db9084b91819dcf7fc10ee6929abcd402dd141fcb64f3d612552c402e8426fa5

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2023 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

酒鬼＊迷失＊100倍充值[0806][云.exe
Size

25.6MB
MD5

17bceb4da62f4de024b159ded6462d47
SHA1

ffbbaaadc0577f8e0d36e3e8ff49dc837a2f5ea9
SHA256

db9084b91819dcf7fc10ee6929abcd402dd141fcb64f3d612552c402e8426fa5
SHA512

4f95da15d1f547babefe20256e3a5bfd7c83609489e5d0114655fcd39954080dca739471fd8274243bca2013082db0f1c0d97f19dcf16f566996806f972b47f6
SSDEEP

393216:21n6+GPJKP3wBit1qPR/lzaxoZONzhJoi6YIhJgZNYlKMYNp6zKy:21nvkJKfwRPkoZShJS/JQNYHYPvy

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
F:\¾Æ¹íÃÔÊ§100±¶\酒鬼＊迷失＊100倍充值[0806][云.exe	aspack_v212_v242
F:\¾Æ¹íÃÔÊ§100±¶\酒鬼＊迷失＊100倍充值[0806][云.exe	aspack_v212_v242
F:\¾Æ¹íÃÔÊ§100±¶\酒鬼＊迷失＊100倍充值[0806][云.exe	aspack_v212_v242

Executes dropped EXE 2 IoCs

Processes:

酒鬼＊迷失＊100倍充值[0806][云.exe酒鬼＊迷失＊100倍充值[0806][云.exe

pid process

4400 酒鬼＊迷失＊100倍充值[0806][云.exe
3408 酒鬼＊迷失＊100倍充值[0806][云.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

taskmgr.exe

description ioc process

File opened (read-only) \??\F: taskmgr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4400	酒鬼＊迷失＊100倍充值[0806][云.exe
3408	酒鬼＊迷失＊100倍充值[0806][云.exe

description	ioc	process
File opened (read-only)	\??\F:	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

酒鬼＊迷失＊100倍充值[0806][云.exe酒鬼＊迷失＊100倍充值[0806][云.exe酒鬼＊迷失＊100倍充值[0806][云.exetaskmgr.exe

pid	process
2468	酒鬼＊迷失＊100倍充值[0806][云.exe
2468	酒鬼＊迷失＊100倍充值[0806][云.exe
4400	酒鬼＊迷失＊100倍充值[0806][云.exe
4400	酒鬼＊迷失＊100倍充值[0806][云.exe
3408	酒鬼＊迷失＊100倍充值[0806][云.exe
3408	酒鬼＊迷失＊100倍充值[0806][云.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

酒鬼＊迷失＊100倍充值[0806][云.exe酒鬼＊迷失＊100倍充值[0806][云.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2468	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: SeDebugPrivilege	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: 33	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: SeIncBasePriorityPrivilege	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: 33	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: SeIncBasePriorityPrivilege	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: 33	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: SeIncBasePriorityPrivilege	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: 33	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: SeIncBasePriorityPrivilege	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: 33	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: SeIncBasePriorityPrivilege	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: 33	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: SeIncBasePriorityPrivilege	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: 33	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: SeIncBasePriorityPrivilege	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: 33	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: SeIncBasePriorityPrivilege	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: 33	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: SeIncBasePriorityPrivilege	4400	酒鬼＊迷失＊100倍充值[0806][云.exe
Token: SeDebugPrivilege	4912	taskmgr.exe
Token: SeSystemProfilePrivilege	4912	taskmgr.exe
Token: SeCreateGlobalPrivilege	4912	taskmgr.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

taskmgr.exe

pid	process
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

taskmgr.exe

pid	process
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe
4912	taskmgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

酒鬼＊迷失＊100倍充值[0806][云.exe酒鬼＊迷失＊100倍充值[0806][云.exe酒鬼＊迷失＊100倍充值[0806][云.exe

pid	process
2468	酒鬼＊迷失＊100倍充值[0806][云.exe
2468	酒鬼＊迷失＊100倍充值[0806][云.exe
2468	酒鬼＊迷失＊100倍充值[0806][云.exe
2468	酒鬼＊迷失＊100倍充值[0806][云.exe
4400	酒鬼＊迷失＊100倍充值[0806][云.exe
4400	酒鬼＊迷失＊100倍充值[0806][云.exe
4400	酒鬼＊迷失＊100倍充值[0806][云.exe
4400	酒鬼＊迷失＊100倍充值[0806][云.exe
3408	酒鬼＊迷失＊100倍充值[0806][云.exe
3408	酒鬼＊迷失＊100倍充值[0806][云.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

酒鬼＊迷失＊100倍充值[0806][云.exe

description	pid	process	target process
PID 2468 wrote to memory of 4400	2468	酒鬼＊迷失＊100倍充值[0806][云.exe	酒鬼＊迷失＊100倍充值[0806][云.exe
PID 2468 wrote to memory of 4400	2468	酒鬼＊迷失＊100倍充值[0806][云.exe	酒鬼＊迷失＊100倍充值[0806][云.exe
PID 2468 wrote to memory of 4400	2468	酒鬼＊迷失＊100倍充值[0806][云.exe	酒鬼＊迷失＊100倍充值[0806][云.exe
PID 2468 wrote to memory of 4300	2468	酒鬼＊迷失＊100倍充值[0806][云.exe	cmd.exe
PID 2468 wrote to memory of 4300	2468	酒鬼＊迷失＊100倍充值[0806][云.exe	cmd.exe
PID 2468 wrote to memory of 4300	2468	酒鬼＊迷失＊100倍充值[0806][云.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\酒鬼＊迷失＊100倍充值[0806][云.exe
"C:\Users\Admin\AppData\Local\Temp\酒鬼＊迷失＊100倍充值[0806][云.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468

F:\¾Æ¹íÃÔÊ§100±¶\酒鬼＊迷失＊100倍充值[0806][云.exe
F:\¾Æ¹íÃÔÊ§100±¶\酒鬼＊迷失＊100倍充值[0806][云.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /q C:\Users\Admin\AppData\Local\Temp\酒鬼＊迷失＊100倍充值[0806][云.exe
2⤵
PID:4300

F:\¾Æ¹íÃÔÊ§100±¶\酒鬼＊迷失＊100倍充值[0806][云.exe
"F:\¾Æ¹íÃÔÊ§100±¶\酒鬼＊迷失＊100倍充值[0806][云.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

F:\¾Æ¹íÃÔÊ§100±¶\2FDA28DC7DD5A859_GameOfMir.ini

Filesize
158B

MD5
34e6b47cd058255433528a40d0c4c313

SHA1
01c9a47f2ffd2f67ada51992d05fba88a5ca6422

SHA256
76cfa620fe8001a31494fe134130f177a60c61c6c1f52baabee20009cbc650b6

SHA512
425412f4af12dcd2d5c1b4fc596e0a0cbb40b4de249f5f5afa1577d79b7afc73fac2ce6cdebb23ecd457a3369b9cf0d75d54efb247b476686e74e3084139f9f7

Download Submit
F:\¾Æ¹íÃÔÊ§100±¶\酒鬼＊迷失＊100倍充值[0806][云.exe

Filesize
25.6MB

MD5
17bceb4da62f4de024b159ded6462d47

SHA1
ffbbaaadc0577f8e0d36e3e8ff49dc837a2f5ea9

SHA256
db9084b91819dcf7fc10ee6929abcd402dd141fcb64f3d612552c402e8426fa5

SHA512
4f95da15d1f547babefe20256e3a5bfd7c83609489e5d0114655fcd39954080dca739471fd8274243bca2013082db0f1c0d97f19dcf16f566996806f972b47f6

Download Submit
F:\¾Æ¹íÃÔÊ§100±¶\酒鬼＊迷失＊100倍充值[0806][云.exe

Filesize
25.6MB

MD5
17bceb4da62f4de024b159ded6462d47

SHA1
ffbbaaadc0577f8e0d36e3e8ff49dc837a2f5ea9

SHA256
db9084b91819dcf7fc10ee6929abcd402dd141fcb64f3d612552c402e8426fa5

SHA512
4f95da15d1f547babefe20256e3a5bfd7c83609489e5d0114655fcd39954080dca739471fd8274243bca2013082db0f1c0d97f19dcf16f566996806f972b47f6

Download Submit
F:\¾Æ¹íÃÔÊ§100±¶\酒鬼＊迷失＊100倍充值[0806][云.exe

Filesize
25.6MB

MD5
17bceb4da62f4de024b159ded6462d47

SHA1
ffbbaaadc0577f8e0d36e3e8ff49dc837a2f5ea9

SHA256
db9084b91819dcf7fc10ee6929abcd402dd141fcb64f3d612552c402e8426fa5

SHA512
4f95da15d1f547babefe20256e3a5bfd7c83609489e5d0114655fcd39954080dca739471fd8274243bca2013082db0f1c0d97f19dcf16f566996806f972b47f6

Download Submit
memory/2468-10-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/2468-9-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/2468-6-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2468-8-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/2468-11-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/2468-13-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/2468-7-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2468-5-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2468-0-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/2468-1-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/2468-25-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/3408-103-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/3408-110-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/3408-107-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/3408-102-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3408-104-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/3408-100-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/3408-101-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/3408-99-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/3408-95-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/4400-32-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/4400-31-0x0000000001800000-0x0000000001801000-memory.dmp

Filesize
4KB

Download
memory/4400-27-0x0000000001650000-0x0000000001651000-memory.dmp

Filesize
4KB

Download
memory/4400-87-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/4400-21-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/4400-67-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/4400-59-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/4400-30-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/4400-33-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/4400-29-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download
memory/4400-78-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/4400-77-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/4400-20-0x0000000000400000-0x0000000001517000-memory.dmp

Filesize
17.1MB

Download
memory/4400-28-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/4912-126-0x0000013C67E10000-0x0000013C67E11000-memory.dmp

Filesize
4KB

Download
memory/4912-116-0x0000013C67E10000-0x0000013C67E11000-memory.dmp

Filesize
4KB

Download
memory/4912-117-0x0000013C67E10000-0x0000013C67E11000-memory.dmp

Filesize
4KB

Download
memory/4912-121-0x0000013C67E10000-0x0000013C67E11000-memory.dmp

Filesize
4KB

Download
memory/4912-122-0x0000013C67E10000-0x0000013C67E11000-memory.dmp

Filesize
4KB

Download
memory/4912-123-0x0000013C67E10000-0x0000013C67E11000-memory.dmp

Filesize
4KB

Download
memory/4912-124-0x0000013C67E10000-0x0000013C67E11000-memory.dmp

Filesize
4KB

Download
memory/4912-125-0x0000013C67E10000-0x0000013C67E11000-memory.dmp

Filesize
4KB

Download
memory/4912-115-0x0000013C67E10000-0x0000013C67E11000-memory.dmp

Filesize
4KB

Download