89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac

General

Target

89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe
Size

14.9MB
MD5

a805ddc9a1ef0889b0fbefa9ce2619b3
SHA1

d1c70376d904316b987796f868b385a060b47ab3
SHA256

89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac
SHA512

6bfd8a29c1f72cc21da4750781e249db58ec4f9252ba5ba5af594f3fc76659b0f533eaec632e0a29737ab70db093ccb8e8bca44b77e2c84bcee39641b64786ef
SSDEEP

196608:5Nym2iBYGfsV3DXYS8acXISlP2liFEIeV1rN7VfvVjMD+cpvJ/4H3nmghWoa/fsL:5N4H3yYuP5eVPRfdjMFgXnU7sElFy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4268	4zL2r2m1lAB7rpe.exe
4456	傲世江湖-新V22.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	傲世江湖-新V22.exe
File opened (read-only)	\??\h:	傲世江湖-新V22.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4268	4zL2r2m1lAB7rpe.exe
4268	4zL2r2m1lAB7rpe.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4268	4zL2r2m1lAB7rpe.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4268	4zL2r2m1lAB7rpe.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4456	傲世江湖-新V22.exe
4456	傲世江湖-新V22.exe
4456	傲世江湖-新V22.exe
4456	傲世江湖-新V22.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 4268	1132	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe	81
PID 1132 wrote to memory of 4268	1132	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe	81
PID 1132 wrote to memory of 4268	1132	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe	81
PID 1132 wrote to memory of 4456	1132	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe	82
PID 1132 wrote to memory of 4456	1132	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe	82
PID 1132 wrote to memory of 4456	1132	89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe	82

C:\Users\Admin\AppData\Local\Temp\89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe
"C:\Users\Admin\AppData\Local\Temp\89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\ytool\4zL2r2m1lAB7rpe.exe
  "C:\Users\Admin\AppData\Local\Temp\89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe" "C:\Users\Admin\AppData\Local\Temp\89062204cf1b3f21a78a1352968f96b0fb39a4df41f847782253f5ed0df763ac.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4268
- C:\Users\Admin\AppData\Local\Temp\傲世江湖-新V22.exe
  "C:\Users\Admin\AppData\Local\Temp\傲世江湖-新V22.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
316B

MD5
9c989a18d655f476b4fbda7138dee7e6

SHA1
307df8f5c64543e2e1211abdcab1714151ca701d

SHA256
3281f564cf7230b041aa0f6d1e33e297f348e729c1b19a34f9f2cc1bd1e752c6

SHA512
3ea029776af05302de5caca39cf16f6c1932f171558101889d01c99633836c1b722d294f6138408f83cf015b81cc34d8dd58b9c94bfa22481274b5380754301c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
658B

MD5
6deb3881e652f15fbfb96f2e068ec00f

SHA1
6d8c0b05fd0f430e3180ce80424a2814f71b8287

SHA256
132f84948360ac18444d0f1db9ea083afc836a62fda49bf666a32651cc33525c

SHA512
c247dff1b2ee74451f1293e9ed5cf378b6327eefbbeb3f24d22431723c47fff0c5929c3360a0bbcf9eead74968ba5aa5d1727c119fb0e036e698236aa4f0ccd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
2KB

MD5
54c1b7e7847ec4f4e35c3328cbb0c9e3

SHA1
32ef44fb8526e5cfbcceb9b253693802c55c4258

SHA256
ee3eeb6deda6b1a31a94c8e1e7b9f96413a859d91e95261a8641dd4418ed972d

SHA512
da631379c38b5188a37af0f19ce4144476227f1f9a299bd8a57542f7658a32908b02fff03edfa364d402ae6d10ec29b848009d33f28d6b6d0ec0572647ce5299

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
4KB

MD5
7fd18cf8e6dc4828333eda8add4fbeba

SHA1
686a53fbab06cfc5e3893c88ac66663064ef28be

SHA256
350ce02cdaa26d675f830c25c890bf750e76b3045ed5d76abe3abe8924c11f74

SHA512
90bbb9f52b319c07cb1bae64bf1c7f0ac618587af6680bc5b23df55330f5bf447d920621540305c094d41d6c1693ebb5d3189e036d6d0bafea3f1ffc6c0c6088

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\4zL2r2m1lAB7rpe.exe

Filesize
5.7MB

MD5
dcd0d2fe37a4f0b6d9692e24cd007b02

SHA1
399cf0443fd178847efbb0be2f58ec7cd8d93e5e

SHA256
eddc83e032f2bd8ad0c62b8a96db2c353d6b8b1561c09e1a93e2ae484398011c

SHA512
bd388cd0f05377218c82aca5a5466d099ace139cc03fe7e900a93423719135f7372c1f5418f6863513108f539e396133e6ed59914134e9800897245ebb1d5341

Download Submit
C:\Users\Admin\AppData\Local\Temp\傲世江湖-新V22.exe

Filesize
6.3MB

MD5
cebe5898a964e29089a0ba35126ddaa3

SHA1
b10cbb6d1d7067ed077600460bcc4cb6a211b85e

SHA256
f4711a39260cc29a3d908277ff21a86c5716db544202abb31f8fee9db20e16d6

SHA512
8de283cb8a4c848feec8cb60c28d624491a0e714f5a13dd831c59e3970f7568cfa116b0431f95b235ac51942aae003a05c8fd17e3e54ea7ca230558646278dea

Download Submit

Analysis

Sharing