Analysis

  • max time kernel
    119s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-09-2024 05:00

General

  • Target

    修改器/目录.exe

  • Size

    1.4MB

  • MD5

    e3cd2eed47f07bf91c14fc407f96f0ef

  • SHA1

    fc9b233374fdbfb3b6f83aa6d685b983112a82f6

  • SHA256

    f962bc3f919502b67584fe153b101f5bdbdafe25abd315b0501a8ee03e2d15c6

  • SHA512

    309d51567a197aceb632094e31e0738991433daee54c46dd7a4ab80da63e01ab0d4cd67bf1984387e1b024759c29dbbfb2702e1a25183839ddefa075c2d87eca

  • SSDEEP

    24576:YMjhpmn+KkK2lpAwyTYbGrc38qqR82srDEMIcV1Dw3VyX5BZBX4LbKhIOYKcrZaV:rW+KX2lpAbYbAcMP82sPPVW4BBX2bKhr

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\修改器\目录.exe
    "C:\Users\Admin\AppData\Local\Temp\修改器\目录.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Users\Admin\AppData\Local\Temp\is-2PRDR.tmp\目录.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2PRDR.tmp\目录.tmp" /SL5="$601DA,951771,140288,C:\Users\Admin\AppData\Local\Temp\修改器\目录.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Users\Admin\AppData\Local\Temp\修改器\StartGame.exe
        "C:\Users\Admin\AppData\Local\Temp\修改器\StartGame.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2540

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-2PRDR.tmp\目录.tmp

    Filesize

    1.4MB

    MD5

    a3a1c4337ea7f1a2183f0d8058f89ec5

    SHA1

    ce6d241b125023d833cb3e34581a0c4d9c1150e0

    SHA256

    16e669417be50d8ea3cc3b0717e4000711cc4609b124e73b16239197991799e8

    SHA512

    5b2a5b59ae9f415a63e2427448af044c226febdf9e0ab9709d03cbd26aff9e2c3b880e65efacff9b61b69e312d206b5c3324bf55d256a1cbdf8a0c825d111056

  • C:\Users\Admin\AppData\Local\Temp\修改器\StartGame.exe

    Filesize

    5.3MB

    MD5

    79291bc804f6bd5a90a1d2d8e599ec99

    SHA1

    8d7f12bc2e5c0257e23391e52c9aed697d44c12e

    SHA256

    24c48b516e3be71261b392574ba9aedd5af517ab6c860d4f90d2c92949ebdb1b

    SHA512

    1337007566a03477fcd719d15df28b4f9ca046ad66488e43c1c8431db870073cf1332dcacf2626deb725c367aa1354dd5d5e337ff381419b0810ff3fbd4dabee

  • C:\Users\Admin\AppData\Roaming\WisdomSys\Tu\O1CN010KT7iN2Ea8UG1QHqu_!!891218760.jpg.ddtu.tmp

    Filesize

    33KB

    MD5

    7137b099d5587ee860785e8dfe30366f

    SHA1

    539cb4f00ebfb8ebd0c35306956379fa2a3b192d

    SHA256

    9e83d86ccf6a9b4260401261273ba07509df4b38a63fe846694616967a7903b0

    SHA512

    9c99172595ff2fdcc8b6b7d358bd6c81e5743bd35c7f4860b5f9002fa63a3e2b62ebd1ae2c0ebd51ca1c834e5ee634cc25e439b2ee4043a240637cb935f1c061

  • C:\Users\Admin\AppData\Roaming\WisdomSys\Tu\O1CN01QTha072Ea8WsUeniS_!!891218760.jpg

    Filesize

    44KB

    MD5

    0174d0d207d60611013004c74240ad53

    SHA1

    e72c89578145c3f1fe8ae859d9009ce2d7f50e65

    SHA256

    778c7b03e34dcb4c8a6f5f7e875209e1cd2df6cdfa08e72124d9637aacee4b24

    SHA512

    39a47c02ab40b6286cfffeb78815f087800bd88a83c7a03880c98aad6429f7e721814dc70689652604152b563d9a3bcf1536b931cd08c5a33ce46e3911f8dbb0

  • C:\Users\Admin\AppData\Roaming\WisdomSys\Tu\O1CN01d2KyQd2Ea8U5aAmy7_!!891218760.jpg

    Filesize

    45KB

    MD5

    6e41e3abb71d676ad17edf90d689a82e

    SHA1

    430a09a1989d36a7707c8c1e793d24463b91bea1

    SHA256

    69fdd085dd9c4a0389373cacbaea8672de99b11712aa5620189575201e1e6dd1

    SHA512

    b8ee9458ae49adb703aa85fc24d9c3d3c9ae09f1b2ccf6253d5f52f52ea811bd49f29ace15111e899314ce61dfe83c48dc0600096bca6fa5c32a61c37f526263

  • C:\Users\Admin\AppData\Roaming\WisdomSys\Tu\O1CN01e2DQEF2Ea8GWHjoYQ_!!891218760.jpg

    Filesize

    73KB

    MD5

    951a529ae3865354ba68a8f501cd4b6b

    SHA1

    81baeeddddef53c1e68e019acaa261b17b140206

    SHA256

    e0f7f63c328aa46ff2a2b86531a48b348eaa7d42c20f599591f5bafb514aa42d

    SHA512

    cb58d5149aa2dd176eec2e00c6a5efa53ee2c56e9176770c9597f0dfa4f6f54ab7305d76a25a2a59ecfa1ba24b760331f8a35de200cf042fbc59b86f52ffec71

  • C:\Users\Admin\AppData\Roaming\WisdomSys\Tu\O1CN01qfOQhd2Ea8WOwjwlo_!!891218760.jpg

