Analysis
max time kernel: 92s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 10:32
Static task: static1
Behavioral task: behavioral1
Sample: fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe
Resource: win7-20231129-en
General
Target: fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe
Size: 14.8MB
MD5: f2d26e9e38f67c5402d4ec26b6e7e023
SHA1: 05e6248c0902d36ade9df0e9cbd9a243f96ce054
SHA256: fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365
SHA512: 9bab9ad3519a24d06206edc7f065ea30f525f2a9ee32bb1bce959e0cb7a1ab3f46346368bd5f6c7475e20994aed8e873731a4ef8b4838511918f662a20266c79
SSDEEP: 393216:HN4H3X8OlWVs7iN1QeulpRrQp17pZBf9:HNc2Vs7deuHR
Malware Config
Signatures
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions (process: HEEeGHXVThDsN6h.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (process: 京都江湖.exe)

Executes dropped EXE (3 IoCs)
  PID 1976 HEEeGHXVThDsN6h.exe
  PID 956 京都江湖.exe
  PID 1696 RXJH2Game.exe

yara_rule vmprotect matched in resources:
  behavioral2/files/0x0007000000023408-12.dat
  behavioral2/memory/956-25-0x0000000000400000-0x0000000001015000-memory.dmp
  behavioral2/memory/956-26-0x0000000000400000-0x0000000001015000-memory.dmp
  behavioral2/memory/956-116-0x0000000000400000-0x0000000001015000-memory.dmp

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by 京都江湖.exe: \??\u:, \??\k:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\t:, \??\z:, \??\g:, \??\i:, \??\j:, \??\s:, \??\v:, \??\w:, \??\m:, \??\x:, \??\y:, \??\e:, \??\h:, \??\l:

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 3624 WerFault.exe (pid_target 1696, procid_target 86)

Modifies Internet Explorer settings
  Key deleted: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs (process: 京都江湖.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (process: 京都江湖.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (process: 京都江湖.exe)

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  PID 956 京都江湖.exe (8 events), PID 1976 HEEeGHXVThDsN6h.exe (8 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 956 京都江湖.exe
  Token: SeDebugPrivilege, PID 1696 RXJH2Game.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 956 京都江湖.exe (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
  PID 956 京都江湖.exe (2 events)

Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 956 京都江湖.exe (4 events), PID 1696 RXJH2Game.exe (3 events)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4848 fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe wrote to memory of PID 1976 (procid_target 80), 3 events
  PID 4848 fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe wrote to memory of PID 956 (procid_target 81), 3 events
  PID 956 京都江湖.exe wrote to memory of PID 1696 (procid_target 86), 3 events
Processes
C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe"
  PID: 4848
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ytool\HEEeGHXVThDsN6h.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe" "C:\Users\Admin\AppData\Local\Temp\fea445de6e41ce7025f818dc6a6eddccf5eed38e6f7dc2d389be19a9cebce365.exe"
      PID: 1976
      - Looks for VirtualBox Guest Additions in registry
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\京都江湖.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\京都江湖.exe"
      PID: 956
      - Checks computer location settings
      - Executes dropped EXE
      - Enumerates connected drives
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\RXJH2Game.exe" http://xkt.cac88.cn/...................
          PID: 1696
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1384
              PID: 3624
              - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1696 -ip 1696
  PID: 4128
Network
MITRE ATT&CK Enterprise v15
Downloads