9705b92cacffa01e2d883105e9f187ddc1249c27067834fbbb7c3687f3adcd8c

Analysis

max time kernel
63s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bingdu/爱比较抬棺_TMDprotected from thrretbook.exe
Size

29.0MB
MD5

d0cc7d1a14561d9a133ed12d4694fdeb
SHA1

470e667842a11a6669ba075052c9c235db3aef2a
SHA256

5929bd7cabc52719ff3a5a29ffc338def05771afe085fbf4fda3dacaadfa86cb
SHA512

2079fe22587cd3fe626b124a1fe1ed73cee20e1773aee63eb263a8c2eaeb61d610d3a6c366875610cccfabc445d0ca99d4cbecf27d913a53584a22a26787fca5
SSDEEP

786432:ahatI81fyQnJnJvvWiSVuKoWvy6UyXlOGFFa8i971/Oh6WHcVXdY:ahv+yQJJv+j7vCWaX7I8JK

Score

10^/10

bootkit evasion persistence themida trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "0xffffffff"	爱比较抬棺_TMDprotected from thrretbook.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 爱比较抬棺_TMDprotected from thrretbook.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	爱比较抬棺_TMDprotected from thrretbook.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	爱比较抬棺_TMDprotected from thrretbook.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	爱比较抬棺_TMDprotected from thrretbook.exe

Drops file in Drivers directory 6 IoCs

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\zybgd.sys	爱比较抬棺_TMDprotected from thrretbook.exe
File opened for modification	C:\Windows\SysWOW64\drivers\mouclass.sys	爱比较抬棺_TMDprotected from thrretbook.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gpuenergydrv.sys	爱比较抬棺_TMDprotected from thrretbook.exe
File opened for modification	C:\Windows\SysWOW64\drivers\mouhid.sys	爱比较抬棺_TMDprotected from thrretbook.exe
File opened for modification	C:\Windows\SysWOW64\drivers\kbdhid.sys	爱比较抬棺_TMDprotected from thrretbook.exe
File opened for modification	C:\Windows\SysWOW64\drivers\kbdclass.sys	爱比较抬棺_TMDprotected from thrretbook.exe

Sets file execution options in registry 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	爱比较抬棺_TMDprotected from thrretbook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	爱比较抬棺_TMDprotected from thrretbook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winload.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winload.exe\	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	爱比较抬棺_TMDprotected from thrretbook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winload.exe	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FileDriver.sys\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\FileDriver.sys"	爱比较抬棺_TMDprotected from thrretbook.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	爱比较抬棺_TMDprotected from thrretbook.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	爱比较抬棺_TMDprotected from thrretbook.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	爱比较抬棺_TMDprotected from thrretbook.exe

Loads dropped DLL 1 IoCs

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

pid process

4944 爱比较抬棺_TMDprotected from thrretbook.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe

Themida packer 19 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4944-133-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-134-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-135-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-136-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-137-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-138-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-166-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-181-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-182-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-184-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-185-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-186-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-187-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-188-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-189-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-190-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-191-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-192-0x0000000000400000-0x00000000025A9000-memory.dmp	themida
behavioral2/memory/4944-193-0x0000000000400000-0x00000000025A9000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BeiGuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	爱比较抬棺_TMDprotected from thrretbook.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

description ioc process

File opened for modification \??\PhysicalDrive0 爱比较抬棺_TMDprotected from thrretbook.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	爱比较抬棺_TMDprotected from thrretbook.exe

Drops file in System32 directory 5 IoCs

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dead.bat	爱比较抬棺_TMDprotected from thrretbook.exe
File created	C:\Windows\SysWOW64\oobe\info\backgrounds\backgroundDefault.jpg	爱比较抬棺_TMDprotected from thrretbook.exe
File opened for modification	C:\Windows\SysWOW64\Recovery\	爱比较抬棺_TMDprotected from thrretbook.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	爱比较抬棺_TMDprotected from thrretbook.exe
File opened for modification	C:\Windows\SysWOW64\	爱比较抬棺_TMDprotected from thrretbook.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

pid process

4944 爱比较抬棺_TMDprotected from thrretbook.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4144 taskkill.exe

pid	process
4144	taskkill.exe

Modifies registry class 29 IoCs

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.src\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.msi\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dll\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "pngfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.inf\ = "mp3file"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rtf\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.log\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ini\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.html\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.htm\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	爱比较抬棺_TMDprotected from thrretbook.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sys\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.msc\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	爱比较抬棺_TMDprotected from thrretbook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.src	爱比较抬棺_TMDprotected from thrretbook.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile	爱比较抬棺_TMDprotected from thrretbook.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"	爱比较抬棺_TMDprotected from thrretbook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "jpegfile"	爱比较抬棺_TMDprotected from thrretbook.exe

