Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    26-06-2024 08:27

General

  • Target

    383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe

  • Size

    10.8MB

  • MD5

    ecd7dad0774859a0e8730122ba6dd350

  • SHA1

    5ad6f0dc19c7973cd9149bb8a3005214ba6e1bf2

  • SHA256

    383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693

  • SHA512

    572b96a50d02a61d782c6110a993ea56b603905a498ddaab71a2caa79e2ebcbb9cb0756b79c1e98ab7f7941690c017e84289bbaa5c86feec0d4f3a004c58306f

  • SSDEEP

    196608:sZzrENt07+s5HL1ZUT5xFEAPlMD+cpvJ/4H3nmghWoa/fsysMF4JD85lXkji:sZVzUTfuANMFgXnU7sElXy

Score
9/10

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe
    "C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe
      "C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe" "C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1372
    • C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe
      "C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe
        "C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe" http://www.baidu.com:89/client.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2124
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 820
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

    Filesize

    9KB

    MD5

    03b6e5e3624c8128a401dca21d4a95b1

    SHA1

    cd4f8e55b8db920502d59929f780a41e9fc32e64

    SHA256

    9d5b4d1a193f82dd325a540af5ba06a5ef5a16ec5aa787fdc975b55f13e032b4

    SHA512

    2409b80e9e32a7d60f9a1f307d6cd42f6c63fe3007cef512cd3348ac2984045bf77f59e80e3a55628acff1a7807f44c773033aa8c3c5909335dbfc4f4770fe01

  • \Users\Admin\AppData\Local\Temp\RXJH2Game.exe

    Filesize

    44KB

    MD5

    64a4ea2a47e049fc907279bde7a54b52

    SHA1

    66322364a9dc2156179de7fea5f1d0b930675670

    SHA256

    f965de4a8e553a7eb4853fbc2a0a982efa3e263edec1da4206ea5870c27af024

    SHA512

    4699ebc8304cad67cf0b5531854afc56846f7a77ffc7396640fabdc0e42fb760bafaf213aa4e0ca23961da831a60dd5ceefe11de7fa9767261a07301c34191b7

  • \Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe

    Filesize

    5.7MB

    MD5

    120f116cfcdaad584b09e7f13e2fc208

    SHA1

    18572eedde71cd344e023227221805f5c51bd585

    SHA256

    3e614f163a061f8cc7e864b2304d407675f80952b5a870b2ab427782eec2ec5d

    SHA512

    e1246094012b6cfac0902153d905be907a9c0feb8a4907235b3e2c0153837421410a3c1d6891bf1d11421b9b2fcc332c6c3a45aa3ec2d8e7a6657830504b1ea9

  • \Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe

    Filesize

    2.1MB

    MD5

    d7481b8835ad1b833a29a47cc98335e5

    SHA1

    b0549680b5324da5e6f1d73bc35454ce68f8d216

    SHA256

    02fb70a3aec6d52cb1070883d5f3bcfeba3713d39a1cb71149f9ab852e54b7b2

    SHA512

    49f1aa7dcf00b330bd7d84fa6a177e6409b58abf4d3c2ed92cfddbd66f88fb85098005eac57c54024eb50fc01c05cd06434d6d54ec255a57e6284089207cd272

  • memory/2544-23-0x0000000000400000-0x00000000008B3000-memory.dmp

    Filesize

    4.7MB

  • memory/2544-25-0x00000000778D0000-0x00000000778D1000-memory.dmp

    Filesize

    4KB

  • memory/2544-27-0x00000000778D0000-0x00000000778D1000-memory.dmp

    Filesize

    4KB

  • memory/2544-31-0x0000000076E90000-0x0000000076E91000-memory.dmp

    Filesize

    4KB

  • memory/2544-33-0x0000000000400000-0x00000000008B3000-memory.dmp

    Filesize

    4.7MB

  • memory/2544-153-0x0000000000400000-0x00000000008B3000-memory.dmp

    Filesize

    4.7MB