Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 10:32
Static task: static1
Behavioral task: behavioral1
Sample: fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe
Resource: win7-20231129-en
General
Target: fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe
Size: 14.8MB
MD5: f2d26e9e38f67c5402d4ec26b6e7e023
SHA1: 05e6248c0902d36ade9df0e9cbd9a243f96ce054
SHA256: fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365
SHA512: 9bab9ad3519a24d06206edc7f065ea30f525f2a9ee32bb1bce959e0cb7a1ab3f46346368bd5f6c7475e20994aed8e873731a4ef8b4838511918f662a20266c79
SSDEEP: 393216:HN4H3X8OlWVs7iN1QeulpRrQp17pZBf9:HNc2Vs7deuHR
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoCs)
  description: Key opened | ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | Process: HEEeGHXVThDsN6h.exe
- Executes dropped EXE (3 IoCs)
  pid 1848 | Process HEEeGHXVThDsN6h.exe
  pid 2120 | Process 京都江湖.exe
  pid 2472 | Process RXJH2Game.exe
- Loads dropped DLL (9 IoCs)
  pid 1392 | Process fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe (2 entries)
  pid 2120 | Process 京都江湖.exe (2 entries)
  pid 940 | Process WerFault.exe (5 entries)
- YARA rule match: vmprotect (2 IoCs)
  resource: behavioral1/files/0x0008000000015626-12.dat | yara_rule: vmprotect
  resource: behavioral1/memory/2120-52-0x0000000000400000-0x0000000001015000-memory.dmp | yara_rule: vmprotect
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only) | Process: 京都江湖.exe | ioc (one entry per drive letter): \??\z:, \??\w:, \??\x:, \??\i:, \??\j:, \??\o:, \??\s:, \??\u:, \??\e:, \??\k:, \??\l:, \??\t:, \??\p:, \??\q:, \??\r:, \??\v:, \??\g:, \??\h:, \??\m:, \??\n:, \??\y:
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid 940 | pid_target 2472 | Process WerFault.exe | procid_target 30
- Modifies Internet Explorer settings (3 IoCs)
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | Process: 京都江湖.exe
  description: Key deleted | ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TypedURLs | Process: 京都江湖.exe
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | Process: 京都江湖.exe
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid 2120 | Process 京都江湖.exe (3 entries)
  pid 1848 | Process HEEeGHXVThDsN6h.exe
  pid 2120 | Process 京都江湖.exe
  pid 1848 | Process HEEeGHXVThDsN6h.exe (repeated for all remaining entries)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description: Token: SeDebugPrivilege | pid 2120 | Process 京都江湖.exe
  description: Token: SeDebugPrivilege | pid 2472 | Process RXJH2Game.exe
  description: Token: SeShutdownPrivilege | pid 1848 | Process HEEeGHXVThDsN6h.exe (6 entries)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2120 | Process 京都江湖.exe (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid 2120 | Process 京都江湖.exe (2 entries)
- Suspicious use of SetWindowsHookEx (7 IoCs)
  pid 2120 | Process 京都江湖.exe (2 entries)
  pid 2472 | Process RXJH2Game.exe (3 entries)
  pid 2120 | Process 京都江湖.exe (2 entries)
- Suspicious use of WriteProcessMemory (16 IoCs)
  description: PID 1392 wrote to memory of 1848 | pid 1392 | Process fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | procid_target 28 (4 entries)
  description: PID 1392 wrote to memory of 2120 | pid 1392 | Process fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe | procid_target 29 (4 entries)
  description: PID 2120 wrote to memory of 2472 | pid 2120 | Process 京都江湖.exe | procid_target 30 (4 entries)
  description: PID 2472 wrote to memory of 940 | pid 2472 | Process RXJH2Game.exe | procid_target 31 (4 entries)
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1392
  [level 2] C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe" "C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe"
    - Looks for VirtualBox Guest Additions in registry
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1848
  [level 2] C:\Users\Admin\AppData\Local\Temp\京都江湖.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\京都江湖.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2120
    [level 3] C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe" http://xkt.cac88.cn/...................
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2472
      [level 4] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 824
        - Loads dropped DLL
        - Program crash
        PID: 940
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 449B
  MD5: ee2165cd3e7b5976c3121746f2fe94cf
  SHA1: 999d620e7b2e5035cf652d5358ce26214326b2f0
  SHA256: b6e143e6d9060fd8dddb81e8b59954136634456005008c7b2c726cf846e74f87
  SHA512: 50aa5e38f4d5fb3a7e4bd3f74960999f7fa7f665c3dfeb178172472d121cd353a7ab4c1cb38a562b22176ebd8b1791ddb0caf1582796c00c7935e54fd5d90629
- Filesize: 6KB
  MD5: c3a3fe4e9c8980687ee8ff574629c362
  SHA1: d8bc3e2363eddf4c148f8d4922956ff506807998
  SHA256: 45f8639091a9c281efe5920c45f2e8a0e4739ae8f92e2c02f0adba9b2e3ca946
  SHA512: bb7cedac6b4d194924d2c99445b74c992ab7e5e31d24fc1b4d4d9ee0f714318f81f0917b354631fc47f83107dc00f8edea16db1ecf1f4b5f053c2327b7d34153
- Filesize: 44KB
  MD5: 64a4ea2a47e049fc907279bde7a54b52
  SHA1: 66322364a9dc2156179de7fea5f1d0b930675670
  SHA256: f965de4a8e553a7eb4853fbc2a0a982efa3e263edec1da4206ea5870c27af024
  SHA512: 4699ebc8304cad67cf0b5531854afc56846f7a77ffc7396640fabdc0e42fb760bafaf213aa4e0ca23961da831a60dd5ceefe11de7fa9767261a07301c34191b7
- Filesize: 5.2MB
  MD5: bd071dbab6417cb317d50d1b62fe082c
  SHA1: ca84d0d018a4b4017cd641d1fc36a47b4348f4df
  SHA256: 11418cd83df43b5f6be435040f2d4242195df5a24dbe295ae26f2dcc5e430b7c
  SHA512: 89bac3f5542399f6c33ba350afc62a36e102bff2650b5ced36eb5f92a1cabfa8d26e19af1fc168b71d48a1c675028042a6d552e78ad64bdf946d14b798820437
- Filesize: 6.6MB
  MD5: a579211b81cb5fa0f786a238469c51dc
  SHA1: a3fc7a95bf080e592ebbcc5a6b7986db87fa58f0
  SHA256: e3e84526ad020930059828bb03abe7cf3b22870ddf888a7cf5b5397d0fa508bf
  SHA512: 9dcab2dd1b6fdb142b495de12dd9bc149e43e7c49d63481598d349d3b96308e5b04b4739d6407ef8057fd8c9ac92932c3d9119e3211de5ca853f830ca842c642