869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75

General

Target

869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
Size

13.7MB
MD5

a714ddc6076916b1c688b86338a43336
SHA1

d73fd48a4e7db3f44b001c54dff63b9258e6dfaa
SHA256

869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75
SHA512

a0c7c9bade112f518d2db56eb3b6ad6a6cbbb3b118d7a6e41832264c552553288312b44f0682566a0e567a945591581a1ae8112741cfd5a05b4d79e2d0831bdc
SSDEEP

196608:8MD+cpvJ/4H3nmghWoa/fsysMF4JD85l3kjiFJlzLJZzoFWe4fyGsnIRHqrB7XLI:8MFgXnU7sEl3yiLzMwRxnsxJ72

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe

Executes dropped EXE 1 IoCs

pid	Process
3848	奶罩子轮回.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3848	奶罩子轮回.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1212	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
1212	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
3848	奶罩子轮回.exe
3848	奶罩子轮回.exe
3848	奶罩子轮回.exe
3848	奶罩子轮回.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3848	奶罩子轮回.exe
Token: SeShutdownPrivilege	3848	奶罩子轮回.exe
Token: SeLoadDriverPrivilege	3848	奶罩子轮回.exe
Token: SeTakeOwnershipPrivilege	3848	奶罩子轮回.exe
Token: SeBackupPrivilege	3848	奶罩子轮回.exe
Token: SeRestorePrivilege	3848	奶罩子轮回.exe
Token: SeDebugPrivilege	3848	奶罩子轮回.exe
Token: SeShutdownPrivilege	3848	奶罩子轮回.exe
Token: SeLoadDriverPrivilege	3848	奶罩子轮回.exe
Token: SeTakeOwnershipPrivilege	3848	奶罩子轮回.exe
Token: SeBackupPrivilege	3848	奶罩子轮回.exe
Token: SeRestorePrivilege	3848	奶罩子轮回.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1212	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1212	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3848	奶罩子轮回.exe
3848	奶罩子轮回.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 3848	1212	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe	95
PID 1212 wrote to memory of 3848	1212	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe	95
PID 1212 wrote to memory of 3848	1212	869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe	95

C:\Users\Admin\AppData\Local\Temp\869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe
"C:\Users\Admin\AppData\Local\Temp\869ec3df6a7bee8f076c73ec1fb35d80af72ca846e051199ecd1102c6faeff75.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\奶罩子轮回.exe
  C:\Users\Admin\AppData\Local\Temp\奶罩子轮回.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
27KB

MD5
a4db9ccf43c0d361c99255091be684a0

SHA1
073e82d4e325d6f5d7b14638ef2cce50fdadc181

SHA256
36272e829db2cfbec2d33a8d1f5ef6004454f513921e64406e5f343eacf84578

SHA512
acff520e9da5d56309ac5606aa3235f832faccabb19841de674bdae7f95c9c3f43d6f0b95100555b9295e9e56373d4b0d067c8a5863f95a68897fc7b24274b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
32KB

MD5
6dfed3d17627244147b6fb19cb0577cc

SHA1
a6c0deeb8b8491ad6afce1cbfe45631d4ba10d7d

SHA256
11b2e4bb75bf9776ac776b4c201b8ca1f52f559c02c808ef62b79fccfb35c525

SHA512
01fa024923d115be9cd6790c6112c3cfa21705cbec16e24e1f782a22f58014ae240c2d78c4569829cb48ed4e4642f85b5d8669e52a188edc988eae742383f15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
308B

MD5
4ac55e95e3b40750ac81edc530b189be

SHA1
03c8a05dffa337b6093426d37f6fdf58e775cc12

SHA256
1514e6fcba6161c81c80da821c4a1dbb1622cd0426d790ce174d971dddbbb55b

SHA512
3f1ad127ac2d45a09c26579806bc1b02d710610a61901336b0cd44a45b8d932819020809066544e1fe71d81629e5f68bffefe7785ea7084353367d2bc024c075

Download Submit
C:\Users\Admin\AppData\Local\Temp\奶罩子轮回.exe

Filesize
8.0MB

MD5
0f79956e611a733dbd438dc8a9bed0df

SHA1
2a83a037ac20d30879d831e9007e2d35e7ec98ba

SHA256
49670cde80663d5ddfab7ca5bf5f78d3398a513ee91debc7f74abab9afe8b335

SHA512
5fc52c85db35b2cd538c1005552012d30b9a6fb6fd8e6e3f31a72ccb5f3cb958fea3f991e01f6637cfca909aa5c1e853f3f66fc917043927b244760d974691f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\奶罩子轮回.exe

Filesize
8.0MB

MD5
0f79956e611a733dbd438dc8a9bed0df

SHA1
2a83a037ac20d30879d831e9007e2d35e7ec98ba

SHA256
49670cde80663d5ddfab7ca5bf5f78d3398a513ee91debc7f74abab9afe8b335

SHA512
5fc52c85db35b2cd538c1005552012d30b9a6fb6fd8e6e3f31a72ccb5f3cb958fea3f991e01f6637cfca909aa5c1e853f3f66fc917043927b244760d974691f3

Download Submit
memory/3848-544-0x00000000018B0000-0x00000000018B1000-memory.dmp

Filesize
4KB

Download
memory/3848-542-0x0000000000400000-0x00000000013D0000-memory.dmp

Filesize
15.8MB

Download
memory/3848-543-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/3848-540-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/3848-545-0x00000000018C0000-0x00000000018C1000-memory.dmp

Filesize
4KB

Download
memory/3848-546-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/3848-541-0x0000000001860000-0x0000000001861000-memory.dmp

Filesize
4KB

Download
memory/3848-547-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/3848-548-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/3848-550-0x0000000000400000-0x00000000013D0000-memory.dmp

Filesize
15.8MB

Download
memory/3848-553-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/3848-559-0x0000000000400000-0x00000000013D0000-memory.dmp

Filesize
15.8MB

Download
memory/3848-560-0x0000000000400000-0x00000000013D0000-memory.dmp

Filesize
15.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads