a0d9bdc9fb26ade718dae42a4d12e23156c997dc742074de1c1f154071a3f93b

General

Target

洛克迷顺辅助V1.0版.exe
Size

1000KB
MD5

a07dbbcbaa07de2c41e8aab1c7b2b3c5
SHA1

a985ee8036968d9d701f90e78e7b28568e980d17
SHA256

2a2f645f06a8ee4470b7480aad5d42bb36c2f09f196315bf85eebc9283f0c4ce
SHA512

2ba37e7afdfed841f9387bf272793359003ffebfd139db4762e9404eb9439428e82f5242ce778888401e811cb20b786ade4f3afd1706728ad8f1e2880ac9e0d1
SSDEEP

12288:cbGhrr0viiK2lkgru/uJ//z8836jfnY057eGV8uAxKT/wCj52HLixv8yRPZ72y:cbGRVgou16zhFeG9ToC9uuxvrB2

Score

7^/10

upx vmprotect

Malware Config

Signatures

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4000-5-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-17-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-42-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-37-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-35-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-33-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-31-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-29-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-27-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-21-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-19-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-6-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-15-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-13-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-11-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-9-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4000-7-0x0000000010000000-0x000000001003E000-memory.dmp	upx

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4000-0-0x0000000000400000-0x0000000000712000-memory.dmp	vmprotect
behavioral2/memory/4000-2-0x0000000000400000-0x0000000000712000-memory.dmp	vmprotect
behavioral2/memory/4000-48-0x0000000000400000-0x0000000000712000-memory.dmp	vmprotect
behavioral2/memory/4000-49-0x0000000000400000-0x0000000000712000-memory.dmp	vmprotect
behavioral2/memory/4000-65-0x0000000000400000-0x0000000000712000-memory.dmp	vmprotect
behavioral2/memory/4000-69-0x0000000000400000-0x0000000000712000-memory.dmp	vmprotect
behavioral2/memory/4000-68-0x0000000000400000-0x0000000000712000-memory.dmp	vmprotect
behavioral2/memory/4000-79-0x0000000000400000-0x0000000000712000-memory.dmp	vmprotect
behavioral2/memory/4000-91-0x0000000000400000-0x0000000000712000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	洛克迷顺辅助V1.0版.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	洛克迷顺辅助V1.0版.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\IESettingSync	洛克迷顺辅助V1.0版.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	洛克迷顺辅助V1.0版.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4000	洛克迷顺辅助V1.0版.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4000	洛克迷顺辅助V1.0版.exe
4000	洛克迷顺辅助V1.0版.exe
4000	洛克迷顺辅助V1.0版.exe
4000	洛克迷顺辅助V1.0版.exe
4000	洛克迷顺辅助V1.0版.exe

C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe
"C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Favorites\Íâ¹Ò×÷·»¹Ù·½Õ¾ [www.zuowg.com].url

Filesize
110B

MD5
f9fc3e4f710ea6068eccca29ed784970

SHA1
eb6f961e7102e3aef227b204ff4dd9563f745812

SHA256
1c12badabe490d7c3d63bb0187965344ce0ed923eab707e446900a9b98913fcb

SHA512
b2d0db7a2c4b4d4e53a8daf2caff6a0ea826133038380e5dcf8c6493417f2884ecd61f047798189a3cff13cca3b9dbe99e5a501ce5de10488b2a337389b019ed

Download Submit
C:\Users\Admin\Favorites\Íâ¹Ò×÷·»×ÊÔ´Õ¾ [42724920.ys168.com].url

Filesize
115B

MD5
514d1b59ae8925c5edea3c446ce588dd

SHA1
60dd675b65c7ffaac6ca731dba265a6f316a6f75

SHA256
6bbfe9e113e075b646ae49400657b8bb20cbab06854b38bf007ac6e15cd7b773

SHA512
5bf3d0f1715b445852ad184907d2161967d51cb8fe9673330438d8705502bc63e263222c43839140c613a427b0b58b297e522b3953c2543453625e01b8017253

Download Submit
memory/4000-33-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-29-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-17-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-48-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4000-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-49-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4000-2-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4000-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4000-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-42-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-37-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-35-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-1-0x000000000061D000-0x000000000061F000-memory.dmp

Filesize
8KB

Download
memory/4000-31-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-5-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-27-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-65-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4000-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-19-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-6-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-15-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-13-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-11-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-9-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-7-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4000-69-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4000-68-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4000-79-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4000-91-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing