40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca

General

Target

40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe
Size

11.7MB
MD5

f55b732994f3d3ed802b9d324475ac22
SHA1

f048a6c0f7827efcd4978bacda0b683ebcc3a7a6
SHA256

40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca
SHA512

dd7e09fdcd032b3f93a383e5f1f93789516b3db5720926719684207f6fedc54bc9ac395ec7a5f17cb2dc0461af105cb47e952aa89ae1dcd1001267f254f27433
SSDEEP

196608:AqnkQ4DCXjHvNLwHsHxHtUtJGizLmZsp7Ii9XUH2/5alJKN8sdDLseY9zIl:FtpL2sRN6SCpHZUWI9sdLsN9

Score

7^/10

aspackv2 vmprotect

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00060000000231f3-24.dat	aspack_v212_v242
behavioral2/files/0x00060000000231f3-25.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
1764	mY5MjMcKh7bJGgu.exe
1952	新版-西瓜套（嗨）.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/1952-238-0x0000000002420000-0x0000000002778000-memory.dmp	vmprotect
behavioral2/memory/1952-242-0x0000000002420000-0x0000000002778000-memory.dmp	vmprotect
behavioral2/memory/1952-245-0x0000000002420000-0x0000000002778000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1952	新版-西瓜套（嗨）.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4744	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe
4744	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe
1952	新版-西瓜套（嗨）.exe
1952	新版-西瓜套（嗨）.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 1764	4744	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe	82
PID 4744 wrote to memory of 1764	4744	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe	82
PID 4744 wrote to memory of 1764	4744	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe	82
PID 4744 wrote to memory of 1952	4744	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe	84
PID 4744 wrote to memory of 1952	4744	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe	84
PID 4744 wrote to memory of 1952	4744	40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe	84

C:\Users\Admin\AppData\Local\Temp\40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe
"C:\Users\Admin\AppData\Local\Temp\40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\ytool\mY5MjMcKh7bJGgu.exe
  "C:\Users\Admin\AppData\Local\Temp\40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe" "C:\Users\Admin\AppData\Local\Temp\40c05f1ca05c8662afc6eb24a51210a828d8e3729a01c88ec90188c4318851ca.exe"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\新版-西瓜套（嗨）.exe
  "C:\Users\Admin\AppData\Local\Temp\新版-西瓜套（嗨）.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
439B

MD5
6be5afdae17e3f33b104ad8336e64225

SHA1
bee7be7223af3e095122124652312abb4cdc1b5f

SHA256
5a371e196c9ba07a360cb8a0a755eaf634e33dadfb51cbe5ac3e30775204a903

SHA512
80e612400c9e69997d49c9e3f13526e2b0aa4539a89ed0c6b5c5bdb00445b81bb73aa9860bf680467f798357ec04870e6a4341aeced34402d0c9dd0f4244e102

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
14KB

MD5
e5a185563d19bea3be03ebd859c999ac

SHA1
61340d5108704ad185cbc98e9f4fb3ff7fd56426

SHA256
3e0705413307b4c101a1b00090c7fa7f73cd4e65ad91381446dbc840c13eddfa

SHA512
aa864824eb88e0d4ea2c6f2a0732502a729230d0f8d089e7bd2ffcb4981268fd869ec1b3d65673d41cccd64318465472adc424ceaac82b284233f89f4e765faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\mY5MjMcKh7bJGgu.exe

Filesize
5.2MB

MD5
2278a3e6213e5d929f65103da7d445f4

SHA1
4511a1505a89511ccfec84ea47485e1dcc2c70d6

SHA256
fe4bacb5f228fe45bba5ae47a4538fe9a0f7199effdf1e473d8258d25c4ecdcf

SHA512
e37b25442ff82aa4e6056fefc563cf42c06ef7dbfaa77c06fe17aa59934f90d2a5f4ef5db3888fc111a5f496b4dbf91650c56684fa938f21b3c578c12d302e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\mY5MjMcKh7bJGgu.exe

Filesize
5.2MB

MD5
2278a3e6213e5d929f65103da7d445f4

SHA1
4511a1505a89511ccfec84ea47485e1dcc2c70d6

SHA256
fe4bacb5f228fe45bba5ae47a4538fe9a0f7199effdf1e473d8258d25c4ecdcf

SHA512
e37b25442ff82aa4e6056fefc563cf42c06ef7dbfaa77c06fe17aa59934f90d2a5f4ef5db3888fc111a5f496b4dbf91650c56684fa938f21b3c578c12d302e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\新版-西瓜套（嗨）.exe

Filesize
2.2MB

MD5
52d5bcbb2626ab84d35742307b107652

SHA1
cc127920c4fbe7b87ee5e838fd7ca7d81bdf727c

SHA256
df601b30ddffb6fdb9998db02a164612109f4c45286027c8c7a6f86c98a0b370

SHA512
d7cf08cc1ebd6db6f162399d39764ba92c62456ec5e2598270d77a7e18cc61d98f982d7684e68912cda646824abdd1fecf633cbc778e3f981ae69d15c23ff579

Download Submit
C:\Users\Admin\AppData\Local\Temp\新版-西瓜套（嗨）.exe

Filesize
2.2MB

MD5
52d5bcbb2626ab84d35742307b107652

SHA1
cc127920c4fbe7b87ee5e838fd7ca7d81bdf727c

SHA256
df601b30ddffb6fdb9998db02a164612109f4c45286027c8c7a6f86c98a0b370

SHA512
d7cf08cc1ebd6db6f162399d39764ba92c62456ec5e2598270d77a7e18cc61d98f982d7684e68912cda646824abdd1fecf633cbc778e3f981ae69d15c23ff579

Download Submit
memory/1952-26-0x0000000000400000-0x000000000076F000-memory.dmp

Filesize
3.4MB

Download
memory/1952-236-0x0000000000400000-0x000000000076F000-memory.dmp

Filesize
3.4MB

Download
memory/1952-165-0x0000000000400000-0x000000000076F000-memory.dmp

Filesize
3.4MB

Download
memory/1952-238-0x0000000002420000-0x0000000002778000-memory.dmp

Filesize
3.3MB

Download
memory/1952-240-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1952-242-0x0000000002420000-0x0000000002778000-memory.dmp

Filesize
3.3MB

Download
memory/1952-241-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1952-245-0x0000000002420000-0x0000000002778000-memory.dmp

Filesize
3.3MB

Download
memory/1952-246-0x0000000000400000-0x000000000076F000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing