40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca

General

Target

40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe
Size

11.7MB
MD5

f55b732994f3d3ed802b9d324475ac22
SHA1

f048a6c0f7827efcd4978bacda0b683ebcc3a7a6
SHA256

40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca
SHA512

dd7e09fdcd032b3f93a383e5f1f93789516b3db5720926719684207f6fedc54bc9ac395ec7a5f17cb2dc0461af105cb47e952aa89ae1dcd1001267f254f27433
SSDEEP

196608:AqnkQ4DCXjHvNLwHsHxHtUtJGizLmZsp7Ii9XUH2/5alJKN8sdDLseY9zIl:FtpL2sRN6SCpHZUWI9sdLsN9

Score

7^/10

aspackv2 vmprotect

Malware Config

Signatures

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x001b000000015dad-236.dat	aspack_v212_v242
behavioral1/files/0x001b000000015dad-235.dat	aspack_v212_v242
behavioral1/files/0x001b000000015dad-233.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
2644	mY5MjMcKh7bJGgu.exe
2900	新版-西瓜套（嗨）.exe

Loads dropped DLL 2 IoCs

pid	Process
2512	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe
2512	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2900-241-0x00000000023A0000-0x00000000026F8000-memory.dmp	vmprotect
behavioral1/memory/2900-244-0x00000000023A0000-0x00000000026F8000-memory.dmp	vmprotect
behavioral1/memory/2900-257-0x00000000023A0000-0x00000000026F8000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2900	新版-西瓜套（嗨）.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2512	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe
2900	新版-西瓜套（嗨）.exe
2644	mY5MjMcKh7bJGgu.exe
2644	mY5MjMcKh7bJGgu.exe
2644	mY5MjMcKh7bJGgu.exe
2644	mY5MjMcKh7bJGgu.exe
2644	mY5MjMcKh7bJGgu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2644	mY5MjMcKh7bJGgu.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2644	2512	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe	28
PID 2512 wrote to memory of 2644	2512	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe	28
PID 2512 wrote to memory of 2644	2512	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe	28
PID 2512 wrote to memory of 2644	2512	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe	28
PID 2512 wrote to memory of 2900	2512	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe	29
PID 2512 wrote to memory of 2900	2512	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe	29
PID 2512 wrote to memory of 2900	2512	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe	29
PID 2512 wrote to memory of 2900	2512	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe	29

C:\Users\Admin\AppData\Local\Temp\40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe
"C:\Users\Admin\AppData\Local\Temp\40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\ytool\mY5MjMcKh7bJGgu.exe
  "C:\Users\Admin\AppData\Local\Temp\40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe" "C:\Users\Admin\AppData\Local\Temp\40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\新版-西瓜套（嗨）.exe
  "C:\Users\Admin\AppData\Local\Temp\新版-西瓜套（嗨）.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
3KB

MD5
85574445c293cadafa1a2aa08223f5b7

SHA1
daf8d7a5eee07eb7e06349c3819bdb5b2b63d687

SHA256
ecc24c389d63dc06f88b2f7f2b6ef31d48404d0ae1133f0b4aea6ea8a0df4e07

SHA512
e48da297980af5c76b6ffb55ba52dbcc2d5e4cef6c21f72416aecd891543fa6b87bc8f0d0adb971944f99571d940c4a1014b9adf6c182c089aad8ea1dd18be47

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
5KB

MD5
97e364e6fc778b5475e4595396f0e59f

SHA1
094a6422b76a4e431579f231ed30b4ae7903c307

SHA256
0842957fdbeea1eeb2f70ba60744599baae0c62198c55f77fdfca878f810b9b3

SHA512
19e35b4ac0dc7e9199459239593eef951812baccd03a7fd8f7841c139d600cb7211ed4ee4949eb6370d903f92beeba95e29cc28aeddf08d08f09354d82d146fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\mY5MjMcKh7bJGgu.exe

Filesize
5.2MB

MD5
2278a3e6213e5d929f65103da7d445f4

SHA1
4511a1505a89511ccfec84ea47485e1dcc2c70d6

SHA256
fe4bacb5f228fe45bba5ae47a4538fe9a0f7199effdf1e473d8258d25c4ecdcf

SHA512
e37b25442ff82aa4e6056fefc563cf42c06ef7dbfaa77c06fe17aa59934f90d2a5f4ef5db3888fc111a5f496b4dbf91650c56684fa938f21b3c578c12d302e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\mY5MjMcKh7bJGgu.exe

Filesize
5.2MB

MD5
2278a3e6213e5d929f65103da7d445f4

SHA1
4511a1505a89511ccfec84ea47485e1dcc2c70d6

SHA256
fe4bacb5f228fe45bba5ae47a4538fe9a0f7199effdf1e473d8258d25c4ecdcf

SHA512
e37b25442ff82aa4e6056fefc563cf42c06ef7dbfaa77c06fe17aa59934f90d2a5f4ef5db3888fc111a5f496b4dbf91650c56684fa938f21b3c578c12d302e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\新版-西瓜套（嗨）.exe

Filesize
2.2MB

MD5
52d5bcbb2626ab84d35742307b107652

SHA1
cc127920c4fbe7b87ee5e838fd7ca7d81bdf727c

SHA256
df601b30ddffb6fdb9998db02a164612109f4c45286027c8c7a6f86c98a0b370

SHA512
d7cf08cc1ebd6db6f162399d39764ba92c62456ec5e2598270d77a7e18cc61d98f982d7684e68912cda646824abdd1fecf633cbc778e3f981ae69d15c23ff579

Download Submit
C:\Users\Admin\AppData\Local\Temp\新版-西瓜套（嗨）.exe

Filesize
2.2MB

MD5
52d5bcbb2626ab84d35742307b107652

SHA1
cc127920c4fbe7b87ee5e838fd7ca7d81bdf727c

SHA256
df601b30ddffb6fdb9998db02a164612109f4c45286027c8c7a6f86c98a0b370

SHA512
d7cf08cc1ebd6db6f162399d39764ba92c62456ec5e2598270d77a7e18cc61d98f982d7684e68912cda646824abdd1fecf633cbc778e3f981ae69d15c23ff579

Download Submit
\Users\Admin\AppData\Local\Temp\ytool\mY5MjMcKh7bJGgu.exe

Filesize
5.2MB

MD5
2278a3e6213e5d929f65103da7d445f4

SHA1
4511a1505a89511ccfec84ea47485e1dcc2c70d6

SHA256
fe4bacb5f228fe45bba5ae47a4538fe9a0f7199effdf1e473d8258d25c4ecdcf

SHA512
e37b25442ff82aa4e6056fefc563cf42c06ef7dbfaa77c06fe17aa59934f90d2a5f4ef5db3888fc111a5f496b4dbf91650c56684fa938f21b3c578c12d302e7c

Download Submit
\Users\Admin\AppData\Local\Temp\新版-西瓜套（嗨）.exe

Filesize
2.2MB

MD5
52d5bcbb2626ab84d35742307b107652

SHA1
cc127920c4fbe7b87ee5e838fd7ca7d81bdf727c

SHA256
df601b30ddffb6fdb9998db02a164612109f4c45286027c8c7a6f86c98a0b370

SHA512
d7cf08cc1ebd6db6f162399d39764ba92c62456ec5e2598270d77a7e18cc61d98f982d7684e68912cda646824abdd1fecf633cbc778e3f981ae69d15c23ff579

Download Submit
memory/2900-237-0x0000000000400000-0x000000000076F000-memory.dmp

Filesize
3.4MB

Download
memory/2900-248-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2900-238-0x0000000000400000-0x000000000076F000-memory.dmp

Filesize
3.4MB

Download
memory/2900-241-0x00000000023A0000-0x00000000026F8000-memory.dmp

Filesize
3.3MB

Download
memory/2900-243-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2900-246-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2900-244-0x00000000023A0000-0x00000000026F8000-memory.dmp

Filesize
3.3MB

Download
memory/2900-239-0x0000000000400000-0x000000000076F000-memory.dmp

Filesize
3.4MB

Download
memory/2900-249-0x0000000077970000-0x0000000077971000-memory.dmp

Filesize
4KB

Download
memory/2900-250-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2900-252-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2900-254-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2900-257-0x00000000023A0000-0x00000000026F8000-memory.dmp

Filesize
3.3MB

Download
memory/2900-258-0x0000000000400000-0x000000000076F000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing