Analysis

  • max time kernel
    109s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 00:33

General

  • Target

    mwbqyxfz/魔王辅助[爆枪英雄].exe

  • Size

    1.8MB

  • MD5

    37ce26d6b4d4f4e73b705a7b5586d0f2

  • SHA1

    0b32f91a59413b0f3606ad189f0ae2f70143a4cb

  • SHA256

    755816f16d2afad3a7d1d84df8a129435ebedb2f6369a8362f82e1b01db8e73f

  • SHA512

    743094be2a454ec701bd6139a0ea2a228d457f873b5092a6664fda64bbc52d004d325a77ce3fb3d10ed82a5c19713609a65287a2c222556fb46a98f530672722

  • SSDEEP

    49152:P1qYWKqdj6QoKh+s8KuqGaX0ToIBAUZLYcX:E5KqoQoFJBAUZLVX

Score
8/10
upx

Malware Config

Signatures

  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mwbqyxfz\魔王辅助[爆枪英雄].exe
    "C:\Users\Admin\AppData\Local\Temp\mwbqyxfz\魔王辅助[爆枪英雄].exe"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.400gb.com/u/2316042
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:616
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:616 CREDAT:275457 /prefetch:2
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1516

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    61KB

    MD5

    3dcf580a93972319e82cafbc047d34d5

    SHA1

    8528d2a1363e5de77dc3b1142850e51ead0f4b6b

    SHA256

    40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

    SHA512

    98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    401fdbd9628974a1557dfebdce0527c0

    SHA1

    2c900fc14eeec14cdff41a4711e2da5125907d16

    SHA256

    3a32bb41cde4fb18be572bfd3f162d0c39dad5b4df4dbaa45829e1be52564baf

    SHA512

    9b4bafdf816afa2a11cc911edbb2c7ca489f537895b019939b9774ebf313e156046ed8742ba0b72bc3748b1e45120127c6ae494118a8ce15e547632fe3c6c846

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H27UZ4U2.txt

    Filesize

    606B

    MD5

    54d6b2aba74ee6a4e8420edfd5f09c50

    SHA1

    8ef381098f4968c02e936204fa06c7fe67de7f5c

    SHA256

    40c149c08122402844a90da46a5b46b11eacbbe65d71e69d253080273e39dda0

    SHA512

    9afda9c3573caf8a09ce8e8be4f78efda5631d54ccbadbf9ffb641caa11318856173fcc332ac438d497225133ac7ded6e019cc9c70142d0eaa8c7b596673d11c

  • memory/1512-77-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-85-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-63-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-61-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-65-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-69-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-67-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-71-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-73-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-75-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-79-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-54-0x00000000756A1000-0x00000000756A3000-memory.dmp

    Filesize

    8KB

  • memory/1512-81-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-56-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-83-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-87-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-91-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-89-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-93-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-97-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-95-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-98-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-100-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-59-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-57-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

  • memory/1512-55-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB