aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480

General

Target

aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe
Size

15.3MB
MD5

708b631ca4cee7708d45ee5aeddccd6d
SHA1

3b69c09829aaf8b3412b511fd6d8c189cb3b62bb
SHA256

aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480
SHA512

b54723d740c216a6a1277bdc16f4c979feb1c642b7b3087cbe6989a575f35f0ea8a3917f05917a339830695542331a05aa75cc9c55bfb0af81816850df04ed6a
SSDEEP

196608:VZzrENt07+s5HL+qLyR66z5cC+uUGqJ3qQr2Ur5tljHkqMD+cpvJ/4H3nmghWoaf:VZVzn6FBUqa2sd5MFgXnU7sElvy

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ODBtUekZBCaNAUZ.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions ODBtUekZBCaNAUZ.exe
Executes dropped EXE 2 IoCs

Processes:

ODBtUekZBCaNAUZ.exe金焱江湖.exe

pid process

3052 ODBtUekZBCaNAUZ.exe
2716 金焱江湖.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	ODBtUekZBCaNAUZ.exe

Loads dropped DLL 2 IoCs

Processes:

aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe

pid	process
1992	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe
1992	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

金焱江湖.exe

description ioc process

File opened (read-only) \??\e: 金焱江湖.exe
File opened (read-only) \??\h: 金焱江湖.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\e:	金焱江湖.exe
File opened (read-only)	\??\h:	金焱江湖.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

ODBtUekZBCaNAUZ.exe

pid	process
3052	ODBtUekZBCaNAUZ.exe
3052	ODBtUekZBCaNAUZ.exe
3052	ODBtUekZBCaNAUZ.exe
3052	ODBtUekZBCaNAUZ.exe
3052	ODBtUekZBCaNAUZ.exe
3052	ODBtUekZBCaNAUZ.exe
3052	ODBtUekZBCaNAUZ.exe
3052	ODBtUekZBCaNAUZ.exe
3052	ODBtUekZBCaNAUZ.exe
3052	ODBtUekZBCaNAUZ.exe
3052	ODBtUekZBCaNAUZ.exe
3052	ODBtUekZBCaNAUZ.exe
3052	ODBtUekZBCaNAUZ.exe
3052	ODBtUekZBCaNAUZ.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ODBtUekZBCaNAUZ.exe

description	pid	process
Token: SeShutdownPrivilege	3052	ODBtUekZBCaNAUZ.exe
Token: SeShutdownPrivilege	3052	ODBtUekZBCaNAUZ.exe
Token: SeShutdownPrivilege	3052	ODBtUekZBCaNAUZ.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ODBtUekZBCaNAUZ.exe

pid process

3052 ODBtUekZBCaNAUZ.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

ODBtUekZBCaNAUZ.exe

pid process

3052 ODBtUekZBCaNAUZ.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

金焱江湖.exe

pid process

2716 金焱江湖.exe
2716 金焱江湖.exe
2716 金焱江湖.exe
2716 金焱江湖.exe

pid	process
2716	金焱江湖.exe
2716	金焱江湖.exe
2716	金焱江湖.exe
2716	金焱江湖.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe

description	pid	process	target process
PID 1992 wrote to memory of 3052	1992	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe	ODBtUekZBCaNAUZ.exe
PID 1992 wrote to memory of 3052	1992	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe	ODBtUekZBCaNAUZ.exe
PID 1992 wrote to memory of 3052	1992	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe	ODBtUekZBCaNAUZ.exe
PID 1992 wrote to memory of 3052	1992	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe	ODBtUekZBCaNAUZ.exe
PID 1992 wrote to memory of 2716	1992	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe	金焱江湖.exe
PID 1992 wrote to memory of 2716	1992	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe	金焱江湖.exe
PID 1992 wrote to memory of 2716	1992	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe	金焱江湖.exe
PID 1992 wrote to memory of 2716	1992	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe	金焱江湖.exe

C:\Users\Admin\AppData\Local\Temp\aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe
"C:\Users\Admin\AppData\Local\Temp\aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\ytool\ODBtUekZBCaNAUZ.exe
  "C:\Users\Admin\AppData\Local\Temp\aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe" "C:\Users\Admin\AppData\Local\Temp\aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\金焱江湖.exe
  "C:\Users\Admin\AppData\Local\Temp\金焱江湖.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
9KB

MD5
8d5a672032a1a505188e5e2536bbd12a

SHA1
3b1c12551933091365e0b9632130482b7ac8b495

SHA256
1a25981065c273cdca1db99c21bb429344dcceeb9f4a6e5cbfdbd7fc298df666

SHA512
44a3cc90dce3bfe2ce6a6d0c4b339866468c7509221b513b6dbec950a6ebab820620e25884489c8e933405401e54c99c25ce49af3b5cca88ba6ea6473dfb05bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
3KB

MD5
1f0b0a19c0ac188d18f1058a7727b7c6

SHA1
a23702e764607746e177f4794cb83ba2cf42d24f

SHA256
4cb074c324fe8395613027e247183b196556492fbdcd3bc91dd9eb24ce0a933f

SHA512
b3693972602f87baf5c9c6fe3292a732dc7476b88c730630a85023a669e4c4adfded40ad5d6635c62bc061d37ef00068c4df41479683f8c4a12456664a839159

Download Submit
\Users\Admin\AppData\Local\Temp\ytool\ODBtUekZBCaNAUZ.exe

Filesize
5.7MB

MD5
d8139a34276e4411b3d6a050b8e46c3a

SHA1
8ce1a2e8e8f208693df72c053abb026ab81dd48d

SHA256
526f880b30698cd71406a903a24d5e565cb5c707bd22c69537bbdbb445230b67

SHA512
c90c61616a3a85b345f6b1b9aefdc662d0e8ee1fc48d6fa730ed6946066e941e6cc31e649a1b4209f581fd2d38eba0035456ae26c1c6ca81a08465fe55c82d3b

Download Submit
\Users\Admin\AppData\Local\Temp\金焱江湖.exe

Filesize
6.7MB

MD5
a27ef3ed4c04cd4513080663f99482d3

SHA1
d5235db91ba1b447ec87f77d8c14eb5364e7b7a0

SHA256
bb7c27d92289595c9c7c0c89cb2f51fd4092384965b14f4e961f9e4987564e3d

SHA512
b89d940e9e76bc83db8bfc4e83a116a74900ce4eeaa2ad8b4ec99f5c63c0065ca3259cbaa7006d79ee5322ec76e0427e308588fba1c0c5e28b283836763a0415

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads