Overview

overview

8

Static

static

8

河源下�...om.url

windows7-x64

1

河源下�...om.url

windows10-2004-x64

1

简單挂�...nj.dll

windows7-x64

8

简單挂�...nj.dll

windows10-2004-x64

8

简單挂�...ro.dll

windows7-x64

8

简單挂�...ro.dll

windows10-2004-x64

8

简單挂�...ip.dll

windows7-x64

1

简單挂�...ip.dll

windows10-2004-x64

3

简單挂�....0.exe

windows7-x64

8

简單挂�....0.exe

windows10-2004-x64

8

简單挂�...04.url

windows7-x64

1

简單挂�...04.url

windows10-2004-x64

1

简單挂�...om.url

windows7-x64

1

简單挂�...om.url

windows10-2004-x64

1

简單挂�...�1.exe

windows7-x64

8

简單挂�...�1.exe

windows10-2004-x64

8

简單挂�...��.exe

windows7-x64

7

简單挂�...��.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    191s
  • max time network
    223s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 20:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    简單挂免曊版⒔1/简單挂免曊版⒔1.exe

  • Size

    4.3MB

  • MD5

    f7dbf6be3fc951697b713a286f4a6c48

  • SHA1

    5b3eb15fefa4d8b546aa2987bcf36fcab901ae55

  • SHA256

    640ca5066401e717118f19e5e471ba8832d87e900205d8e5d6d10a53da51a913

  • SHA512

    340fde9e9c16eb9fe374930f6f247b4662ff1b2c20b10a03d093fad497b2367512d1908dbab9d790f86b2d4b8904950eef8d8de214626cab467c0c0a66a56477

  • SSDEEP

    49152:PSvd6wMpY+mCvZhCCuLHy44COCVTVvoNVQCOeAYjLpT465SDEk2YBC3iMcoFntAe:+6wMa+5CCOqnDJ1jt86Qn26F+l/vw

Score
8/10
vmprotect

Malware Config

Signatures

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\简單挂免曊版⒔1\简單挂免曊版⒔1.exe
    "C:\Users\Admin\AppData\Local\Temp\简單挂免曊版⒔1\简單挂免曊版⒔1.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.jdcqg.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1052 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1140-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1140-55-0x00000000000A0000-0x000000000097B000-memory.dmp
    Filesize

    8.9MB

    Download
  • memory/1140-56-0x00000000000A0000-0x000000000097B000-memory.dmp
    Filesize

    8.9MB

    Download
  • memory/1140-58-0x00000000000A0000-0x000000000097B000-memory.dmp
    Filesize

    8.9MB

    Download
  • memory/1140-59-0x00000000000A0000-0x000000000097B000-memory.dmp
    Filesize

    8.9MB

    Download
  • memory/1140-60-0x0000000001030000-0x0000000001040000-memory.dmp
    Filesize

    64KB

    Download