aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480

General

Target

aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe
Size

15.3MB
MD5

708b631ca4cee7708d45ee5aeddccd6d
SHA1

3b69c09829aaf8b3412b511fd6d8c189cb3b62bb
SHA256

aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480
SHA512

b54723d740c216a6a1277bdc16f4c979feb1c642b7b3087cbe6989a575f35f0ea8a3917f05917a339830695542331a05aa75cc9c55bfb0af81816850df04ed6a
SSDEEP

196608:VZzrENt07+s5HL+qLyR66z5cC+uUGqJ3qQr2Ur5tljHkqMD+cpvJ/4H3nmghWoaf:VZVzn6FBUqa2sd5MFgXnU7sElvy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ODBtUekZBCaNAUZ.exe金焱江湖.exe

pid process

2904 ODBtUekZBCaNAUZ.exe
5100 金焱江湖.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

金焱江湖.exe

description ioc process

File opened (read-only) \??\e: 金焱江湖.exe
File opened (read-only) \??\h: 金焱江湖.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ODBtUekZBCaNAUZ.exe

pid process

2904 ODBtUekZBCaNAUZ.exe
2904 ODBtUekZBCaNAUZ.exe
2904 ODBtUekZBCaNAUZ.exe
2904 ODBtUekZBCaNAUZ.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ODBtUekZBCaNAUZ.exe

pid process

2904 ODBtUekZBCaNAUZ.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

ODBtUekZBCaNAUZ.exe

pid process

2904 ODBtUekZBCaNAUZ.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

金焱江湖.exe

pid process

5100 金焱江湖.exe
5100 金焱江湖.exe
5100 金焱江湖.exe
5100 金焱江湖.exe

pid	process
2904	ODBtUekZBCaNAUZ.exe
5100	金焱江湖.exe

description	ioc	process
File opened (read-only)	\??\e:	金焱江湖.exe
File opened (read-only)	\??\h:	金焱江湖.exe

pid	process
2904	ODBtUekZBCaNAUZ.exe
2904	ODBtUekZBCaNAUZ.exe
2904	ODBtUekZBCaNAUZ.exe
2904	ODBtUekZBCaNAUZ.exe

pid	process
2904	ODBtUekZBCaNAUZ.exe

pid	process
2904	ODBtUekZBCaNAUZ.exe

pid	process
5100	金焱江湖.exe
5100	金焱江湖.exe
5100	金焱江湖.exe
5100	金焱江湖.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe

description	pid	process	target process
PID 3196 wrote to memory of 2904	3196	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe	ODBtUekZBCaNAUZ.exe
PID 3196 wrote to memory of 2904	3196	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe	ODBtUekZBCaNAUZ.exe
PID 3196 wrote to memory of 2904	3196	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe	ODBtUekZBCaNAUZ.exe
PID 3196 wrote to memory of 5100	3196	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe	金焱江湖.exe
PID 3196 wrote to memory of 5100	3196	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe	金焱江湖.exe
PID 3196 wrote to memory of 5100	3196	aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe	金焱江湖.exe

C:\Users\Admin\AppData\Local\Temp\aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe
"C:\Users\Admin\AppData\Local\Temp\aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Users\Admin\AppData\Local\Temp\ytool\ODBtUekZBCaNAUZ.exe
  "C:\Users\Admin\AppData\Local\Temp\aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe" "C:\Users\Admin\AppData\Local\Temp\aa58c6f341f46785ee871d5e73318c7d5ca981fdf0a5fc057a63c3f59a0be480.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\金焱江湖.exe
  "C:\Users\Admin\AppData\Local\Temp\金焱江湖.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3404,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:8
1⤵
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
316B

MD5
71767b16eae39b9e15f3f8ec1ffda8b0

SHA1
6f6f7313f1a72a0b93952e672821d871c713b878

SHA256
efd0137e350d150ddaa142be45b169ef54b0decf7ce44e88dd38e3c5a1de4a2d

SHA512
7daadb246f33de1fd75e8e3a8f9ec552d0755008833d65402017b9f54fbb2e24d8f14a9916e8921e23d2e4d256d1409470c57b422459a8458b6e4973514ac0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
658B

MD5
7766c2abf6a17463c4946dc893f77bce

SHA1
cc0bb9dd5e6e65277ffd34b3d0514daedc77d70a

SHA256
df33a629f282c98427928ebf3fa21a35d0553d4929681e965447bc4f626dccae

SHA512
224b56125b257a340fbdc68311186baf3fc1cdab374805c447782f2d4ca67e6545599e39c4bc6d434bca3079ef57b22340d03e79550bf270e946a73b1856d7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
9KB

MD5
ba9079daa6abc69d8eef328341d8539a

SHA1
2519c031febac744b462c92c13e3564ab8e6451e

SHA256
dff72a264b775089ed17b0e44d4d032afd22fd05bf662bee41e8aa2c61fd7f5c

SHA512
65f0b597f3464934198b5ae3d5463937e984634d97d6739abe0f8d2ca46498ac71640413918e1ea8eb258563a343a521026403d0cef645932d735ce0a4906b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\ODBtUekZBCaNAUZ.exe

Filesize
5.7MB

MD5
d8139a34276e4411b3d6a050b8e46c3a

SHA1
8ce1a2e8e8f208693df72c053abb026ab81dd48d

SHA256
526f880b30698cd71406a903a24d5e565cb5c707bd22c69537bbdbb445230b67

SHA512
c90c61616a3a85b345f6b1b9aefdc662d0e8ee1fc48d6fa730ed6946066e941e6cc31e649a1b4209f581fd2d38eba0035456ae26c1c6ca81a08465fe55c82d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\金焱江湖.exe

Filesize
6.7MB

MD5
a27ef3ed4c04cd4513080663f99482d3

SHA1
d5235db91ba1b447ec87f77d8c14eb5364e7b7a0

SHA256
bb7c27d92289595c9c7c0c89cb2f51fd4092384965b14f4e961f9e4987564e3d

SHA512
b89d940e9e76bc83db8bfc4e83a116a74900ce4eeaa2ad8b4ec99f5c63c0065ca3259cbaa7006d79ee5322ec76e0427e308588fba1c0c5e28b283836763a0415

Download Submit

Analysis

Sharing