65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

description	ioc	process
File created	C:\Program Files\libEGL.dll	xiuhuali.exe
File created	C:\Program Files\install.dat	xiuhuali.exe
File created	C:\Program Files\install.dll	xiuhuali.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

xiuhuali.exe

pid process

3036 xiuhuali.exe
3036 xiuhuali.exe

pid	process
3036	xiuhuali.exe
3036	xiuhuali.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

keygen-step-4d.exexiuhuali.exe

description	pid	process	target process
PID 2116 wrote to memory of 3036	2116	keygen-step-4d.exe	xiuhuali.exe
PID 2116 wrote to memory of 3036	2116	keygen-step-4d.exe	xiuhuali.exe
PID 2116 wrote to memory of 3036	2116	keygen-step-4d.exe	xiuhuali.exe
PID 3036 wrote to memory of 208	3036	xiuhuali.exe	rundll32.exe
PID 3036 wrote to memory of 208	3036	xiuhuali.exe	rundll32.exe
PID 3036 wrote to memory of 208	3036	xiuhuali.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
3⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
2⤵
PID:3156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:2704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\install.dat
MD5
806c3221a013fec9530762750556c332

SHA1
36475bcfd0a18555d7c0413d007bbe80f7d321b5

SHA256
9bcecc5fb84d21db673c81a7ed1d10b28686b8261f79136f748ab7bbad7752f7

SHA512
56bbaafe7b0883f4e5dcff00ae69339a3b81ac8ba90b304aeab3e4e7e7523b568fd9b269241fc38a39f74894084f1f252a91c22b79cc0a16f9e135859a13145e

Download Submit
C:\Program Files\install.dll
MD5
fe60ddbeab6e50c4f490ddf56b52057c

SHA1
6a71fdf73761a1192fd9c6961f66754a63d6db17

SHA256
9fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d

SHA512
0113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
MD5
3b1b318df4d314a35dce9e8fd89e5121

SHA1
55b0f8d56212a74bda0fc5f8cc0632ef52a4bc71

SHA256
4df9e7fcd10900ae5def897377f54856b0ddad1798fa22614eba56096940885b

SHA512
f04faca320d344378dd31bf05556fb3ac02873e46e2140d5858162e739f5c25bc9b32d619587c84c36b768b9193ea5292d63f62bb0b8458b35d65959b52df6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
MD5
3b1b318df4d314a35dce9e8fd89e5121

SHA1
55b0f8d56212a74bda0fc5f8cc0632ef52a4bc71

SHA256
4df9e7fcd10900ae5def897377f54856b0ddad1798fa22614eba56096940885b

SHA512
f04faca320d344378dd31bf05556fb3ac02873e46e2140d5858162e739f5c25bc9b32d619587c84c36b768b9193ea5292d63f62bb0b8458b35d65959b52df6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
MD5
e72eb3a565d7b5b83c7ff6fad519c6c9

SHA1
1a2668a26b01828eec1415aa614743abb0a4fb70

SHA256
8ff1e74643983f7ca9bca70f1bea562e805a86421defde1bd57fc0da3722f599

SHA512
71ae4db9c307c068f31a4e6471d950d1112d89d5661a4960dffbf6a7343cc313f98cfc35c5a10d38aae68be4b0a3f6a702fd5c28d938ca00094b26d0bcf03da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
MD5
e72eb3a565d7b5b83c7ff6fad519c6c9

SHA1
1a2668a26b01828eec1415aa614743abb0a4fb70

SHA256
8ff1e74643983f7ca9bca70f1bea562e805a86421defde1bd57fc0da3722f599

SHA512
71ae4db9c307c068f31a4e6471d950d1112d89d5661a4960dffbf6a7343cc313f98cfc35c5a10d38aae68be4b0a3f6a702fd5c28d938ca00094b26d0bcf03da3

Download Submit
\Program Files\install.dll
MD5
fe60ddbeab6e50c4f490ddf56b52057c

SHA1
6a71fdf73761a1192fd9c6961f66754a63d6db17

SHA256
9fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d

SHA512
0113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536

Download Submit
memory/208-137-0x000000000479E000-0x000000000489F000-memory.dmp

Filesize
1.0MB

Download
memory/208-119-0x0000000000000000-mapping.dmp

Download
memory/208-144-0x00000000048A0000-0x00000000048FC000-memory.dmp

Filesize
368KB

Download
memory/644-149-0x0000014F1F4C0000-0x0000014F1F530000-memory.dmp

Filesize
448KB

Download
memory/912-166-0x000001E4B4B10000-0x000001E4B4B80000-memory.dmp

Filesize
448KB

Download
memory/1012-139-0x000001E6DB160000-0x000001E6DB1AB000-memory.dmp

Filesize
300KB

Download
memory/1012-143-0x000001E6DB280000-0x000001E6DB2F0000-memory.dmp

Filesize
448KB

Download
memory/1100-160-0x00000258DF030000-0x00000258DF0A0000-memory.dmp

Filesize
448KB

Download
memory/2372-155-0x000001A3B4EE0000-0x000001A3B4F50000-memory.dmp

Filesize
448KB

Download
memory/2424-150-0x0000018CA3F40000-0x0000018CA3FB0000-memory.dmp

Filesize
448KB

Download
memory/2560-161-0x000001B274C80000-0x000001B274CF0000-memory.dmp

Filesize
448KB

Download
memory/2704-133-0x00007FF6A78A4060-mapping.dmp

Download
memory/2704-165-0x0000020D19900000-0x0000020D19970000-memory.dmp

Filesize
448KB

Download
memory/3036-116-0x0000000000000000-mapping.dmp

Download
memory/3156-131-0x00000000011D0000-0x00000000011EC000-memory.dmp

Filesize
112KB

Download
memory/3156-142-0x00000000015E0000-0x00000000015E2000-memory.dmp

Filesize
8KB

Download
memory/3156-136-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/3156-120-0x0000000000000000-mapping.dmp

Download
memory/3156-128-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/3156-126-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download