230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0

General

Target

230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe
Size

11.7MB
MD5

fd9e7ea6f74e21c9e6cf676dd9160770
SHA1

615377808bcb6679f1f71b024986e881cbf0cf1a
SHA256

230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0
SHA512

d8a2eaf89e2ff13c5c19afaa94ce29c825ab9d4faf25a633720326b9ae107d4615f659f94cf8f5b13994aa784e0eb73ef3f9eb9cacfa51024b5cddae3a237421
SSDEEP

196608:MqnkQ4DCXjHvNLwHsHxHt3k+B8DM5N8I6cu8U+Ii9XUH2/5alJKN8sdDLsAY9zc2:RtpL2sRN3GDsN8IRu0ZUWI9sdLsT9

Score

7^/10

aspackv2 vmprotect

Malware Config

Signatures

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0035000000018ead-18.dat	aspack_v212_v242
behavioral1/files/0x0035000000018ead-20.dat	aspack_v212_v242
behavioral1/files/0x0035000000018ead-21.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
2556	4pkUWZ5a6VZW98o.exe
2836	王者荣耀-品牌.exe

Loads dropped DLL 2 IoCs

pid	Process
1760	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe
1760	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2836-91-0x0000000002510000-0x0000000002869000-memory.dmp	vmprotect
behavioral1/memory/2836-94-0x0000000002510000-0x0000000002869000-memory.dmp	vmprotect
behavioral1/memory/2836-107-0x0000000002510000-0x0000000002869000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2836	王者荣耀-品牌.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1760	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe
2836	王者荣耀-品牌.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2556	4pkUWZ5a6VZW98o.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2556	4pkUWZ5a6VZW98o.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2556	1760	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe	28
PID 1760 wrote to memory of 2556	1760	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe	28
PID 1760 wrote to memory of 2556	1760	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe	28
PID 1760 wrote to memory of 2556	1760	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe	28
PID 1760 wrote to memory of 2836	1760	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe	29
PID 1760 wrote to memory of 2836	1760	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe	29
PID 1760 wrote to memory of 2836	1760	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe	29
PID 1760 wrote to memory of 2836	1760	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe	29

C:\Users\Admin\AppData\Local\Temp\230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe
"C:\Users\Admin\AppData\Local\Temp\230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\ytool\4pkUWZ5a6VZW98o.exe
  "C:\Users\Admin\AppData\Local\Temp\230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe" "C:\Users\Admin\AppData\Local\Temp\230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\王者荣耀-品牌.exe
  "C:\Users\Admin\AppData\Local\Temp\王者荣耀-品牌.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
335B

MD5
8dd6a97e754ad84c532ae195d70396c5

SHA1
7b655dd0c46ba6238eacb5f06103f60fcac6db45

SHA256
60f50ca4b7f6a9fdf62b84f556414e123baec21a912e06224922a8c99bddd625

SHA512
889253fb3b80359a14f4db8db819eb0c9bcdf1471c43206cc4034c2388111c4f2918dd4acc90d14e9beb67ba6b0d2a02ef58e50c18056126b8f661307fb42d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
633B

MD5
67ca024fbfbd6bddd31434e170ac4117

SHA1
8a078a910892f829426ef560e9704985b0ee28bf

SHA256
86fd9610c44452fed771139e74953d0609e6d07ec4971768fbb965ac6b6f1de2

SHA512
bc9677a7d4e62471802d5073c43cf9c81136368e2457d1573df05d3802caf4250faa66f88cd5b8d7006c2952bcf4b61b1727d8fe56b68958a966a23cf06017fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
4KB

MD5
81818b0d23c1a40d7db684c71366c1bf

SHA1
e63d8e91f30172d5eb830aa904660ec9a045407f

SHA256
173a2f701b5e439735123eaff00e44eb7846dec4fa5977624e1d10b5ee56a71e

SHA512
8afb7179c6698c3fa4389e198ed3236ecb029fd6e156309c6bdc29ff15f72eb27052ccc122af7cea3a57e86ed6fb660c1d3625d6b0c55775f13e0158139b6398

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\4pkUWZ5a6VZW98o.exe

Filesize
5.2MB

MD5
ffc9503cf5d4a6e5c513aff68a9adf6f

SHA1
ef78068718d75d231e3b1a3cf24d441aac39bd92

SHA256
f8b96b2a7891264be9526c73a4d4bb3e91e79246c92cdab7bea2a8b5a316bee1

SHA512
67f9abc7351a25df6f64357e38d567d197ff9c9b3c39d341339ac0f3042affb27447a2d7fafb8330cd589777eebc094d3b1d7569685e12754702e89a672e35f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\王者荣耀-品牌.exe

Filesize
2.2MB

MD5
a102d21244a3bf2c643c86ab29b05c28

SHA1
dee2ab47f19ddd9090a5550f635981ad3878e70f

SHA256
ccb29ef2c870069b0d70e87a9bc2d00a3e8c2a774dc4bf9de5c3177784d7d032

SHA512
404ea322abc7cf5eb08814e12ba399744bfe69e04ab63f481b6a3559224d0e71964961560935ef3bf29486c66c365665502f0d6d83b3fdd10bf8afb2d51ecf3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\王者荣耀-品牌.exe

Filesize
2.2MB

MD5
a102d21244a3bf2c643c86ab29b05c28

SHA1
dee2ab47f19ddd9090a5550f635981ad3878e70f

SHA256
ccb29ef2c870069b0d70e87a9bc2d00a3e8c2a774dc4bf9de5c3177784d7d032

SHA512
404ea322abc7cf5eb08814e12ba399744bfe69e04ab63f481b6a3559224d0e71964961560935ef3bf29486c66c365665502f0d6d83b3fdd10bf8afb2d51ecf3d

Download Submit
\Users\Admin\AppData\Local\Temp\ytool\4pkUWZ5a6VZW98o.exe

Filesize
5.2MB

MD5
ffc9503cf5d4a6e5c513aff68a9adf6f

SHA1
ef78068718d75d231e3b1a3cf24d441aac39bd92

SHA256
f8b96b2a7891264be9526c73a4d4bb3e91e79246c92cdab7bea2a8b5a316bee1

SHA512
67f9abc7351a25df6f64357e38d567d197ff9c9b3c39d341339ac0f3042affb27447a2d7fafb8330cd589777eebc094d3b1d7569685e12754702e89a672e35f0

Download Submit
\Users\Admin\AppData\Local\Temp\王者荣耀-品牌.exe

Filesize
2.2MB

MD5
a102d21244a3bf2c643c86ab29b05c28

SHA1
dee2ab47f19ddd9090a5550f635981ad3878e70f

SHA256
ccb29ef2c870069b0d70e87a9bc2d00a3e8c2a774dc4bf9de5c3177784d7d032

SHA512
404ea322abc7cf5eb08814e12ba399744bfe69e04ab63f481b6a3559224d0e71964961560935ef3bf29486c66c365665502f0d6d83b3fdd10bf8afb2d51ecf3d

Download Submit
memory/1760-22-0x00000000031B0000-0x0000000003520000-memory.dmp

Filesize
3.4MB

Download
memory/2836-88-0x0000000000400000-0x0000000000770000-memory.dmp

Filesize
3.4MB

Download
memory/2836-98-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2836-89-0x0000000000400000-0x0000000000770000-memory.dmp

Filesize
3.4MB

Download
memory/2836-91-0x0000000002510000-0x0000000002869000-memory.dmp

Filesize
3.3MB

Download
memory/2836-94-0x0000000002510000-0x0000000002869000-memory.dmp

Filesize
3.3MB

Download
memory/2836-93-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2836-96-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2836-29-0x0000000000400000-0x0000000000770000-memory.dmp

Filesize
3.4MB

Download
memory/2836-100-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2836-99-0x0000000077D60000-0x0000000077D61000-memory.dmp

Filesize
4KB

Download
memory/2836-102-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2836-104-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2836-107-0x0000000002510000-0x0000000002869000-memory.dmp

Filesize
3.3MB

Download
memory/2836-108-0x0000000000400000-0x0000000000770000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing