2a1a13e423efb5c6ddb0736df1fbfb6352530d59aaaab5a5b220c4c26d15e257

General

Target

2a1a13e423efb5c6ddb0736df1fbfb6352530d59aaaab5a5b220c4c26d15e257.exe
Size

14.4MB
MD5

7fa9018ac37c34ee1aef85d9f30f9252
SHA1

5ab15223622e1a7899be12567da34e5a771ec3f9
SHA256

2a1a13e423efb5c6ddb0736df1fbfb6352530d59aaaab5a5b220c4c26d15e257
SHA512

a063ece0f4201b3ba8bcfaa14d3e6f573e6423799dfff52c54b655fa36ef702be4d945a27094ed5a041af0530ca41b1440cc9fcc2d7b3f048518ede90c3e6ac9
SSDEEP

393216:fN4H3t6DUis/HiZPyWUaMFgXnU7sElmy:fNcd6DUVPiIWUatXnas

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	真爱破天一剑.exe
File created	C:\Windows\system32\drivers\etc\hosts	真爱破天一剑.exe

Executes dropped EXE 2 IoCs

pid	Process
1824	5GFnRcarAUAsMgB.exe
4552	真爱破天一剑.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4552-31-0x0000000010000000-0x0000000010018000-memory.dmp	upx

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0007000000023442-18.dat	vmprotect
behavioral2/memory/4552-29-0x0000000000400000-0x0000000001036000-memory.dmp	vmprotect
behavioral2/memory/4552-33-0x0000000000400000-0x0000000001036000-memory.dmp	vmprotect
behavioral2/memory/4552-35-0x0000000000400000-0x0000000001036000-memory.dmp	vmprotect
behavioral2/memory/4552-39-0x0000000000400000-0x0000000001036000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4552	真爱破天一剑.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4552	真爱破天一剑.exe
4552	真爱破天一剑.exe
4552	真爱破天一剑.exe
4552	真爱破天一剑.exe
1824	5GFnRcarAUAsMgB.exe
1824	5GFnRcarAUAsMgB.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1824	5GFnRcarAUAsMgB.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1824	5GFnRcarAUAsMgB.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4552	真爱破天一剑.exe
4552	真爱破天一剑.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1824	1772	2a1a13e423efb5c6ddb0736df1fbfb6352530d59aaaab5a5b220c4c26d15e257.exe	84
PID 1772 wrote to memory of 1824	1772	2a1a13e423efb5c6ddb0736df1fbfb6352530d59aaaab5a5b220c4c26d15e257.exe	84
PID 1772 wrote to memory of 1824	1772	2a1a13e423efb5c6ddb0736df1fbfb6352530d59aaaab5a5b220c4c26d15e257.exe	84
PID 1772 wrote to memory of 4552	1772	2a1a13e423efb5c6ddb0736df1fbfb6352530d59aaaab5a5b220c4c26d15e257.exe	90
PID 1772 wrote to memory of 4552	1772	2a1a13e423efb5c6ddb0736df1fbfb6352530d59aaaab5a5b220c4c26d15e257.exe	90
PID 1772 wrote to memory of 4552	1772	2a1a13e423efb5c6ddb0736df1fbfb6352530d59aaaab5a5b220c4c26d15e257.exe	90
PID 4552 wrote to memory of 2280	4552	真爱破天一剑.exe	91
PID 4552 wrote to memory of 2280	4552	真爱破天一剑.exe	91
PID 4552 wrote to memory of 2280	4552	真爱破天一剑.exe	91
PID 2280 wrote to memory of 4028	2280	cmd.exe	94
PID 2280 wrote to memory of 4028	2280	cmd.exe	94
PID 2280 wrote to memory of 4028	2280	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\2a1a13e423efb5c6ddb0736df1fbfb6352530d59aaaab5a5b220c4c26d15e257.exe
"C:\Users\Admin\AppData\Local\Temp\2a1a13e423efb5c6ddb0736df1fbfb6352530d59aaaab5a5b220c4c26d15e257.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\ytool\5GFnRcarAUAsMgB.exe
  "C:\Users\Admin\AppData\Local\Temp\2a1a13e423efb5c6ddb0736df1fbfb6352530d59aaaab5a5b220c4c26d15e257.exe" "C:\Users\Admin\AppData\Local\Temp\2a1a13e423efb5c6ddb0736df1fbfb6352530d59aaaab5a5b220c4c26d15e257.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1824
- C:\Users\Admin\AppData\Local\Temp\真爱破天一剑.exe
  "C:\Users\Admin\AppData\Local\Temp\真爱破天一剑.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls.exe c:\windows\system32\drivers\etc\hosts /e /t /p everyone:F
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\cacls.exe
      cacls.exe c:\windows\system32\drivers\etc\hosts /e /t /p everyone:F
      4⤵
      PID:4028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
316B

MD5
c294dad3fe9e1fcc2e4e68ca14b3a8b4

SHA1
5bd1c6833a85847ed933bf9f0976037338ce4658

SHA256
3a135018fd9d73f223d10fc8b80fc62f75718bd8ef0494eb1b78ddc29908dee2

SHA512
8b45d60e4fd55b8451a9c0f894a8a7e151d1d3e0961cc6fb5e7c07b5b60df8c34fe0555ae0adc0ff1f8eeeeecb8bf264a465070cee7359effac0ddfbc7bd8f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
658B

MD5
c92cb573880474eedf9affa6ca26ab7e

SHA1
8f39750cf61fbc9c19b5e50df8a6da83b061f6f1

SHA256
821c7b2e90b95294bafae66668344edfc69e1b8bb482fa02ca70729dbba50ff7

SHA512
d40a3c2a895e6e0e45ad20aa6ba5770df478de86444cb2333c425103dd903c940756f644f7a7d2fa8ac121cdd15335c69309f07a69d9da4ca633115ec2842ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
4KB

MD5
8fe85c5e2d199519d3e9139ae4138d02

SHA1
7937bfacbaf0819309855b841ee53ee6be5ecfc6

SHA256
ad941f255b60e1f2b15ab0965f61f90cc2fb498866d4b3bde09e8fe70c8f2441

SHA512
1b6d34625b4894582ed5de76aacb390b07e09104bc4b4afd07c8a4800b43c90f7800e20efb91c60c8d115ebf7617708b34cb6fdf0e11843ca55aa99c560304c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\5GFnRcarAUAsMgB.exe

Filesize
5.7MB

MD5
6a0e32116ba9588d4791aeede7fdb5ab

SHA1
4d051eafe84e663868e7a307c91df4052f772f67

SHA256
c9721c886be502337b30bbc5cd652741a1ff847225675f59f65257eab90ea566

SHA512
6c4d476075181845c6996a95144774c66e0f3c9bd65610233b343f44f73c05f075b689f01cd27959ab2d1e3a5dd6b597c0b0d1d5c451f096d7b2e8615c3a21d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\真爱破天一剑.exe

Filesize
5.7MB

MD5
7a2eecaddf96ffd66082849327c6148a

SHA1
ee684fdb9a9a17645349d926a88b31097bab072e

SHA256
8be8adbb191c2ba3942066e530919108f0a920379ca46e027f92f602f219874d

SHA512
382efef2d976888e0d679e31d8313ca329ef5e718fc1a79a3e02f6236128319248a93fad9847a83670b33d4e022cf2451b6c3d37744a6cb760fd6179f039a69d

Download Submit
\??\c:\windows\system32\drivers\etc\hosts

Filesize
732B

MD5
a10c96ee18298bda150c23034adb223a

SHA1
b117771cd2ccf45319ea915ad903a82e454b923b

SHA256
144e11750b729a052d232218bc0c22aa2e6a31fc43e161d8f9e257066f5de5d6

SHA512
1eb27def48b0f57b53c34e88f294842fb4c970a81e7ad55e7bfa718a98bc0792a5e23eaeaa250dc126d12ae2d39c3fffaaffd6eba3c65d11fd31a359bf6fc61d

Download Submit
memory/4552-24-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/4552-33-0x0000000000400000-0x0000000001036000-memory.dmp

Filesize
12.2MB

Download
memory/4552-21-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/4552-20-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/4552-27-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/4552-29-0x0000000000400000-0x0000000001036000-memory.dmp

Filesize
12.2MB

Download
memory/4552-31-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/4552-22-0x0000000001630000-0x0000000001631000-memory.dmp

Filesize
4KB

Download
memory/4552-35-0x0000000000400000-0x0000000001036000-memory.dmp

Filesize
12.2MB

Download
memory/4552-23-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/4552-38-0x000000000081F000-0x0000000000A7E000-memory.dmp

Filesize
2.4MB

Download
memory/4552-39-0x0000000000400000-0x0000000001036000-memory.dmp

Filesize
12.2MB

Download
memory/4552-26-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/4552-25-0x000000000081F000-0x0000000000A7E000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing