230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0

General

Target

230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe
Size

11.7MB
MD5

fd9e7ea6f74e21c9e6cf676dd9160770
SHA1

615377808bcb6679f1f71b024986e881cbf0cf1a
SHA256

230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0
SHA512

d8a2eaf89e2ff13c5c19afaa94ce29c825ab9d4faf25a633720326b9ae107d4615f659f94cf8f5b13994aa784e0eb73ef3f9eb9cacfa51024b5cddae3a237421
SSDEEP

196608:MqnkQ4DCXjHvNLwHsHxHt3k+B8DM5N8I6cu8U+Ii9XUH2/5alJKN8sdDLsAY9zc2:RtpL2sRN3GDsN8IRu0ZUWI9sdLsT9

Score

7^/10

aspackv2 vmprotect

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022fec-82.dat	aspack_v212_v242
behavioral2/files/0x0006000000022fec-83.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
4684	4pkUWZ5a6VZW98o.exe
4260	王者荣耀-品牌.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4260-87-0x0000000002530000-0x0000000002889000-memory.dmp	vmprotect
behavioral2/memory/4260-90-0x0000000002530000-0x0000000002889000-memory.dmp	vmprotect
behavioral2/memory/4260-96-0x0000000002530000-0x0000000002889000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4260	王者荣耀-品牌.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3712	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe
3712	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe
4260	王者荣耀-品牌.exe
4260	王者荣耀-品牌.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4684	4pkUWZ5a6VZW98o.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4684	4pkUWZ5a6VZW98o.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 4684	3712	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe	85
PID 3712 wrote to memory of 4684	3712	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe	85
PID 3712 wrote to memory of 4684	3712	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe	85
PID 3712 wrote to memory of 4260	3712	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe	87
PID 3712 wrote to memory of 4260	3712	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe	87
PID 3712 wrote to memory of 4260	3712	230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe	87

C:\Users\Admin\AppData\Local\Temp\230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe
"C:\Users\Admin\AppData\Local\Temp\230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Users\Admin\AppData\Local\Temp\ytool\4pkUWZ5a6VZW98o.exe
  "C:\Users\Admin\AppData\Local\Temp\230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe" "C:\Users\Admin\AppData\Local\Temp\230f4524e601e90aa5b7ffa0a45058c7121721127b37d31eacfc9da9a3e220f0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4684
- C:\Users\Admin\AppData\Local\Temp\王者荣耀-品牌.exe
  "C:\Users\Admin\AppData\Local\Temp\王者荣耀-品牌.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
439B

MD5
41407233c8233dd556927cde31145e38

SHA1
893e76901234b5683a0f7eb028dbe652aa9d65c2

SHA256
95146a5fd6aabc6d591805592790bf1dedae2c35d25ab42337ecc02ecab7e60c

SHA512
ec0ead6eba4e40b968a72110b9d0b262daeed1d9ecd171b861286995041676dcffc5c9ced5e1742dc70af1209979f6721ff917c16751dea01357cbce2bad5827

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
4KB

MD5
2c603352540bf31bc028a491ed5ac63a

SHA1
2723016e9bb8c0557da40c0900bd2eb3241c0cba

SHA256
66ddb1fe8a6c44f1bd9819c0da121f3286055d039c9815cbc3351bb8a48fbf25

SHA512
834a42948caab20e7d4640e867e13f4d4f7c88905ff4d03ce35f127e4fd4e4196b69d9df4a7561d03f7989afbbe05cd895be78e67f8e0ccedaf5ada47f8b1455

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\4pkUWZ5a6VZW98o.exe

Filesize
5.2MB

MD5
ffc9503cf5d4a6e5c513aff68a9adf6f

SHA1
ef78068718d75d231e3b1a3cf24d441aac39bd92

SHA256
f8b96b2a7891264be9526c73a4d4bb3e91e79246c92cdab7bea2a8b5a316bee1

SHA512
67f9abc7351a25df6f64357e38d567d197ff9c9b3c39d341339ac0f3042affb27447a2d7fafb8330cd589777eebc094d3b1d7569685e12754702e89a672e35f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\4pkUWZ5a6VZW98o.exe

Filesize
5.2MB

MD5
ffc9503cf5d4a6e5c513aff68a9adf6f

SHA1
ef78068718d75d231e3b1a3cf24d441aac39bd92

SHA256
f8b96b2a7891264be9526c73a4d4bb3e91e79246c92cdab7bea2a8b5a316bee1

SHA512
67f9abc7351a25df6f64357e38d567d197ff9c9b3c39d341339ac0f3042affb27447a2d7fafb8330cd589777eebc094d3b1d7569685e12754702e89a672e35f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\王者荣耀-品牌.exe

Filesize
2.2MB

MD5
a102d21244a3bf2c643c86ab29b05c28

SHA1
dee2ab47f19ddd9090a5550f635981ad3878e70f

SHA256
ccb29ef2c870069b0d70e87a9bc2d00a3e8c2a774dc4bf9de5c3177784d7d032

SHA512
404ea322abc7cf5eb08814e12ba399744bfe69e04ab63f481b6a3559224d0e71964961560935ef3bf29486c66c365665502f0d6d83b3fdd10bf8afb2d51ecf3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\王者荣耀-品牌.exe

Filesize
2.2MB

MD5
a102d21244a3bf2c643c86ab29b05c28

SHA1
dee2ab47f19ddd9090a5550f635981ad3878e70f

SHA256
ccb29ef2c870069b0d70e87a9bc2d00a3e8c2a774dc4bf9de5c3177784d7d032

SHA512
404ea322abc7cf5eb08814e12ba399744bfe69e04ab63f481b6a3559224d0e71964961560935ef3bf29486c66c365665502f0d6d83b3fdd10bf8afb2d51ecf3d

Download Submit
memory/4260-84-0x0000000000400000-0x0000000000770000-memory.dmp

Filesize
3.4MB

Download
memory/4260-85-0x0000000000400000-0x0000000000770000-memory.dmp

Filesize
3.4MB

Download
memory/4260-86-0x0000000000400000-0x0000000000770000-memory.dmp

Filesize
3.4MB

Download
memory/4260-87-0x0000000002530000-0x0000000002889000-memory.dmp

Filesize
3.3MB

Download
memory/4260-90-0x0000000002530000-0x0000000002889000-memory.dmp

Filesize
3.3MB

Download
memory/4260-92-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/4260-93-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/4260-96-0x0000000002530000-0x0000000002889000-memory.dmp

Filesize
3.3MB

Download
memory/4260-97-0x0000000000400000-0x0000000000770000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing