b2718252be051e7fbc18b319b31ef746d88407272473a465b673cea0de3c4aad

Target

keygen-step-4 — копия.exe
Size

4.6MB
MD5

563107b1df2a00f4ec868acd9e08a205
SHA1

9cb9c91d66292f5317aa50d92e38834861e9c9b7
SHA256

bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9
SHA512

99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

xiuhuali.exe

pid process

2352 xiuhuali.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2352	xiuhuali.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

keygen-step-4 — копия.exe

description	pid	process	target process
PID 3904 wrote to memory of 2352	3904	keygen-step-4 — копия.exe	xiuhuali.exe
PID 3904 wrote to memory of 2352	3904	keygen-step-4 — копия.exe	xiuhuali.exe
PID 3904 wrote to memory of 2352	3904	keygen-step-4 — копия.exe	xiuhuali.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-4 — копия.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4 — копия.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
  2⤵
  - Executes dropped EXE
  PID:2352
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
    3⤵
    PID:3304
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
  2⤵
  PID:3328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:3832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\install.dat

MD5
ad824c9aed459a9121e0155181c5d651

SHA1
4dfab89653e5b24a972739cd6df3f04677b14095

SHA256
5877a2022475b4b9f7975b856cc6728e253b5904071a35a89841ffd724e17b90

SHA512
8d9f1591cda3a840cd19c31cb4a7a142c21cda57b32002e565db07737566973b04dd7dcede32942d1db32e800233bfa0cff00186b1bf39e00b50b50ebf74c3fd

Download Submit
C:\Program Files\install.dll

MD5
fe60ddbeab6e50c4f490ddf56b52057c

SHA1
6a71fdf73761a1192fd9c6961f66754a63d6db17

SHA256
9fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d

SHA512
0113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe

MD5
3b1b318df4d314a35dce9e8fd89e5121

SHA1
55b0f8d56212a74bda0fc5f8cc0632ef52a4bc71

SHA256
4df9e7fcd10900ae5def897377f54856b0ddad1798fa22614eba56096940885b

SHA512
f04faca320d344378dd31bf05556fb3ac02873e46e2140d5858162e739f5c25bc9b32d619587c84c36b768b9193ea5292d63f62bb0b8458b35d65959b52df6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe

MD5
3b1b318df4d314a35dce9e8fd89e5121

SHA1
55b0f8d56212a74bda0fc5f8cc0632ef52a4bc71

SHA256
4df9e7fcd10900ae5def897377f54856b0ddad1798fa22614eba56096940885b

SHA512
f04faca320d344378dd31bf05556fb3ac02873e46e2140d5858162e739f5c25bc9b32d619587c84c36b768b9193ea5292d63f62bb0b8458b35d65959b52df6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe

MD5
e72eb3a565d7b5b83c7ff6fad519c6c9

SHA1
1a2668a26b01828eec1415aa614743abb0a4fb70

SHA256
8ff1e74643983f7ca9bca70f1bea562e805a86421defde1bd57fc0da3722f599

SHA512
71ae4db9c307c068f31a4e6471d950d1112d89d5661a4960dffbf6a7343cc313f98cfc35c5a10d38aae68be4b0a3f6a702fd5c28d938ca00094b26d0bcf03da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe

MD5
e72eb3a565d7b5b83c7ff6fad519c6c9

SHA1
1a2668a26b01828eec1415aa614743abb0a4fb70

SHA256
8ff1e74643983f7ca9bca70f1bea562e805a86421defde1bd57fc0da3722f599

SHA512
71ae4db9c307c068f31a4e6471d950d1112d89d5661a4960dffbf6a7343cc313f98cfc35c5a10d38aae68be4b0a3f6a702fd5c28d938ca00094b26d0bcf03da3

Download Submit
\Program Files\install.dll

MD5
fe60ddbeab6e50c4f490ddf56b52057c

SHA1
6a71fdf73761a1192fd9c6961f66754a63d6db17

SHA256
9fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d

SHA512
0113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536

Download Submit
memory/2352-116-0x0000000000000000-mapping.dmp

Download
memory/3304-119-0x0000000000000000-mapping.dmp

Download
memory/3304-134-0x000000000487C000-0x000000000497D000-memory.dmp

Filesize
1.0MB

Download
memory/3328-126-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/3328-128-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3328-131-0x0000000000640000-0x000000000065C000-memory.dmp

Filesize
112KB

Download
memory/3328-120-0x0000000000000000-mapping.dmp

Download
memory/3328-138-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3832-137-0x0000020AC4770000-0x0000020AC47BB000-memory.dmp

Filesize
300KB

Download