    Filesize

    74KB

    MD5

    523dccc064fa002932f4e54dfb72dcea

    SHA1

    bbcfd30856a0e9abf80b192aec2b6d4bc409ab0a

    SHA256

    5a363116b4e59441991dc06cb9aac7412d142047134fc5afe2a7c1623cab37bf

    SHA512

    1509aa19f3df7d5d0be640262d8e8d252297a56ef48fc2afe8e1e81931e0780524caf694c7c4419620b7dad63e32aa09906438931ed4ba79bee4881f278e4ba3

  • memory/508-2-0x0000000000401000-0x0000000000417000-memory.dmp

    Filesize

    88KB

  • memory/508-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/508-25-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2540-45-0x0000000005AD0000-0x0000000005AD8000-memory.dmp

    Filesize

    32KB

  • memory/2540-50-0x0000000005F20000-0x0000000005F28000-memory.dmp

    Filesize

    32KB

  • memory/2540-34-0x0000000005730000-0x0000000005880000-memory.dmp

    Filesize

    1.3MB

  • memory/2540-33-0x00000000055E0000-0x00000000055E8000-memory.dmp

    Filesize

    32KB

  • memory/2540-32-0x00000000055C0000-0x00000000055CA000-memory.dmp

    Filesize

    40KB

  • memory/2540-31-0x00000000055B0000-0x00000000055C0000-memory.dmp

    Filesize

    64KB

  • memory/2540-30-0x00000000055A0000-0x00000000055AA000-memory.dmp

    Filesize

    40KB

  • memory/2540-29-0x0000000003140000-0x000000000314C000-memory.dmp

    Filesize

    48KB

  • memory/2540-37-0x0000000005650000-0x000000000566A000-memory.dmp

    Filesize

    104KB

  • memory/2540-39-0x00000000058C0000-0x0000000005972000-memory.dmp

    Filesize

    712KB

  • memory/2540-38-0x0000000005690000-0x00000000056AA000-memory.dmp

    Filesize

    104KB

  • memory/2540-40-0x0000000005A60000-0x0000000005A6A000-memory.dmp

    Filesize

    40KB

  • memory/2540-41-0x0000000005A70000-0x0000000005A78000-memory.dmp

    Filesize

    32KB

  • memory/2540-42-0x0000000005A80000-0x0000000005A88000-memory.dmp

    Filesize

    32KB

  • memory/2540-43-0x0000000005B00000-0x0000000005B66000-memory.dmp

    Filesize

    408KB

  • memory/2540-44-0x0000000005AC0000-0x0000000005AC8000-memory.dmp

    Filesize

    32KB

  • memory/2540-36-0x0000000005640000-0x0000000005654000-memory.dmp

    Filesize

    80KB

  • memory/2540-46-0x0000000005AE0000-0x0000000005AE8000-memory.dmp

    Filesize

    32KB

  • memory/2540-47-0x0000000005AF0000-0x0000000005AF8000-memory.dmp

    Filesize

    32KB

  • memory/2540-48-0x0000000005B70000-0x0000000005B78000-memory.dmp

    Filesize

    32KB

  • memory/2540-49-0x0000000005B90000-0x0000000005B98000-memory.dmp

    Filesize

    32KB

  • memory/2540-35-0x0000000005600000-0x0000000005632000-memory.dmp

    Filesize

    200KB

  • memory/2540-51-0x00000000086E0000-0x00000000086E8000-memory.dmp

    Filesize

    32KB

  • memory/2540-52-0x0000000073EF0000-0x00000000746A0000-memory.dmp

    Filesize

    7.7MB

  • memory/2540-54-0x000000000B5E0000-0x000000000B5EE000-memory.dmp

    Filesize

    56KB

  • memory/2540-53-0x000000000B620000-0x000000000B658000-memory.dmp

    Filesize

    224KB

  • memory/2540-55-0x0000000073EF0000-0x00000000746A0000-memory.dmp

    Filesize

    7.7MB

  • memory/2540-56-0x00000000094E0000-0x0000000009572000-memory.dmp

    Filesize

    584KB

  • memory/2540-57-0x000000000A170000-0x000000000A714000-memory.dmp

    Filesize

    5.6MB

  • memory/2540-58-0x00000000094C0000-0x00000000094C8000-memory.dmp

    Filesize

    32KB

  • memory/2540-59-0x00000000090B0000-0x00000000090D2000-memory.dmp

    Filesize

    136KB

  • memory/2540-60-0x000000000FB50000-0x000000000FEA4000-memory.dmp

    Filesize

    3.3MB

  • memory/2540-61-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

    Filesize

    4KB

  • memory/2540-62-0x0000000073EF0000-0x00000000746A0000-memory.dmp

    Filesize

    7.7MB

  • memory/2540-63-0x0000000073EF0000-0x00000000746A0000-memory.dmp

    Filesize

    7.7MB

  • memory/2540-64-0x0000000073EF0000-0x00000000746A0000-memory.dmp

    Filesize

    7.7MB

  • memory/2540-28-0x0000000003130000-0x000000000313E000-memory.dmp

    Filesize

    56KB

  • memory/2540-27-0x0000000073EF0000-0x00000000746A0000-memory.dmp

    Filesize

    7.7MB

  • memory/2540-26-0x0000000000730000-0x0000000000C90000-memory.dmp

    Filesize

    5.4MB

  • memory/2540-22-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

    Filesize

    4KB

  • memory/2540-66-0x0000000009140000-0x0000000009148000-memory.dmp

    Filesize

    32KB

  • memory/4404-7-0x0000000000400000-0x0000000000578000-memory.dmp

    Filesize

    1.5MB

  • memory/4404-24-0x0000000000400000-0x0000000000578000-memory.dmp

    Filesize

    1.5MB