849e4a817090f6336a574b9171e354186e8fa21635dc0a73212db575aa6e27f0

Analysis

max time kernel
116s
max time network
171s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LOL老干妈V2.9【无限视距版】/LOL老干妈V2.9【无限视距版】.exe
Size

1.0MB
MD5

0db3e2bb2bdf8fa311cb8c18f30bf199
SHA1

7c81c8e88937ef6f4d106ec25ba2b5848bd7af3e
SHA256

8ed6520499a464776ab21c98452561980e8fb730ac43133af20dc0f84892eae6
SHA512

a1131f8f8c88057e7516cbbe6eaeac202ac83fda86cf4715c27448a1090e0ca2a639fde0a37f01642eaf7d61d788a010404621856d10b910020cb6db9f206ac1
SSDEEP

24576:4BtnIbzLSFiRowjsIpeod6WelgcsB7JRvITJj:4nn0SFiyYsaH0PsBYJj

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1008-57-0x0000000002280000-0x00000000022BE000-memory.dmp	upx
behavioral1/memory/1008-58-0x0000000002280000-0x00000000022BE000-memory.dmp	upx
behavioral1/memory/1008-59-0x0000000002280000-0x00000000022BE000-memory.dmp	upx
behavioral1/memory/1008-61-0x0000000002280000-0x00000000022BE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000077876c7e85f3e24b9a02e26fea6087cc0000000002000000000010660000000100002000000079ce85e5408e53f53fb93b36a313b8b750c1bff50828454cb7d43f9503d918e3000000000e800000000200002000000043a3ad4eba64d68f72d4b778167a671b32ee38b389e113521fbbddd1a1c7e1ec20000000b4940b5ebc224e7b64b1365161da1bba8bfe473b50eba75a8f1121801ed6cf2440000000827c8244c849a2d147f39d5a2c8a717b39d89dc79297820c7cf83722194fdcddc574e42e662a9f0daca357c7734f9386254f64baf78e0baaaba4243821eca5f1	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.2345.com/?kfi1997"	LOL老干妈V2.9【无限视距版】.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376358250"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000077876c7e85f3e24b9a02e26fea6087cc00000000020000000000106600000001000020000000ef44e6001cb3ae0f2fa2e9f27ef49381ef1ccf15823270ed7481ad71b02e79e7000000000e8000000002000020000000e8f80937589db6aca90d77e83d111e02004718d236b44b1b4bb043da2e3f26b290000000d496515ae16bfba3aac49541d73685219a5fa3de189a6ae062dfb74c94bd7e0ed84ce876c16e53ca214bdebc140f931da1feeaaa0ddd140ce92530205c815e7abfab425b43d7226cff869caf855c224494ab5cd64b9fdc9f588a2e8154b6d396c685a6d8234fd7cb8caf4171c14d8fb940268885b827f52d7387ed73feca8c4d6989f2c952f553d50feb699e954885e1400000006d149c5390a19ea4aca1dd22590f547f6ba3a4cb4e14432019df6dde182a1819860c3b9381fee2c0224c5c19339cc3c84e427f25e89ca8bcfc56f3c169eeaa69	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60fb39c2bb02d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CEF44041-6EAE-11ED-8D6F-660C31E8D015} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?kfi1997"	LOL老干妈V2.9【无限视距版】.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	LOL老干妈V2.9【无限视距版】.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1648	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1008	LOL老干妈V2.9【无限视距版】.exe
1008	LOL老干妈V2.9【无限视距版】.exe
1648	iexplore.exe
1648	iexplore.exe
1032	IEXPLORE.EXE
1032	IEXPLORE.EXE
1032	IEXPLORE.EXE
1032	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 1648	1008	LOL老干妈V2.9【无限视距版】.exe	28
PID 1008 wrote to memory of 1648	1008	LOL老干妈V2.9【无限视距版】.exe	28
PID 1008 wrote to memory of 1648	1008	LOL老干妈V2.9【无限视距版】.exe	28
PID 1008 wrote to memory of 1648	1008	LOL老干妈V2.9【无限视距版】.exe	28
PID 1648 wrote to memory of 1032	1648	iexplore.exe	30
PID 1648 wrote to memory of 1032	1648	iexplore.exe	30
PID 1648 wrote to memory of 1032	1648	iexplore.exe	30
PID 1648 wrote to memory of 1032	1648	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\LOL老干妈V2.9【无限视距版】\LOL老干妈V2.9【无限视距版】.exe
"C:\Users\Admin\AppData\Local\Temp\LOL老干妈V2.9【无限视距版】\LOL老干妈V2.9【无限视距版】.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.lollgm.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1BYSADWD.txt

Filesize
600B

MD5
072c8663024d9c4250e20a2d48b6d9f5

SHA1
5ab85679ed12e4d6a8553efba0c00c8ece4a12e0

SHA256
96af9371e6e38fc71cff1f828710b7f86ca07426383261ae72e80f7399c947b6

SHA512
aae60bfa03af3eb3ef8ebfa6200318577ff75f070d6877076044b69def1032045b2c6c99ef9ca9c8c37e4879e0e80b8c15089830e664173af1584b188386f4d9

Download Submit
memory/1008-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1008-55-0x0000000000400000-0x00000000006D74E5-memory.dmp

Filesize
2.8MB

Download
memory/1008-56-0x0000000000400000-0x00000000006D74E5-memory.dmp

Filesize
2.8MB

Download
memory/1008-57-0x0000000002280000-0x00000000022BE000-memory.dmp

Filesize
248KB

Download
memory/1008-58-0x0000000002280000-0x00000000022BE000-memory.dmp

Filesize
248KB

Download
memory/1008-59-0x0000000002280000-0x00000000022BE000-memory.dmp

Filesize
248KB

Download
memory/1008-61-0x0000000002280000-0x00000000022BE000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads