773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee

General

Target

773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe
Size

14.6MB
MD5

fe68426c101539218495386138e7ac48
SHA1

f3f3e88d6ea0b43976d4878c7c36438106e1fbc7
SHA256

773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee
SHA512

683b1d91b900632d7d762a99a11d9ead335567e6037e758633dd86027bc4bf657b0d142cc11f6be44b2f52d80114201d37c4d811bc1854921fc4acd2bc6a3d8e
SSDEEP

196608:QNym2iBYGfsV3zP/wYekZ1oKnMK6kJHqPbVruhmR/SACkCkyhXQ6ldGsTQN7pDzh:QN4H3/Jzn8EYpvCEzy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Q5OtjP5ukwzjaEj.exe白衣江湖22.0.exe

pid process

3804 Q5OtjP5ukwzjaEj.exe
3352 白衣江湖22.0.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

白衣江湖22.0.exe

description ioc process

File opened (read-only) \??\e: 白衣江湖22.0.exe
File opened (read-only) \??\h: 白衣江湖22.0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Q5OtjP5ukwzjaEj.exe

pid process

3804 Q5OtjP5ukwzjaEj.exe
3804 Q5OtjP5ukwzjaEj.exe
3804 Q5OtjP5ukwzjaEj.exe
3804 Q5OtjP5ukwzjaEj.exe
3804 Q5OtjP5ukwzjaEj.exe
3804 Q5OtjP5ukwzjaEj.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Q5OtjP5ukwzjaEj.exe

pid process

3804 Q5OtjP5ukwzjaEj.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Q5OtjP5ukwzjaEj.exe

pid process

3804 Q5OtjP5ukwzjaEj.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

白衣江湖22.0.exe

pid process

3352 白衣江湖22.0.exe
3352 白衣江湖22.0.exe
3352 白衣江湖22.0.exe
3352 白衣江湖22.0.exe

pid	process
3804	Q5OtjP5ukwzjaEj.exe
3352	白衣江湖22.0.exe

description	ioc	process
File opened (read-only)	\??\e:	白衣江湖22.0.exe
File opened (read-only)	\??\h:	白衣江湖22.0.exe

pid	process
3804	Q5OtjP5ukwzjaEj.exe
3804	Q5OtjP5ukwzjaEj.exe
3804	Q5OtjP5ukwzjaEj.exe
3804	Q5OtjP5ukwzjaEj.exe
3804	Q5OtjP5ukwzjaEj.exe
3804	Q5OtjP5ukwzjaEj.exe

pid	process
3804	Q5OtjP5ukwzjaEj.exe

pid	process
3804	Q5OtjP5ukwzjaEj.exe

pid	process
3352	白衣江湖22.0.exe
3352	白衣江湖22.0.exe
3352	白衣江湖22.0.exe
3352	白衣江湖22.0.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe

description	pid	process	target process
PID 5092 wrote to memory of 3804	5092	773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe	Q5OtjP5ukwzjaEj.exe
PID 5092 wrote to memory of 3804	5092	773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe	Q5OtjP5ukwzjaEj.exe
PID 5092 wrote to memory of 3804	5092	773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe	Q5OtjP5ukwzjaEj.exe
PID 5092 wrote to memory of 3352	5092	773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe	白衣江湖22.0.exe
PID 5092 wrote to memory of 3352	5092	773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe	白衣江湖22.0.exe
PID 5092 wrote to memory of 3352	5092	773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe	白衣江湖22.0.exe

C:\Users\Admin\AppData\Local\Temp\773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe
"C:\Users\Admin\AppData\Local\Temp\773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\ytool\Q5OtjP5ukwzjaEj.exe
"C:\Users\Admin\AppData\Local\Temp\773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe" "C:\Users\Admin\AppData\Local\Temp\773fe664e1198b1c714819fcf7381fae3fb0a6fc342d8dd1c76a21bd426eeeee.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3804

C:\Users\Admin\AppData\Local\Temp\白衣江湖22.0.exe
"C:\Users\Admin\AppData\Local\Temp\白衣江湖22.0.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:3352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
Filesize
316B

MD5
a4ca7c891d28cc436c34f6ab4fd01b12

SHA1
1726bfee31cb457f3975d3c8ee81c672d9e87b05

SHA256
733b4ea25fe832018fbcb2dbf38a0f3996f40c7b4c159f853f84343c516a2241

SHA512
35764787ff289ee364657e83a63b43284a0600471eeeec7ed6b4a2a3056d95ea115643fdcd340f041e0b64c2838deccbb5403f55c6f6bdbce791c5edd38c1745

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
Filesize
658B

MD5
4e790865a1a4b2ae1096a208ae9ec9fb

SHA1
88219415d1b89eca77d41c5873ffd9cc346184ec

SHA256
855ff495b9b51e34da988e3c2449d72146701ffa1a1270c8219ec219423bb711

SHA512
b3fd988d74424433a59da1ab8c1ab7adefb5c6021c6632066c07552925a7070ef8359426c3f6aff7249ef0db1256a663ce9cc72ace1cf93d2d2a645579faa360

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
Filesize
15KB

MD5
3a829feb4f6cbaa8b405e642e9186bdf

SHA1
5eb14d0f7c72cf58a22b6d0375f8f6aef543fd2a

SHA256
7237d071ebd415cc4c8fcc290f95580049c10e1332da787dd0d8566ce40defae

SHA512
93cca8a178a690ce671274647d5478353597aeb29777467bec7ef5467228cf68855e32cfdb939a5e7c9f1b797f4006e704c610cedb406e431464b592def9c260

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\Q5OtjP5ukwzjaEj.exe
Filesize
5.7MB

MD5
fb8e5e0af8afa722693c289e42bec423

SHA1
29c11d35eb8638aa8e1218bf8cca17a83a0a211e

SHA256
b0db234436f22c8e8ffa8710188e99ca67149df40fad9c76fe7c6560ccd77434

SHA512
8534fb82d0c85e063c3667912f477dbd7259f56a59f3f33534dc179469709404c460f5a87ead62ea03b129970f6a8215d8acd82fc1ca94c70137d9acb5d65cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\白衣江湖22.0.exe
Filesize
5.9MB

MD5
9ee4edfd14e372b2c35b7425a3257901

SHA1
6fc47c9ab2f999e2b5b98d97cad279d81da4a67d

SHA256
d4b7638aa8b5293cf3e32f6fec3f580fb5ef04a53beac8bd405107bf865efdd1

SHA512
e5455a176524155f398d92b9bbad5cafbafdc900e32305c50e17a12fe8f7814dad2c6ae62371afb00e9ea902fae6d3fd3c9873d830795e6e7bfdc7c16d96baad

Download Submit

Analysis

Sharing