Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240910-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-09-2024 04:52
Behavioral task behavioral1
- Sample: 2 修改器/Atelier Ryza 2 Lost Legends and the Secret Fairy v1.0 Plus 29 Trainer.exe
- Resource: win7-20240903-en

Behavioral task behavioral2
- Sample: 2 修改器/Atelier Ryza 2 Lost Legends and the Secret Fairy v1.0 Plus 29 Trainer.exe
- Resource: win10v2004-20240802-en

Behavioral task behavioral3
- Sample: 2 修改器/目录.exe
- Resource: win7-20240903-en

Behavioral task behavioral4
- Sample: 2 修改器/目录.exe
- Resource: win10v2004-20240910-en
General
- Target: 2 修改器/目录.exe
- Size: 1.4MB
- MD5: e3cd2eed47f07bf91c14fc407f96f0ef
- SHA1: fc9b233374fdbfb3b6f83aa6d685b983112a82f6
- SHA256: f962bc3f919502b67584fe153b101f5bdbdafe25abd315b0501a8ee03e2d15c6
- SHA512: 309d51567a197aceb632094e31e0738991433daee54c46dd7a4ab80da63e01ab0d4cd67bf1984387e1b024759c29dbbfb2702e1a25183839ddefa075c2d87eca
- SSDEEP: 24576:YMjhpmn+KkK2lpAwyTYbGrc38qqR82srDEMIcV1Dw3VyX5BZBX4LbKhIOYKcrZaV:rW+KX2lpAbYbAcMP82sPPVW4BBX2bKhr
Malware Config
Signatures

- Executes dropped EXE (2 IoCs)
  pid | Process
  3116 | 目录.tmp
  2192 | StartGame.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 目录.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | StartGame.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 目录.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3116 | 目录.tmp
  3116 | 目录.tmp

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2192 | StartGame.exe

- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  3116 | 目录.tmp

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1600 wrote to memory of 3116 | 1600 | 目录.exe | 84
  PID 1600 wrote to memory of 3116 | 1600 | 目录.exe | 84
  PID 1600 wrote to memory of 3116 | 1600 | 目录.exe | 84
  PID 3116 wrote to memory of 2192 | 3116 | 目录.tmp | 90
  PID 3116 wrote to memory of 2192 | 3116 | 目录.tmp | 90
  PID 3116 wrote to memory of 2192 | 3116 | 目录.tmp | 90
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\2 修改器\目录.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2 修改器\目录.exe"
  PID: 1600
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\is-3QF96.tmp\目录.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-3QF96.tmp\目录.tmp" /SL5="$80052,951771,140288,C:\Users\Admin\AppData\Local\Temp\2 修改器\目录.exe"
    PID: 3116
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\2 修改器\StartGame.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2 修改器\StartGame.exe"
      PID: 2192
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads