869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
15/11/2023, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
Size

13.7MB
MD5

a714ddc6076916b1c688b86338a43336
SHA1

d73fd48a4e7db3f44b001c54dff63b9258e6dfaa
SHA256

869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75
SHA512

a0c7c9bade112f518d2db56eb3b6ad6a6cbbb3b118d7a6e41832264c552553288312b44f0682566a0e567a945591581a1ae8112741cfd5a05b4d79e2d0831bdc
SSDEEP

196608:8MD+cpvJ/4H3nmghWoa/fsysMF4JD85l3kjiFJlzLJZzoFWe4fyGsnIRHqrB7XLI:8MFgXnU7sEl3yiLzMwRxnsxJ72

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe

Executes dropped EXE 1 IoCs

pid	Process
1200	奶罩子轮回.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
2320	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1200	奶罩子轮回.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2320	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
1200	奶罩子轮回.exe
1200	奶罩子轮回.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	奶罩子轮回.exe
Token: SeShutdownPrivilege	1200	奶罩子轮回.exe
Token: SeLoadDriverPrivilege	1200	奶罩子轮回.exe
Token: SeTakeOwnershipPrivilege	1200	奶罩子轮回.exe
Token: SeBackupPrivilege	1200	奶罩子轮回.exe
Token: SeRestorePrivilege	1200	奶罩子轮回.exe
Token: SeDebugPrivilege	1200	奶罩子轮回.exe
Token: SeShutdownPrivilege	1200	奶罩子轮回.exe
Token: SeLoadDriverPrivilege	1200	奶罩子轮回.exe
Token: SeTakeOwnershipPrivilege	1200	奶罩子轮回.exe
Token: SeBackupPrivilege	1200	奶罩子轮回.exe
Token: SeRestorePrivilege	1200	奶罩子轮回.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2320	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2320	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1200	奶罩子轮回.exe
1200	奶罩子轮回.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1200	2320	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe	28
PID 2320 wrote to memory of 1200	2320	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe	28
PID 2320 wrote to memory of 1200	2320	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe	28
PID 2320 wrote to memory of 1200	2320	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe	28

C:\Users\Admin\AppData\Local\Temp\869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
"C:\Users\Admin\AppData\Local\Temp\869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\奶罩子轮回.exe
  C:\Users\Admin\AppData\Local\Temp\奶罩子轮回.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
650B

MD5
2cb2385bcba6bfdb181e98a2d3a0220b

SHA1
a7e2428f50eb2017d42a665e3dfe9e126ae26941

SHA256
a11ec87d619b69e56874c30721a92713237c888fbc23635227dd1704df279303

SHA512
a6f7abd2917f8916a1cfd1add03443b9e982a6729dd179368cf937880eb165da2df5133de82a0e90fc7bce6afa71b38d6e55e82eaae1af132c5899192098d0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
3KB

MD5
9d435c0fccf54a1fc0adc8d86bb39ddc

SHA1
9af225807a00988feca3ff7446b3d42e7f2966a2

SHA256
425594c3bc060ca3b1931c75b176bf7f4148d8ebb69bcefbc1bb5c5ee22c1697

SHA512
7d908a63a1ab9ac31dc906cf34312486499e0a4e936b73f2fc61fef658888ba38424f8a5e8d424f0c74d8c9bc44a263ebb8b7820febfcf7596c23e5eaaef0299

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
4KB

MD5
79a3cb900d27d0e3cb4f044d0eff6be8

SHA1
7ab2051bbfb2777e200b84242a93400716cf8cc8

SHA256
3587f7f30b781f6fd0ff69eb6a1cfaf23f53446ae716adfcd3c2ad4a226a7a8f

SHA512
effbc77c59d07e7f880829818f94e456d460365cefb7d6b753a9b89bf2e7a17a95f1d0bc13b76b358d48f07dc17306224aab90ae865cbe3fc7b6d74bc22675b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
308B

MD5
665bcf97011daebc14c3e05f9793ef0f

SHA1
451a082a8296bbc8bf11670c85d905460c79c52b

SHA256
1b1aab3c6c22cfcde7366cda05af15d6554ed3f247fc64c3fb1efb54e038d9c0

SHA512
0811403eef4aee6335a11ec92978d2c616e5e572a95476dd3d72a4acd7a269ec46dd7bf150a431ba117a5495fa72c297dac8a215e7e3517c1cc4488369d65d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\奶罩子轮回.exe

