77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe
Size

9.3MB
MD5

d09d9f610155636bc596d79b7d0648b6
SHA1

922479f62247c64b97ba7cf431913c1d120dfdfe
SHA256

77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643
SHA512

e1ceea4f593e3dafbdcac33c9f71191e722e457f5297d984b396d1d3f6e9ee37fc1c0c78b1a206c592ade89f3510e852e66bed694bd8c4b79d0108b6a10f0d42
SSDEEP

196608:8MD+cpvJ/4H3nmghWoa/fsysMF4JD85l7kjiSOScPrKOIuQbmafkfNciU7Iknt:8MFgXnU7sEl7yPvcjPIuQbmagNGT

Score

9^/10

aspackv2 evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions 77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
aspackv2

Processes:

resource yara_rule

\Users\Admin\AppData\Local\Temp\光明1.exe aspack_v212_v242
Executes dropped EXE 1 IoCs

Processes:

光明1.exe

pid process

2852 光明1.exe
Loads dropped DLL 1 IoCs

Processes:

77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe

pid process

840 77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe

pid process

840 77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe

pid process

840 77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe

pid process

840 77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

光明1.exe

pid process

2852 光明1.exe
2852 光明1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe

resource	yara_rule
\Users\Admin\AppData\Local\Temp\光明1.exe	aspack_v212_v242

pid	process
2852	光明1.exe

pid	process
840	77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe

pid	process
840	77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe

pid	process
840	77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe

pid	process
840	77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe

pid	process
2852	光明1.exe
2852	光明1.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe

description	pid	process	target process
PID 840 wrote to memory of 2852	840	77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe	光明1.exe
PID 840 wrote to memory of 2852	840	77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe	光明1.exe
PID 840 wrote to memory of 2852	840	77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe	光明1.exe
PID 840 wrote to memory of 2852	840	77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe	光明1.exe

C:\Users\Admin\AppData\Local\Temp\77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe
"C:\Users\Admin\AppData\Local\Temp\77e00c836d5194ddb4f4ee12ed1e7f932c18d3edd912f88e09134f55ab077643.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\光明1.exe
C:\Users\Admin\AppData\Local\Temp\光明1.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
Filesize
20KB

MD5
12ae133f2eacebb7f28f9124710e6f6e

SHA1
10234af4af85bc54504b7bf95b90d281d7ac3cad

SHA256
76214cb8e76a63a0410bcd12ff22766aee2405e5327a76716955b1db03caf0bc

SHA512
46dbfccb44e72e9e2f1e87b60a088f1838b46a5c9c8964265dbbe354ba35b47515b2d24d7422f9fb2a28954b8548f234f00f8e2766b118158acdc78ad8f3bca3

Download Submit
\Users\Admin\AppData\Local\Temp\光明1.exe
Filesize
3.6MB

MD5
d19a267264fc0ba4665042540405e2dc

SHA1
d88bd535edf60a36f4fee4cf9a84a93b9862d49a

SHA256
12bf00b1782d5f287a345667bdf7003f8d92abf609db5e3f5b7fe1f656be46ba

SHA512
1631b693435a6cfe36b647ccd7ee1e9eaf5b8d39dbb5e9a5d9749d1f752670a5c20449e9407f1d3a2237defb35e6dd04c0afd3f0d4d0e21ae9cd48b1e01bd192

Download Submit
memory/840-527-0x0000000004CE0000-0x00000000050A6000-memory.dmp

Filesize
3.8MB

Download
memory/2852-530-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2852-531-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2852-532-0x0000000002430000-0x0000000002786000-memory.dmp

Filesize
3.3MB

Download
memory/2852-533-0x0000000002430000-0x0000000002786000-memory.dmp

Filesize
3.3MB

Download
memory/2852-534-0x0000000002430000-0x0000000002786000-memory.dmp

Filesize
3.3MB

Download
memory/2852-535-0x0000000002430000-0x0000000002786000-memory.dmp

Filesize
3.3MB

Download
memory/2852-537-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2852-538-0x0000000002430000-0x0000000002786000-memory.dmp

Filesize
3.3MB

Download