ccda7994e140a412c4bcd8816b850545079c1e568e38d63b70d8de6ffe15497e

Analysis

max time kernel
93s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

千千晚星16.exe
Size

5.8MB
MD5

72aa0dbf54d8c3a47d3c3aa1bd875e1d
SHA1

00e272e32a1ea2ce5d1928525ed3b67e8969433a
SHA256

ccda7994e140a412c4bcd8816b850545079c1e568e38d63b70d8de6ffe15497e
SHA512

133f3391afcde20546b58254acafd2042dbc32ab262cccbb6063d6bcd8141859ee59476e39c18ca7cb52d1862287b098bde7ed540177a530b5e18b3d88002717
SSDEEP

98304:WRNDM/GMltzUmaMRZkD3utHxY5aF5+xwTQqqB/F2cCmgfamW9ejyDoYNP1oy:ONI/Go9ayZmyY5a6xwvqB/fEoEixoy

Score

7^/10

discovery vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

update.exe

pid process

2868 update.exe

pid	process
2868	update.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2712-9-0x0000000000400000-0x000000000105A000-memory.dmp	vmprotect
behavioral2/memory/2712-12-0x0000000000400000-0x000000000105A000-memory.dmp	vmprotect
behavioral2/memory/2712-20-0x0000000000400000-0x000000000105A000-memory.dmp	vmprotect

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

千千晚星16.exeupdate.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	千千晚星16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

千千晚星16.exeupdate.exe

pid process

2712 千千晚星16.exe
2712 千千晚星16.exe
2712 千千晚星16.exe
2712 千千晚星16.exe
2868 update.exe
2868 update.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

千千晚星16.exe

description pid process

Token: SeDebugPrivilege 2712 千千晚星16.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

千千晚星16.exeupdate.exe

pid process

2712 千千晚星16.exe
2712 千千晚星16.exe
2868 update.exe
2868 update.exe

pid	process
2712	千千晚星16.exe
2712	千千晚星16.exe
2712	千千晚星16.exe
2712	千千晚星16.exe
2868	update.exe
2868	update.exe

description	pid	process
Token: SeDebugPrivilege	2712	千千晚星16.exe

pid	process
2712	千千晚星16.exe
2712	千千晚星16.exe
2868	update.exe
2868	update.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

千千晚星16.exe

description	pid	process	target process
PID 2712 wrote to memory of 2868	2712	千千晚星16.exe	update.exe
PID 2712 wrote to memory of 2868	2712	千千晚星16.exe	update.exe
PID 2712 wrote to memory of 2868	2712	千千晚星16.exe	update.exe

C:\Users\Admin\AppData\Local\Temp\千千晚星16.exe
"C:\Users\Admin\AppData\Local\Temp\千千晚星16.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\Temp\update.exe
  update.exe 1.2 ????16.exe http://38.6.175.25:901/down http://38.6.175.25:901
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
868KB

MD5
ca57bdff74665a2a42a8cf4ad4593d9f

SHA1
7562003f808c469579227a01eca809539de5cc8d

SHA256
e5c30e02daa7c7178ee58f7f74f27a8ca4134ad736ba15cf34f863d8b70b2516

SHA512
c305958ba78172cdafe1cedb4cf7125641be05bdadc5233ad3c3cfad1ae13f4b8c91995cd12d9cec4a7087d33b4f9bff05a0f2c43b0540d06ad066d9d061ec24

Download Submit
memory/2712-11-0x00000000007F0000-0x0000000000A84000-memory.dmp

Filesize
2.6MB

Download
memory/2712-12-0x0000000000400000-0x000000000105A000-memory.dmp

Filesize
12.4MB

Download
memory/2712-9-0x0000000000400000-0x000000000105A000-memory.dmp

Filesize
12.4MB

Download
memory/2712-5-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/2712-4-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/2712-3-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/2712-6-0x00000000007F0000-0x0000000000A84000-memory.dmp

Filesize
2.6MB

Download
memory/2712-1-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/2712-2-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/2712-0-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/2712-20-0x0000000000400000-0x000000000105A000-memory.dmp

Filesize
12.4MB

Download
memory/2712-19-0x00000000007F0000-0x0000000000A84000-memory.dmp

Filesize
2.6MB

Download
memory/2868-18-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2868-16-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2868-21-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download