dc1ebbb7b12eb3505b1cb173e77fc802a7f064946673d1c06a9e53d1be8e1fab

General

Target

刷QQ音乐排行榜.exe
Size

2.9MB
MD5

d81242d04c8a7e6b9af5c3d35277d6d0
SHA1

538aa66cf73ae5203c4518d09214a33a4f80b9cd
SHA256

e6fa0b6accebd7daac4104c59b43229e9f2964de57a009faa90d1c5905143fb8
SHA512

34adf691c257f7a94f952b74e072ed245d7cdd73221f0a850a684fcb09bcf1c2df28db7121cb13bf877eff36b586dee5de0bba0da8cd6263e2ff26b37bea21eb
SSDEEP

49152:cr2wLOGsUIdtA+9z1y5ULCacRmKAFXUp7ZOZwRTkhJxWEKZf:uFLOGsUIdtAKzdCackKAc7+wyAE

Score

8^/10

vmprotect

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

Processes:

87.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\Mslmedia.sys	87.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET6059.tmp	87.exe
File created	C:\Windows\system32\DRIVERS\SET6059.tmp	87.exe

Executes dropped EXE 2 IoCs

Processes:

81.exe87.exe

pid process

1036 81.exe
1268 87.exe
Loads dropped DLL 3 IoCs

Processes:

刷QQ音乐排行榜.exe

pid process

2240 刷QQ音乐排行榜.exe
2240 刷QQ音乐排行榜.exe
2240 刷QQ音乐排行榜.exe

pid	process
1036	81.exe
1268	87.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\81.exe	vmprotect
behavioral1/memory/1036-11-0x0000000000400000-0x00000000006CE000-memory.dmp	vmprotect
behavioral1/memory/1036-20-0x0000000000400000-0x00000000006CE000-memory.dmp	vmprotect
behavioral1/memory/1036-57-0x0000000000400000-0x00000000006CE000-memory.dmp	vmprotect

Drops file in Windows directory 5 IoCs

Processes:

87.exe

description	ioc	process
File created	C:\Windows\_ntdll.bak	87.exe
File opened for modification	C:\Windows\_ntdll.bak	87.exe
File opened for modification	C:\Windows\hllog.txt	87.exe
File created	C:\Windows\Setupsti.log	87.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	87.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

572 PING.EXE

pid	process
572	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

刷QQ音乐排行榜.exe81.exe

pid	process
2240	刷QQ音乐排行榜.exe
2240	刷QQ音乐排行榜.exe
2240	刷QQ音乐排行榜.exe
2240	刷QQ音乐排行榜.exe
2240	刷QQ音乐排行榜.exe
2240	刷QQ音乐排行榜.exe
2240	刷QQ音乐排行榜.exe
2240	刷QQ音乐排行榜.exe
2240	刷QQ音乐排行榜.exe
2240	刷QQ音乐排行榜.exe
2240	刷QQ音乐排行榜.exe
2240	刷QQ音乐排行榜.exe
2240	刷QQ音乐排行榜.exe
2240	刷QQ音乐排行榜.exe
1036	81.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

87.exe

description	pid	process
Token: SeDebugPrivilege	1268	87.exe
Token: SeAssignPrimaryTokenPrivilege	1268	87.exe
Token: SeAuditPrivilege	1268	87.exe
Token: SeBackupPrivilege	1268	87.exe
Token: SeChangeNotifyPrivilege	1268	87.exe
Token: SeCreatePagefilePrivilege	1268	87.exe
Token: SeCreatePermanentPrivilege	1268	87.exe
Token: SeCreateTokenPrivilege	1268	87.exe
Token: SeIncBasePriorityPrivilege	1268	87.exe
Token: SeIncreaseQuotaPrivilege	1268	87.exe
Token: SeLoadDriverPrivilege	1268	87.exe
Token: SeLockMemoryPrivilege	1268	87.exe
Token: SeProfSingleProcessPrivilege	1268	87.exe
Token: SeRemoteShutdownPrivilege	1268	87.exe
Token: SeRestorePrivilege	1268	87.exe
Token: SeSecurityPrivilege	1268	87.exe
Token: SeShutdownPrivilege	1268	87.exe
Token: SeSystemEnvironmentPrivilege	1268	87.exe
Token: SeSystemProfilePrivilege	1268	87.exe
Token: SeSystemtimePrivilege	1268	87.exe
Token: SeTakeOwnershipPrivilege	1268	87.exe
Token: SeTcbPrivilege	1268	87.exe
Token: SeMachineAccountPrivilege	1268	87.exe
Token: SeDebugPrivilege	1268	87.exe
Token: SeRestorePrivilege	1268	87.exe
Token: SeRestorePrivilege	1268	87.exe
Token: SeRestorePrivilege	1268	87.exe
Token: SeRestorePrivilege	1268	87.exe
Token: SeRestorePrivilege	1268	87.exe
Token: SeRestorePrivilege	1268	87.exe
Token: SeRestorePrivilege	1268	87.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

刷QQ音乐排行榜.exe81.exe

pid process

2240 刷QQ音乐排行榜.exe
2240 刷QQ音乐排行榜.exe
1036 81.exe
1036 81.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

刷QQ音乐排行榜.exe87.execmd.exe

description	pid	process	target process
PID 2240 wrote to memory of 1036	2240	刷QQ音乐排行榜.exe	81.exe
PID 2240 wrote to memory of 1036	2240	刷QQ音乐排行榜.exe	81.exe
PID 2240 wrote to memory of 1036	2240	刷QQ音乐排行榜.exe	81.exe
PID 2240 wrote to memory of 1036	2240	刷QQ音乐排行榜.exe	81.exe
PID 2240 wrote to memory of 1268	2240	刷QQ音乐排行榜.exe	87.exe
PID 2240 wrote to memory of 1268	2240	刷QQ音乐排行榜.exe	87.exe
PID 2240 wrote to memory of 1268	2240	刷QQ音乐排行榜.exe	87.exe
PID 2240 wrote to memory of 1268	2240	刷QQ音乐排行榜.exe	87.exe
PID 1268 wrote to memory of 2012	1268	87.exe	cmd.exe
PID 1268 wrote to memory of 2012	1268	87.exe	cmd.exe
PID 1268 wrote to memory of 2012	1268	87.exe	cmd.exe
PID 1268 wrote to memory of 2012	1268	87.exe	cmd.exe
PID 2012 wrote to memory of 572	2012	cmd.exe	PING.EXE
PID 2012 wrote to memory of 572	2012	cmd.exe	PING.EXE
PID 2012 wrote to memory of 572	2012	cmd.exe	PING.EXE
PID 2012 wrote to memory of 572	2012	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\刷QQ音乐排行榜.exe
"C:\Users\Admin\AppData\Local\Temp\刷QQ音乐排行榜.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\81.exe
C:\Users\Admin\AppData\Local\Temp\81.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1036

C:\Users\Admin\AppData\Local\Temp\87.exe
C:\Users\Admin\AppData\Local\Temp\87.exe
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_lm_delself_.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\PING.EXE
C:\Windows\system32\ping.exe 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\87.exe

Filesize
926KB

MD5
493fd3fea30ec04f504651751bafe15e

SHA1
3bc4cea48691bb2c47aae2054d1c909c802d52d6

SHA256
ec786e2604aafa308a84c0b1c321651f4981fac9f96973d138bc79bb8c54fe6a

SHA512
cb501015c3ac6cb8e9933a5219f9c5a6dff05a50079865635e203bab98a0824ffd4bc1d5928a2ef3fa49b22eca853cb8c695c0a6120c324586fdab13a0627f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_lm_delself_.bat

Filesize
102B

MD5
fc1cdcc5d72d2511dee0662b9b342312

SHA1
84571afa30f31970fbedb424eb51b833831b1786

SHA256
21dd8777689643a0839941573c5254c8967be4f129e0f9ad7b2d6c3b9a3c67ab

SHA512
6f52b2a150b1ad706ea4da9f01d3dae670ee77b9b4cf0963c69c14e23e7206a275e6cb39fd543f7d8155f993254cc63e37ce444c79b3d869c4790aaa0d1a56be

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tmp_hl\mslmedia.sys

Filesize
22KB

MD5
9d9dc0cdbf3e6be3bdaee95872f7c5b3

SHA1
ad74265c02507ebf5a4e283a4b24000fd946b4f2

SHA256
a3442dbb95c96bf15f40f84dd80eacdd02a2b8511a64c0827ada0e3484da026e

SHA512
c105110cc57c25089d9e7feeae2e1f4cc9730351f05d7ec947e736ac3c8d51b02a9fd4c279bc0484770a38980a8013ee05f440b9e44a8f6b5e3151f7a404a6d1

Download Submit
\Users\Admin\AppData\Local\Temp\81.exe

Filesize
1.2MB

MD5
930e16d438c4bf3f4b1b12c4d1fbbb24

SHA1
aefca05fdad45b77a1eda04ea5c9f74526d4f048

SHA256
c75be5467243b5ba610386fa4ece8a76324f5ac7142130a52ce44b0d1632a653

SHA512
ba089584371ea86dbf36f3edf735a9bb2d634766821902012f0e3c33078dc968bfc3666e0d8ca93bb611c642bc4d15f84709027c8b1d461246f48ec890a8c4ca

Download Submit
memory/1036-14-0x0000000078010000-0x0000000078011000-memory.dmp

Filesize
4KB

Download
memory/1036-18-0x0000000077580000-0x0000000077581000-memory.dmp

Filesize
4KB

Download
memory/1036-20-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/1036-12-0x0000000078010000-0x0000000078011000-memory.dmp

Filesize
4KB

Download
memory/1036-24-0x0000000078010000-0x0000000078011000-memory.dmp

Filesize
4KB

Download
memory/1036-23-0x0000000077580000-0x0000000077581000-memory.dmp

Filesize
4KB

Download
memory/1036-11-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/1036-57-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/1268-55-0x00000000010D0000-0x0000000001107000-memory.dmp

Filesize
220KB

Download
memory/2240-7-0x00000000022B0000-0x000000000257E000-memory.dmp

Filesize
2.8MB

Download
memory/2240-8-0x00000000022B0000-0x000000000257E000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads