bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558

General

Target

bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe
Size

13.8MB
MD5

a83e41b3b359c022d8b19a7fe2bec8d8
SHA1

430b8e6f1de0c41bb73e8f89e1580881bb9ae161
SHA256

bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558
SHA512

d2f973d41b347d1469900506377a1cc78f9e0c57454a4fb67dc25f229ca7fd5667aa6a554b581e0a8a38140f9af4d5e9789d3aa320e85594e0e0ab58eed513f9
SSDEEP

98304:VPb0eFzKzpyeDMFGP9eJgNUiXSd+8LYq/3k/XB2fgNKryCXDv+rvy80GTSD7lof2:FbdWzQFGFxqh+OY0U+SKVQybof6

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2652	Updata.exe

Executes dropped EXE 1 IoCs

pid	Process
2652	Updata.exe

Loads dropped DLL 1 IoCs

pid	Process
1508	bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1508	bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe
1508	bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe
1508	bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2652	1508	bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe	28
PID 1508 wrote to memory of 2652	1508	bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe	28
PID 1508 wrote to memory of 2652	1508	bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe	28
PID 1508 wrote to memory of 2652	1508	bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe	28
PID 1508 wrote to memory of 2652	1508	bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe	28
PID 1508 wrote to memory of 2652	1508	bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe	28
PID 1508 wrote to memory of 2652	1508	bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe	28
PID 2652 wrote to memory of 2984	2652	Updata.exe	29
PID 2652 wrote to memory of 2984	2652	Updata.exe	29
PID 2652 wrote to memory of 2984	2652	Updata.exe	29
PID 2652 wrote to memory of 2984	2652	Updata.exe	29

C:\Users\Admin\AppData\Local\Temp\bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe
"C:\Users\Admin\AppData\Local\Temp\bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\Updata.exe
  "C:\Users\Admin\AppData\Local\Temp\Updata.exe" http://wang.cdn.it668.top:1668//神话-蓝音辅助09260.rar C:\Users\Admin\AppData\Local\Temp\bbb457877ecfe6b03cad4f9d51a362e0fef883e9350bd25729bca264a3b72558.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c _deleteme.bat
    3⤵
    PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Updata.exe

Filesize
3.2MB

MD5
2d0043419a62ed871edbb0ee2d7ca090

SHA1
01c27014ead6e85ed5f897a14a99cc3d4655ab34

SHA256
a750a6d03bfb0b3986c123d5e39fd36f1fcf13005aa04eaa7e1e4b906b9b32a5

SHA512
06593448407cfe69a643ec8777a920733e6d39167cc782d7332ce4ba978abbe8d11be8e5d9d5bac965a57781da4e824fc5937fbb073af34faea839fb6ad2981e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updata.exe

Filesize
3.2MB

MD5
2d0043419a62ed871edbb0ee2d7ca090

SHA1
01c27014ead6e85ed5f897a14a99cc3d4655ab34

SHA256
a750a6d03bfb0b3986c123d5e39fd36f1fcf13005aa04eaa7e1e4b906b9b32a5

SHA512
06593448407cfe69a643ec8777a920733e6d39167cc782d7332ce4ba978abbe8d11be8e5d9d5bac965a57781da4e824fc5937fbb073af34faea839fb6ad2981e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_deleteme.bat

Filesize
132B

MD5
16b6f2900fd8504bcccae4e8e267620b

SHA1
17bf767eb7a9bdb64ced60fb22c3c2d7d2ca5eef

SHA256
1e61a52a0102f772414888fb6eb680ae1ca4aae8cecd2600e0dea12983bf029e

SHA512
c50a31a6f9d5576e49829e23fc64af75165af24d966fcb9c31afac4f6a73746760255ac85a8a89cc62c5705a84eb45e4adf40725989841e80f839b7ada49fa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_deleteme.bat

Filesize
132B

MD5
16b6f2900fd8504bcccae4e8e267620b

SHA1
17bf767eb7a9bdb64ced60fb22c3c2d7d2ca5eef

SHA256
1e61a52a0102f772414888fb6eb680ae1ca4aae8cecd2600e0dea12983bf029e

SHA512
c50a31a6f9d5576e49829e23fc64af75165af24d966fcb9c31afac4f6a73746760255ac85a8a89cc62c5705a84eb45e4adf40725989841e80f839b7ada49fa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\主线脚本\怀旧版主线-缥缈.txt

Filesize
16KB

MD5
af9bb45d209b19f234ab56f89b6c3e71

SHA1
e9f52ad308dfee11f6817f4b636b73884952427d

SHA256
3988ba5d8ebb45b93ec7f748d963b8ac18947252aa61322a300eb6aa340b204f

SHA512
53bb35fa07671788d304b5feabb86c586fdab29452c460972bfd070703d010f478d24b52332c1a711f09b7e5c18e3e120e7254508276748670d0c61ad20ddef1

Download Submit
\Users\Admin\AppData\Local\Temp\Updata.exe

Filesize
3.2MB

MD5
2d0043419a62ed871edbb0ee2d7ca090

SHA1
01c27014ead6e85ed5f897a14a99cc3d4655ab34

SHA256
a750a6d03bfb0b3986c123d5e39fd36f1fcf13005aa04eaa7e1e4b906b9b32a5

SHA512
06593448407cfe69a643ec8777a920733e6d39167cc782d7332ce4ba978abbe8d11be8e5d9d5bac965a57781da4e824fc5937fbb073af34faea839fb6ad2981e

Download Submit
memory/1508-0-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1508-9-0x0000000000DD0000-0x0000000001BC6000-memory.dmp

Filesize
14.0MB

Download
memory/2652-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2652-96-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/2652-173-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2652-187-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing