Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/05/2024, 06:49

General

  • Target

    0f12888bff39b06188df927bdc0a66980ec951a11216dd1c3d119858af2d62e9.exe

  • Size

    11.2MB

  • MD5

    9df4f79810edbe385c215d7257711b44

  • SHA1

    d76ecc65aa69986154d91e2d147443f5578f1fe5

  • SHA256

    0f12888bff39b06188df927bdc0a66980ec951a11216dd1c3d119858af2d62e9

  • SHA512

    1dd0027be32869ec7b44868bb9dd3671c59c606a0733a7004cba45c9f611e213f39ca159556ea8b511b405f789ff26531966035676177e72b415cea71df2f7c8

  • SSDEEP

    196608:hNym2iBYGfsV3Se3dIh8V6WyFSMD+cpvJ/4H3nmghWoa/fsysMF4JD85lXkji8:hN4H39eSMFgXnU7sElXy

Score
9/10

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f12888bff39b06188df927bdc0a66980ec951a11216dd1c3d119858af2d62e9.exe
    "C:\Users\Admin\AppData\Local\Temp\0f12888bff39b06188df927bdc0a66980ec951a11216dd1c3d119858af2d62e9.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\ytool\GVHdhietY0GiKl0.exe
      "C:\Users\Admin\AppData\Local\Temp\0f12888bff39b06188df927bdc0a66980ec951a11216dd1c3d119858af2d62e9.exe" "C:\Users\Admin\AppData\Local\Temp\0f12888bff39b06188df927bdc0a66980ec951a11216dd1c3d119858af2d62e9.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2556
    • C:\Users\Admin\AppData\Local\Temp\大名江湖.exe
      "C:\Users\Admin\AppData\Local\Temp\大名江湖.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe
        "C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe" http://www.baidu.com:89/client.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 804
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1728

Network

Downloads

  • C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

    Filesize

    389B

    MD5

    cd3deb42653cedc674c36d1ca6b73d01

    SHA1

    28b947d92ff530bbc0a91357edfeb6e6b551b623

    SHA256

    aca0844bde79a42941501155abfe2afed6497cb15bd48fbedbcb3bfa55922039

    SHA512

    4e8dc33b66884df4b3554d50110b53f46e01bac4184405254fa7382fa2c46d89ace03ee54fe08cc2eaf061a07a306e7c149e07c2815e0b992bbef8b9af633fa1

  • C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

    Filesize

    3KB

    MD5

    102192e37c954c64a847d551dafea615

    SHA1

    eb047dc5e8b1ef8a661b6924d9b53e6c7cf7112b

    SHA256

    72a4647d3590ca6af129e68a1b1d0a5cba41abdec2c42792c2a41045f77cd1bc

    SHA512

    2add10c4440cf1af632291af8ed0becf30a40a57c39a5e71a4699d2708c7c6d46ae8fa50933e6ffd7440e1b52064e4cc85eb9ebcf0f8ca44b18d9bbc142eb44b

  • \Users\Admin\AppData\Local\Temp\RXJH2Game.exe

    Filesize

    44KB

    MD5

    64a4ea2a47e049fc907279bde7a54b52

    SHA1

    66322364a9dc2156179de7fea5f1d0b930675670

    SHA256

    f965de4a8e553a7eb4853fbc2a0a982efa3e263edec1da4206ea5870c27af024

    SHA512

    4699ebc8304cad67cf0b5531854afc56846f7a77ffc7396640fabdc0e42fb760bafaf213aa4e0ca23961da831a60dd5ceefe11de7fa9767261a07301c34191b7

  • \Users\Admin\AppData\Local\Temp\ytool\GVHdhietY0GiKl0.exe

    Filesize

    5.7MB

    MD5

    163c73ceab924857e67e58c49319d694

    SHA1

    255ed80750b3655724fb34e7cb4de07411b58d13

    SHA256

    fd525459a082043891862b07970fe85b7a0d256c67d1a8aacf65029a36c943f1

    SHA512

    01d0686b5c258a697885ecb7a55aeb6c998bbf0667c040923a1ca1c2fa4b7906ffbde1ab87022061ce8bead581b2865b5c197a20bdd902130e8b87c44818b1c9

  • \Users\Admin\AppData\Local\Temp\大名江湖.exe

    Filesize

    2.5MB

    MD5

    15fe7ac57968d53248aa59b8530f5aa3

    SHA1

    3aede651d6ce0c6d985c98a640bd0ea3c6d07d5f

    SHA256

    a6e0ffdfe8725607f09f6ce0524ba227f5ed3e28cfee7d3b4ca5433ec0428255

    SHA512

    07f3f9aeb0d2933b870a1c2a0c00da1317f833a16b3df9f8b7f36f44d1bdeb6bf044080f40263c4ef85fb9d813f603f79c3be4fddaeb6dd8f60fbacb1bf4775c