fa4b24b57aa2e808b446fd026814727482e00b10e5feee0f0bec569c00687427

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

smzy_qiyiqqguaji/[破解版]奇易QQ挂常用IP工具V2.63/JK.dll
Size

1.3MB
MD5

90c0c724fcb7e4f8825c86d366054624
SHA1

152e04e3b2a2ff0b45077aaa4edb6b7ccb93d7d3
SHA256

a0f73d795471c646fbb11daf20e1e3790f6bc0a22831865ec16a4346ad102786
SHA512

d5b38caa14b70d723149c4b1ccb941b23ed4ab7e2c95c672a3ab920877549bd299b084b040e76c6b62f29362438f9c5767ba73d99e53780e9c87b01f6653ed23
SSDEEP

24576:T1upyCZ8MRbiJufgO8XLcMi2dEk9AXBnsXjo4sHbeIAKWqTVboN93C:T1uEO8WeOgZLcMBsaTo7v7YpC

Score

7^/10

discovery vmprotect

Malware Config

Signatures

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral4/memory/4792-1-0x0000000010000000-0x0000000010306000-memory.dmp	vmprotect
behavioral4/memory/4792-2-0x0000000010000000-0x0000000010306000-memory.dmp	vmprotect

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4792	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4792	5100	rundll32.exe	82
PID 5100 wrote to memory of 4792	5100	rundll32.exe	82
PID 5100 wrote to memory of 4792	5100	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\smzy_qiyiqqguaji\[破解版]奇易QQ挂常用IP工具V2.63\JK.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\smzy_qiyiqqguaji\[破解版]奇易QQ挂常用IP工具V2.63\JK.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4792-0-0x0000000000E80000-0x0000000000E9C000-memory.dmp

Filesize
112KB

Download
memory/4792-1-0x0000000010000000-0x0000000010306000-memory.dmp

Filesize
3.0MB

Download
memory/4792-2-0x0000000010000000-0x0000000010306000-memory.dmp

Filesize
3.0MB

Download