fc90a45a1b7a52464ad350a29b603a07366e44a996b6383a6b2bb971988183a4

Analysis

max time kernel
134s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 22:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fc90a45a1b7a52464ad350a29b603a07366e44a996b6383a6b2bb971988183a4.exe
Size

9.5MB
MD5

780b671e9c2a630ca00a75a5bb191ca6
SHA1

b8fb25ba070efc9d16aa37d1aa33f1448906f309
SHA256

fc90a45a1b7a52464ad350a29b603a07366e44a996b6383a6b2bb971988183a4
SHA512

801adcb8d7cf6a9b51551a64122031d1117232797a4483453b4b50f375eb20f82de1a4d60e9667df0cb76f474db533359ad882315768c54d54198be8eb73501e
SSDEEP

196608:uZzrENt07+s5HLrpgEmGMD+cpvJ/4H3nmghWoa/fsysMF4JD85lakji:uZVzFgbGMFgXnU7sElay

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2664	pwpYVwqJ69zhmjy.exe
2060	龙迹传奇3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2060	龙迹传奇3.exe
2060	龙迹传奇3.exe
2664	pwpYVwqJ69zhmjy.exe
2664	pwpYVwqJ69zhmjy.exe
2664	pwpYVwqJ69zhmjy.exe
2664	pwpYVwqJ69zhmjy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	龙迹传奇3.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2060	龙迹传奇3.exe
2060	龙迹传奇3.exe
2664	pwpYVwqJ69zhmjy.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2060	龙迹传奇3.exe
2060	龙迹传奇3.exe
2664	pwpYVwqJ69zhmjy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2060	龙迹传奇3.exe
2060	龙迹传奇3.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 2664	1144	fc90a45a1b7a52464ad350a29b603a07366e44a996b6383a6b2bb971988183a4.exe	85
PID 1144 wrote to memory of 2664	1144	fc90a45a1b7a52464ad350a29b603a07366e44a996b6383a6b2bb971988183a4.exe	85
PID 1144 wrote to memory of 2664	1144	fc90a45a1b7a52464ad350a29b603a07366e44a996b6383a6b2bb971988183a4.exe	85
PID 1144 wrote to memory of 2060	1144	fc90a45a1b7a52464ad350a29b603a07366e44a996b6383a6b2bb971988183a4.exe	90
PID 1144 wrote to memory of 2060	1144	fc90a45a1b7a52464ad350a29b603a07366e44a996b6383a6b2bb971988183a4.exe	90

C:\Users\Admin\AppData\Local\Temp\fc90a45a1b7a52464ad350a29b603a07366e44a996b6383a6b2bb971988183a4.exe
"C:\Users\Admin\AppData\Local\Temp\fc90a45a1b7a52464ad350a29b603a07366e44a996b6383a6b2bb971988183a4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Local\Temp\ytool\pwpYVwqJ69zhmjy.exe
  "C:\Users\Admin\AppData\Local\Temp\fc90a45a1b7a52464ad350a29b603a07366e44a996b6383a6b2bb971988183a4.exe" "C:\Users\Admin\AppData\Local\Temp\fc90a45a1b7a52464ad350a29b603a07366e44a996b6383a6b2bb971988183a4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\龙迹传奇3.exe
  "C:\Users\Admin\AppData\Local\Temp\龙迹传奇3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
258B

MD5
093b2f9aede8b8a90490a69d59147273

SHA1
69f34015f0ab862cfdfed7c91cd8cbc8201a6d03

SHA256
6f6a11036dc04de82bcbe2e725b72992c70e1e2c88b925d8863bc7cbdb6d8034

SHA512
c7327c42c79e2d224a2c5eea2d88ad3a4d0049649480de526018c368316e7bdd1b9c6c7d7e1384f8c638c357f4e50a0c96fd2ebc73fc2c753823a8641cdc9b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\pwpYVwqJ69zhmjy.exe

Filesize
5.7MB

MD5
e870664e705b60c7dd371417228bc983

SHA1
031be8e394299a3b972e98cbc07f4c0177f4e026

SHA256
d5f4cc240afce4a34059a60d239d9a79fcc9b5363c0037477a251733aeff0b92

SHA512
5d9606da62ad93a35c46a277cf5fe46a8bbeabd284055751d8820c391d69b92a19a42da1a7aa6d0776e15044b24ca32252897a4a463642c02f2831b516662ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\龙迹传奇3.exe

Filesize
886KB

MD5
aad400211bd1f3b70d6f00c53113e58c

SHA1
62ddf951a29a1434d3f9f9dd2db5361921755e06

SHA256
e4085d4714834cecedb094dc73c417ece1e34211fa3ed48d3f58d708332d72e6

SHA512
aa1aa9859dd6b472adeb8b188f67cc1633d342944d1e3a651bb47b7c632ebe78acaf7199520bf7a3538702145e1bb1da302b986fbf8a50d7e25b00a87e109042

Download Submit
memory/2060-23-0x00007FF96C8A0000-0x00007FF96D361000-memory.dmp

Filesize
10.8MB

Download
memory/2060-21-0x000001BBEEBF0000-0x000001BBEECBA000-memory.dmp

Filesize
808KB

Download
memory/2060-22-0x00007FF96C8A0000-0x00007FF96D361000-memory.dmp

Filesize
10.8MB

Download
memory/2060-20-0x00007FF96C8A3000-0x00007FF96C8A5000-memory.dmp

Filesize
8KB

Download
memory/2060-24-0x000001BBF08D0000-0x000001BBF08D8000-memory.dmp

Filesize
32KB

Download
memory/2060-26-0x000001BBF1240000-0x000001BBF124E000-memory.dmp

Filesize
56KB

Download
memory/2060-25-0x000001BBF1280000-0x000001BBF12B8000-memory.dmp

Filesize
224KB

Download
memory/2060-27-0x000001BBF2570000-0x000001BBF25E6000-memory.dmp

Filesize
472KB

Download
memory/2060-28-0x000001BBF2530000-0x000001BBF254E000-memory.dmp

Filesize
120KB

Download
memory/2060-49-0x00007FF96C8A3000-0x00007FF96C8A5000-memory.dmp

Filesize
8KB

Download
memory/2060-51-0x00007FF96C8A0000-0x00007FF96D361000-memory.dmp

Filesize
10.8MB

Download
memory/2060-52-0x00007FF96C8A0000-0x00007FF96D361000-memory.dmp

Filesize
10.8MB

Download