e335b128ca467d6da272ae977fe900f4eeffba51ea9f3eb39db55a9de24c629c

General

Target

e335b128ca467d6da272ae977fe900f4eeffba51ea9f3eb39db55a9de24c629c.exe
Size

13.7MB
MD5

ae930f11fc92fac995f4257ea1671e59
SHA1

ea3682072b032f2e37ee0cac1801b85b0eef66b8
SHA256

e335b128ca467d6da272ae977fe900f4eeffba51ea9f3eb39db55a9de24c629c
SHA512

d88935259a6b726f2419e0868b46b98b665394419adb12ce58e61cf0bb1bd848e6c28a32d7d36a8effdbd6aefeba4183b5ee381280b0f14cbd55144d24eca6f8
SSDEEP

196608:JHnqYUuSlkutvSpZIIImvUEsFEZTqTGdukjiVJlzLJZzoFWe4fyGsnIRHqrB7XLI:JCtaTpDyGduyoLzMwRxnsxJ72

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3924	再战枭雄轮回.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3924	再战枭雄轮回.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3924	再战枭雄轮回.exe
3924	再战枭雄轮回.exe
3924	再战枭雄轮回.exe
3924	再战枭雄轮回.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3924	再战枭雄轮回.exe
Token: SeShutdownPrivilege	3924	再战枭雄轮回.exe
Token: SeLoadDriverPrivilege	3924	再战枭雄轮回.exe
Token: SeTakeOwnershipPrivilege	3924	再战枭雄轮回.exe
Token: SeBackupPrivilege	3924	再战枭雄轮回.exe
Token: SeRestorePrivilege	3924	再战枭雄轮回.exe
Token: SeDebugPrivilege	3924	再战枭雄轮回.exe
Token: SeShutdownPrivilege	3924	再战枭雄轮回.exe
Token: SeLoadDriverPrivilege	3924	再战枭雄轮回.exe
Token: SeTakeOwnershipPrivilege	3924	再战枭雄轮回.exe
Token: SeBackupPrivilege	3924	再战枭雄轮回.exe
Token: SeRestorePrivilege	3924	再战枭雄轮回.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2972	e335b128ca467d6da272ae977fe900f4eeffba51ea9f3eb39db55a9de24c629c.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2972	e335b128ca467d6da272ae977fe900f4eeffba51ea9f3eb39db55a9de24c629c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3924	再战枭雄轮回.exe
3924	再战枭雄轮回.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 3924	2972	e335b128ca467d6da272ae977fe900f4eeffba51ea9f3eb39db55a9de24c629c.exe	81
PID 2972 wrote to memory of 3924	2972	e335b128ca467d6da272ae977fe900f4eeffba51ea9f3eb39db55a9de24c629c.exe	81
PID 2972 wrote to memory of 3924	2972	e335b128ca467d6da272ae977fe900f4eeffba51ea9f3eb39db55a9de24c629c.exe	81

C:\Users\Admin\AppData\Local\Temp\e335b128ca467d6da272ae977fe900f4eeffba51ea9f3eb39db55a9de24c629c.exe
"C:\Users\Admin\AppData\Local\Temp\e335b128ca467d6da272ae977fe900f4eeffba51ea9f3eb39db55a9de24c629c.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\再战枭雄轮回.exe
  C:\Users\Admin\AppData\Local\Temp\再战枭雄轮回.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
579B

MD5
27a8612090cfa7ede4025370cc4f0e7b

SHA1
627c35413e7c80ccd16b4d802120c5e3ee55626a

SHA256
09f0d976cf00fe87b12a68dd6bb62b19e1b982308ba076cb81453db73115f58d

SHA512
227cab72944d322bf66159d294930d79d193b6038f7a37847cd5ecae633c52606a35aa52df79016eab6e8a689253fb0c9af14a0316730d8a8962323491e0244a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
310B

MD5
0faec26915d2ae8d56fc2883b1ba23b3

SHA1
63653f8965791d89991540385afda97b7ef66d70

SHA256
8de34115f74d954d552bbcefa31435815c68a24c4b190539f90e7d3feeaa76c9

SHA512
2b8a395cfd30851f5e53f81370138c7e837978a0afb0b33bc7d0123de4fd6535f9ea86b97d23df1513d66c7fd8a4bc5ffddae96b58d07f53f8ccb077f3898d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
34KB

MD5
4e37ecdf31969ee3e32151556725a8c6

SHA1
7207c8200b59795148fdcd05f92ad986674898a4

SHA256
9dc2af94527c4d17dffa6cb8e1d31f65a26ba35f4b2ed827868c80fbaf87a70a

SHA512
57435a7b0b96b83ce616d42f996ec5b859b8781222a32ee94dffa5e8db65f9606c3a82ef03796f19f7b32bb19f263547b3498e870162e77fa60d8b6fac40fd72

Download Submit
C:\Users\Admin\AppData\Local\Temp\再战枭雄轮回.exe

Filesize
8.0MB

MD5
0f79956e611a733dbd438dc8a9bed0df

SHA1
2a83a037ac20d30879d831e9007e2d35e7ec98ba

SHA256
49670cde80663d5ddfab7ca5bf5f78d3398a513ee91debc7f74abab9afe8b335

SHA512
5fc52c85db35b2cd538c1005552012d30b9a6fb6fd8e6e3f31a72ccb5f3cb958fea3f991e01f6637cfca909aa5c1e853f3f66fc917043927b244760d974691f3

Download Submit
memory/3924-27-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/3924-23-0x00000000015B0000-0x00000000015B1000-memory.dmp

Filesize
4KB

Download
memory/3924-29-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/3924-28-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/3924-24-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

Filesize
4KB

Download
memory/3924-26-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/3924-25-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3924-30-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3924-34-0x0000000000400000-0x00000000013D0000-memory.dmp

Filesize
15.8MB

Download
memory/3924-35-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/3924-39-0x0000000000400000-0x00000000013D0000-memory.dmp

Filesize
15.8MB

Download
memory/3924-22-0x000000000074D000-0x0000000000BCE000-memory.dmp

Filesize
4.5MB

Download
memory/3924-564-0x000000000074D000-0x0000000000BCE000-memory.dmp

Filesize
4.5MB

Download
memory/3924-573-0x0000000000400000-0x00000000013D0000-memory.dmp

Filesize
15.8MB

Download

Analysis

Sharing