18e98ce9e4c78cc015ccb5da278ae07e0a61c9f6306b6b1d0d405c7d6fec5e3f

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08-07-2023 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

修炼爱情@3242(20230703).exe
Size

7.4MB
MD5

b021f92833fbdca828de039b66714b73
SHA1

65250efa5df8a8d918e2180b8601902b30137546
SHA256

18e98ce9e4c78cc015ccb5da278ae07e0a61c9f6306b6b1d0d405c7d6fec5e3f
SHA512

83f22b9819f27a79932d392ff4002ad4840340b1dfe17456adc989793e37895298c4f839ae9bc91d0cb93ec427c7714f8fe4891ff2f93f73c8d0a2de14af14d7
SSDEEP

98304:IRJLoezZMrR5raOZ7LuOY1j/J4aXa1NB6kN2J344OiZrq1DfPHNADtV6v+8:arwrWOYd/yaYT6kAI4O7NADtV6v+8

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2612	zd.exe
2840	md.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	修炼爱情@3242(20230703).exe
2824	修炼爱情@3242(20230703).exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	md.exe
File opened (read-only)	\??\Z:	md.exe
File opened (read-only)	\??\K:	md.exe
File opened (read-only)	\??\L:	md.exe
File opened (read-only)	\??\P:	md.exe
File opened (read-only)	\??\S:	md.exe
File opened (read-only)	\??\T:	md.exe
File opened (read-only)	\??\U:	md.exe
File opened (read-only)	\??\F:	md.exe
File opened (read-only)	\??\I:	md.exe
File opened (read-only)	\??\J:	md.exe
File opened (read-only)	\??\M:	md.exe
File opened (read-only)	\??\N:	md.exe
File opened (read-only)	\??\V:	md.exe
File opened (read-only)	\??\X:	md.exe
File opened (read-only)	\??\Y:	md.exe
File opened (read-only)	\??\B:	md.exe
File opened (read-only)	\??\E:	md.exe
File opened (read-only)	\??\G:	md.exe
File opened (read-only)	\??\H:	md.exe
File opened (read-only)	\??\O:	md.exe
File opened (read-only)	\??\R:	md.exe
File opened (read-only)	\??\Q:	md.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	修炼爱情@3242(20230703).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	修炼爱情@3242(20230703).exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe
2840	md.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2824	修炼爱情@3242(20230703).exe
2824	修炼爱情@3242(20230703).exe
2612	zd.exe
2612	zd.exe
2840	md.exe
2840	md.exe
2840	md.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2612	2824	修炼爱情@3242(20230703).exe	28
PID 2824 wrote to memory of 2612	2824	修炼爱情@3242(20230703).exe	28
PID 2824 wrote to memory of 2612	2824	修炼爱情@3242(20230703).exe	28
PID 2824 wrote to memory of 2840	2824	修炼爱情@3242(20230703).exe	29
PID 2824 wrote to memory of 2840	2824	修炼爱情@3242(20230703).exe	29
PID 2824 wrote to memory of 2840	2824	修炼爱情@3242(20230703).exe	29

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\修炼爱情@3242(20230703).exe
"C:\Users\Admin\AppData\Local\Temp\修炼爱情@3242(20230703).exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Public\zd.exe
  "C:\Users\Public\zd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2612
- C:\Users\Public\md.exe
  "C:\Users\Public\md.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\md.jpg

Filesize
2KB

MD5
1dbf0ef2693e5f526ba67901ca4ddb57

SHA1
83c043da6f34b84914c43d1ff9437c0b67c1e919

SHA256
55662d88fdbe36dbae824a50ac377e31133f227cae86c2239f0bf0a5bb147563

SHA512
fb54436707a6a452f5a2e99d0b0c64520359f4d62ac29e2b2bfb4aca0d9befe9181c70e1f4f8f9a669ee3dd105a49073e1f7fa2d21ea5385a2e9e98963d757e0

Download Submit
C:\Users\Public\md.exe

Filesize
5.6MB

MD5
6de8c16361f599f7c384d33c08e74375

SHA1
8985e0a025426a1ebd39f79099c243385cae5f5f

SHA256
578fda41f49abf9bcfa713d55e02ec71996ef291c9c3a0bf9344862c1e85acf3

SHA512
98f10e98bc9ccdbc072a426e8feaf2f4be727df0e99132a1f8bc0e2a8fc596844f5ea3994d9d22aa3f232bbdf4e1be5418e484caf60f2d7fe9fbd00012f05a2c

