Overview

overview

9

Static

static

9

RrPrivateA...um.exe

windows7-x64

9

RrPrivateA...um.exe

windows10-2004-x64

9

RrPrivateA...��.exe

windows7-x64

9

RrPrivateA...��.exe

windows10-2004-x64

9

RrPrivateA...e.html

windows7-x64

1

RrPrivateA...e.html

windows10-2004-x64

1

rrprivatea...10.dll

windows7-x64

1

rrprivatea...10.dll

windows10-2004-x64

1

使用必读.url

windows7-x64

1

使用必读.url

windows10-2004-x64

1

华彩软件站.url

windows7-x64

1

华彩软件站.url

windows10-2004-x64

1

Analysis

  • max time kernel
    249s
  • max time network
    335s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2022, 20:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RrPrivateAlbum/补丁.exe

  • Size

    481KB

  • MD5

    709d802d7c22098de139072fcbdec43d

  • SHA1

    f19a320ed081ded88c9b151e73dcac113bd22802

  • SHA256

    c1d1c73ccbdd2734f497f75e6de06074cad53a28d7a9bd5e9c99480c9d7517e5

  • SHA512

    cc6ea816125742f6e08239b0949c7e59bfeba42055905da4ac1147fa2f8ec843786f846b86714f26fd58572372605e369e290bbc23ccbe456923d74b22bea213

  • SSDEEP

    12288:mx6jZWFpuVa0AfRAqNH+K/lGRgOUqmq9kR6lhKXYOI1CASk:mEsRbp+K/cRgOnmq9g6RCg

Score
9/10
evasionupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RrPrivateAlbum\补丁.exe
    "C:\Users\Admin\AppData\Local\Temp\RrPrivateAlbum\补丁.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Users\Admin\AppData\Local\Temp\RrPrivateAlbum\RrPrivateAlbum.exe
      "RrPrivateAlbum.exe"
      2⤵
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1472

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\RrPrivateAlbum\SkinH.dll
    Filesize

    84KB

    MD5

    a00c474dc4ced90b8f5a692108c45dce

    SHA1

    e02722d30a6218523e9ddef287817788a4a9b9fc

    SHA256

    6504e515cbcf89cb98fd9f1a310125bfdf93e1f6a6bf0c64c0229e5670cac9b1

    SHA512

    e81b001379f94fabb71f1d6a019b81202e00da7338048b77d1728b40427689a32801419377d3e86c51c5e418cc3ccc328ee00adc69eaa575267bcaac8f477abd

    Download Submit

  • memory/868-59-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/868-86-0x0000000003110000-0x000000000314E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/868-57-0x0000000003110000-0x000000000314E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/868-64-0x0000000003F00000-0x000000000411C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/868-54-0x0000000074E61000-0x0000000074E63000-memory.dmp

    Filesize

    8KB

    Download

  • memory/868-60-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/868-61-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/868-55-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/868-56-0x0000000000280000-0x00000000002E0000-memory.dmp

    Filesize

    384KB

    Download

  • memory/868-63-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/868-58-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/868-66-0x0000000000401000-0x0000000000403000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1472-65-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1472-87-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1472-89-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1472-90-0x0000000010000000-0x000000001003C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1472-91-0x0000000000400000-0x000000000061C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1472-92-0x0000000010000000-0x000000001003C000-memory.dmp

    Filesize

    240KB

    Download