Analysis
max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted
26-06-2024 08:27
Static task
static1
Behavioral task
behavioral1
Sample
383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe
Resource
win10v2004-20240508-en
General
Target
383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe
Size
10.8MB
MD5
ecd7dad0774859a0e8730122ba6dd350
SHA1
5ad6f0dc19c7973cd9149bb8a3005214ba6e1bf2
SHA256
383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693
SHA512
572b96a50d02a61d782c6110a993ea56b603905a498ddaab71a2caa79e2ebcbb9cb0756b79c1e98ab7f7941690c017e84289bbaa5c86feec0d4f3a004c58306f
SSDEEP
196608:sZzrENt07+s5HL1ZUT5xFEAPlMD+cpvJ/4H3nmghWoa/fsysMF4JD85lXkji:sZVzUTfuANMFgXnU7sElXy
Malware Config
Signatures
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions (mp8K1rfGIxnmZqj.exe)
Opening this key is a presence check for the VirtualBox guest tooling. It is performed by the first dropped component (PID 1372), not by the dropper itself.
Executes dropped EXE (3 IoCs)
- PID 1372: mp8K1rfGIxnmZqj.exe (dropped under AppData\Local\Temp\ytool\)
- PID 2544: 血狱群攻盒子.exe (Chinese file name, roughly "Blood Prison group-attack box")
- PID 2124: RXJH2Game.exe
Loads dropped DLL (9 IoCs, one row per load)
- PID 2336: 383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe (2 loads)
- PID 2544: 血狱群攻盒子.exe (2 loads)
- PID 1320: WerFault.exe (5 loads)
VMProtect-packed file (yara rule vmprotect, 4 IoCs)
- behavioral1/files/0x0007000000015c98-19.dat: yara rule vmprotect
- behavioral1/memory/2544-23-0x0000000000400000-0x00000000008B3000-memory.dmp: yara rule vmprotect
- behavioral1/memory/2544-33-0x0000000000400000-0x00000000008B3000-memory.dmp: yara rule vmprotect
- behavioral1/memory/2544-153-0x0000000000400000-0x00000000008B3000-memory.dmp: yara rule vmprotect
The rule matches a dropped file and the mapped image region 0x400000-0x8B3000 of PID 2544 (血狱群攻盒子.exe) in three dumps taken at different points of the run, so the packer remains resident in that process for the duration rather than unpacking to a clean image.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by 血狱群攻盒子.exe, in the order recorded: \??\h:, \??\i:, \??\k:, \??\p:, \??\q:, \??\v:, \??\y:, \??\s:, \??\z:, \??\e:, \??\j:, \??\l:, \??\m:, \??\n:, \??\t:, \??\w:, \??\g:, \??\o:, \??\r:, \??\u:, \??\x:
That is every drive letter from E: to Z: except F:; a program that opens the root of every letter in turn, most of which do not exist on the analysis VM, is sweeping for attached volumes rather than opening a drive it was asked for.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
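The two behaviours above (the VirtualBox Guest Additions registry probe by mp8K1rfGIxnmZqj.exe and the sweep of drive roots by 血狱群攻盒子.exe) can be re-derived from the raw IoC rows. The following Python is an added example and is not part of the sandbox report or of the sample: it takes rows in the report's own description / ioc / Process shape (constructed here from the rows shown above, plus one benign explorer.exe row as noise), flags any process that opens a known VM-fingerprint registry key, and flags any process that opens at least five distinct non-C: drive roots. The non-Wow6432Node VirtualBox key and the threshold of five are assumptions, not values taken from the report.

```python
"""Behavioural checks over sandbox IoC rows (added example, not report code).

Rows are (description, ioc, process) in the report's own column order.
Two checks are implemented:
  * a registry presence check for VirtualBox Guest Additions (anti-VM), and
  * mass drive-letter enumeration (many distinct \\??\\X: roots opened).
"""
import re
from collections import defaultdict

# Constructed from the rows on this page; the explorer.exe row is added noise.
EVENTS = [
    ("Key opened",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions",
     "mp8K1rfGIxnmZqj.exe"),
] + [
    ("File opened (read-only)", "\\??\\" + letter + ":", "血狱群攻盒子.exe")
    for letter in "hikpqvyszejlmntwgorux"
] + [
    ("File opened (read-only)", "\\??\\d:", "explorer.exe"),
]

# Registry keys whose mere presence check fingerprints a VirtualBox guest.
# The first is the key seen in this report; the second is the non-WOW64
# location of the same product (assumption, not from the report).
VM_FINGERPRINT_KEYS = {
    r"\registry\machine\software\wow6432node\oracle\virtualbox guest additions",
    r"\registry\machine\software\oracle\virtualbox guest additions",
}

# Matches an NT object path for a drive root such as \??\h:
DRIVE_ROOT = re.compile(r"^\\\?\?\\([a-z]):$", re.IGNORECASE)


def find_vm_probe(events):
    """Return the set of processes that opened a known VM-fingerprint key."""
    hits = set()
    for desc, ioc, proc in events:
        if desc.startswith("Key") and ioc.lower() in VM_FINGERPRINT_KEYS:
            hits.add(proc)
    return hits


def find_drive_enumeration(events, threshold=5):
    """Return {process: sorted drive letters} for every process that opened
    at least `threshold` distinct drive roots other than C:.  The threshold
    is an assumed tuning value; a single non-C: open is normal behaviour."""
    letters = defaultdict(set)
    for desc, ioc, proc in events:
        m = DRIVE_ROOT.match(ioc)
        if desc.startswith("File opened") and m and m.group(1).lower() != "c":
            letters[proc].add(m.group(1).lower())
    return {p: sorted(s) for p, s in letters.items() if len(s) >= threshold}


def triage(events):
    """Summarise both checks as an ordered list of (signature, process)."""
    findings = [("vm_fingerprint_registry", p) for p in sorted(find_vm_probe(events))]
    findings += [("drive_enumeration", p) for p in sorted(find_drive_enumeration(events))]
    return findings


if __name__ == "__main__":
    for sig, proc in triage(EVENTS):
        print(f"{sig:26s} {proc}")
    for proc, drives in find_drive_enumeration(EVENTS).items():
        print(f"  {proc} opened {len(drives)} drive roots: {', '.join(drives)}")
```

The drive-root check deliberately counts distinct letters rather than rows, so a program that retries one missing drive many times is not flagged, while the 21-letter sweep seen here is.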
Program crash (1 IoC)
- PID 1320 (WerFault.exe) handled the crash of PID 2124 (RXJH2Game.exe), procid_target 31
Modifies Internet Explorer settings (3 IoCs)
- Key deleted: \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TypedURLs (血狱群攻盒子.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (血狱群攻盒子.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (血狱群攻盒子.exe)
The WindowsSearch\Version = "WS not running" value is typically written by the Internet Explorer components themselves when they are loaded into a process, so on its own this points to the program hosting an embedded browser control rather than to deliberate tampering with IE settings.
Suspicious behavior: EnumeratesProcesses (17 IoCs)
- PID 2544 血狱群攻盒子.exe (3 rows)
- PID 1372 mp8K1rfGIxnmZqj.exe (14 rows)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 2544 血狱群攻盒子.exe
- Token: SeDebugPrivilege, PID 2124 RXJH2Game.exe
- Token: SeShutdownPrivilege, PID 1372 mp8K1rfGIxnmZqj.exe (2 rows)
SeDebugPrivilege is what a process needs to open other processes for memory access; the same two processes (2544 and 2124) are also the ones installing Windows hooks below.
Suspicious use of FindShellTrayWindow (3 IoCs)
- PID 1372 mp8K1rfGIxnmZqj.exe (1 row)
- PID 2544 血狱群攻盒子.exe (2 rows)
Suspicious use of SendNotifyMessage (3 IoCs)
- PID 1372 mp8K1rfGIxnmZqj.exe (1 row)
- PID 2544 血狱群攻盒子.exe (2 rows)
Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 2544 血狱群攻盒子.exe (4 rows)
- PID 2124 RXJH2Game.exe (3 rows)
Suspicious use of WriteProcessMemory (16 IoCs, one row per call)
- PID 2336 (383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe) wrote to memory of PID 1372, procid_target 28 (4 rows)
- PID 2336 (383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe) wrote to memory of PID 2544, procid_target 30 (4 rows)
- PID 2544 (血狱群攻盒子.exe) wrote to memory of PID 2124, procid_target 31 (4 rows)
- PID 2124 (RXJH2Game.exe) wrote to memory of PID 1320, procid_target 35 (4 rows)
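Every writer/target pair above repeats four times and matches a parent/child edge in the process tree below. A parent writes the new process's startup parameters into the child while creating it, so these rows are consistent with ordinary process creation and are not by themselves evidence of injection into an unrelated process; the signature fires because the sandbox records every write regardless. The following Python is an added example and not part of the report: it parses rows in the report's format (constructed here from the table above), collapses the duplicates, rebuilds the parent/child tree, and walks the lineage of the crashed process. The PID-to-name map is taken from the Executes dropped EXE and Program crash tables; the root PID 2336 is the submitted sample.

```python
"""Rebuild a process tree from sandbox WriteProcessMemory rows
(added example, not report code).

Each row has the shape
    PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
and one row is emitted per call, so duplicates must be collapsed.
"""
import re
from collections import defaultdict

# Constructed from the table on this page (two of the four copies of each
# pair are enough to exercise duplicate collapsing).
ROWS = """\
PID 2336 wrote to memory of 1372 2336 383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe 28
PID 2336 wrote to memory of 1372 2336 383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe 28
PID 2336 wrote to memory of 2544 2336 383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe 30
PID 2544 wrote to memory of 2124 2544 血狱群攻盒子.exe 31
PID 2544 wrote to memory of 2124 2544 血狱群攻盒子.exe 31
PID 2124 wrote to memory of 1320 2124 RXJH2Game.exe 35
PID 2124 wrote to memory of 1320 2124 RXJH2Game.exe 35
"""

# PID -> image name, from the Executes dropped EXE and Program crash tables.
NAMES = {
    2336: "383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe",
    1372: "mp8K1rfGIxnmZqj.exe",
    2544: "血狱群攻盒子.exe",
    2124: "RXJH2Game.exe",
    1320: "WerFault.exe",
}

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image, procid_target) per row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4))


def build_tree(rows):
    """Return (children, writes): children maps pid -> sorted child pids,
    writes counts the raw rows behind each (writer, target) edge."""
    children = defaultdict(set)
    writes = defaultdict(int)
    for writer, target, _image, _procid in rows:
        children[writer].add(target)
        writes[(writer, target)] += 1
    return {p: sorted(c) for p, c in children.items()}, dict(writes)


def lineage(children, pid):
    """Chain of pids from the root down to `pid`, e.g. [2336, 2544, 2124, 1320]."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(children, root, names, depth=0):
    """Indented text lines in the style of the report's Processes view."""
    lines = [f"{'  ' * depth}{names.get(root, '?')} (PID {root})"]
    for child in children.get(root, []):
        lines += render(children, child, names, depth + 1)
    return lines


if __name__ == "__main__":
    children, writes = build_tree(parse_rows(ROWS))
    print("\n".join(render(children, 2336, NAMES)))
    print("crash lineage:", " -> ".join(str(p) for p in lineage(children, 1320)))
    for (w, t), n in sorted(writes.items()):
        print(f"  {w} -> {t}: {n} write(s)")
```

Because the edges are derived purely from the writer and target PIDs, the same code reveals injection when it does happen: a writer/target pair that does not correspond to a process-creation edge (for example a write into an already-running system process) shows up as an extra branch under the writer.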
Processes
[1] C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe"
    PID 2336
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe" "C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe"
        PID 1372
        (The image path is ytool\mp8K1rfGIxnmZqj.exe, but the recorded command line names the parent's path twice: the dropper created the process with an explicit application path and a command line that does not match the image, so a detection keyed on the command line alone never sees this file name.)
        - Looks for VirtualBox Guest Additions in registry
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe"
        PID 2544
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe" http://www.baidu.com:89/client.exe
            PID 2124
            (The argument is a URL on a non-standard port; the Network section of this report is empty, so no request to it is recorded here.)
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 820
                PID 1320
                - Loads dropped DLL
                - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 9KB
  MD5 03b6e5e3624c8128a401dca21d4a95b1
  SHA1 cd4f8e55b8db920502d59929f780a41e9fc32e64
  SHA256 9d5b4d1a193f82dd325a540af5ba06a5ef5a16ec5aa787fdc975b55f13e032b4
  SHA512 2409b80e9e32a7d60f9a1f307d6cd42f6c63fe3007cef512cd3348ac2984045bf77f59e80e3a55628acff1a7807f44c773033aa8c3c5909335dbfc4f4770fe01
- Filesize 44KB
  MD5 64a4ea2a47e049fc907279bde7a54b52
  SHA1 66322364a9dc2156179de7fea5f1d0b930675670
  SHA256 f965de4a8e553a7eb4853fbc2a0a982efa3e263edec1da4206ea5870c27af024
  SHA512 4699ebc8304cad67cf0b5531854afc56846f7a77ffc7396640fabdc0e42fb760bafaf213aa4e0ca23961da831a60dd5ceefe11de7fa9767261a07301c34191b7
- Filesize 5.7MB
  MD5 120f116cfcdaad584b09e7f13e2fc208
  SHA1 18572eedde71cd344e023227221805f5c51bd585
  SHA256 3e614f163a061f8cc7e864b2304d407675f80952b5a870b2ab427782eec2ec5d
  SHA512 e1246094012b6cfac0902153d905be907a9c0feb8a4907235b3e2c0153837421410a3c1d6891bf1d11421b9b2fcc332c6c3a45aa3ec2d8e7a6657830504b1ea9
- Filesize 2.1MB
  MD5 d7481b8835ad1b833a29a47cc98335e5
  SHA1 b0549680b5324da5e6f1d73bc35454ce68f8d216
  SHA256 02fb70a3aec6d52cb1070883d5f3bcfeba3713d39a1cb71149f9ab852e54b7b2
  SHA512 49f1aa7dcf00b330bd7d84fa6a177e6409b58abf4d3c2ed92cfddbd66f88fb85098005eac57c54024eb50fc01c05cd06434d6d54ec255a57e6284089207cd272
The report does not pair these four artifacts with file names, so they cannot be mapped onto the dropped executables above without retrieving them and hashing.