Analysis

  • max time kernel
    126s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-09-2024 10:27

General

  • Target

    2 修改器/目录.exe

  • Size

    1.4MB

  • MD5

    e3cd2eed47f07bf91c14fc407f96f0ef

  • SHA1

    fc9b233374fdbfb3b6f83aa6d685b983112a82f6

  • SHA256

    f962bc3f919502b67584fe153b101f5bdbdafe25abd315b0501a8ee03e2d15c6

  • SHA512

    309d51567a197aceb632094e31e0738991433daee54c46dd7a4ab80da63e01ab0d4cd67bf1984387e1b024759c29dbbfb2702e1a25183839ddefa075c2d87eca

  • SSDEEP

    24576:YMjhpmn+KkK2lpAwyTYbGrc38qqR82srDEMIcV1Dw3VyX5BZBX4LbKhIOYKcrZaV:rW+KX2lpAbYbAcMP82sPPVW4BBX2bKhr

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2 修改器\目录.exe
    "C:\Users\Admin\AppData\Local\Temp\2 修改器\目录.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Local\Temp\is-DJFEL.tmp\目录.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DJFEL.tmp\目录.tmp" /SL5="$50152,951771,140288,C:\Users\Admin\AppData\Local\Temp\2 修改器\目录.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Users\Admin\AppData\Local\Temp\2 修改器\StartGame.exe
        "C:\Users\Admin\AppData\Local\Temp\2 修改器\StartGame.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\WisdomSys\Tu\O1CN010KT7iN2Ea8UG1QHqu_!!891218760.jpg

    Filesize

    33KB

    MD5

    7137b099d5587ee860785e8dfe30366f

    SHA1

    539cb4f00ebfb8ebd0c35306956379fa2a3b192d

    SHA256

    9e83d86ccf6a9b4260401261273ba07509df4b38a63fe846694616967a7903b0

    SHA512

    9c99172595ff2fdcc8b6b7d358bd6c81e5743bd35c7f4860b5f9002fa63a3e2b62ebd1ae2c0ebd51ca1c834e5ee634cc25e439b2ee4043a240637cb935f1c061

  • C:\Users\Admin\AppData\Roaming\WisdomSys\Tu\O1CN01QTha072Ea8WsUeniS_!!891218760.jpg

    Filesize

    44KB

    MD5

    0174d0d207d60611013004c74240ad53

    SHA1

    e72c89578145c3f1fe8ae859d9009ce2d7f50e65

    SHA256

    778c7b03e34dcb4c8a6f5f7e875209e1cd2df6cdfa08e72124d9637aacee4b24

    SHA512

    39a47c02ab40b6286cfffeb78815f087800bd88a83c7a03880c98aad6429f7e721814dc70689652604152b563d9a3bcf1536b931cd08c5a33ce46e3911f8dbb0

  • C:\Users\Admin\AppData\Roaming\WisdomSys\Tu\O1CN01d2KyQd2Ea8U5aAmy7_!!891218760.jpg

    Filesize

    45KB

    MD5

    6e41e3abb71d676ad17edf90d689a82e

    SHA1

    430a09a1989d36a7707c8c1e793d24463b91bea1

    SHA256

    69fdd085dd9c4a0389373cacbaea8672de99b11712aa5620189575201e1e6dd1

    SHA512

    b8ee9458ae49adb703aa85fc24d9c3d3c9ae09f1b2ccf6253d5f52f52ea811bd49f29ace15111e899314ce61dfe83c48dc0600096bca6fa5c32a61c37f526263

  • C:\Users\Admin\AppData\Roaming\WisdomSys\Tu\O1CN01e2DQEF2Ea8GWHjoYQ_!!891218760.jpg

    Filesize

    73KB

    MD5

    951a529ae3865354ba68a8f501cd4b6b

    SHA1

    81baeeddddef53c1e68e019acaa261b17b140206

    SHA256

    e0f7f63c328aa46ff2a2b86531a48b348eaa7d42c20f599591f5bafb514aa42d

    SHA512

    cb58d5149aa2dd176eec2e00c6a5efa53ee2c56e9176770c9597f0dfa4f6f54ab7305d76a25a2a59ecfa1ba24b760331f8a35de200cf042fbc59b86f52ffec71

  • C:\Users\Admin\AppData\Roaming\WisdomSys\Tu\O1CN01qfOQhd2Ea8WOwjwlo_!!891218760.jpg

    Filesize

    74KB

    MD5

    523dccc064fa002932f4e54dfb72dcea

    SHA1

    bbcfd30856a0e9abf80b192aec2b6d4bc409ab0a

    SHA256

    5a363116b4e59441991dc06cb9aac7412d142047134fc5afe2a7c1623cab37bf

    SHA512

    1509aa19f3df7d5d0be640262d8e8d252297a56ef48fc2afe8e1e81931e0780524caf694c7c4419620b7dad63e32aa09906438931ed4ba79bee4881f278e4ba3

  • \Users\Admin\AppData\Local\Temp\2 修改器\StartGame.exe

    Filesize

    5.3MB

    MD5

    79291bc804f6bd5a90a1d2d8e599ec99

    SHA1

    8d7f12bc2e5c0257e23391e52c9aed697d44c12e

    SHA256

    24c48b516e3be71261b392574ba9aedd5af517ab6c860d4f90d2c92949ebdb1b

    SHA512

    1337007566a03477fcd719d15df28b4f9ca046ad66488e43c1c8431db870073cf1332dcacf2626deb725c367aa1354dd5d5e337ff381419b0810ff3fbd4dabee

  • \Users\Admin\AppData\Local\Temp\is-90E0B.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • \Users\Admin\AppData\Local\Temp\is-DJFEL.tmp\目录.tmp

    Filesize

    1.4MB

    MD5

    a3a1c4337ea7f1a2183f0d8058f89ec5

    SHA1

    ce6d241b125023d833cb3e34581a0c4d9c1150e0

    SHA256

    16e669417be50d8ea3cc3b0717e4000711cc4609b124e73b16239197991799e8

    SHA512

    5b2a5b59ae9f415a63e2427448af044c226febdf9e0ab9709d03cbd26aff9e2c3b880e65efacff9b61b69e312d206b5c3324bf55d256a1cbdf8a0c825d111056

  • memory/316-43-0x0000000000A50000-0x0000000000A6A000-memory.dmp

    Filesize

    104KB

  • memory/316-47-0x0000000000B90000-0x0000000000B98000-memory.dmp

    Filesize

    32KB

  • memory/316-35-0x0000000000380000-0x000000000038A000-memory.dmp

    Filesize

    40KB

  • memory/316-38-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/316-41-0x0000000000600000-0x0000000000614000-memory.dmp

    Filesize

    80KB

  • memory/316-42-0x0000000000A30000-0x0000000000A4A000-memory.dmp

    Filesize

    104KB

  • memory/316-40-0x00000000005D0000-0x0000000000602000-memory.dmp

    Filesize

    200KB

  • memory/316-39-0x0000000005100000-0x0000000005250000-memory.dmp

    Filesize

    1.3MB

  • memory/316-37-0x00000000003F0000-0x00000000003FA000-memory.dmp

    Filesize

    40KB

  • memory/316-36-0x0000000000390000-0x00000000003A0000-memory.dmp

    Filesize

    64KB

  • memory/316-32-0x0000000000D60000-0x00000000012C0000-memory.dmp

    Filesize

    5.4MB

  • memory/316-34-0x0000000000370000-0x000000000037C000-memory.dmp

    Filesize

    48KB

  • memory/316-44-0x00000000048D0000-0x0000000004982000-memory.dmp

    Filesize

    712KB

  • memory/316-46-0x0000000000B80000-0x0000000000B88000-memory.dmp

    Filesize

    32KB

  • memory/316-45-0x0000000000A40000-0x0000000000A4A000-memory.dmp

    Filesize

    40KB

  • memory/316-33-0x0000000000220000-0x000000000022E000-memory.dmp

    Filesize

    56KB

  • memory/316-48-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

    Filesize

    32KB

  • memory/316-49-0x0000000000D10000-0x0000000000D18000-memory.dmp

    Filesize

    32KB

  • memory/316-52-0x0000000000D40000-0x0000000000D48000-memory.dmp

    Filesize

    32KB

  • memory/316-51-0x0000000000D30000-0x0000000000D38000-memory.dmp

    Filesize

    32KB

  • memory/316-53-0x0000000000D50000-0x0000000000D58000-memory.dmp

    Filesize

    32KB

  • memory/316-50-0x0000000000D20000-0x0000000000D28000-memory.dmp

    Filesize

    32KB

  • memory/316-55-0x0000000004980000-0x000000000498A000-memory.dmp

    Filesize

    40KB

  • memory/316-54-0x0000000004980000-0x000000000498A000-memory.dmp

    Filesize

    40KB

  • memory/316-56-0x0000000004A30000-0x0000000004A38000-memory.dmp

    Filesize

    32KB

  • memory/316-57-0x0000000004980000-0x000000000498A000-memory.dmp

    Filesize

    40KB

  • memory/1904-2-0x0000000000401000-0x0000000000417000-memory.dmp

    Filesize

    88KB

  • memory/1904-31-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1904-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2608-29-0x0000000000400000-0x0000000000578000-memory.dmp

    Filesize

    1.5MB

  • memory/2608-8-0x0000000000400000-0x0000000000578000-memory.dmp

    Filesize

    1.5MB