3d4ed21206cca50faa9bc5d670d8aaaa99f70619fca1ede637f74a051456ede0

General

Target

可能是病毒的游戏/8.26有毒/APP1066/开始游戏.exe
Size

353KB
MD5

132d7c8c6880dbb8e7cf18e7ed4a2a5c
SHA1

2e23f923f2724f8254daaaf059178278a1375fc6
SHA256

b6b86a7a3036cdad16309e9fef1e2532ac4602c02f154d246ae5f0e3cf614374
SHA512

36b719a0ed52f81e008f1faad11a521b1f407238a11483cfd80ee611840ad4e51b19e29f69cfed5e50f5b37b1c535737e1d10d9f171bbbc96960ebfa70f8def3
SSDEEP

6144:7BlkZvaF4NTBG8ZecxBLnOP1QVUjfcqyDxMXF:7oSWNToRrP1OUjfcqyDW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2404	HipsMain.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral9/memory/2404-9-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral9/files/0x0006000000016d1c-6.dat	upx
behavioral9/files/0x0006000000016d1c-8.dat	upx
behavioral9/memory/2404-11-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral9/memory/2404-10-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HipsMain.exe = "C:\\Windows\\HipsMain.exe"	HipsMain.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\HipsMain.exe	cmd.exe
File created	C:\Windows\HipsMain.exe	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2404	HipsMain.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2404	HipsMain.exe
2404	HipsMain.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1276	1712	开始游戏.exe	29
PID 1712 wrote to memory of 1276	1712	开始游戏.exe	29
PID 1712 wrote to memory of 1276	1712	开始游戏.exe	29
PID 1712 wrote to memory of 1276	1712	开始游戏.exe	29
PID 1276 wrote to memory of 2404	1276	cmd.exe	30
PID 1276 wrote to memory of 2404	1276	cmd.exe	30
PID 1276 wrote to memory of 2404	1276	cmd.exe	30
PID 1276 wrote to memory of 2404	1276	cmd.exe	30
PID 1276 wrote to memory of 2536	1276	cmd.exe	31
PID 1276 wrote to memory of 2536	1276	cmd.exe	31
PID 1276 wrote to memory of 2536	1276	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\可能是病毒的游戏\8.26有毒\APP1066\开始游戏.exe
"C:\Users\Admin\AppData\Local\Temp\可能是病毒的游戏\8.26有毒\APP1066\开始游戏.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7704.tmp\7705.tmp\7706.bat C:\Users\Admin\AppData\Local\Temp\可能是病毒的游戏\8.26有毒\APP1066\开始游戏.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\HipsMain.exe
    C:\Windows\HipsMain.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    PID:2404
- - C:\Users\Admin\AppData\Local\Temp\可能是病毒的游戏\8.26有毒\APP1066\HypnoApp_Data\HypnoApp.exe
    C:\Users\Admin\AppData\Local\Temp\可能是病毒的游戏\8.26有毒\APP1066\\HypnoApp_Data\HypnoApp.exe C:\Users\Admin\AppData\Local\Temp\可能是病毒的游戏\8.26有毒\APP1066\
    3⤵
    PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7704.tmp\7705.tmp\7706.bat

Filesize
192B

MD5
8ac60af3b2c54f1f32a3000fffd922ee

SHA1
829539258e43135cf2558e9f1584abeb13af48f8

SHA256
d9ae483fc7c8c60e73d65713f1a974fc9a8a29c4d137468397b872730b73cf05

SHA512
0627737aa29bc07dc5fddb0ac112f52e1512ed75cf4ddcd575ae7f69e4803c629a60a984ad24ef39a3e1c2a783874c268a491ad56833a2bf3e078c17a3ee059b

Download Submit
C:\Windows\HipsMain.exe

Filesize
574KB

MD5
a2d882f67ae7c42748a7cb3a2d0fdb2b

SHA1
057877d7a6cf85a6583dd8646957fda574a3b2c2

SHA256
a6319736190ee3d714a8849408e1a38cdb509bb051b7b682905530c74330e052

SHA512
60b2a0b9f0e11b0619fbe6db3c074a2bfad6325379bc0023eeb3c044374b96ec7dcfa79565decbfdc77b420aba6b0cc681bae5ea004272e981ca554a0a158533

Download Submit
C:\Windows\HipsMain.exe

Filesize
574KB

MD5
a2d882f67ae7c42748a7cb3a2d0fdb2b

SHA1
057877d7a6cf85a6583dd8646957fda574a3b2c2

SHA256
a6319736190ee3d714a8849408e1a38cdb509bb051b7b682905530c74330e052

SHA512
60b2a0b9f0e11b0619fbe6db3c074a2bfad6325379bc0023eeb3c044374b96ec7dcfa79565decbfdc77b420aba6b0cc681bae5ea004272e981ca554a0a158533

Download Submit
memory/2404-9-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2404-11-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2404-10-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2404-12-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads