Overview

overview

8

Static

static

光棍节�...��.exe

windows7-x64

8

光棍节�...��.exe

windows10-2004-x64

8

光棍节�...11.exe

windows7-x64

8

光棍节�...11.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 05:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    光棍节快速免费WEB刷花协议/WEB无限刷花协议11.11.exe

  • Size

    1.6MB

  • MD5

    f84e4dd9cddd7925078a10cae8009c31

  • SHA1

    97a94ed43ec689934fe7af84f9570194570fc781

  • SHA256

    54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2

  • SHA512

    3e0d7c91b144ef52ad988e53a80a1b4457d9b77e5350341f4706b2707abc5b416aa761d1c35fdd4c13c5b5bdc935670e2ee957fe62c296c3d6dab8876a2c513b

  • SSDEEP

    24576:HNw52RX3IGgsPJnOK5BF6t1poyRBKx3htCYpJ4+I0z1N2V2:HDBhrFulixtC24+RU2

Score
8/10
aspackv2persistencevmprotect

Malware Config

Signatures

  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 7 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\光棍节快速免费WEB刷花协议\WEB无限刷花协议11.11.exe
    "C:\Users\Admin\AppData\Local\Temp\光棍节快速免费WEB刷花协议\WEB无限刷花协议11.11.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\SysWOW64\yyberi.exe
      C:\Windows\System32\/yyberi.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      PID:1200
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.2345.com/?kduowanyy
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:380
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:380 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1256

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
    Filesize

    1KB

    MD5

    1f3238a51005c8867bad3d22f90b63ac

    SHA1

    4bce3e49e328d7a4a414dfaaaf3b7f9a9266ca74

    SHA256

    49dc4437e1f06ab0d3f22543d9421d1cb67314dba54765943803a1977c869a46

    SHA512

    2009959ffe03fd435e35c3df23cbe4790705a8dfd6f059a4aba3ddba711376a2901ff3d0a6f728bd5498779c2ab9921ab1a0de37d1a4eb89dca4bd431cfdf203

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B
    Filesize

    1KB

    MD5

    731b8f0570b938ddfd449cde23f77558

    SHA1

    3edd9f9e4ec3a4a99afe08f071b29f91cfddf9f4

    SHA256

    7d938895d153ec61371388c58a96eedfec9a06050020ce6a46e3da9f0dac0bbb

    SHA512

    857b3c28249de00a5805b462cb4bbf8d6238c9a90ccde7c88462157295a295a22b07c920bb560ef2445fa657a56a077d019861f9f94574025c4c467c0b27731c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    3dcf580a93972319e82cafbc047d34d5

    SHA1

    8528d2a1363e5de77dc3b1142850e51ead0f4b6b

    SHA256

    40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

    SHA512

    98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
    Filesize

    1KB

    MD5

    690bf80fbd5f91b7d460f329ef0f95a9

    SHA1

    146c87cde2a38b92c7f7ec28a932f67e9d6e11b5

    SHA256

    61a86fd868c69f00eebd6da39640176dd6990d44ae55d621ec52a66b0d25320c

    SHA512

    85f789c39bc9cd97ab07cadf8a714c998c486f40f8ec618992a13727c29998b79ec48fb21d7dc8a0bba00aa03e15f1c88070558431f6ea00d86a7c83d41c3cb9

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
    Filesize

    508B

    MD5

    d59df7f8ce140857f3375f1c2dc999c9

    SHA1

    5500ba6f96e4ca3591283d612e2e42ed990dad70

    SHA256

    4d1bca7faaefe8ac7b51b7d491a85f5d389247d129b7bdf9b54c730e3c92c2aa

    SHA512

    b4654aec4ddb8509ffd69a481094392c7490a7a839407c8d9638ea67ede711d6bee4620cb4bf75677ad60eadab899a0547c47686166579455e57d35b0377bbff

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B
    Filesize

    532B

    MD5

    2ffe0bd248c8d1b5bb350cee8448df57

    SHA1

    aeb80ec794c4cf0f314fab9331de18e11a541c8b

    SHA256

    78b5041c23a7dad21dc07df261a548ad697b2877a86225cd71a9d92238cb3447

    SHA512

    a19c18a2d3089c7ea3c15e6a4dca08577af12e230795fcac4732ce68a62f103776f2a429ffb2eb8e257c67378d6debcf0809a509aeeb3bf9be41559b00365322

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8f37b6f3d3f7f921fa381efff50349c8

    SHA1

    f1055314dd4a92165f586f30d50434b7d579ab4b

    SHA256

    85ee86e9e97d56a7d417f9b587caac6316332896f20da0c94e978afd64bfd8a4

    SHA512

    ba6cb229e7492f22dcd0709d21973203138057a54ce69511fb2dd94c58378a67ba04302083a71b577c84e24038bc3615626380b25f8a5b28765a6f60bede8362

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    afdf681ec847ebab43acb08d4119bf4b

    SHA1

    24bf7f2e83132f5065ea0dfbdf4eb4bcc1c1a6a2

    SHA256

    5b6b0eda8fe38e2f62fa7d8395ddade8197b2bad4640a4b231a76ad8d8d071b6

    SHA512

    02a25d84d74429810afc970656ebc46199636eb433a243add159d1836a58a6609317d91174f70d4169fb1aa1cf1c17739481ea974b7a39ecc90436a85a9b3995

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
    Filesize

    506B

    MD5

    9df4c248cd1e9115c9e25ad4f413cf27

    SHA1

    856b073f8cc7dc02fcb01ad086fea5b3106bd14a

    SHA256

    f27f9d3b2ae2b566c66699e232b94bd22b57a1aecacc01837dbe083d5be70440

    SHA512

    79c5867e8bf36257f7787a7366e763ec86be9ce3f8cc3f7f2bc4d0e69652de59df36fd87f9e3d5f63e18c7a26155c2a83b718c31d382fcd7b066cb996b453382

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
    Filesize

    4KB

    MD5

    76e544f3800a2f7abb4237b9fef3bffa

    SHA1

    1bee111d0b47645a1e5117b6764ce07e259cc81f

    SHA256

    496f3bc812cac05159308cf41ad5d9560a030fd1cabc326de9b3887685a324fe

    SHA512

    0a5a447dff8e1c5941a5dd3c0ec5c96458442ef4d6a9dec5034ce5889538cdfd73a6d0f6d82b2a618fd79779ed07b6d934ae26bc3ec5128372dea27246011a0a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3UF5B44Y.txt
    Filesize

    608B

    MD5

    d7b15cabfc9fb0e939b2f326eb019b65

    SHA1

    c948f745a5284ec06e1f8ac4ee18d2c707454a20

    SHA256

    fe0b9f71630a914866dc32a0bb4fb7ada6dc02297946fb021f34a3980edf32c0

    SHA512

    9dce8efae31ffa2d48eacbfe08aa5283855d5f39340f6635b3961f4378a08b36a2de3b9ed43d96384f1c47bc31b07e369e043d93b67a5962d84f0568c2bcee92

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\J8D331V2.txt
    Filesize

    108B

    MD5

    c52a57c862de0808c75ff347495d9484

    SHA1

    158b6b14af8c94e39266287e5788432d2d0bfc49

    SHA256

    d274253eeb46f27c2e28025498ee90c0a36a5e2345ecea51b8c224ef62850ef3

    SHA512

    fed96b3609cbd2ac2a7745b0fd69405e9ba23e5f93fd5f0696eebe1e01e33f08887c7dab83b6d695a9d5a30082d8a7407e60fba2ea95267da5a3c1697ddad1ca

    Download Submit
  • C:\Windows\SysWOW64\yyberi.exe
    Filesize

    476KB

    MD5

    262c5d4706f08de4ee40cfd533f0c3d6

    SHA1

    3150ca9f7b477d1403bf3a4af73ee712cc8797f1

    SHA256

    81bdb4e664879104d8754aad80bfc7f189450da3ea000198960fbd0c2c98ae67

    SHA512

    1b72667b8428437ba68d994ff5b5918fed58d143f486b64089675d1bdca5afdfe4871df519082e7b26ac480b3d488c4a98abcf8375dcb4cdd8a2c57fe99b3a51

    Download Submit
  • C:\Windows\SysWOW64\yyberi.exe
    Filesize

    476KB

    MD5

    262c5d4706f08de4ee40cfd533f0c3d6

    SHA1

    3150ca9f7b477d1403bf3a4af73ee712cc8797f1

    SHA256

    81bdb4e664879104d8754aad80bfc7f189450da3ea000198960fbd0c2c98ae67

    SHA512

    1b72667b8428437ba68d994ff5b5918fed58d143f486b64089675d1bdca5afdfe4871df519082e7b26ac480b3d488c4a98abcf8375dcb4cdd8a2c57fe99b3a51

    Download Submit
  • \Windows\SysWOW64\yyberi.exe
    Filesize

    476KB

    MD5

    262c5d4706f08de4ee40cfd533f0c3d6

    SHA1

    3150ca9f7b477d1403bf3a4af73ee712cc8797f1

    SHA256

    81bdb4e664879104d8754aad80bfc7f189450da3ea000198960fbd0c2c98ae67

    SHA512

    1b72667b8428437ba68d994ff5b5918fed58d143f486b64089675d1bdca5afdfe4871df519082e7b26ac480b3d488c4a98abcf8375dcb4cdd8a2c57fe99b3a51

    Download Submit
  • \Windows\SysWOW64\yyberi.exe
    Filesize

    476KB

    MD5

    262c5d4706f08de4ee40cfd533f0c3d6

    SHA1

    3150ca9f7b477d1403bf3a4af73ee712cc8797f1

    SHA256

    81bdb4e664879104d8754aad80bfc7f189450da3ea000198960fbd0c2c98ae67

    SHA512

    1b72667b8428437ba68d994ff5b5918fed58d143f486b64089675d1bdca5afdfe4871df519082e7b26ac480b3d488c4a98abcf8375dcb4cdd8a2c57fe99b3a51

    Download Submit
  • memory/1200-63-0x0000000000400000-0x00000000005A7000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1200-60-0x0000000000400000-0x00000000005A7000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1200-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1200-79-0x0000000000400000-0x00000000005A7000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1768-54-0x0000000075931000-0x0000000075933000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1768-62-0x00000000031B0000-0x0000000003357000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1768-78-0x00000000031B0000-0x0000000003357000-memory.dmp
    Filesize

    1.7MB

    Download