Filesize
8.0MB

MD5
0f79956e611a733dbd438dc8a9bed0df

SHA1
2a83a037ac20d30879d831e9007e2d35e7ec98ba

SHA256
49670cde80663d5ddfab7ca5bf5f78d3398a513ee91debc7f74abab9afe8b335

SHA512
5fc52c85db35b2cd538c1005552012d30b9a6fb6fd8e6e3f31a72ccb5f3cb958fea3f991e01f6637cfca909aa5c1e853f3f66fc917043927b244760d974691f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\奶罩子轮回.exe

Filesize
8.0MB

MD5
0f79956e611a733dbd438dc8a9bed0df

SHA1
2a83a037ac20d30879d831e9007e2d35e7ec98ba

SHA256
49670cde80663d5ddfab7ca5bf5f78d3398a513ee91debc7f74abab9afe8b335

SHA512
5fc52c85db35b2cd538c1005552012d30b9a6fb6fd8e6e3f31a72ccb5f3cb958fea3f991e01f6637cfca909aa5c1e853f3f66fc917043927b244760d974691f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\奶罩子轮回.exe

Filesize
8.0MB

MD5
0f79956e611a733dbd438dc8a9bed0df

SHA1
2a83a037ac20d30879d831e9007e2d35e7ec98ba

SHA256
49670cde80663d5ddfab7ca5bf5f78d3398a513ee91debc7f74abab9afe8b335

SHA512
5fc52c85db35b2cd538c1005552012d30b9a6fb6fd8e6e3f31a72ccb5f3cb958fea3f991e01f6637cfca909aa5c1e853f3f66fc917043927b244760d974691f3

Download Submit
\Users\Admin\AppData\Local\Temp\奶罩子轮回.exe

Filesize
8.0MB

MD5
0f79956e611a733dbd438dc8a9bed0df

SHA1
2a83a037ac20d30879d831e9007e2d35e7ec98ba

SHA256
49670cde80663d5ddfab7ca5bf5f78d3398a513ee91debc7f74abab9afe8b335

SHA512
5fc52c85db35b2cd538c1005552012d30b9a6fb6fd8e6e3f31a72ccb5f3cb958fea3f991e01f6637cfca909aa5c1e853f3f66fc917043927b244760d974691f3

Download Submit
\Users\Admin\AppData\Local\Temp\奶罩子轮回.exe

Filesize
8.0MB

MD5
0f79956e611a733dbd438dc8a9bed0df

SHA1
2a83a037ac20d30879d831e9007e2d35e7ec98ba

SHA256
49670cde80663d5ddfab7ca5bf5f78d3398a513ee91debc7f74abab9afe8b335

SHA512
5fc52c85db35b2cd538c1005552012d30b9a6fb6fd8e6e3f31a72ccb5f3cb958fea3f991e01f6637cfca909aa5c1e853f3f66fc917043927b244760d974691f3

Download Submit
memory/1200-565-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1200-575-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1200-552-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1200-550-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1200-555-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1200-556-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1200-558-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1200-560-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1200-563-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1200-549-0x0000000000400000-0x00000000013D0000-memory.dmp

Filesize
15.8MB

Download
memory/1200-568-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1200-570-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1200-573-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1200-553-0x0000000000400000-0x00000000013D0000-memory.dmp

Filesize
15.8MB

Download
memory/1200-578-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1200-580-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1200-581-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1200-583-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1200-585-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1200-586-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1200-587-0x0000000077DC0000-0x0000000077DC1000-memory.dmp

Filesize
4KB

Download
memory/1200-589-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1200-591-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1200-592-0x0000000000400000-0x00000000013D0000-memory.dmp

Filesize
15.8MB

Download
memory/1200-609-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/1200-619-0x0000000000400000-0x00000000013D0000-memory.dmp

Filesize
15.8MB

Download
memory/1200-620-0x0000000000400000-0x00000000013D0000-memory.dmp

Filesize
15.8MB

Download