89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac

General

Target

89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe
Size

14.9MB
MD5

a805ddc9a1ef0889b0fbefa9ce2619b3
SHA1

d1c70376d904316b987796f868b385a060b47ab3
SHA256

89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac
SHA512

6bfd8a29c1f72cc21da4750781e249db58ec4f9252ba5ba5af594f3fc76659b0f533eaec632e0a29737ab70db093ccb8e8bca44b77e2c84bcee39641b64786ef
SSDEEP

196608:5Nym2iBYGfsV3DXYS8acXISlP2liFEIeV1rN7VfvVjMD+cpvJ/4H3nmghWoa/fsL:5N4H3yYuP5eVPRfdjMFgXnU7sElFy

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	4zL2r2m1lAB7rpe.exe

Executes dropped EXE 2 IoCs

pid	Process
1988	4zL2r2m1lAB7rpe.exe
2656	傲世江湖-新V22.exe

Loads dropped DLL 2 IoCs

pid	Process
2836	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe
2836	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	傲世江湖-新V22.exe
File opened (read-only)	\??\h:	傲世江湖-新V22.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe
1988	4zL2r2m1lAB7rpe.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1988	4zL2r2m1lAB7rpe.exe
Token: SeShutdownPrivilege	1988	4zL2r2m1lAB7rpe.exe
Token: SeShutdownPrivilege	1988	4zL2r2m1lAB7rpe.exe
Token: SeShutdownPrivilege	1988	4zL2r2m1lAB7rpe.exe
Token: SeShutdownPrivilege	1988	4zL2r2m1lAB7rpe.exe
Token: SeShutdownPrivilege	1988	4zL2r2m1lAB7rpe.exe
Token: SeShutdownPrivilege	1988	4zL2r2m1lAB7rpe.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1988	4zL2r2m1lAB7rpe.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1988	4zL2r2m1lAB7rpe.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2656	傲世江湖-新V22.exe
2656	傲世江湖-新V22.exe
2656	傲世江湖-新V22.exe
2656	傲世江湖-新V22.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 1988	2836	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe	28
PID 2836 wrote to memory of 1988	2836	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe	28
PID 2836 wrote to memory of 1988	2836	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe	28
PID 2836 wrote to memory of 1988	2836	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe	28
PID 2836 wrote to memory of 2656	2836	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe	29
PID 2836 wrote to memory of 2656	2836	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe	29
PID 2836 wrote to memory of 2656	2836	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe	29
PID 2836 wrote to memory of 2656	2836	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe	29

C:\Users\Admin\AppData\Local\Temp\89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe
"C:\Users\Admin\AppData\Local\Temp\89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\ytool\4zL2r2m1lAB7rpe.exe
  "C:\Users\Admin\AppData\Local\Temp\89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe" "C:\Users\Admin\AppData\Local\Temp\89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\傲世江湖-新V22.exe
  "C:\Users\Admin\AppData\Local\Temp\傲世江湖-新V22.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
258B

MD5
7d486f61ae132dcb3e55c5315cc5fb72

SHA1
3eb02ccb794e9ee6baaaae7375c73e11650fba20

SHA256
460798e340c91d24e8be06adc08aaf0ee33d478bc865a22a69c9f07b251fbef9

SHA512
ccada80684f3ac1809daab5b242544d99d7023a30397d95f8d6fb660c9e03c0013295f0658c2c1ec66b60c6ce864c0187f0d87db3deea710b13c8aa6a8471f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
658B

MD5
f74221b2e673044ceee61740196dc6ae

SHA1
824115722a6db061a0f3925e0605ef9ca867a5e5

SHA256
da6ccfeee85902cd8acc575ed1f8242a3fb2f4fb25b40489adfb76c1700a76a5

SHA512
9668a36ea455f7e9f5b3632355bc4c9d527a923c2c739b08782510af909ff922ac7506145edf4d1512706c7f81a3c823b13203e38b8cc1482dc708c03b4bcfa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
4KB

MD5
987e0278876ba4304ec244c5a5347649

SHA1
48f47d2ea26be4bc05ba411022b318a08ff05e7c

SHA256
40e5c61aa114cd18cd88ca2f9da2471a86b8657b81fb88415da8cc52813f957f

SHA512
b8a0f2720ea3ca47fb999c916abc865419326b40a1faaa202d41aaaa8401eab561eeb3e7f57d09afb5b387424ac0b29a963938797be4b7f1e19b2cd8d634b771

Download Submit
\Users\Admin\AppData\Local\Temp\ytool\4zL2r2m1lAB7rpe.exe

Filesize
5.7MB

MD5
dcd0d2fe37a4f0b6d9692e24cd007b02

SHA1
399cf0443fd178847efbb0be2f58ec7cd8d93e5e

SHA256
eddc83e032f2bd8ad0c62b8a96db2c353d6b8b1561c09e1a93e2ae484398011c

SHA512
bd388cd0f05377218c82aca5a5466d099ace139cc03fe7e900a93423719135f7372c1f5418f6863513108f539e396133e6ed59914134e9800897245ebb1d5341

Download Submit
\Users\Admin\AppData\Local\Temp\傲世江湖-新V22.exe

Filesize
6.3MB

MD5
cebe5898a964e29089a0ba35126ddaa3

SHA1
b10cbb6d1d7067ed077600460bcc4cb6a211b85e

SHA256
f4711a39260cc29a3d908277ff21a86c5716db544202abb31f8fee9db20e16d6

SHA512
8de283cb8a4c848feec8cb60c28d624491a0e714f5a13dd831c59e3970f7568cfa116b0431f95b235ac51942aae003a05c8fd17e3e54ea7ca230558646278dea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads