Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 08:27
Static task: static1

Behavioral task: behavioral1
Sample: 383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: 383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe
Resource: win10v2004-20240508-en
General

Target: 383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe
Size: 10.8MB
MD5: ecd7dad0774859a0e8730122ba6dd350
SHA1: 5ad6f0dc19c7973cd9149bb8a3005214ba6e1bf2
SHA256: 383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693
SHA512: 572b96a50d02a61d782c6110a993ea56b603905a498ddaab71a2caa79e2ebcbb9cb0756b79c1e98ab7f7941690c017e84289bbaa5c86feec0d4f3a004c58306f
SSDEEP: 196608:sZzrENt07+s5HL1ZUT5xFEAPlMD+cpvJ/4H3nmghWoa/fsysMF4JD85lXkji:sZVzUTfuANMFgXnU7sElXy
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                Process
  Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  血狱群攻盒子.exe
Executes dropped EXE (3 IoCs)
  pid   Process
  4596  mp8K1rfGIxnmZqj.exe
  3024  血狱群攻盒子.exe
  4856  RXJH2Game.exe

yara_rule vmprotect (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/files/0x0007000000023429-19.dat                                   vmprotect
  behavioral2/memory/3024-21-0x0000000000400000-0x00000000008B3000-memory.dmp   vmprotect
  behavioral2/memory/3024-22-0x0000000000400000-0x00000000008B3000-memory.dmp   vmprotect
  behavioral2/memory/3024-146-0x0000000000400000-0x00000000008B3000-memory.dmp  vmprotect
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\v:  血狱群攻盒子.exe
  File opened (read-only)  \??\z:  血狱群攻盒子.exe
  File opened (read-only)  \??\g:  血狱群攻盒子.exe
  File opened (read-only)  \??\j:  血狱群攻盒子.exe
  File opened (read-only)  \??\r:  血狱群攻盒子.exe
  File opened (read-only)  \??\s:  血狱群攻盒子.exe
  File opened (read-only)  \??\q:  血狱群攻盒子.exe
  File opened (read-only)  \??\w:  血狱群攻盒子.exe
  File opened (read-only)  \??\h:  血狱群攻盒子.exe
  File opened (read-only)  \??\i:  血狱群攻盒子.exe
  File opened (read-only)  \??\n:  血狱群攻盒子.exe
  File opened (read-only)  \??\o:  血狱群攻盒子.exe
  File opened (read-only)  \??\e:  血狱群攻盒子.exe
  File opened (read-only)  \??\l:  血狱群攻盒子.exe
  File opened (read-only)  \??\m:  血狱群攻盒子.exe
  File opened (read-only)  \??\x:  血狱群攻盒子.exe
  File opened (read-only)  \??\y:  血狱群攻盒子.exe
  File opened (read-only)  \??\k:  血狱群攻盒子.exe
  File opened (read-only)  \??\p:  血狱群攻盒子.exe
  File opened (read-only)  \??\t:  血狱群攻盒子.exe
  File opened (read-only)  \??\u:  血狱群攻盒子.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (3 IoCs)
  description      ioc                                                                                                                              Process
  Key created      \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch              血狱群攻盒子.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  血狱群攻盒子.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs                       血狱群攻盒子.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  3024  血狱群攻盒子.exe
  3024  血狱群攻盒子.exe
  3024  血狱群攻盒子.exe
  3024  血狱群攻盒子.exe
  3024  血狱群攻盒子.exe
  3024  血狱群攻盒子.exe
  4596  mp8K1rfGIxnmZqj.exe
  4596  mp8K1rfGIxnmZqj.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3024  血狱群攻盒子.exe
  Token: SeDebugPrivilege  4856  RXJH2Game.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  4596  mp8K1rfGIxnmZqj.exe
  3024  血狱群攻盒子.exe
  3024  血狱群攻盒子.exe

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  4596  mp8K1rfGIxnmZqj.exe
  3024  血狱群攻盒子.exe
  3024  血狱群攻盒子.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
  pid   Process
  3024  血狱群攻盒子.exe
  3024  血狱群攻盒子.exe
  4856  RXJH2Game.exe
  4856  RXJH2Game.exe
  4856  RXJH2Game.exe
  3024  血狱群攻盒子.exe
  3024  血狱群攻盒子.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 4060 wrote to memory of 4596  4060  383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe  81
  PID 4060 wrote to memory of 4596  4060  383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe  81
  PID 4060 wrote to memory of 4596  4060  383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe  81
  PID 4060 wrote to memory of 3024  4060  383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe  83
  PID 4060 wrote to memory of 3024  4060  383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe  83
  PID 4060 wrote to memory of 3024  4060  383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe  83
  PID 3024 wrote to memory of 4856  3024  血狱群攻盒子.exe                                                           89
  PID 3024 wrote to memory of 4856  3024  血狱群攻盒子.exe                                                           89
  PID 3024 wrote to memory of 4856  3024  血狱群攻盒子.exe                                                           89
Processes

C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4060

  C:\Users\Admin\AppData\Local\Temp\ytool\mp8K1rfGIxnmZqj.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe" "C:\Users\Admin\AppData\Local\Temp\383a71303c545b3e8fc4ca36c6c8b997e08621e168dd167e3f94e7e699de7693.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4596

  C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\血狱群攻盒子.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3024

    C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe" http://www.baidu.com:89/client.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 4856
Network
MITRE ATT&CK Enterprise v15
Downloads