Analysis
max time kernel: 133s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 03:35
Static task: static1
Behavioral task: behavioral1
  Sample: 773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe
  Resource: win10v2004-20240508-en
General
Target: 773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe
Size: 14.6MB
MD5: fe68426c101539218495386138e7ac48
SHA1: f3f3e88d6ea0b43976d4878c7c36438106e1fbc7
SHA256: 773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee
SHA512: 683b1d91b900632d7d762a99a11d9ead335567e6037e758633dd86027bc4bf657b0d142cc11f6be44b2f52d80114201d37c4d811bc1854921fc4acd2bc6a3d8e
SSDEEP: 196608:QNym2iBYGfsV3zP/wYekZ1oKnMK6kJHqPbVruhmR/SACkCkyhXQ6ldGsTQN7pDzh:QN4H3/Jzn8EYpvCEzy
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  Processes:
    PID 3804  Q5OtjP5ukwzjaEj.exe
    PID 3352  白衣江湖22.0.exe
Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    File opened (read-only) \??\e:  by 白衣江湖22.0.exe
    File opened (read-only) \??\h:  by 白衣江湖22.0.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    PID 3804  Q5OtjP5ukwzjaEj.exe  (6 occurrences)
Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    PID 3804  Q5OtjP5ukwzjaEj.exe
Suspicious use of SendNotifyMessage (1 IoC)
  Processes:
    PID 3804  Q5OtjP5ukwzjaEj.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    PID 3352  白衣江湖22.0.exe  (4 occurrences)
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (writer PID wrote to memory of target PID; writer image -> target image):
    PID 5092 wrote to memory of 3804  773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe -> Q5OtjP5ukwzjaEj.exe  (3 occurrences)
    PID 5092 wrote to memory of 3352  773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe -> 白衣江湖22.0.exe  (3 occurrences)
  Note: both children of PID 5092 received the same three writes from their parent, which is what ordinary process creation looks like in this kind of report (the parent populates the new process's initial memory while creating it). On its own the signature is not evidence of code injection; the material finding is that the two written-to processes are the EXEs the sample dropped and then executed.
Processes
C:\Users\Admin\AppData\Local\Temp\773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe  (PID 5092, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ytool\Q5OtjP5ukwzjaEj.exe  (PID 3804, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe" "C:\Users\Admin\AppData\Local\Temp\773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe"
    (The image executed is the dropped ytool binary, but the recorded command line carries the original sample's path as both argv[0] and the only argument. A detection or log search keyed on the command line would not show ytool\Q5OtjP5ukwzjaEj.exe; match on the image path instead.)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Users\Admin\AppData\Local\Temp\白衣江湖22.0.exe  (PID 3352, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\白衣江湖22.0.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of SetWindowsHookEx
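An added example, not part of the sandbox report and not code from the sample: a short Python script that parses the WriteProcessMemory rows and the "Executes dropped EXE" rows of this report (copied inline as constructed input, in this page's own row layout), builds the parent-to-child write map, and separates the drop-and-execute chain from any child that received more parent writes than its siblings, the pattern that would warrant a closer look for injection. The regular expression and the sibling-baseline heuristic are assumptions of the example, not something the sandbox exposes.

```python
import re
from collections import Counter, defaultdict

# Rows constructed from this report's "Suspicious use of WriteProcessMemory"
# signature (one row per observed write). The layout is this page's, not a
# general sandbox export format.
WRITE_IOCS = """\
PID 5092 wrote to memory of 3804 5092 773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe Q5OtjP5ukwzjaEj.exe
PID 5092 wrote to memory of 3804 5092 773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe Q5OtjP5ukwzjaEj.exe
PID 5092 wrote to memory of 3804 5092 773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe Q5OtjP5ukwzjaEj.exe
PID 5092 wrote to memory of 3352 5092 773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe 白衣江湖22.0.exe
PID 5092 wrote to memory of 3352 5092 773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe 白衣江湖22.0.exe
PID 5092 wrote to memory of 3352 5092 773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe 白衣江湖22.0.exe
"""

# Rows constructed from the "Executes dropped EXE" signature: pid, image.
DROPPED_EXE_IOCS = """\
3804 Q5OtjP5ukwzjaEj.exe
3352 白衣江湖22.0.exe
"""

# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
# (assumed row shape, taken from how this page lays the rows out)
WRITE_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")


def parse_writes(text):
    """Count writes per (writer_pid, target_pid, writer_image, target_image)."""
    writes = Counter()
    for line in text.splitlines():
        m = WRITE_ROW.match(line.strip())
        if not m:
            continue  # blank or unrelated line
        writer, target, writer_again, writer_img, target_img = m.groups()
        if writer != writer_again:
            # The row states the writer pid twice; disagreement means a mangled row.
            raise ValueError(f"inconsistent writer pid in row: {line!r}")
        writes[(int(writer), int(target), writer_img, target_img)] += 1
    return writes


def parse_dropped(text):
    """Map pid -> image for every process the sandbox tagged as a dropped EXE."""
    dropped = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            dropped[int(parts[0])] = parts[1].strip()
    return dropped


def analyse(write_text, dropped_text):
    """Per (writer, target) pair: write count, dropped-EXE flag, excess over siblings."""
    writes = parse_writes(write_text)
    dropped = parse_dropped(dropped_text)
    per_writer = defaultdict(dict)   # writer pid -> {target pid: write count}
    image_of = {}
    for (w, t, w_img, t_img), n in writes.items():
        per_writer[w][t] = n
        image_of[w], image_of[t] = w_img, t_img

    findings = []
    for w, targets in per_writer.items():
        # Heuristic (assumption of this example): the smallest write count among
        # a parent's children is taken as that parent's plain-spawn baseline;
        # a child that received more writes than that deserves a closer look.
        baseline = min(targets.values())
        for t, n in sorted(targets.items()):
            findings.append({
                "writer": w,
                "writer_image": image_of[w],
                "target": t,
                "target_image": image_of[t],
                "writes": n,
                "target_is_dropped_exe": t in dropped,
                "excess_writes": n - baseline,
            })
    return findings


if __name__ == "__main__":
    for f in analyse(WRITE_IOCS, DROPPED_EXE_IOCS):
        verdict = "drop-and-execute" if f["target_is_dropped_exe"] else "spawn"
        if f["excess_writes"]:
            verdict += f", +{f['excess_writes']} writes over siblings: inspect"
        print(f"{f['writer']} -> {f['target']} {f['target_image']}: "
              f"{f['writes']} writes, {verdict}")
```

Run against this report both children come out with three writes, zero excess and the dropped-EXE flag set, which is the reading given in the Signatures note above: a dropper launching what it wrote to disk, not a parent injecting into a child. The sibling baseline only means something when a parent has more than one child; for a single-child parent the script reports zero excess by construction, so treat that case as unknown rather than clean.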
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log  (same path captured three times as the file grew)
  Filesize: 316B
  MD5: a4ca7c891d28cc436c34f6ab4fd01b12
  SHA1: 1726bfee31cb457f3975d3c8ee81c672d9e87b05
  SHA256: 733b4ea25fe832018fbcb2dbf38a0f3996f40c7b4c159f853f84343c516a2241
  SHA512: 35764787ff289ee364657e83a63b43284a0600471eeeec7ed6b4a2a3056d95ea115643fdcd340f041e0b64c2838deccbb5403f55c6f6bdbce791c5edd38c1745
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
  Filesize: 658B
  MD5: 4e790865a1a4b2ae1096a208ae9ec9fb
  SHA1: 88219415d1b89eca77d41c5873ffd9cc346184ec
  SHA256: 855ff495b9b51e34da988e3c2449d72146701ffa1a1270c8219ec219423bb711
  SHA512: b3fd988d74424433a59da1ab8c1ab7adefb5c6021c6632066c07552925a7070ef8359426c3f6aff7249ef0db1256a663ce9cc72ace1cf93d2d2a645579faa360
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
  Filesize: 15KB
  MD5: 3a829feb4f6cbaa8b405e642e9186bdf
  SHA1: 5eb14d0f7c72cf58a22b6d0375f8f6aef543fd2a
  SHA256: 7237d071ebd415cc4c8fcc290f95580049c10e1332da787dd0d8566ce40defae
  SHA512: 93cca8a178a690ce671274647d5478353597aeb29777467bec7ef5467228cf68855e32cfdb939a5e7c9f1b797f4006e704c610cedb406e431464b592def9c260
C:\Users\Admin\AppData\Local\Temp\ytool\Q5OtjP5ukwzjaEj.exe
  Filesize: 5.7MB
  MD5: fb8e5e0af8afa722693c289e42bec423
  SHA1: 29c11d35eb8638aa8e1218bf8cca17a83a0a211e
  SHA256: b0db234436f22c8e8ffa8710188e99ca67149df40fad9c76fe7c6560ccd77434
  SHA512: 8534fb82d0c85e063c3667912f477dbd7259f56a59f3f33534dc179469709404c460f5a87ead62ea03b129970f6a8215d8acd82fc1ca94c70137d9acb5d65cf2
C:\Users\Admin\AppData\Local\Temp\白衣江湖22.0.exe
  Filesize: 5.9MB
  MD5: 9ee4edfd14e372b2c35b7425a3257901
  SHA1: 6fc47c9ab2f999e2b5b98d97cad279d81da4a67d
  SHA256: d4b7638aa8b5293cf3e32f6fec3f580fb5ef04a53beac8bd405107bf865efdd1
  SHA512: e5455a176524155f398d92b9bbad5cafbafdc900e32305c50e17a12fe8f7814dad2c6ae62371afb00e9ea902fae6d3fd3c9873d830795e6e7bfdc7c16d96baad