Analysis
max time kernel: 96s
max time network: 32s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 01-04-2023 09:14

Behavioral task behavioral1
  Sample: bingdu/爱比较抬棺_TMDprotected from thrretbook.exe
  Resource: win7-20230220-en
Behavioral task behavioral2
  Sample: bingdu/爱比较抬棺_TMDprotected from thrretbook.exe
  Resource: win10v2004-20230220-en
General
Target: bingdu/爱比较抬棺_TMDprotected from thrretbook.exe
Size: 29.0MB
MD5: d0cc7d1a14561d9a133ed12d4694fdeb
SHA1: 470e667842a11a6669ba075052c9c235db3aef2a
SHA256: 5929bd7cabc52719ff3a5a29ffc338def05771afe085fbf4fda3dacaadfa86cb
SHA512: 2079fe22587cd3fe626b124a1fe1ed73cee20e1773aee63eb263a8c2eaeb61d610d3a6c366875610cccfabc445d0ca99d4cbecf27d913a53584a22a26787fca5
SSDEEP: 786432:ahatI81fyQnJnJvvWiSVuKoWvy6UyXlOGFFa8i971/Oh6WHcVXdY:ahv+yQJJv+j7vCWaX7I8JK
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "0xffffffff"

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Disables RegEdit via registry modification (2 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"

Disables Task Manager via registry modification

Disables cmd.exe use via registry modification (1 IoC)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"

Drops file in Drivers directory (6 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- File created C:\Windows\SysWOW64\drivers\zybgd.sys
- File opened for modification C:\Windows\SysWOW64\drivers\mouclass.sys
- File opened for modification C:\Windows\SysWOW64\drivers\gpuenergydrv.sys
- File opened for modification C:\Windows\SysWOW64\drivers\mouhid.sys
- File opened for modification C:\Windows\SysWOW64\drivers\kbdhid.sys
- File opened for modification C:\Windows\SysWOW64\drivers\kbdclass.sys

Sets file execution options in registry (2 TTPs, 30 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
The same three operations are recorded for each of ten targets (cmd.exe, explorer.exe, logonui.exe, mmc.exe, notepad.exe, regedit.exe, taskmgr.exe, userinit.exe, winload.exe, winlogon.exe) under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<target>:
- Key created <target>
- Set value (str) <target>\ (the key's default value)
- Set value (str) <target>\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
With a Debugger value present, every user-mode launch of the target image starts the named path instead, with the original command line appended; the entries for explorer.exe, userinit.exe and winlogon.exe therefore start the sample at logon, and the ones for cmd.exe, regedit.exe, taskmgr.exe and mmc.exe redirect the tools an operator would use to undo it. winload.exe is started by the boot manager, not through CreateProcess, so that entry has no effect.

Sets service image path in registry (2 TTPs, 1 IoC)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FileDriver.sys\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\FileDriver.sys"

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Loads dropped DLL (1 IoC)
- pid 904 爱比较抬棺_TMDprotected from thrretbook.exe

Modifies system executable filetype association (2 TTPs, 2 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"

YARA match (yara_rule = themida) on 19 memory dumps of pid 904
- behavioral1/memory/904-N-0x0000000000400000-0x00000000025A9000-memory.dmp for N in 54, 55, 56, 57, 58, 149, 150, 151, 152, 153, 155, 156, 157, 158, 159, 160, 161, 162, 163

Adds Run key to start application (2 TTPs, 1 IoC)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BeiGuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"

Checks whether UAC is enabled
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- File opened for modification \??\PhysicalDrive0

Drops file in System32 directory (5 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- File created C:\Windows\SysWOW64\dead.bat
- File created C:\Windows\SysWOW64\oobe\info\backgrounds\backgroundDefault.jpg
- File opened for modification C:\Windows\SysWOW64\Recovery\
- File opened for modification C:\Windows\SysWOW64\mmc.exe
- File opened for modification C:\Windows\SysWOW64\

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
- pid 904 爱比较抬棺_TMDprotected from thrretbook.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
- pid 1040 taskkill.exe

Modifies registry class (29 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\<ProgID> for inffile, exefile, mscfile, txtfile, regfile, batfile, comfile, cmdfile
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.src
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\<ext>\ = "jpegfile" for .msc, .bat, .src, .sys, .reg, .com, .vbs, .rtf, .cmd, .msi, .log, .htm, .dll, .html, .exe, .ini
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.inf\ = "mp3file"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "pngfile"
Taken together these delete the ProgIDs for executables and scripts and point their extensions at the image and audio handlers, so opening such a file from the shell no longer runs it.

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid 904 爱比较抬棺_TMDprotected from thrretbook.exe

Suspicious behavior: LoadsDriver (4 IoCs)
- pid 464, four times (no process name in the report)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
- pid 1288 AUDIODG.EXE: Token: 33, SeIncBasePriorityPrivilege, Token: 33, SeIncBasePriorityPrivilege
- pid 1040 taskkill.exe: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (37 IoCs)
- pid 904 爱比较抬棺_TMDprotected from thrretbook.exe, 37 times

Suspicious use of WriteProcessMemory (36 IoCs)
Each parent/child pair below is recorded four times:
- PID 904 (爱比较抬棺_TMDprotected from thrretbook.exe) wrote to memory of 680 (cmd.exe)
- PID 680 (cmd.exe) wrote to memory of 1732 (cacls.exe)
- PID 904 (爱比较抬棺_TMDprotected from thrretbook.exe) wrote to memory of 952 (net.exe)
- PID 904 (爱比较抬棺_TMDprotected from thrretbook.exe) wrote to memory of 812 (net.exe)
- PID 904 (爱比较抬棺_TMDprotected from thrretbook.exe) wrote to memory of 1792 (net.exe)
- PID 904 (爱比较抬棺_TMDprotected from thrretbook.exe) wrote to memory of 1040 (taskkill.exe)
- PID 952 (net.exe) wrote to memory of 1996 (net1.exe)
- PID 1792 (net.exe) wrote to memory of 1536 (net1.exe)
- PID 812 (net.exe) wrote to memory of 932 (net1.exe)
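A check a responder can run against the behaviour recorded under "Writes to the Master Boot Record (MBR)" above. This is an added example, not code from the report or from the sample: it parses a raw first sector, compares the bootstrap code against a baseline hash taken from a known-good image, and reports the structural breakage an MBR overwrite leaves behind. The three sectors it checks are constructed here (the partition layout and bootstrap bytes are made up); `read_first_sector` shows how the live sector would be read from the same device the sample opened, which needs administrator rights, and is not called. All function names are this example's own.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw first sector into bootstrap code hash, disk signature, partition table and boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # byte 0 status, 1-3 CHS start, 4 type, 5-7 CHS end, 8-11 LBA start, 12-15 sector count
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        partitions.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        # hash the 440 bootstrap bytes only: 440-443 is the disk signature, 444-445 is reserved
        "code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": sector[440:444].hex(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Return the problems found; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    issues = []
    if not info["signature_ok"]:
        issues.append("boot signature 0x55AA missing")
    if info["code_sha256"] != baseline_code_sha256:
        issues.append("bootstrap code differs from baseline")
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            issues.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
    if sum(p["status"] == 0x80 for p in info["partitions"]) != 1:
        issues.append("expected exactly one active partition")
    return issues


def read_first_sector(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR (administrator rights required on Windows); not called in this example."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_sector(code: bytes, partitions, disk_signature=b"\x12\x34\x56\x78") -> bytes:
    """Constructed test data: assemble an MBR from bootstrap bytes and (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<B3sB3sII", st, b"\xff\xff\xff", ty, b"\xff\xff\xff", lba, n)
                     for st, ty, lba, n in partitions)
    return code.ljust(440, b"\x00")[:440] + disk_signature + b"\x00\x00" + table.ljust(64, b"\x00") + BOOT_SIGNATURE


# Constructed samples (not taken from the sandbox run): a known-good sector, one whose bootstrap
# code was replaced while the partition table and 0x55AA were kept, and one whose signature was destroyed.
PARTS = [(0x80, 0x07, 2048, 204800)]                            # one active NTFS partition
GOOD = build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTS)     # xor ax,ax / mov ss,ax / mov sp,7C00h
BASELINE = parse_mbr(GOOD)["code_sha256"]                       # recorded while the disk is known good
OVERWRITTEN = build_sector(b"\xeb\xfe" + b"\x90" * 438, PARTS)  # jmp $ : a stub that never boots the OS
WIPED_SIG = GOOD[:510] + b"\x00\x00"

if __name__ == "__main__":
    for name, sec in (("good", GOOD), ("overwritten", OVERWRITTEN), ("wiped_sig", WIPED_SIG)):
        print(name, check_mbr(sec, BASELINE) or "ok")
```

The point of the baseline hash is the second case: a replacement bootstrap that keeps the partition table and the 0x55AA signature intact passes every structural check, so only a comparison against a hash recorded before the incident shows that the sector was rewritten.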
Processes
C:\Users\Admin\AppData\Local\Temp\bingdu\爱比较抬棺_TMDprotected from thrretbook.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\bingdu\爱比较抬棺_TMDprotected from thrretbook.exe"
  - Modifies WinLogon for persistence
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Sets service image path in registry
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: cmd /c ""C:\Windows\System32\dead.bat" "
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cacls.exe (depth 3)
      command line: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  C:\Windows\SysWOW64\net.exe (depth 2)
    command line: net localgroup administrator User is locked /add
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (depth 3)
      command line: C:\Windows\system32\net1 localgroup administrator User is locked /add
  C:\Windows\SysWOW64\net.exe (depth 2)
    command line: net user User is locked locked /add
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (depth 3)
      command line: C:\Windows\system32\net1 user User is locked locked /add
  C:\Windows\SysWOW64\net.exe (depth 2)
    command line: net user Administrator locked
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (depth 3)
      command line: C:\Windows\system32\net1 user Administrator locked
  C:\Windows\SysWOW64\taskkill.exe (depth 2)
    command line: taskkill /f /im explorer.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\AUDIODG.EXE (depth 1)
  command line: C:\Windows\system32\AUDIODG.EXE 0x550
  - Suspicious use of AdjustPrivilegeToken

Notes on the tree: the sample is a 32-bit image (SysWOW64 child processes, Wow6432Node registry keys), so the writes it addresses to C:\Windows\System32 land in C:\Windows\SysWOW64 through WOW64 file-system redirection, which is why dead.bat and the .sys files appear under SysWOW64 in the Signatures section. The net commands are passed exactly as shown, unquoted; the group name typed is administrator, while the built-in group on an English system is Administrators.
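The registry events in the Signatures section and the command lines in the process tree above can be classified mechanically. The following is an added example, not part of the report or of the sandbox's own tooling: it parses the sandbox's flattened `Set value (type) <key>\<name> = "<data>"` lines and the child-process command lines, and tags each with the ATT&CK technique it indicates. The ATT&CK mapping, the treatment of any path under \Users\ or \Temp\ as user-writable, and the plain `Impact` label for killing explorer.exe are this example's own choices. The sample lines are copied from the sections above, plus one constructed benign control (the stock `"%1" %*` exefile open command) that must not fire.

```python
import re
from dataclasses import dataclass

# Registry events copied from the Signatures section above; the last line is a constructed
# benign control (the stock exefile open command) that must not produce a finding.
SAMPLE_REGISTRY = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "0xffffffff"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "jpegfile"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BeiGuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FileDriver.sys\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\FileDriver.sys"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"',
]
# Child-process command lines copied from the process tree above.
SAMPLE_CMDLINES = [
    'cmd /c ""C:\\Windows\\System32\\dead.bat" "',
    '"C:\\Windows\\system32\\cacls.exe" "C:\\Windows\\system32\\config\\system"',
    "net localgroup administrator User is locked /add",
    "net user User is locked locked /add",
    "net user Administrator locked",
    "taskkill /f /im explorer.exe",
]


@dataclass
class Finding:
    label: str    # ATT&CK technique id, or a plain category where no technique fits cleanly
    detail: str


_SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)"$')
_LOCKOUT = {"disablecmd", "disableregistrytools", "disabletaskmgr"}   # Policies\System values that lock out admin tools
_CMD_RULES = [
    (re.compile(r"^net1?\s+user\s+.+\s+/add\b", re.I), "T1136.001", "local account created"),
    (re.compile(r"^net1?\s+localgroup\s+.+\s+/add\b", re.I), "T1098", "account added to a local group"),
    (re.compile(r"^net1?\s+user\s+\S+\s+\S+$", re.I), "T1098", "account password changed"),
    (re.compile(r"cacls\.exe.*\\config\\system", re.I), "T1222.001", "ACL change attempted on the SYSTEM hive"),
    (re.compile(r"^taskkill\b.*\bexplorer\.exe", re.I), "Impact", "desktop shell killed"),
]


def parse_set_value(line):
    """Return (key, value_name, data) or None; undoes the sandbox's doubled backslashes and escaped quotes."""
    m = _SET_RE.match(line)
    if not m:
        return None
    _, path, data = m.groups()
    key, _, name = path.rpartition("\\")          # empty name means the key's default value
    return key, name, data.replace('\\"', '"').replace("\\\\", "\\")


def triage_registry(line):
    """Classify one Set value event against known-good defaults rather than against the sample's own paths."""
    parsed = parse_set_value(line)
    if parsed is None:
        return None
    key, name, data = parsed
    k, n, target = key.lower(), name.lower(), key.rsplit("\\", 1)[-1]
    if "\\image file execution options\\" in k and n == "debugger":
        return Finding("T1546.012", f"IFEO Debugger for {target} -> {data}")
    if k.endswith("\\winlogon") and n == "shell" and data.lower() != "explorer.exe":
        return Finding("T1547.004", f"Winlogon Shell replaced -> {data}")
    if k.endswith("\\winlogon") and n == "userinit" and "userinit.exe" not in data.lower():
        return Finding("T1547.004", f"Winlogon Userinit replaced -> {data}")
    if k.endswith("\\currentversion\\run"):
        return Finding("T1547.001", f"Run value {name} -> {data}")
    if k.endswith("\\policies\\system") and n in _LOCKOUT and data == "1":
        return Finding("T1562.001", f"{name} = 1")
    m = re.search(r"\\classes\\((?:exe|com|bat|cmd)file)\\shell\\open\\command$", k)
    if m and n == "" and data != '"%1" %*':
        return Finding("T1546.001", f"{m.group(1)} open command hijacked -> {data}")
    if re.search(r"\\classes\\\.(exe|com|bat|cmd|vbs|msi|reg|dll|sys|inf|msc)$", k) and n == "":
        return Finding("T1546.001", f"{target} remapped to ProgID {data}")
    # Assumption used as a heuristic: a service image under a profile or Temp directory is attacker-writable.
    if "\\services\\" in k and n == "imagepath" and ("\\users\\" in data.lower() or "\\temp\\" in data.lower()):
        return Finding("T1543.003", f"service {target} image in user-writable path -> {data}")
    return None


def triage_cmdline(cmdline):
    for pattern, label, what in _CMD_RULES:
        if pattern.search(cmdline):
            return Finding(label, f"{what}: {cmdline}")
    return None


def triage(registry_lines, cmdlines):
    found = [f for f in map(triage_registry, registry_lines) if f]
    return found + [f for f in map(triage_cmdline, cmdlines) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_REGISTRY, SAMPLE_CMDLINES):
        print(f"{f.label:10} {f.detail}")
```

The registry rules compare against the stock values (explorer.exe for Shell, userinit.exe in Userinit, `"%1" %*` for the exefile command) instead of looking for this sample's path, so they fire on any hijack of those keys, not only this one; the `dead.bat` launch deliberately yields no finding because a batch file under System32 is not by itself a technique.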
Network
Downloads
C:\Users\Admin\AppData\Local\Temp\bingdu\1.mp4
  Filesize: 1.0MB
  MD5: 890b16ca3279ef45465a0b562947b76d
  SHA1: 168c0541f03c97af6bcf909f80cd8d2b3e42b4b9
  SHA256: b285ea52d9650084f18469a3c7c292ea2fdd0cd46143719f092a434967954c5c
  SHA512: 6b3f6601d55db6dc05a400cccb9c5ebebc0c03cf04744b3beae3e525a214b95c4443dc5525c27aa8c1e3787f23c13268e4e8cbcfd95281edc0cdbe07d7ab316b
C:\Users\Admin\AppData\Local\Temp\bingdu\WinIo32.dll
  Filesize: 48KB
  MD5: 92cd248684fdd7704f4e2ac6f9f719f7
  SHA1: 4648dc4db472f89071ba104de2e785d791bb04d9
  SHA256: 0ef0ed91aa7c95a9589b552b4ca4773ab03232a75cbbef4451e409c002538958
  SHA512: 1cf9e18fdf002046c8c1d0dda77874829c8dd65ebaca698570fc98d47565dfb54b29bac6a27557a4a1cd4f181c8cfa331f18f980d6ade0b92f8608867a1f8f04
C:\Users\Admin\AppData\Local\Temp\bingdu\amp1
  Filesize: 45B
  MD5: 789b92cf7ab3c0c416215a4432b708ad
  SHA1: 731c68459386b0274ddbe79d881ceec58c4206be
  SHA256: 8b7797d2630384c33fc034588eb6fd514a40c74cbfc5b83d83e0cdd7631cca7d
  SHA512: a2253186cb64a07dcde42d34152dda1f5054eae6495c01558bfa6470a556966cd6fc5e7f1873891563b9f8d6303d9a9bfc53e0d4d25a917b5a17742fe9e7c093
C:\Users\Admin\AppData\Local\Temp\getadmin.vbs
  Filesize: 116B
  MD5: fcd771586cbdd090dbfb8ea2dbd6db3e
  SHA1: 36936229aa2bd6ffc3147a6e5fc1eca92f5fc129
  SHA256: bbb1e16b5329bd29698b9ec131390cf36ac4303e629d9818e5b3f529b6531938
  SHA512: f7505cd247712b7032cb22576cebe4dc12ad1c3af682d45ebec4bc2882460db2250617ee3a227ed51fad9187a6f498eca3bbe1dfa878a28842f81d404e5ee34a
C:\Windows\SysWOW64\dead.bat
  Filesize: 845B
  MD5: 27e6650cad8a0237ff689dbe13aeb782
  SHA1: 945c85a4c471a37e499778206c894bc3ab8f0107
  SHA256: 1ef5a6326c53a33a6cc715e9cba70be1f645ad2d0e712969ef3cd2ce5a058dcf
  SHA512: ebefba8979dc9bcfb24ac2814e234d4e7bf3061a1f1c89a61e4f79ef919f100384f7c3d3aeca3b27cfed10852e421e43a7e46961945b292df70ff3e4f79fefe9
\??\PIPE\samr (the SAM RPC named pipe used by the net user / net localgroup commands above; no content was captured, so these are the hashes of zero bytes)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
\Users\Admin\AppData\Local\Temp\bingdu\WinIo32.dll
  Filesize: 48KB
  MD5: 92cd248684fdd7704f4e2ac6f9f719f7
  SHA1: 4648dc4db472f89071ba104de2e785d791bb04d9
  SHA256: 0ef0ed91aa7c95a9589b552b4ca4773ab03232a75cbbef4451e409c002538958
  SHA512: 1cf9e18fdf002046c8c1d0dda77874829c8dd65ebaca698570fc98d47565dfb54b29bac6a27557a4a1cd4f181c8cfa331f18f980d6ade0b92f8608867a1f8f04

Memory dumps
memory/680-138-0x0000000002090000-0x0000000002091000-memory.dmp  Filesize: 4KB
memory/904-149-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-153-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-57-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-56-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-55-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-54-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-150-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-151-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-152-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-58-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-155-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-156-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-157-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-158-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-159-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-160-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-161-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-162-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB
memory/904-163-0x0000000000400000-0x00000000025A9000-memory.dmp  Filesize: 33.7MB