Analysis
- max time kernel: 63s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-04-2023 09:14
Behavioral task: behavioral1
- Sample: bingdu/爱比较抬棺_TMDprotected from thrretbook.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: bingdu/爱比较抬棺_TMDprotected from thrretbook.exe
- Resource: win10v2004-20230220-en
General
- Target: bingdu/爱比较抬棺_TMDprotected from thrretbook.exe
- Size: 29.0MB
- MD5: d0cc7d1a14561d9a133ed12d4694fdeb
- SHA1: 470e667842a11a6669ba075052c9c235db3aef2a
- SHA256: 5929bd7cabc52719ff3a5a29ffc338def05771afe085fbf4fda3dacaadfa86cb
- SHA512: 2079fe22587cd3fe626b124a1fe1ed73cee20e1773aee63eb263a8c2eaeb61d610d3a6c366875610cccfabc445d0ca99d4cbecf27d913a53584a22a26787fca5
- SSDEEP: 786432:ahatI81fyQnJnJvvWiSVuKoWvy6UyXlOGFFa8i971/Oh6WHcVXdY:ahv+yQJJv+j7vCWaX7I8JK
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "0xffffffff"
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
-
Disables RegEdit via registry modification (2 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Set value (int) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"
-
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification (1 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"
-
Drops file in Drivers directory (6 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- File created C:\Windows\SysWOW64\drivers\zybgd.sys
- File opened for modification C:\Windows\SysWOW64\drivers\mouclass.sys
- File opened for modification C:\Windows\SysWOW64\drivers\gpuenergydrv.sys
- File opened for modification C:\Windows\SysWOW64\drivers\mouhid.sys
- File opened for modification C:\Windows\SysWOW64\drivers\kbdhid.sys
- File opened for modification C:\Windows\SysWOW64\drivers\kbdclass.sys
-
Sets file execution options in registry (2 TTPs, 30 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
All keys below are relative to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
- Key created winlogon.exe
- Set value (str) mmc.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Set value (str) explorer.exe\
- Set value (str) explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Set value (str) logonui.exe\
- Set value (str) notepad.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Key created mmc.exe
- Key created taskmgr.exe
- Key created userinit.exe
- Set value (str) winload.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Key created regedit.exe
- Set value (str) winlogon.exe\
- Set value (str) mmc.exe\
- Set value (str) userinit.exe\
- Set value (str) cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Key created notepad.exe
- Set value (str) taskmgr.exe\
- Set value (str) logonui.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Set value (str) winload.exe\
- Set value (str) cmd.exe\
- Set value (str) regedit.exe\
- Set value (str) userinit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Key created cmd.exe
- Set value (str) regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Key created explorer.exe
- Key created logonui.exe
- Set value (str) winlogon.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Key created winload.exe
- Set value (str) notepad.exe\
- Set value (str) taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
-
Sets service image path in registry (2 TTPs, 1 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FileDriver.sys\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\FileDriver.sys"
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation
-
Loads dropped DLL (1 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- pid 4944
-
Modifies system executable filetype association (2 TTPs, 2 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
-
Processes:
YARA rule "themida" matched in the following memory resources (all from behavioral2, pid 4944, region 0x0000000000400000-0x00000000025A9000):
- behavioral2/memory/4944-133-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-134-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-135-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-136-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-137-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-138-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-166-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-181-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-182-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-184-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-185-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-186-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-187-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-188-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-189-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-190-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-191-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-192-0x0000000000400000-0x00000000025A9000-memory.dmp
- behavioral2/memory/4944-193-0x0000000000400000-0x00000000025A9000-memory.dmp
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BeiGuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
-
Checks whether UAC is enabled
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
-
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- File opened for modification \??\PhysicalDrive0
-
Drops file in System32 directory (5 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- File created C:\Windows\SysWOW64\dead.bat
- File created C:\Windows\SysWOW64\oobe\info\backgrounds\backgroundDefault.jpg
- File opened for modification C:\Windows\SysWOW64\Recovery\
- File opened for modification C:\Windows\SysWOW64\mmc.exe
- File opened for modification C:\Windows\SysWOW64\
-
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- pid 4944
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill (1 IoCs)
Process: taskkill.exe
- pid 4144
-
Modifies registry class (29 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "jpegfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.src\ = "jpegfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.msi\ = "jpegfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dll\ = "jpegfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "pngfile"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.inf\ = "mp3file"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "jpegfile"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rtf\ = "jpegfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.log\ = "jpegfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ini\ = "jpegfile"
- Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.html\ = "jpegfile"
- Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.htm\ = "jpegfile"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "jpegfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "jpegfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sys\ = "jpegfile"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "jpegfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.msc\ = "jpegfile"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.src
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\inffile
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\regfile
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bingdu\\?????_TMDprotected from thrretbook.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "jpegfile"
-
Runs net.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- pid 4944
-
Suspicious behavior: LoadsDriver (4 IoCs)
Processes:
- pid 652 (process name blank in the report), recorded 4 times
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: AUDIODG.EXE, taskkill.exe
- Token: 33 | pid 464 | AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege | pid 464 | AUDIODG.EXE
- Token: SeDebugPrivilege | pid 4144 | taskkill.exe
-
Suspicious use of SetWindowsHookEx (64 IoCs)
Process: 爱比较抬棺_TMDprotected from thrretbook.exe
- pid 4944 (all 64 hits are this same pid and process)
-
Suspicious use of WriteProcessMemory (27 IoCs)
Processes: 爱比较抬棺_TMDprotected from thrretbook.exe, cmd.exe, net.exe, net.exe, net.exe
Each row below is recorded three times in the report (9 distinct writes, 27 IoCs):
- PID 4944 wrote to memory of 4212 | 爱比较抬棺_TMDprotected from thrretbook.exe -> cmd.exe
- PID 4212 wrote to memory of 2084 | cmd.exe -> cacls.exe
- PID 4944 wrote to memory of 1916 | 爱比较抬棺_TMDprotected from thrretbook.exe -> net.exe
- PID 4944 wrote to memory of 4536 | 爱比较抬棺_TMDprotected from thrretbook.exe -> net.exe
- PID 4944 wrote to memory of 4348 | 爱比较抬棺_TMDprotected from thrretbook.exe -> net.exe
- PID 4944 wrote to memory of 4144 | 爱比较抬棺_TMDprotected from thrretbook.exe -> taskkill.exe
- PID 1916 wrote to memory of 1372 | net.exe -> net1.exe
- PID 4348 wrote to memory of 1732 | net.exe -> net1.exe
- PID 4536 wrote to memory of 4300 | net.exe -> net1.exe
Processes
Indentation shows the parent/child relationship of the process tree.