Runs net.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

pid process

4944 爱比较抬棺_TMDprotected from thrretbook.exe
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

652
652
652
652
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AUDIODG.EXEtaskkill.exe

description pid process

Token: 33 464 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 464 AUDIODG.EXE
Token: SeDebugPrivilege 4144 taskkill.exe

pid	process
652
652
652
652

description	pid	process
Token: 33	464	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	464	AUDIODG.EXE
Token: SeDebugPrivilege	4144	taskkill.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

爱比较抬棺_TMDprotected from thrretbook.exe

pid	process
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe
4944	爱比较抬棺_TMDprotected from thrretbook.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

爱比较抬棺_TMDprotected from thrretbook.execmd.exenet.exenet.exenet.exe

description	pid	process	target process
PID 4944 wrote to memory of 4212	4944	爱比较抬棺_TMDprotected from thrretbook.exe	cmd.exe
PID 4944 wrote to memory of 4212	4944	爱比较抬棺_TMDprotected from thrretbook.exe	cmd.exe
PID 4944 wrote to memory of 4212	4944	爱比较抬棺_TMDprotected from thrretbook.exe	cmd.exe
PID 4212 wrote to memory of 2084	4212	cmd.exe	cacls.exe
PID 4212 wrote to memory of 2084	4212	cmd.exe	cacls.exe
PID 4212 wrote to memory of 2084	4212	cmd.exe	cacls.exe
PID 4944 wrote to memory of 1916	4944	爱比较抬棺_TMDprotected from thrretbook.exe	net.exe
PID 4944 wrote to memory of 1916	4944	爱比较抬棺_TMDprotected from thrretbook.exe	net.exe
PID 4944 wrote to memory of 1916	4944	爱比较抬棺_TMDprotected from thrretbook.exe	net.exe
PID 4944 wrote to memory of 4536	4944	爱比较抬棺_TMDprotected from thrretbook.exe	net.exe
PID 4944 wrote to memory of 4536	4944	爱比较抬棺_TMDprotected from thrretbook.exe	net.exe
PID 4944 wrote to memory of 4536	4944	爱比较抬棺_TMDprotected from thrretbook.exe	net.exe
PID 4944 wrote to memory of 4348	4944	爱比较抬棺_TMDprotected from thrretbook.exe	net.exe
PID 4944 wrote to memory of 4348	4944	爱比较抬棺_TMDprotected from thrretbook.exe	net.exe
PID 4944 wrote to memory of 4348	4944	爱比较抬棺_TMDprotected from thrretbook.exe	net.exe
PID 4944 wrote to memory of 4144	4944	爱比较抬棺_TMDprotected from thrretbook.exe	taskkill.exe
PID 4944 wrote to memory of 4144	4944	爱比较抬棺_TMDprotected from thrretbook.exe	taskkill.exe
PID 4944 wrote to memory of 4144	4944	爱比较抬棺_TMDprotected from thrretbook.exe	taskkill.exe
PID 1916 wrote to memory of 1372	1916	net.exe	net1.exe
PID 1916 wrote to memory of 1372	1916	net.exe	net1.exe
PID 1916 wrote to memory of 1372	1916	net.exe	net1.exe
PID 4348 wrote to memory of 1732	4348	net.exe	net1.exe
PID 4348 wrote to memory of 1732	4348	net.exe	net1.exe
PID 4348 wrote to memory of 1732	4348	net.exe	net1.exe
PID 4536 wrote to memory of 4300	4536	net.exe	net1.exe
PID 4536 wrote to memory of 4300	4536	net.exe	net1.exe
PID 4536 wrote to memory of 4300	4536	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\bingdu\爱比较抬棺_TMDprotected from thrretbook.exe
"C:\Users\Admin\AppData\Local\Temp\bingdu\爱比较抬棺_TMDprotected from thrretbook.exe"
1⤵
- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Sets service image path in registry
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\dead.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
3⤵
PID:2084

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\SysWOW64\net.exe
net localgroup administrator User is locked /add
2⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrator User is locked /add
3⤵
PID:1732

C:\Windows\SysWOW64\net.exe
net user User is locked locked /add
2⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user User is locked locked /add
3⤵
PID:4300

C:\Windows\SysWOW64\net.exe
net user Administrator locked
2⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Administrator locked
3⤵
PID:1372

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a4 0x420
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Change Default File Association

T1042

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bingdu\1.mp4
Filesize
1.0MB

MD5
890b16ca3279ef45465a0b562947b76d

SHA1
168c0541f03c97af6bcf909f80cd8d2b3e42b4b9

SHA256
b285ea52d9650084f18469a3c7c292ea2fdd0cd46143719f092a434967954c5c

SHA512
6b3f6601d55db6dc05a400cccb9c5ebebc0c03cf04744b3beae3e525a214b95c4443dc5525c27aa8c1e3787f23c13268e4e8cbcfd95281edc0cdbe07d7ab316b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bingdu\WinIo32.dll
Filesize
48KB

MD5
92cd248684fdd7704f4e2ac6f9f719f7

SHA1
4648dc4db472f89071ba104de2e785d791bb04d9

SHA256
0ef0ed91aa7c95a9589b552b4ca4773ab03232a75cbbef4451e409c002538958

SHA512
1cf9e18fdf002046c8c1d0dda77874829c8dd65ebaca698570fc98d47565dfb54b29bac6a27557a4a1cd4f181c8cfa331f18f980d6ade0b92f8608867a1f8f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\bingdu\WinIo32.dll
Filesize
48KB

MD5
92cd248684fdd7704f4e2ac6f9f719f7

SHA1
4648dc4db472f89071ba104de2e785d791bb04d9

SHA256
0ef0ed91aa7c95a9589b552b4ca4773ab03232a75cbbef4451e409c002538958

SHA512
1cf9e18fdf002046c8c1d0dda77874829c8dd65ebaca698570fc98d47565dfb54b29bac6a27557a4a1cd4f181c8cfa331f18f980d6ade0b92f8608867a1f8f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\bingdu\amp1
Filesize
45B

MD5
789b92cf7ab3c0c416215a4432b708ad

SHA1
731c68459386b0274ddbe79d881ceec58c4206be

SHA256
8b7797d2630384c33fc034588eb6fd514a40c74cbfc5b83d83e0cdd7631cca7d

SHA512
a2253186cb64a07dcde42d34152dda1f5054eae6495c01558bfa6470a556966cd6fc5e7f1873891563b9f8d6303d9a9bfc53e0d4d25a917b5a17742fe9e7c093

Download Submit
C:\Users\Admin\AppData\Local\Temp\getadmin.vbs
Filesize
116B

MD5
fcd771586cbdd090dbfb8ea2dbd6db3e

SHA1
36936229aa2bd6ffc3147a6e5fc1eca92f5fc129

SHA256
bbb1e16b5329bd29698b9ec131390cf36ac4303e629d9818e5b3f529b6531938

SHA512
f7505cd247712b7032cb22576cebe4dc12ad1c3af682d45ebec4bc2882460db2250617ee3a227ed51fad9187a6f498eca3bbe1dfa878a28842f81d404e5ee34a

Download Submit
C:\Windows\SysWOW64\dead.bat
Filesize
845B

MD5
27e6650cad8a0237ff689dbe13aeb782

SHA1
945c85a4c471a37e499778206c894bc3ab8f0107

SHA256
1ef5a6326c53a33a6cc715e9cba70be1f645ad2d0e712969ef3cd2ce5a058dcf

SHA512
ebefba8979dc9bcfb24ac2814e234d4e7bf3061a1f1c89a61e4f79ef919f100384f7c3d3aeca3b27cfed10852e421e43a7e46961945b292df70ff3e4f79fefe9

Download Submit
memory/4944-182-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-184-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-134-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-136-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-166-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-138-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-133-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-181-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-137-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-135-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-185-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-186-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-187-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-188-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-189-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-190-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-191-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-192-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download
memory/4944-193-0x0000000000400000-0x00000000025A9000-memory.dmp

Filesize
33.7MB

Download