Download Submit
C:\Users\Public\md.exe

Filesize
5.6MB

MD5
6de8c16361f599f7c384d33c08e74375

SHA1
8985e0a025426a1ebd39f79099c243385cae5f5f

SHA256
578fda41f49abf9bcfa713d55e02ec71996ef291c9c3a0bf9344862c1e85acf3

SHA512
98f10e98bc9ccdbc072a426e8feaf2f4be727df0e99132a1f8bc0e2a8fc596844f5ea3994d9d22aa3f232bbdf4e1be5418e484caf60f2d7fe9fbd00012f05a2c

Download Submit
C:\Users\Public\md.jpg

Filesize
2KB

MD5
1dbf0ef2693e5f526ba67901ca4ddb57

SHA1
83c043da6f34b84914c43d1ff9437c0b67c1e919

SHA256
55662d88fdbe36dbae824a50ac377e31133f227cae86c2239f0bf0a5bb147563

SHA512
fb54436707a6a452f5a2e99d0b0c64520359f4d62ac29e2b2bfb4aca0d9befe9181c70e1f4f8f9a669ee3dd105a49073e1f7fa2d21ea5385a2e9e98963d757e0

Download Submit
C:\Users\Public\zd.exe

Filesize
4.3MB

MD5
1221d5b0b59fdd3746f0cdf8b2ff922d

SHA1
a2ebb8c1cfe08ecf850234bfd084f020cf90b69b

SHA256
2eddf8f298fba10de9a20b175f2eefe3a613c715f7b69ac4deab87df72d2b15d

SHA512
e555b3432e416b83cc456444293f7b6e673e13768bbde390bc8fc4d666a718137dc57848aaaa94b7b5a52a5682d30ec52ffcddb876b022a72a3a1feca1255734

Download Submit
C:\Users\Public\zd.exe

Filesize
4.3MB

MD5
1221d5b0b59fdd3746f0cdf8b2ff922d

SHA1
a2ebb8c1cfe08ecf850234bfd084f020cf90b69b

SHA256
2eddf8f298fba10de9a20b175f2eefe3a613c715f7b69ac4deab87df72d2b15d

SHA512
e555b3432e416b83cc456444293f7b6e673e13768bbde390bc8fc4d666a718137dc57848aaaa94b7b5a52a5682d30ec52ffcddb876b022a72a3a1feca1255734

Download Submit
C:\Users\Public\zd.jpg

Filesize
2KB

MD5
7c4e2ed20f9be4b00c984507aa92dd16

SHA1
dae599890a22dc8dd2630bf151de2384db301d14

SHA256
faaef69cfcfe3ab80e39ad77dc9f48bbc1c526f1f8d0c410ec22590ad038e4d6

SHA512
ca936149987c8bbed744c71388792e5745d4de47763206abb4a70069567ed397d09ff817411fe12370953772806b7592cc82665c5fb6997c7d8e617fccef8fbb

Download Submit
\Users\Public\md.exe

Filesize
5.6MB

MD5
6de8c16361f599f7c384d33c08e74375

SHA1
8985e0a025426a1ebd39f79099c243385cae5f5f

SHA256
578fda41f49abf9bcfa713d55e02ec71996ef291c9c3a0bf9344862c1e85acf3

SHA512
98f10e98bc9ccdbc072a426e8feaf2f4be727df0e99132a1f8bc0e2a8fc596844f5ea3994d9d22aa3f232bbdf4e1be5418e484caf60f2d7fe9fbd00012f05a2c

Download Submit
\Users\Public\zd.exe

Filesize
4.3MB

MD5
1221d5b0b59fdd3746f0cdf8b2ff922d

SHA1
a2ebb8c1cfe08ecf850234bfd084f020cf90b69b

SHA256
2eddf8f298fba10de9a20b175f2eefe3a613c715f7b69ac4deab87df72d2b15d

SHA512
e555b3432e416b83cc456444293f7b6e673e13768bbde390bc8fc4d666a718137dc57848aaaa94b7b5a52a5682d30ec52ffcddb876b022a72a3a1feca1255734

Download Submit
memory/2612-122-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/2824-76-0x0000000004A30000-0x0000000004D79000-memory.dmp

Filesize
3.3MB

Download
memory/2824-93-0x0000000180000000-0x000000018034E000-memory.dmp

Filesize
3.3MB

Download
memory/2824-92-0x0000000180000000-0x000000018034E000-memory.dmp

Filesize
3.3MB

Download
memory/2824-87-0x0000000180000000-0x000000018034E000-memory.dmp

Filesize
3.3MB

Download
memory/2824-75-0x0000000180000000-0x000000018034E000-memory.dmp

Filesize
3.3MB

Download
memory/2824-68-0x0000000180000000-0x000000018034E000-memory.dmp

Filesize
3.3MB

Download
memory/2824-86-0x0000000180000000-0x000000018034E000-memory.dmp

Filesize
3.3MB

Download
memory/2824-108-0x0000000004F60000-0x0000000005C33000-memory.dmp

Filesize
12.8MB

Download
memory/2824-96-0x0000000180000000-0x000000018034E000-memory.dmp

Filesize
3.3MB

Download
memory/2824-77-0x0000000180000000-0x000000018034E000-memory.dmp

Filesize
3.3MB

Download
memory/2824-95-0x0000000180000000-0x000000018034E000-memory.dmp

Filesize
3.3MB

Download
memory/2840-115-0x000007FEFD830000-0x000007FEFD831000-memory.dmp

Filesize
4KB

Download
memory/2840-128-0x0000000001FC0000-0x0000000002026000-memory.dmp

Filesize
408KB

Download
memory/2840-114-0x0000000077B10000-0x0000000077B11000-memory.dmp

Filesize
4KB

Download
memory/2840-112-0x0000000077B10000-0x0000000077B11000-memory.dmp

Filesize
4KB

Download
memory/2840-116-0x000007FEFD830000-0x000007FEFD831000-memory.dmp

Filesize
4KB

Download
memory/2840-117-0x000007FEFD830000-0x000007FEFD831000-memory.dmp

Filesize
4KB

Download
memory/2840-118-0x000007FEFD830000-0x000007FEFD831000-memory.dmp

Filesize
4KB

Download
memory/2840-110-0x0000000077B10000-0x0000000077B11000-memory.dmp

Filesize
4KB

Download
memory/2840-123-0x0000000077B10000-0x0000000077B11000-memory.dmp

Filesize
4KB

Download
memory/2840-111-0x000000013F760000-0x0000000140433000-memory.dmp

Filesize
12.8MB

Download
memory/2840-125-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/2840-127-0x0000000001FC0000-0x0000000002026000-memory.dmp

Filesize
408KB

Download
memory/2840-126-0x0000000001FC0000-0x0000000002026000-memory.dmp

Filesize
408KB

Download
memory/2840-113-0x0000000077B10000-0x0000000077B11000-memory.dmp

Filesize
4KB

Download
memory/2840-130-0x0000000002140000-0x00000000021C1000-memory.dmp

Filesize
516KB

Download
memory/2840-131-0x0000000001FC0000-0x0000000002026000-memory.dmp

Filesize
408KB

Download
memory/2840-132-0x0000000001FC0000-0x0000000002026000-memory.dmp

Filesize
408KB

Download
memory/2840-133-0x0000000001FC0000-0x0000000002026000-memory.dmp

Filesize
408KB

Download
memory/2840-134-0x0000000003130000-0x0000000003172000-memory.dmp

Filesize
264KB

Download
memory/2840-135-0x00000000030F0000-0x000000000312B000-memory.dmp

Filesize
236KB

Download
memory/2840-136-0x0000000003130000-0x0000000003172000-memory.dmp

Filesize
264KB

Download
memory/2840-137-0x0000000003130000-0x0000000003172000-memory.dmp

Filesize
264KB

Download
memory/2840-138-0x0000000003130000-0x0000000003172000-memory.dmp

Filesize
264KB

Download
memory/2840-139-0x0000000003130000-0x0000000003172000-memory.dmp

Filesize
264KB

Download
memory/2840-140-0x0000000001FC0000-0x0000000002026000-memory.dmp

Filesize
408KB

Download
memory/2840-141-0x0000000001FC0000-0x0000000002026000-memory.dmp

Filesize
408KB

Download
memory/2840-142-0x000000013F760000-0x0000000140433000-memory.dmp

Filesize
12.8MB

Download
memory/2840-144-0x0000000003130000-0x0000000003172000-memory.dmp

Filesize
264KB

Download