- C:\Users\Admin\AppData\Local\Temp\bingdu\爱比较抬棺_TMDprotected from thrretbook.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bingdu\爱比较抬棺_TMDprotected from thrretbook.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Sets service image path in registry
  - Checks BIOS information in registry
  - Checks computer location settings
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\dead.bat" "
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cacls.exe
      Command line: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /f /im explorer.exe
    Signatures:
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\net.exe
    Command line: net localgroup administrator User is locked /add
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 localgroup administrator User is locked /add
  - C:\Windows\SysWOW64\net.exe
    Command line: net user User is locked locked /add
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 user User is locked locked /add
  - C:\Windows\SysWOW64\net.exe
    Command line: net user Administrator locked
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 user Administrator locked
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4a4 0x420
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
Downloads
- C:\Users\Admin\AppData\Local\Temp\bingdu\1.mp4
  Filesize: 1.0MB
  MD5: 890b16ca3279ef45465a0b562947b76d
  SHA1: 168c0541f03c97af6bcf909f80cd8d2b3e42b4b9
  SHA256: b285ea52d9650084f18469a3c7c292ea2fdd0cd46143719f092a434967954c5c
  SHA512: 6b3f6601d55db6dc05a400cccb9c5ebebc0c03cf04744b3beae3e525a214b95c4443dc5525c27aa8c1e3787f23c13268e4e8cbcfd95281edc0cdbe07d7ab316b
- C:\Users\Admin\AppData\Local\Temp\bingdu\WinIo32.dll
  Filesize: 48KB
  MD5: 92cd248684fdd7704f4e2ac6f9f719f7
  SHA1: 4648dc4db472f89071ba104de2e785d791bb04d9
  SHA256: 0ef0ed91aa7c95a9589b552b4ca4773ab03232a75cbbef4451e409c002538958
  SHA512: 1cf9e18fdf002046c8c1d0dda77874829c8dd65ebaca698570fc98d47565dfb54b29bac6a27557a4a1cd4f181c8cfa331f18f980d6ade0b92f8608867a1f8f04
- C:\Users\Admin\AppData\Local\Temp\bingdu\amp1
  Filesize: 45B
  MD5: 789b92cf7ab3c0c416215a4432b708ad
  SHA1: 731c68459386b0274ddbe79d881ceec58c4206be
  SHA256: 8b7797d2630384c33fc034588eb6fd514a40c74cbfc5b83d83e0cdd7631cca7d
  SHA512: a2253186cb64a07dcde42d34152dda1f5054eae6495c01558bfa6470a556966cd6fc5e7f1873891563b9f8d6303d9a9bfc53e0d4d25a917b5a17742fe9e7c093
- C:\Users\Admin\AppData\Local\Temp\getadmin.vbs
  Filesize: 116B
  MD5: fcd771586cbdd090dbfb8ea2dbd6db3e
  SHA1: 36936229aa2bd6ffc3147a6e5fc1eca92f5fc129
  SHA256: bbb1e16b5329bd29698b9ec131390cf36ac4303e629d9818e5b3f529b6531938
  SHA512: f7505cd247712b7032cb22576cebe4dc12ad1c3af682d45ebec4bc2882460db2250617ee3a227ed51fad9187a6f498eca3bbe1dfa878a28842f81d404e5ee34a
- C:\Windows\SysWOW64\dead.bat
  Filesize: 845B
  MD5: 27e6650cad8a0237ff689dbe13aeb782
  SHA1: 945c85a4c471a37e499778206c894bc3ab8f0107
  SHA256: 1ef5a6326c53a33a6cc715e9cba70be1f645ad2d0e712969ef3cd2ce5a058dcf
  SHA512: ebefba8979dc9bcfb24ac2814e234d4e7bf3061a1f1c89a61e4f79ef919f100384f7c3d3aeca3b27cfed10852e421e43a7e46961945b292df70ff3e4f79fefe9
Memory dumps (each 33.7MB, pid 4944, region 0x0000000000400000-0x00000000025A9000):
- memory/4944-182-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-184-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-134-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-136-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-166-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-138-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-133-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-181-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-137-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-135-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-185-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-186-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-187-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-188-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-189-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-190-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-191-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-192-0x0000000000400000-0x00000000025A9000-memory.dmp
- memory/4944-193-0x0000000000400000-0x00000000025A9000-memory.dmp