8272912ee1bf16a05192042253c37356e5944c0e26795772a14c606565ca58b6

Analysis

max time kernel
157s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YY5331过非法VE/Vzla Engine.exe
Size

2.3MB
MD5

e9b474c85cf7783fbd41e8411844cac5
SHA1

1af729aa53eed933fecc77ee5633ff4aae61371b
SHA256

f1dbbe9ba61a7e03dcb263b3444a3ccaeabe165cda937864772ecd1e8c5771b7
SHA512

4dc75d9e10551cf801cdae469bf5f42cd1907cfe43a993695d35456d564a9c7ae138df284445987ac4de237925fcad8fdcdf8c52cddbcd182e72a11b7a2aceb8
SSDEEP

24576:UVXRfLOKgZDB21NmRPqx+1Ceg0bedstbvCz0qcWyth+Ybx12raCTb7Yt8NFmQaak:UVXmuHsg0bnU4krawb7Yt8NFmQJAa

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral7/memory/2820-0-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-2-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-3-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-4-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-5-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-6-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-8-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-10-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-12-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-14-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-17-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-19-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-32-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-35-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-37-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-39-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-30-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-49-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-47-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-45-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-43-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-41-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-28-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-26-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-24-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-22-0x0000000000350000-0x000000000038D000-memory.dmp	upx
behavioral7/memory/2820-53-0x0000000000350000-0x000000000038D000-memory.dmp	upx

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\shell	Vzla Engine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\shell\open	Vzla Engine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\shell\open\command\preCE	Vzla Engine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YY5331???VE\\Vzla Engine.exe \"%1\""	Vzla Engine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\shell\open\command	Vzla Engine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT	Vzla Engine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\DefaultIcon	Vzla Engine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\DefaultIcon\preCE	Vzla Engine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YY5331???VE\\Vzla Engine.exe,0"	Vzla Engine.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	Vzla Engine.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2820	Vzla Engine.exe

C:\Users\Admin\AppData\Local\Temp\YY5331过非法VE\Vzla Engine.exe
"C:\Users\Admin\AppData\Local\Temp\YY5331过非法VE\Vzla Engine.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2820-0-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-2-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-3-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-4-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-5-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-6-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-8-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-10-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-12-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-14-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-17-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-19-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-32-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-35-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-37-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-39-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-30-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-49-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-47-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-45-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-43-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-41-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-28-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-26-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-24-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-22-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-52-0x0000000000990000-0x0000000000A90000-memory.dmp

Filesize
1024KB

Download
memory/2820-53-0x0000000000350000-0x000000000038D000-memory.dmp

Filesize
244KB

Download
memory/2820-54-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2820-55-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2820-56-0x0000000000990000-0x0000000000A90000-memory.dmp

Filesize
1024KB

Download
memory/2820-57-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2820-58-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2820-59-0x0000000005170000-0x0000000005192000-memory.dmp

Filesize
136KB

Download
memory/2820-60-0x0000000005170000-0x0000000005192000-memory.dmp

Filesize
136KB

Download
memory/2820-61-0x0000000005170000-0x0000000005192000-memory.dmp

Filesize
136KB

Download