Overview

overview

8

Static

static

3

修炼爱�...3).exe

windows7-x64

8

修炼爱�...3).exe

windows10-2004-x64

8

Analysis

  • max time kernel
    156s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/07/2023, 17:09

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    修炼爱情@3242(20230703).exe

  • Size

    7.4MB

  • MD5

    b021f92833fbdca828de039b66714b73

  • SHA1

    65250efa5df8a8d918e2180b8601902b30137546

  • SHA256

    18e98ce9e4c78cc015ccb5da278ae07e0a61c9f6306b6b1d0d405c7d6fec5e3f

  • SHA512

    83f22b9819f27a79932d392ff4002ad4840340b1dfe17456adc989793e37895298c4f839ae9bc91d0cb93ec427c7714f8fe4891ff2f93f73c8d0a2de14af14d7

  • SSDEEP

    98304:IRJLoezZMrR5raOZ7LuOY1j/J4aXa1NB6kN2J344OiZrq1DfPHNADtV6v+8:arwrWOYd/yaYT6kAI4O7NADtV6v+8

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\修炼爱情@3242(20230703).exe
    "C:\Users\Admin\AppData\Local\Temp\修炼爱情@3242(20230703).exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Public\zd.exe
      "C:\Users\Public\zd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4952
    • C:\Users\Public\md.exe
      "C:\Users\Public\md.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4572

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6V1Y4KVO\3242[1].jpg
          Filesize

          2KB

          MD5

          1dbf0ef2693e5f526ba67901ca4ddb57

          SHA1

          83c043da6f34b84914c43d1ff9437c0b67c1e919

          SHA256

          55662d88fdbe36dbae824a50ac377e31133f227cae86c2239f0bf0a5bb147563

          SHA512

          fb54436707a6a452f5a2e99d0b0c64520359f4d62ac29e2b2bfb4aca0d9befe9181c70e1f4f8f9a669ee3dd105a49073e1f7fa2d21ea5385a2e9e98963d757e0

          Download Submit

        • C:\Users\Public\md.exe
          Filesize

          5.6MB

          MD5

          6de8c16361f599f7c384d33c08e74375

          SHA1

          8985e0a025426a1ebd39f79099c243385cae5f5f

          SHA256

          578fda41f49abf9bcfa713d55e02ec71996ef291c9c3a0bf9344862c1e85acf3

          SHA512

          98f10e98bc9ccdbc072a426e8feaf2f4be727df0e99132a1f8bc0e2a8fc596844f5ea3994d9d22aa3f232bbdf4e1be5418e484caf60f2d7fe9fbd00012f05a2c

          Download Submit

        • C:\Users\Public\md.exe
          Filesize

          5.6MB

          MD5

          6de8c16361f599f7c384d33c08e74375

          SHA1

          8985e0a025426a1ebd39f79099c243385cae5f5f

          SHA256

          578fda41f49abf9bcfa713d55e02ec71996ef291c9c3a0bf9344862c1e85acf3

          SHA512

          98f10e98bc9ccdbc072a426e8feaf2f4be727df0e99132a1f8bc0e2a8fc596844f5ea3994d9d22aa3f232bbdf4e1be5418e484caf60f2d7fe9fbd00012f05a2c

          Download Submit

        • C:\Users\Public\md.exe
          Filesize

          5.6MB

          MD5

          6de8c16361f599f7c384d33c08e74375

          SHA1

          8985e0a025426a1ebd39f79099c243385cae5f5f

          SHA256

          578fda41f49abf9bcfa713d55e02ec71996ef291c9c3a0bf9344862c1e85acf3

          SHA512

          98f10e98bc9ccdbc072a426e8feaf2f4be727df0e99132a1f8bc0e2a8fc596844f5ea3994d9d22aa3f232bbdf4e1be5418e484caf60f2d7fe9fbd00012f05a2c

          Download Submit

        • C:\Users\Public\md.jpg
          Filesize

          2KB

          MD5

          1dbf0ef2693e5f526ba67901ca4ddb57

          SHA1

          83c043da6f34b84914c43d1ff9437c0b67c1e919

          SHA256

          55662d88fdbe36dbae824a50ac377e31133f227cae86c2239f0bf0a5bb147563

          SHA512

          fb54436707a6a452f5a2e99d0b0c64520359f4d62ac29e2b2bfb4aca0d9befe9181c70e1f4f8f9a669ee3dd105a49073e1f7fa2d21ea5385a2e9e98963d757e0

          Download Submit

        • C:\Users\Public\zd.exe
          Filesize

          4.3MB

          MD5

          1221d5b0b59fdd3746f0cdf8b2ff922d

          SHA1

          a2ebb8c1cfe08ecf850234bfd084f020cf90b69b

          SHA256

          2eddf8f298fba10de9a20b175f2eefe3a613c715f7b69ac4deab87df72d2b15d

          SHA512

          e555b3432e416b83cc456444293f7b6e673e13768bbde390bc8fc4d666a718137dc57848aaaa94b7b5a52a5682d30ec52ffcddb876b022a72a3a1feca1255734

          Download Submit

        • C:\Users\Public\zd.exe
          Filesize

          4.3MB

          MD5

          1221d5b0b59fdd3746f0cdf8b2ff922d

          SHA1

          a2ebb8c1cfe08ecf850234bfd084f020cf90b69b

          SHA256

          2eddf8f298fba10de9a20b175f2eefe3a613c715f7b69ac4deab87df72d2b15d

          SHA512

          e555b3432e416b83cc456444293f7b6e673e13768bbde390bc8fc4d666a718137dc57848aaaa94b7b5a52a5682d30ec52ffcddb876b022a72a3a1feca1255734

          Download Submit

        • C:\Users\Public\zd.exe
          Filesize

          4.3MB

          MD5

          1221d5b0b59fdd3746f0cdf8b2ff922d

          SHA1

          a2ebb8c1cfe08ecf850234bfd084f020cf90b69b

          SHA256

          2eddf8f298fba10de9a20b175f2eefe3a613c715f7b69ac4deab87df72d2b15d

          SHA512

          e555b3432e416b83cc456444293f7b6e673e13768bbde390bc8fc4d666a718137dc57848aaaa94b7b5a52a5682d30ec52ffcddb876b022a72a3a1feca1255734

          Download Submit

        • C:\Users\Public\zd.jpg
          Filesize

          2KB

          MD5

          7c4e2ed20f9be4b00c984507aa92dd16

          SHA1

          dae599890a22dc8dd2630bf151de2384db301d14

          SHA256

          faaef69cfcfe3ab80e39ad77dc9f48bbc1c526f1f8d0c410ec22590ad038e4d6

          SHA512

          ca936149987c8bbed744c71388792e5745d4de47763206abb4a70069567ed397d09ff817411fe12370953772806b7592cc82665c5fb6997c7d8e617fccef8fbb

          Download Submit

        • memory/1200-167-0x0000000180000000-0x000000018034E000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1200-168-0x0000000180000000-0x000000018034E000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1200-170-0x0000000180000000-0x000000018034E000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1200-171-0x0000000180000000-0x000000018034E000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1200-162-0x0000000180000000-0x000000018034E000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1200-143-0x0000000180000000-0x000000018034E000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1200-161-0x0000000180000000-0x000000018034E000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1200-152-0x0000000180000000-0x000000018034E000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1200-151-0x00000248AE100000-0x00000248AE449000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1200-150-0x0000000180000000-0x000000018034E000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4572-196-0x00007FF63FE40000-0x00007FF640B13000-memory.dmp

          Filesize

          12.8MB

          Download

        • memory/4572-209-0x0000000004A10000-0x0000000004A76000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4572-199-0x00007FFA75C10000-0x00007FFA75C11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4572-194-0x00007FF63FE40000-0x00007FF640B13000-memory.dmp

          Filesize

          12.8MB

          Download

        • memory/4572-201-0x0000000004920000-0x0000000004921000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4572-202-0x0000000004A10000-0x0000000004A76000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4572-203-0x0000000004A10000-0x0000000004A76000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4572-205-0x0000000004950000-0x00000000049D1000-memory.dmp

          Filesize

          516KB

          Download

        • memory/4572-204-0x0000000004A10000-0x0000000004A76000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4572-207-0x0000000004A10000-0x0000000004A76000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4572-208-0x0000000004A10000-0x0000000004A76000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4572-222-0x00000000051E0000-0x0000000005222000-memory.dmp

          Filesize

          264KB

          Download

        • memory/4572-210-0x00000000051E0000-0x0000000005222000-memory.dmp

          Filesize

          264KB

          Download

        • memory/4572-211-0x00000000049E0000-0x0000000004A07000-memory.dmp

          Filesize

          156KB

          Download

        • memory/4572-212-0x0000000004E70000-0x0000000004EAB000-memory.dmp

          Filesize

          236KB

          Download

        • memory/4572-213-0x00000000051E0000-0x0000000005222000-memory.dmp

          Filesize

          264KB

          Download

        • memory/4572-214-0x00000000051E0000-0x0000000005222000-memory.dmp

          Filesize

          264KB

          Download

        • memory/4572-215-0x00000000051E0000-0x0000000005222000-memory.dmp

          Filesize

          264KB

          Download

        • memory/4572-216-0x00000000051E0000-0x0000000005222000-memory.dmp

          Filesize

          264KB

          Download

        • memory/4572-217-0x00007FF63FE40000-0x00007FF640B13000-memory.dmp

          Filesize

          12.8MB

          Download

        • memory/4572-218-0x0000000004A10000-0x0000000004A76000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4952-195-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

          Filesize

          4KB

          Download