Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
17-11-2023 15:42
Static task
static1
Behavioral task
behavioral1
Sample
加速器破解/BGX工具SST6.0.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
加速器破解/BGX工具SST6.0.exe
Resource
win10v2004-20231023-en
Behavioral task
behavioral3
Sample
加速器破解/破解补丁.exe
Resource
win7-20231020-en
Behavioral task
behavioral4
Sample
加速器破解/破解补丁.exe
Resource
win10v2004-20231020-en
General
-
Target
加速器破解/破解补丁.exe
-
Size
1.7MB
-
MD5
3a740fd4be0cf91afb6b24578377831b
-
SHA1
13672b2c077adab7132243ad5668b790d97542a9
-
SHA256
098d2e56d29568e907b5df84ca8cd629fb5e24ec1f612b60133dda9063ce8aef
-
SHA512
b3d9821e2677d9a696548a65ea842b9bac2cec5b616f0162c53c83a1da9bf64beddfe4a46fcb901ba8490d9abe6d02e8cb88c57c8864a91981b27a6ae84de0ae
-
SSDEEP
12288:2G/0XYg0NtX46rHjOe7Sy5oFUEv6xgIsxITrLSRfWP5x0c:2G8XY5NF4sjP152Ua6dsxI8f05v
Malware Config
Signatures
-
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
-
Chinese Botnet payload 1 IoCs
resource yara_rule behavioral3/memory/2144-8-0x0000000010000000-0x0000000010018000-memory.dmp unk_chinese_botnet -
Executes dropped EXE 2 IoCs
pid Process 2144 Server.exe 2276 Gouarlv.exe -
Loads dropped DLL 2 IoCs
pid Process 2540 破解补丁.exe 2540 破解补丁.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: Server.exe File opened (read-only) \??\S: Server.exe File opened (read-only) \??\V: Server.exe File opened (read-only) \??\G: Server.exe File opened (read-only) \??\I: Server.exe File opened (read-only) \??\P: Server.exe File opened (read-only) \??\O: Server.exe File opened (read-only) \??\Y: Server.exe File opened (read-only) \??\Z: Server.exe File opened (read-only) \??\H: Server.exe File opened (read-only) \??\K: Server.exe File opened (read-only) \??\L: Server.exe File opened (read-only) \??\M: Server.exe File opened (read-only) \??\R: Server.exe File opened (read-only) \??\W: Server.exe File opened (read-only) \??\N: Server.exe File opened (read-only) \??\T: Server.exe File opened (read-only) \??\U: Server.exe File opened (read-only) \??\X: Server.exe File opened (read-only) \??\B: Server.exe File opened (read-only) \??\E: Server.exe File opened (read-only) \??\J: Server.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Server.exe 破解补丁.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat Gouarlv.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft Eiwisc\Gouarlv.exe Server.exe File opened for modification C:\Program Files (x86)\Microsoft Eiwisc\Gouarlv.exe Server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Server.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix Gouarlv.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" Gouarlv.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a4-fb-8f-af-0c\WpadDecisionReason = "1" Gouarlv.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a4-fb-8f-af-0c\WpadDecision = "0" Gouarlv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Gouarlv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Gouarlv.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" Gouarlv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad Gouarlv.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" Gouarlv.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" Gouarlv.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" Gouarlv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings Gouarlv.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0079000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Gouarlv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23F489A8-FB5E-4A72-8A9D-B1BFD15D50DE} Gouarlv.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23F489A8-FB5E-4A72-8A9D-B1BFD15D50DE}\WpadDecisionReason = "1" Gouarlv.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23F489A8-FB5E-4A72-8A9D-B1BFD15D50DE}\WpadDecision = "0" Gouarlv.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Gouarlv.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Gouarlv.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a4-fb-8f-af-0c\WpadDecisionTime = c04d67d36c19da01 Gouarlv.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23F489A8-FB5E-4A72-8A9D-B1BFD15D50DE}\WpadNetworkName = "Network 2" Gouarlv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a4-fb-8f-af-0c Gouarlv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23F489A8-FB5E-4A72-8A9D-B1BFD15D50DE}\e2-a4-fb-8f-af-0c Gouarlv.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Gouarlv.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23F489A8-FB5E-4A72-8A9D-B1BFD15D50DE}\WpadDecisionTime = c04d67d36c19da01 Gouarlv.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe 2540 破解补丁.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2540 破解补丁.exe 2540 破解补丁.exe 2144 Server.exe 2276 Gouarlv.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2540 wrote to memory of 2144 2540 破解补丁.exe 28 PID 2540 wrote to memory of 2144 2540 破解补丁.exe 28 PID 2540 wrote to memory of 2144 2540 破解补丁.exe 28 PID 2540 wrote to memory of 2144 2540 破解补丁.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\加速器破解\破解补丁.exe"C:\Users\Admin\AppData\Local\Temp\加速器破解\破解补丁.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Server.exeC:\Windows\system32\\Server.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2144
-
-
C:\Program Files (x86)\Microsoft Eiwisc\Gouarlv.exe"C:\Program Files (x86)\Microsoft Eiwisc\Gouarlv.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2276
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD55e0bd14c0976831e38f6674892ed9ac6
SHA12d345b6ce9fb5c3f70353530f392c70b5776e95a
SHA25635f667c4f1cdd84b6eeb17d17047d0943a6fe72ea61a37295ef41d1b3fdd6302
SHA5124a36d2c59d911517b27d0ac60db6c6a9c3e1e2a26c49aee3a7cc4985658bc881135fbb1ec7f2667147c7b9db015a9dfb7a7e57838180027dfe9e8f197c0cf437
-
Filesize
1.0MB
MD55e0bd14c0976831e38f6674892ed9ac6
SHA12d345b6ce9fb5c3f70353530f392c70b5776e95a
SHA25635f667c4f1cdd84b6eeb17d17047d0943a6fe72ea61a37295ef41d1b3fdd6302
SHA5124a36d2c59d911517b27d0ac60db6c6a9c3e1e2a26c49aee3a7cc4985658bc881135fbb1ec7f2667147c7b9db015a9dfb7a7e57838180027dfe9e8f197c0cf437
-
Filesize
1.0MB
MD55e0bd14c0976831e38f6674892ed9ac6
SHA12d345b6ce9fb5c3f70353530f392c70b5776e95a
SHA25635f667c4f1cdd84b6eeb17d17047d0943a6fe72ea61a37295ef41d1b3fdd6302
SHA5124a36d2c59d911517b27d0ac60db6c6a9c3e1e2a26c49aee3a7cc4985658bc881135fbb1ec7f2667147c7b9db015a9dfb7a7e57838180027dfe9e8f197c0cf437
-
Filesize
1.0MB
MD55e0bd14c0976831e38f6674892ed9ac6
SHA12d345b6ce9fb5c3f70353530f392c70b5776e95a
SHA25635f667c4f1cdd84b6eeb17d17047d0943a6fe72ea61a37295ef41d1b3fdd6302
SHA5124a36d2c59d911517b27d0ac60db6c6a9c3e1e2a26c49aee3a7cc4985658bc881135fbb1ec7f2667147c7b9db015a9dfb7a7e57838180027dfe9e8f197c0cf437
-
Filesize
1.0MB
MD55e0bd14c0976831e38f6674892ed9ac6
SHA12d345b6ce9fb5c3f70353530f392c70b5776e95a
SHA25635f667c4f1cdd84b6eeb17d17047d0943a6fe72ea61a37295ef41d1b3fdd6302
SHA5124a36d2c59d911517b27d0ac60db6c6a9c3e1e2a26c49aee3a7cc4985658bc881135fbb1ec7f2667147c7b9db015a9dfb7a7e57838180027dfe9e8f197c0cf437
-
Filesize
1.0MB
MD55e0bd14c0976831e38f6674892ed9ac6
SHA12d345b6ce9fb5c3f70353530f392c70b5776e95a
SHA25635f667c4f1cdd84b6eeb17d17047d0943a6fe72ea61a37295ef41d1b3fdd6302
SHA5124a36d2c59d911517b27d0ac60db6c6a9c3e1e2a26c49aee3a7cc4985658bc881135fbb1ec7f2667147c7b9db015a9dfb7a7e57838180027dfe9e8f197c0cf437