dc1ebbb7b12eb3505b1cb173e77fc802a7f064946673d1c06a9e53d1be8e1fab

General

Target

刷QQ音乐排行榜.exe
Size

2.9MB
MD5

d81242d04c8a7e6b9af5c3d35277d6d0
SHA1

538aa66cf73ae5203c4518d09214a33a4f80b9cd
SHA256

e6fa0b6accebd7daac4104c59b43229e9f2964de57a009faa90d1c5905143fb8
SHA512

34adf691c257f7a94f952b74e072ed245d7cdd73221f0a850a684fcb09bcf1c2df28db7121cb13bf877eff36b586dee5de0bba0da8cd6263e2ff26b37bea21eb
SSDEEP

49152:cr2wLOGsUIdtA+9z1y5ULCacRmKAFXUp7ZOZwRTkhJxWEKZf:uFLOGsUIdtAKzdCackKAc7+wyAE

Score

8^/10

vmprotect

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

Processes:

90.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\SET78BA.tmp	90.exe
File created	C:\Windows\system32\DRIVERS\SET78BA.tmp	90.exe
File opened for modification	C:\Windows\system32\DRIVERS\Mslmedia.sys	90.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

90.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation 90.exe
Executes dropped EXE 2 IoCs

Processes:

46.exe90.exe

pid process

968 46.exe
3708 90.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	90.exe

pid	process
968	46.exe
3708	90.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\46.exe	vmprotect
behavioral2/memory/968-4-0x0000000000400000-0x00000000006CE000-memory.dmp	vmprotect
behavioral2/memory/968-5-0x0000000000400000-0x00000000006CE000-memory.dmp	vmprotect
behavioral2/memory/968-37-0x0000000000400000-0x00000000006CE000-memory.dmp	vmprotect

Drops file in Windows directory 4 IoCs

Processes:

90.exe

description	ioc	process
File created	C:\Windows\_ntdll.bak	90.exe
File opened for modification	C:\Windows\_ntdll.bak	90.exe
File opened for modification	C:\Windows\hllog.txt	90.exe
File created	C:\Windows\Setupsti.log	90.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4636 PING.EXE

pid	process
4636	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

刷QQ音乐排行榜.exe46.exe

pid	process
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
1456	刷QQ音乐排行榜.exe
968	46.exe
968	46.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
656

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

90.exe

description	pid	process
Token: SeDebugPrivilege	3708	90.exe
Token: SeAssignPrimaryTokenPrivilege	3708	90.exe
Token: SeAuditPrivilege	3708	90.exe
Token: SeBackupPrivilege	3708	90.exe
Token: SeChangeNotifyPrivilege	3708	90.exe
Token: SeCreatePagefilePrivilege	3708	90.exe
Token: SeCreatePermanentPrivilege	3708	90.exe
Token: SeCreateTokenPrivilege	3708	90.exe
Token: SeIncBasePriorityPrivilege	3708	90.exe
Token: SeIncreaseQuotaPrivilege	3708	90.exe
Token: SeLoadDriverPrivilege	3708	90.exe
Token: SeLockMemoryPrivilege	3708	90.exe
Token: SeProfSingleProcessPrivilege	3708	90.exe
Token: SeRemoteShutdownPrivilege	3708	90.exe
Token: SeRestorePrivilege	3708	90.exe
Token: SeSecurityPrivilege	3708	90.exe
Token: SeShutdownPrivilege	3708	90.exe
Token: SeSystemEnvironmentPrivilege	3708	90.exe
Token: SeSystemProfilePrivilege	3708	90.exe
Token: SeSystemtimePrivilege	3708	90.exe
Token: SeTakeOwnershipPrivilege	3708	90.exe
Token: SeTcbPrivilege	3708	90.exe
Token: SeMachineAccountPrivilege	3708	90.exe
Token: SeDebugPrivilege	3708	90.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

刷QQ音乐排行榜.exe46.exe

pid process

1456 刷QQ音乐排行榜.exe
1456 刷QQ音乐排行榜.exe
968 46.exe
968 46.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

刷QQ音乐排行榜.exe90.execmd.exe

description	pid	process	target process
PID 1456 wrote to memory of 968	1456	刷QQ音乐排行榜.exe	46.exe
PID 1456 wrote to memory of 968	1456	刷QQ音乐排行榜.exe	46.exe
PID 1456 wrote to memory of 968	1456	刷QQ音乐排行榜.exe	46.exe
PID 1456 wrote to memory of 3708	1456	刷QQ音乐排行榜.exe	90.exe
PID 1456 wrote to memory of 3708	1456	刷QQ音乐排行榜.exe	90.exe
PID 1456 wrote to memory of 3708	1456	刷QQ音乐排行榜.exe	90.exe
PID 3708 wrote to memory of 400	3708	90.exe	cmd.exe
PID 3708 wrote to memory of 400	3708	90.exe	cmd.exe
PID 3708 wrote to memory of 400	3708	90.exe	cmd.exe
PID 400 wrote to memory of 4636	400	cmd.exe	PING.EXE
PID 400 wrote to memory of 4636	400	cmd.exe	PING.EXE
PID 400 wrote to memory of 4636	400	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\刷QQ音乐排行榜.exe
"C:\Users\Admin\AppData\Local\Temp\刷QQ音乐排行榜.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\46.exe
C:\Users\Admin\AppData\Local\Temp\46.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:968

C:\Users\Admin\AppData\Local\Temp\90.exe
C:\Users\Admin\AppData\Local\Temp\90.exe
2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_lm_delself_.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\PING.EXE
C:\Windows\system32\ping.exe 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46.exe

Filesize
1.2MB

MD5
930e16d438c4bf3f4b1b12c4d1fbbb24

SHA1
aefca05fdad45b77a1eda04ea5c9f74526d4f048

SHA256
c75be5467243b5ba610386fa4ece8a76324f5ac7142130a52ce44b0d1632a653

SHA512
ba089584371ea86dbf36f3edf735a9bb2d634766821902012f0e3c33078dc968bfc3666e0d8ca93bb611c642bc4d15f84709027c8b1d461246f48ec890a8c4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\90.exe

Filesize
926KB

MD5
493fd3fea30ec04f504651751bafe15e

SHA1
3bc4cea48691bb2c47aae2054d1c909c802d52d6

SHA256
ec786e2604aafa308a84c0b1c321651f4981fac9f96973d138bc79bb8c54fe6a

SHA512
cb501015c3ac6cb8e9933a5219f9c5a6dff05a50079865635e203bab98a0824ffd4bc1d5928a2ef3fa49b22eca853cb8c695c0a6120c324586fdab13a0627f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_lm_delself_.bat

Filesize
102B

MD5
20839f38a7605f8b67a1521a531407ff

SHA1
91903f6ebe798410eba115a078dd5fcabe03abda

SHA256
5671cab2d881c099ee5f5dce2147de818f620c1f6a1276c099ca66b64a84566c

SHA512
3dd855ab0521aa758a0498a8699ef73dd590db1714ef8d53524902b3f7961f0d40d8dbac205c36ca9e4e0a6011f8d28fb6c15fd667ad22be9da68324ea929d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tmp_hl\mslmedia.sys

Filesize
22KB

MD5
9d9dc0cdbf3e6be3bdaee95872f7c5b3

SHA1
ad74265c02507ebf5a4e283a4b24000fd946b4f2

SHA256
a3442dbb95c96bf15f40f84dd80eacdd02a2b8511a64c0827ada0e3484da026e

SHA512
c105110cc57c25089d9e7feeae2e1f4cc9730351f05d7ec947e736ac3c8d51b02a9fd4c279bc0484770a38980a8013ee05f440b9e44a8f6b5e3151f7a404a6d1

Download Submit
memory/968-4-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/968-5-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/968-7-0x0000000076800000-0x0000000076801000-memory.dmp

Filesize
4KB

Download
memory/968-8-0x0000000077FB0000-0x0000000077FB1000-memory.dmp

Filesize
4KB

Download
memory/968-37-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3708-35-0x0000000000E60000-0x0000000000E97000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads