25700718c2ecc955b23220c70c9640a6a3930bba9bc7279820aea6cc7bd83ad7

General

Target

25700718c2ecc955b23220c70c9640a6a3930bba9bc7279820aea6cc7bd83ad7.exe
Size

5.4MB
MD5

ee9138bacbe8df4862f312efac5bdcf2
SHA1

6c104732c30c32977cf93368c304f806022ee9b0
SHA256

25700718c2ecc955b23220c70c9640a6a3930bba9bc7279820aea6cc7bd83ad7
SHA512

adf3b2b40abf1cb0c7a744b2628816aebe54e91596132587b579011dea4a0832080fe8e361f84a0a05a9c05e4f9e08bf2fc1ce43aa743fd7ccf4788ad6b18a71
SSDEEP

98304:I3YZ0ov1IxIB0PtYKUs1P2vkEzCig3YLGc5Qws+/e2I2xDmDqYgxX:btkQJs6p2ig3YUwvPTtmDe

Score

8^/10

discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4gI8nZZc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\4gI8nZZc9 = "C:\\Users\\Admin\\AppData\\Roaming\\ddeaepscann\\hq49ymTjl1_dWj4327vB8\\4gI8nZZc9.exe"	4gI8nZZc9.exe

Executes dropped EXE 3 IoCs

pid	Process
2488	点击此处安装语言包.exe
2388	点击此处安装语言包.exe
2628	4gI8nZZc9.exe

Loads dropped DLL 11 IoCs

pid	Process
864	25700718c2ecc955b23220c70c9640a6a3930bba9bc7279820aea6cc7bd83ad7.exe
864	25700718c2ecc955b23220c70c9640a6a3930bba9bc7279820aea6cc7bd83ad7.exe
864	25700718c2ecc955b23220c70c9640a6a3930bba9bc7279820aea6cc7bd83ad7.exe
864	25700718c2ecc955b23220c70c9640a6a3930bba9bc7279820aea6cc7bd83ad7.exe
2488	点击此处安装语言包.exe
2388	点击此处安装语言包.exe
2388	点击此处安装语言包.exe
2628	4gI8nZZc9.exe
2628	4gI8nZZc9.exe
2628	4gI8nZZc9.exe
2628	4gI8nZZc9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	点击此处安装语言包.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4gI8nZZc9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25700718c2ecc955b23220c70c9640a6a3930bba9bc7279820aea6cc7bd83ad7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	点击此处安装语言包.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2628	4gI8nZZc9.exe
2628	4gI8nZZc9.exe
2628	4gI8nZZc9.exe
2628	4gI8nZZc9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	4gI8nZZc9.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2628	4gI8nZZc9.exe
2628	4gI8nZZc9.exe
2628	4gI8nZZc9.exe
2628	4gI8nZZc9.exe
2628	4gI8nZZc9.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 2488	864	25700718c2ecc955b23220c70c9640a6a3930bba9bc7279820aea6cc7bd83ad7.exe	30
PID 864 wrote to memory of 2488	864	25700718c2ecc955b23220c70c9640a6a3930bba9bc7279820aea6cc7bd83ad7.exe	30
PID 864 wrote to memory of 2488	864	25700718c2ecc955b23220c70c9640a6a3930bba9bc7279820aea6cc7bd83ad7.exe	30
PID 864 wrote to memory of 2488	864	25700718c2ecc955b23220c70c9640a6a3930bba9bc7279820aea6cc7bd83ad7.exe	30
PID 2488 wrote to memory of 2388	2488	点击此处安装语言包.exe	31
PID 2488 wrote to memory of 2388	2488	点击此处安装语言包.exe	31
PID 2488 wrote to memory of 2388	2488	点击此处安装语言包.exe	31
PID 2488 wrote to memory of 2388	2488	点击此处安装语言包.exe	31
PID 2388 wrote to memory of 2628	2388	点击此处安装语言包.exe	33
PID 2388 wrote to memory of 2628	2388	点击此处安装语言包.exe	33
PID 2388 wrote to memory of 2628	2388	点击此处安装语言包.exe	33
PID 2388 wrote to memory of 2628	2388	点击此处安装语言包.exe	33

C:\Users\Admin\AppData\Local\Temp\25700718c2ecc955b23220c70c9640a6a3930bba9bc7279820aea6cc7bd83ad7.exe
"C:\Users\Admin\AppData\Local\Temp\25700718c2ecc955b23220c70c9640a6a3930bba9bc7279820aea6cc7bd83ad7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\点击此处安装语言包.exe
  "C:\Users\Admin\AppData\Local\Temp\点击此处安装语言包.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\点击此处安装语言包.exe
    C:\Users\Admin\AppData\Local\Temp\点击此处安装语言包.exe 400339035F03560370036603710370035F03420367036E036A036D035F0342037303730347036203770362035F0351036C0362036E036A036D0364035F036703670366036203660373037003600362036D036D035F036B03720337033A037A036E03570369036F0332035C036703540369033703300331033403750341033B035F03370364034A033B036D035903590360033A03--aa`
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Users\Admin\AppData\Roaming\ddeaepscann\hq49ymTjl1_dWj4327vB8\4gI8nZZc9.exe
      "C:\Users\Admin\AppData\Roaming\ddeaepscann\hq49ymTjl1_dWj4327vB8\4gI8nZZc9.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ddeaepscann\hq49ymTjl1_dWj4327vB8\4gI8nZZc9.exe

Filesize
7.7MB

MD5
34ec0f2421c8734e25a6c605825ec76e

SHA1
b536f820de23bfff01debe93f19508441ae88e87

SHA256
51762dd465109bd93a0e93bd181df11cf0b1d1de407c6754bf44f483a746b317

SHA512
d87e9da9e28af556b08e06fc444ed63ebab14114fb26c7c9ca78b814a96ddf4eabcc749a6443530635142a58d6eaa088a376a8fdec79ad18217a30536566dcab

Download Submit
C:\Users\Admin\AppData\Roaming\ddeaepscann\hq49ymTjl1_dWj4327vB8\4gI8nZZc9.txt

Filesize
137B

MD5
85792b50eecb03b0299199bc01736cf2

SHA1
97b73872dca0711bc6fa17d1678e049b30c393ef

SHA256
6cdeb6f370df6bf9d756930c1ec20307d32db7240c7895b4fad489b8b3eb2809

SHA512
3c92f5f2cf18ee5bb981d5942f9f78467a96861b1cc6b6f75b4390ea8b9cff66b9dbb2955cbab1e247b2378399f55119126aaea49c2fcc00bfda31cd85b16b94

Download Submit
\Users\Admin\AppData\Local\Temp\点击此处安装语言包.exe

Filesize
12.7MB

MD5
5f17efc05edcc22f3b54047d11cf3ec7

SHA1
0ce560ac4a165a04081c313a4e260e74a959d7de

SHA256
8833c2b78311c204e1422c27f74853cdadcc78d8f307b6794b7a7766981d7447

SHA512
991d57d1c8d60cec253ee538610afbc19d5981155c95a0a54bee6925d07566e196b8e7f00cee66abeb15f9fe9525ad8c8d1a081a9b7338498960e8636d3676ec

Download Submit
\Users\Admin\AppData\Roaming\ddeaepscann\hq49ymTjl1_dWj4327vB8\binkw32.dll

Filesize
170KB

MD5
0d8168d5639b7e93cc3671384517ca93

SHA1
ca82bdbb9404f12c4f6d79079b51716d4a5e6a48

SHA256
ad55ec64a893f233ac648ac974562f53736003b17bfd14527e66b3ffc8c2cdcb

SHA512
f31a43f29a07c9a63f05bd46bd6f86bb04a68c87a0b14da839d757cc412bcb43d50abc13d397831161b6606ad4a2ce967fb933f311ecb8c62d7b59ea9b38a94e

Download Submit
\Users\Admin\AppData\Roaming\ddeaepscann\hq49ymTjl1_dWj4327vB8\d3dx9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
\Users\Admin\AppData\Roaming\ddeaepscann\hq49ymTjl1_dWj4327vB8\steam_api.dll

Filesize
1.1MB

MD5
d31b903a55f9d8876641d0204b235255

SHA1
e8a2cd3a90b7794f451560da65bafe4db75c5574

SHA256
427edc6f9a35eb175b6e372540b5a302725f83cc31d88ddba227b63700575295

SHA512
235b0d87d16817fb6e8061806170afa079dd5c83778d54369890edf56a7da28396b4bef354c2b83273a1eb3337532fcd17641bea642c78dae92e5469d1f2ac8a

Download Submit
\Users\Admin\AppData\Roaming\ddeaepscann\hq49ymTjl1_dWj4327vB8\xinput1_3.dll

Filesize
79KB

MD5
77f595dee5ffacea72b135b1fce1312e

SHA1
d2a710b332de3ef7a576e0aed27b0ae66892b7e9

SHA256
8d540d484ea41e374fd0107d55d253f87ded4ce780d515d8fd59bbe8c98970a7

SHA512
a8683050d7758c248052c11ac6a46c9a0b3b3773902cca478c1961b6d9d2d57c75a8c925ba5af4499989c0f44b34eaf57abafafa26506c31e5e4769fb3439746

Download Submit
memory/2628-42-0x0000000006C60000-0x0000000006D47000-memory.dmp

Filesize
924KB

Download
memory/2628-40-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2628-44-0x0000000006C60000-0x0000000006D47000-memory.dmp

Filesize
924KB

Download
memory/2628-48-0x0000000008470000-0x000000000855B000-memory.dmp

Filesize
940KB

Download
memory/2628-50-0x0000000008A40000-0x0000000008BB5000-memory.dmp

Filesize
1.5MB

Download
memory/2628-52-0x0000000007D90000-0x0000000007FA1000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads