Analysis

  • max time kernel
    72s
  • max time network
    76s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-06-2023 12:29

General

  • Target

    injector.exe

  • Size

    895KB

  • MD5

    625cccce906ba1efeb397aa4cfb29fb1

  • SHA1

    63428046620eb25022f0dd049a9c425ae6aaad0c

  • SHA256

    c6d4ca13c529a0b7a808f46c35543d63518f8edf27e308fecbf142057437076c

  • SHA512

    89e0c78b1c68725496ad88b2f2bd4387dd2a9246c689702669ea32072494333553271db05958e534f8001c50eb58f9d81d1a5262b1023bb4caf156c834fbad9a

  • SSDEEP

    12288:qDdBrBoEvs6TnSEl1yt6zzng0Lw5sK9k5gfwhbAwJSPFHPx3Z9HZCDQM:0PdoGtRnK9k5gfwhbXJSPFvhZ95CDN

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

    A process was created with an explicitly chosen parent other than the caller (parent-PID spoofing, typically via the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute). This signature is carried by injector.exe, and consistent with it the GenshinImpact.exe instances in the process tree are attributed to Explorer.EXE rather than to injector.exe.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

    The OEM ID of the firmware's ACPI tables is exposed as subkey names under HKLM\HARDWARE\ACPI (DSDT, FADT, RSDT); on VirtualBox it reads VBOX__.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments, typically SystemBiosVersion and VideoBiosVersion under HKLM\HARDWARE\DESCRIPTION\System, which carry the virtualisation vendor's string on a stock VM.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system. Themida's protection layer performs its own anti-VM and anti-debug checks, so the anti-analysis signatures here may originate from the protector rather than from the protected code.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

    NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from delivering debug events to an attached debugger, a common anti-debugging measure.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs

    Two WerFault crash reports were recorded: one for GenshinImpact.exe (PID 3300), the process that carries the anti-VM and anti-debug signatures, and one for PID 4820, which does not appear in the captured tree. The run may therefore not reflect the sample's full behaviour on real hardware.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
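The two anti-VM signatures above name the registry locations a sample reads to recognise VirtualBox. The following is an added example, not code from the report or from the sample: it scores a snapshot of those locations (the ACPI table OEM IDs under HKLM\HARDWARE\ACPI and the BIOS strings under HKLM\HARDWARE\DESCRIPTION\System) so a sandbox image can be checked for the same markers before a sample is run. The snapshot layout, the function names and the two sample snapshots are assumptions for illustration, and the vendor marker table generalises beyond VirtualBox to VMware and QEMU, which the report does not mention.

```python
"""Evaluate the registry locations that VM/sandbox fingerprinting reads.

Added example (assumed layout and names); not part of the sandbox report.
"""
import sys
from typing import Dict, List, Tuple

# Subkeys under HKLM\HARDWARE\ACPI whose children are named after the ACPI
# table OEM ID (VBOX__ on VirtualBox).
ACPI_TABLES = ("DSDT", "FADT", "RSDT")
BIOS_KEY = r"HARDWARE\DESCRIPTION\System"
BIOS_VALUES = ("SystemBiosVersion", "VideoBiosVersion", "SystemBiosDate")

# Vendor markers as they appear in stock VM firmware. VirtualBox is what the
# report's signature names; VMware and QEMU are added as a generalisation.
VENDOR_MARKERS = {
    "VirtualBox": ("VBOX", "VIRTUALBOX", "INNOTEK"),
    "VMware": ("VMWARE",),
    "QEMU/KVM": ("QEMU", "BOCHS"),
}

# Constructed snapshots (assumed values, not taken from the report).
VIRTUALBOX_SNAPSHOT = {
    "acpi_oem_ids": {"DSDT": ["VBOX__"], "FADT": ["VBOX__"], "RSDT": ["VBOX__"]},
    "bios": {"SystemBiosVersion": ["VBOX   - 1"],
             "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.0 VGA BIOS"]},
}
CLEAN_SNAPSHOT = {
    "acpi_oem_ids": {"DSDT": ["ALASKA"], "FADT": ["ALASKA"], "RSDT": ["ALASKA"]},
    "bios": {"SystemBiosVersion": ["ALASKA - 1072009"],
             "VideoBiosVersion": ["Intel Video BIOS"]},
}


def vm_indicators(snapshot: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Return (registry location, offending value, vendor) for every marker
    found. An empty list means the snapshot shows none of the known strings,
    not that the machine is physical: a hardened VM image can still be
    fingerprinted through other channels (CPUID, MAC OUI, device names)."""
    hits: List[Tuple[str, str, str]] = []

    def scan(location: str, text: str) -> None:
        upper = text.upper()
        for vendor, markers in VENDOR_MARKERS.items():
            if any(m in upper for m in markers):
                hits.append((location, text, vendor))

    for table, oem_ids in snapshot.get("acpi_oem_ids", {}).items():
        for oem in oem_ids:
            scan(f"HKLM\\HARDWARE\\ACPI\\{table}\\{oem}", oem)
    for name, values in snapshot.get("bios", {}).items():
        values = values if isinstance(values, list) else [values]
        for v in values:  # REG_MULTI_SZ values arrive as lists
            scan(f"HKLM\\{BIOS_KEY}\\{name}", str(v))
    return hits


def live_snapshot() -> Dict[str, dict]:
    """Windows only: build the same snapshot from the running system."""
    if sys.platform != "win32":
        raise RuntimeError("registry snapshot requires Windows")
    import winreg
    snap: Dict[str, dict] = {"acpi_oem_ids": {}, "bios": {}}
    for table in ACPI_TABLES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, rf"HARDWARE\ACPI\{table}") as k:
                names, i = [], 0
                while True:
                    try:
                        names.append(winreg.EnumKey(k, i))
                        i += 1
                    except OSError:
                        break
                snap["acpi_oem_ids"][table] = names
        except OSError:
            pass  # table key absent on this firmware
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BIOS_KEY) as k:
        for name in BIOS_VALUES:
            try:
                value, _ = winreg.QueryValueEx(k, name)
                snap["bios"][name] = value if isinstance(value, list) else [str(value)]
            except OSError:
                pass
    return snap


if __name__ == "__main__":
    snap = live_snapshot() if sys.platform == "win32" else VIRTUALBOX_SNAPSHOT
    for location, value, vendor in vm_indicators(snap):
        print(f"{vendor:<10} {location}: {value!r}")
```

Run on the sandbox VM itself (live_snapshot) to see exactly which strings a sample like this one would find; each hit is a value to rewrite in the guest's firmware or registry if the goal is to keep the sample from bailing out before it shows its behaviour.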

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3176
    • C:\Users\Admin\AppData\Local\Temp\injector.exe
      "C:\Users\Admin\AppData\Local\Temp\injector.exe"
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5048
    • C:\Users\Admin\Desktop\GenshinImpact.exe
      "C:\Users\Admin\Desktop\GenshinImpact.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3300
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 3300 -s 456
        3⤵
        • Program crash
        PID:4860
    • C:\Users\Admin\Desktop\GenshinImpact.exe
      "C:\Users\Admin\Desktop\GenshinImpact.exe"
      2⤵
      PID:1612
    • C:\Users\Admin\Desktop\GenshinImpact.exe
      "C:\Users\Admin\Desktop\GenshinImpact.exe"
      2⤵
      PID:3956
    • C:\Users\Admin\Desktop\GenshinImpact.exe
      "C:\Users\Admin\Desktop\GenshinImpact.exe"
      2⤵
      PID:2088
    • C:\Users\Admin\Desktop\GenshinImpact.exe
      "C:\Users\Admin\Desktop\GenshinImpact.exe"
      2⤵
      PID:3928
    • C:\Users\Admin\Desktop\GenshinImpact.exe
      "C:\Users\Admin\Desktop\GenshinImpact.exe"
      2⤵
      PID:2108
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 476 -p 4820 -ip 4820
    1⤵
    PID:4516
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4820 -s 1752
    1⤵
    • Program crash
    PID:3480
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:996
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 488 -p 3300 -ip 3300
    1⤵
    PID:4576
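The tree above keys on the parent recorded in each process object, which is exactly the field that NtCreateUserProcessOtherParentProcess lets a caller choose, so the GenshinImpact.exe instances show under Explorer.EXE. The following is an added example, not code from the report or the sample: it assumes telemetry that records, for each process creation, both the reported parent (as Sysmon Event ID 1 shows it) and the PID that actually issued the creation call (as a kernel callback or ETW provider records it), flags the mismatches, and rebuilds the real lineage. The dataclass, function names and allowlist are assumptions for illustration; the PIDs and paths in the sample mirror the report's tree, but the creator column is assumed, since the report does not record it.

```python
"""Flag parent-PID spoofing and rebuild the real process lineage.

Added example (assumed record layout and names); not part of the sandbox report.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    image: str
    reported_parent: int  # parent stored in the process object (spoofable)
    creator_pid: int      # PID that called NtCreateUserProcess (not spoofable)


# Constructed sample. PIDs and image paths mirror the report's tree; the
# creator_pid column is assumed. Explorer's own parent was not captured, so 0
# stands in for it.
SAMPLE_EVENTS = [
    ProcessCreate(3176, r"C:\Windows\Explorer.EXE", 0, 0),
    ProcessCreate(5048, r"C:\Users\Admin\AppData\Local\Temp\injector.exe", 3176, 3176),
    ProcessCreate(3300, r"C:\Users\Admin\Desktop\GenshinImpact.exe", 3176, 5048),
    ProcessCreate(1612, r"C:\Users\Admin\Desktop\GenshinImpact.exe", 3176, 5048),
    ProcessCreate(4860, r"C:\Windows\system32\WerFault.exe", 3300, 3300),
    ProcessCreate(996, r"C:\Windows\System32\rundll32.exe", 3176, 3176),
]

# Creators that legitimately re-parent new processes, e.g. the AppInfo service
# (hosted in svchost.exe) re-parents UAC-elevated processes to the requester.
# Assumed allowlist; tune it to the environment.
BENIGN_CREATORS = {"svchost.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_ppid_spoofing(events: Iterable[ProcessCreate],
                       benign_creators=BENIGN_CREATORS) -> List[ProcessCreate]:
    """Return events whose recorded parent differs from the actual creator,
    excluding creators on the allowlist. Treat hits as hunting leads: a match
    shows who really spawned the process, not by itself that it is malicious."""
    events = list(events)
    image_of = {e.pid: e.image for e in events}
    hits = []
    for e in events:
        if e.reported_parent == e.creator_pid:
            continue
        if basename(image_of.get(e.creator_pid, "")) in benign_creators:
            continue
        hits.append(e)
    return hits


def rebuild_lineage(events: Iterable[ProcessCreate]) -> Dict[int, List[int]]:
    """Map each creator PID to the PIDs it actually created, ignoring the
    spoofable parent field. This is the tree the report would have shown had
    it keyed on the creator rather than on the reported parent."""
    children: Dict[int, List[int]] = defaultdict(list)
    for e in events:
        children[e.creator_pid].append(e.pid)
    return dict(children)


def render(events: Iterable[ProcessCreate], root: int) -> str:
    """Indented listing of the real lineage under `root`."""
    events = list(events)
    image_of = {e.pid: e.image for e in events}
    tree = rebuild_lineage(events)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{pid} {image_of.get(pid, '?')}")
        for child in tree.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    for e in find_ppid_spoofing(SAMPLE_EVENTS):
        print(f"PPID spoofing: pid={e.pid} image={basename(e.image)} "
              f"reported_parent={e.reported_parent} creator={e.creator_pid}")
    print(render(SAMPLE_EVENTS, 3176))
```

On the constructed sample the two GenshinImpact.exe creations are flagged and the rebuilt tree places them under injector.exe (5048), with WerFault.exe still under the GenshinImpact.exe instance that crashed.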

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cfg.ini

    Filesize

    114B

    MD5

    4168b7fb1245a796014490e08a0056e7

    SHA1

    90e1a1fc1f8170fe6fd580dabaa82b9b11dbc9dc

    SHA256

    c6b78e44b74442294133195e786c26c015ab008952e67fbbd508d387dc575b49

    SHA512

    a93230a90fd07d8ccc718c941d4a31af17a3eefe76713b037411d3ec2c32bddb0d383e78aca6930c410418e8315e0ce16845b44a3086fb5fe5e6cd726edbdb4f

  • memory/3300-135-0x00007FFFAA3D0000-0x00007FFFACC9E000-memory.dmp

    Filesize

    40.8MB

  • memory/3300-140-0x00007FFFAA3D0000-0x00007FFFACC9E000-memory.dmp

    Filesize

    40.8MB