c16024d33bd3be9f998f1d5f4cb288a1ace3f

SHA512
929002e4b2e9505bb9c993336f0573c862e08f7f369c2963957062c941d5f53b7187254ebc81df50e9f61d3b334849cc88bf9a8a987d3a3affa08e55faf73cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖÐ±ä.exe
Filesize
3.0MB

MD5
bbcccdbb736c5a8ebe506d9cead4a073

SHA1
ee0b2a95e162d2b927150d8640ae137a5252357d

SHA256
f5c1fd0e5856d672f3d17fe3d09c16024d33bd3be9f998f1d5f4cb288a1ace3f

SHA512
929002e4b2e9505bb9c993336f0573c862e08f7f369c2963957062c941d5f53b7187254ebc81df50e9f61d3b334849cc88bf9a8a987d3a3affa08e55faf73cdf

Download Submit
C:\Windows\IPv6NetBrowsSvc.dll
Filesize
122KB

MD5
24eed50175fc5d55463e4f1ba09dfa58

SHA1
920102ebf53647b8043d554a431db96bf53200fb

SHA256
53037c3e50d0b29b6a53accb0bf871dc0221fc857b2ff829039518cd86381a86

SHA512
6106c4ffb374c4c3efa2197ca6b7943b8b73d69aaf4c5cc9030846008d8223e76b7b7609b048557a9cb82479b65448f262129ef96e0869b19b0afdbfb6349d37

Download Submit
\??\c:\windows\ipv6netbrowssvc.dll
Filesize
122KB

MD5
24eed50175fc5d55463e4f1ba09dfa58

SHA1
920102ebf53647b8043d554a431db96bf53200fb

SHA256
53037c3e50d0b29b6a53accb0bf871dc0221fc857b2ff829039518cd86381a86

SHA512
6106c4ffb374c4c3efa2197ca6b7943b8b73d69aaf4c5cc9030846008d8223e76b7b7609b048557a9cb82479b65448f262129ef96e0869b19b0afdbfb6349d37

Download Submit
memory/396-133-0x0000000000000000-mapping.dmp

Download
memory/1956-146-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/1956-139-0x0000000000000000-mapping.dmp

Download
memory/1956-149-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/2180-147-0x0000000000000000-mapping.dmp

Download
memory/4084-132-0x0000000000000000-mapping.dmp

Download
memory/4856-144-0x0000000075131000-0x0000000075134000-memory.dmp

Filesize
12KB

Download
memory/4856-145-0x0000000075130000-0x000000007516E000-memory.dmp

Filesize
248KB

Download
memory/4944-134-0x0000000000000000-mapping.dmp

Download
memory/4944-137-0x0000000000201000-0x0000000000204000-memory.dmp

Filesize
12KB

Download
memory/4944-138-0x0000000000200000-0x000000000023E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads