Analysis
-
max time kernel
124s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-09-2024 15:06
Behavioral task
behavioral1
Sample
100%游戏存档/双击我改签v0.5.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
100%游戏存档/双击我改签v0.5.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
修改器/Nioh 2 The Complete Edition v1.25-v1.28 Plus 35 Trainer.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
修改器/Nioh 2 The Complete Edition v1.25-v1.28 Plus 35 Trainer.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
修改器/目录.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
修改器/目录.exe
Resource
win10v2004-20240802-en
General
-
Target
修改器/目录.exe
-
Size
1.4MB
-
MD5
e3cd2eed47f07bf91c14fc407f96f0ef
-
SHA1
fc9b233374fdbfb3b6f83aa6d685b983112a82f6
-
SHA256
f962bc3f919502b67584fe153b101f5bdbdafe25abd315b0501a8ee03e2d15c6
-
SHA512
309d51567a197aceb632094e31e0738991433daee54c46dd7a4ab80da63e01ab0d4cd67bf1984387e1b024759c29dbbfb2702e1a25183839ddefa075c2d87eca
-
SSDEEP
24576:YMjhpmn+KkK2lpAwyTYbGrc38qqR82srDEMIcV1Dw3VyX5BZBX4LbKhIOYKcrZaV:rW+KX2lpAbYbAcMP82sPPVW4BBX2bKhr
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid   Process
2732  目录.tmp
2640  StartGame.exe
-
Loads dropped DLL 5 IoCs
pid   Process
3032  目录.exe
2732  目录.tmp
2732  目录.tmp
2732  目录.tmp
2732  目录.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  目录.tmp
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  StartGame.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  目录.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2732  目录.tmp
2732  目录.tmp
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2640  StartGame.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
2732  目录.tmp
-
Suspicious use of WriteProcessMemory 11 IoCs
description                        pid   Process    procid_target
PID 3032 wrote to memory of 2732   3032  目录.exe    30
PID 3032 wrote to memory of 2732   3032  目录.exe    30
PID 3032 wrote to memory of 2732   3032  目录.exe    30
PID 3032 wrote to memory of 2732   3032  目录.exe    30
PID 3032 wrote to memory of 2732   3032  目录.exe    30
PID 3032 wrote to memory of 2732   3032  目录.exe    30
PID 3032 wrote to memory of 2732   3032  目录.exe    30
PID 2732 wrote to memory of 2640   2732  目录.tmp    31
PID 2732 wrote to memory of 2640   2732  目录.tmp    31
PID 2732 wrote to memory of 2640   2732  目录.tmp    31
PID 2732 wrote to memory of 2640   2732  目录.tmp    31
Processes
-
C:\Users\Admin\AppData\Local\Temp\修改器\目录.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\修改器\目录.exe"
  PID: 3032 (depth 1)
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\is-LDKQF.tmp\目录.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-LDKQF.tmp\目录.tmp" /SL5="$70122,951771,140288,C:\Users\Admin\AppData\Local\Temp\修改器\目录.exe"
    PID: 2732 (depth 2, child of 3032)
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\修改器\StartGame.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\修改器\StartGame.exe"
      PID: 2640 (depth 3, child of 2732)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
-
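The signature tables and the process tree above are the same facts seen from two angles: the 11 WriteProcessMemory rows are the parent-to-child edges (3032 → 2732 → 2640, one row per call), the is-LDKQF.tmp\目录.tmp /SL5=... command line is the loader stub that Inno Setup installers unpack to %TEMP% and start, and the NLS\Language opens and the SeDebugPrivilege token are per-process annotations. The script below, an added example that is not part of this report and not the sandbox's own export tooling, rebuilds that tree from rows constructed verbatim from the tables above, collapses the repeated rows into call counts, and attaches each observation to its PID. The Inno Setup loader heuristic and the ATT&CK sub-technique number T1614.001 are the example's own additions, not something the report states.

```python
"""Rebuild a process tree with per-PID findings from flattened sandbox rows.

Added example: the rows below are constructed from the report's own tables;
the row syntax is the report's flattened text, not the sandbox's JSON export.
"""
import re
from collections import Counter, defaultdict

# Constructed from the "Suspicious use of WriteProcessMemory" table: the sandbox
# emits one row per call, so the same parent->child edge repeats.
WPM_ROWS = (["PID 3032 wrote to memory of 2732 3032 目录.exe 30"] * 7
            + ["PID 2732 wrote to memory of 2640 2732 目录.tmp 31"] * 4)
# Constructed from the "System Language Discovery" and "AdjustPrivilegeToken" tables.
REGISTRY_ROWS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 目录.tmp",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language StartGame.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 目录.exe",
]
TOKEN_ROWS = ["Token: SeDebugPrivilege 2640 StartGame.exe"]
# Command lines from the Processes section, keyed by PID.
COMMAND_LINES = {
    3032: r'"C:\Users\Admin\AppData\Local\Temp\修改器\目录.exe"',
    2732: (r'"C:\Users\Admin\AppData\Local\Temp\is-LDKQF.tmp\目录.tmp" '
           r'/SL5="$70122,951771,140288,C:\Users\Admin\AppData\Local\Temp\修改器\目录.exe"'),
    2640: r'"C:\Users\Admin\AppData\Local\Temp\修改器\StartGame.exe"',
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
# Heuristic (assumption, not from the report): Inno Setup copies its loader to
# %TEMP%\is-XXXXX.tmp\<name>.tmp and starts it with a /SL5="$...,<original exe>" argument.
INNO_LOADER_RE = re.compile(r'\\is-[A-Z0-9]{5}\.tmp\\[^\\"]+"?\s+/SL5=', re.IGNORECASE)


def wpm_edges(rows):
    """Collapse repeated rows into {(parent_pid, child_pid): call_count}; learn parent names."""
    counts, names = Counter(), {}
    for row in rows:
        m = WPM_RE.fullmatch(row)
        if m is None:
            raise ValueError(f"unparsed WriteProcessMemory row: {row!r}")
        parent, child, parent_name = int(m[1]), int(m[2]), m[3]
        counts[(parent, child)] += 1
        names[parent] = parent_name
    return counts, names


def process_tree(counts):
    """Roots and child lists; a PID with no incoming edge is the submitted sample."""
    children, parents = defaultdict(list), {}
    for parent, child in counts:
        children[parent].append(child)
        parents[child] = parent
    roots = [p for p in children if p not in parents]
    return roots, dict(children)


def is_inno_setup_loader(cmdline):
    return INNO_LOADER_RE.search(cmdline) is not None


def exe_name(cmdline):
    """Image name from the first quoted token (ignores the path inside /SL5=)."""
    return cmdline.split('"')[1].rsplit("\\", 1)[-1]


def pid_name_map(names, cmdlines):
    m = {pid: exe_name(cmd) for pid, cmd in cmdlines.items()}
    m.update(names)  # the WPM rows name the writing process authoritatively
    return m


def findings(counts, pid_names, cmdlines, registry_rows, token_rows):
    """Per-PID notes an analyst would read off the signature tables."""
    name_to_pid = {n: p for p, n in pid_names.items()}
    notes = defaultdict(list)
    for (parent, child), n in counts.items():
        notes[parent].append(f"wrote to memory of {child} ({n} calls)")
    for pid, cmd in cmdlines.items():
        if is_inno_setup_loader(cmd):
            notes[pid].append("Inno Setup loader stub (is-XXXXX.tmp + /SL5=)")
    for row in registry_rows:
        key, _, proc = row[len("Key opened "):].rpartition(" ")
        if key == NLS_KEY:
            notes[name_to_pid[proc]].append("read NLS\\Language (ATT&CK T1614.001)")
    for row in token_rows:
        m = TOKEN_RE.fullmatch(row)
        notes[int(m[2])].append(f"enabled {m[1]}")
    return dict(notes)


def render(pid, children, notes, pid_names, depth=0):
    """Indented tree, one line per process with its findings."""
    lines = [f"{'  ' * depth}{pid} {pid_names[pid]}: " + "; ".join(notes.get(pid, []))]
    for child in children.get(pid, []):
        lines += render(child, children, notes, pid_names, depth + 1)
    return lines


if __name__ == "__main__":
    counts, names = wpm_edges(WPM_ROWS)
    roots, children = process_tree(counts)
    pid_names = pid_name_map(names, COMMAND_LINES)
    notes = findings(counts, pid_names, COMMAND_LINES, REGISTRY_ROWS, TOKEN_ROWS)
    for root in roots:
        print("\n".join(render(root, children, notes, pid_names)))
```

The collapse step matters when comparing runs: the 7 and 4 repeated rows are call counts, not seven distinct injections, and a rule that alerts on "WriteProcessMemory into a child" should key on the edge, not the row. Whether the SeDebugPrivilege request by StartGame.exe is the trainer's normal game-memory access or something else is not decidable from these rows alone; the tree only tells you which process to look at next.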
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
33KB
MD5 7137b099d5587ee860785e8dfe30366f
SHA1 539cb4f00ebfb8ebd0c35306956379fa2a3b192d
SHA256 9e83d86ccf6a9b4260401261273ba07509df4b38a63fe846694616967a7903b0
SHA512 9c99172595ff2fdcc8b6b7d358bd6c81e5743bd35c7f4860b5f9002fa63a3e2b62ebd1ae2c0ebd51ca1c834e5ee634cc25e439b2ee4043a240637cb935f1c061
-
Filesize
44KB
MD5 0174d0d207d60611013004c74240ad53
SHA1 e72c89578145c3f1fe8ae859d9009ce2d7f50e65
SHA256 778c7b03e34dcb4c8a6f5f7e875209e1cd2df6cdfa08e72124d9637aacee4b24
SHA512 39a47c02ab40b6286cfffeb78815f087800bd88a83c7a03880c98aad6429f7e721814dc70689652604152b563d9a3bcf1536b931cd08c5a33ce46e3911f8dbb0
-
Filesize
45KB
MD5 6e41e3abb71d676ad17edf90d689a82e
SHA1 430a09a1989d36a7707c8c1e793d24463b91bea1
SHA256 69fdd085dd9c4a0389373cacbaea8672de99b11712aa5620189575201e1e6dd1
SHA512 b8ee9458ae49adb703aa85fc24d9c3d3c9ae09f1b2ccf6253d5f52f52ea811bd49f29ace15111e899314ce61dfe83c48dc0600096bca6fa5c32a61c37f526263
-
Filesize
73KB
MD5 951a529ae3865354ba68a8f501cd4b6b
SHA1 81baeeddddef53c1e68e019acaa261b17b140206
SHA256 e0f7f63c328aa46ff2a2b86531a48b348eaa7d42c20f599591f5bafb514aa42d
SHA512 cb58d5149aa2dd176eec2e00c6a5efa53ee2c56e9176770c9597f0dfa4f6f54ab7305d76a25a2a59ecfa1ba24b760331f8a35de200cf042fbc59b86f52ffec71
-
Filesize
74KB
MD5 523dccc064fa002932f4e54dfb72dcea
SHA1 bbcfd30856a0e9abf80b192aec2b6d4bc409ab0a
SHA256 5a363116b4e59441991dc06cb9aac7412d142047134fc5afe2a7c1623cab37bf
SHA512 1509aa19f3df7d5d0be640262d8e8d252297a56ef48fc2afe8e1e81931e0780524caf694c7c4419620b7dad63e32aa09906438931ed4ba79bee4881f278e4ba3
-
Filesize
22KB
MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
1.4MB
MD5 a3a1c4337ea7f1a2183f0d8058f89ec5
SHA1 ce6d241b125023d833cb3e34581a0c4d9c1150e0
SHA256 16e669417be50d8ea3cc3b0717e4000711cc4609b124e73b16239197991799e8
SHA512 5b2a5b59ae9f415a63e2427448af044c226febdf9e0ab9709d03cbd26aff9e2c3b880e65efacff9b61b69e312d206b5c3324bf55d256a1cbdf8a0c825d111056
-
Filesize
5.3MB
MD5 79291bc804f6bd5a90a1d2d8e599ec99
SHA1 8d7f12bc2e5c0257e23391e52c9aed697d44c12e
SHA256 24c48b516e3be71261b392574ba9aedd5af517ab6c860d4f90d2c92949ebdb1b
SHA512 1337007566a03477fcd719d15df28b4f9ca046ad66488e43c1c8431db870073cf1332dcacf2626deb725c367aa1354dd5d5e337ff381419b0810ff3fbd4dabee