Overview
overview
10Static
static
ﱞﱞﱞ�...ﱞﱞ
windows10_x64
8ﱞﱞﱞ�...ﱞﱞ
windows10_x64
10ﱞﱞﱞ�...ﱞﱞ
windows10_x64
10ﱞﱞﱞ�...ﱞﱞ
windows10_x64
8ﱞﱞﱞ�...ฺฺ
windows10_x64
ﱞﱞﱞ�...ฺฺ
windows10_x64
8ﱞﱞﱞ�...ฺฺ
windows10_x64
ﱞﱞﱞ�...ฺฺ
windows10_x64
8ﱞﱞﱞ�...ﱞﱞ
windows10_x64
ﱞﱞﱞ�...ﱞﱞ
windows10_x64
10ﱞﱞﱞ�...ﱞﱞ
windows10_x64
8ﱞﱞﱞ�...ﱞﱞ
windows10_x64
ﱞﱞﱞ�...ﱞﱞ
windows10_x64
8ﱞﱞﱞ�...ﱞﱞ
windows10_x64
ﱞﱞﱞ�...ﱞﱞ
windows10_x64
8ﱞﱞﱞ�...ﱞﱞ
windows10_x64
10ﱞﱞﱞ�...ﱞﱞ
windows7_x64
ﱞﱞﱞ�...ﱞﱞ
windows7_x64
8ﱞﱞﱞ�...ﱞﱞ
windows7_x64
ﱞﱞﱞ�...ﱞﱞ
windows7_x64
10win102
windows10_x64
win102
windows10_x64
8win102
windows10_x64
10win102
windows10_x64
win104
windows10_x64
8win104
windows10_x64
win104
windows10_x64
win104
windows10_x64
8win105
windows10_x64
8win105
windows10_x64
win105
windows10_x64
8win105
windows10_x64
8Resubmissions
08-07-2021 12:18
210708-8z6d5h8z2n 1006-07-2021 17:53
210706-g6we6sa7sa 1019-06-2021 18:17
210619-vr8bj2dzfn 1017-06-2021 21:39
210617-a9cvlnmrbx 1011-06-2021 17:26
210611-wvab1yw2tj 1008-06-2021 06:47
210608-qrbpch3y46 1008-06-2021 06:47
210608-64tndgm1ln 1005-06-2021 18:40
210605-cd6qpr55sx 1004-06-2021 11:56
210604-5c416rs3ns 1004-06-2021 08:52
210604-jy9885jen2 10Analysis
-
max time kernel
3s -
max time network
10s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
26-05-2021 11:51
Static task
static1
Behavioral task
behavioral1
Sample
Install.exe
Resource
win10v20210408
Behavioral task
behavioral2
Sample
Install2.exe
Resource
win10v20210410
Behavioral task
behavioral3
Sample
keygen-step-4.exe
Resource
win10v20210410
Behavioral task
behavioral4
Sample
keygen-step-4d.exe
Resource
win10v20210408
Behavioral task
behavioral5
Sample
Install.exe
Resource
win10v20210410
Behavioral task
behavioral6
Sample
Install2.exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
keygen-step-4.exe
Resource
win10v20210410
Behavioral task
behavioral8
Sample
keygen-step-4d.exe
Resource
win10v20210408
Behavioral task
behavioral9
Sample
Install.exe
Resource
win10v20210410
Behavioral task
behavioral10
Sample
Install2.exe
Resource
win10v20210410
Behavioral task
behavioral11
Sample
keygen-step-4.exe
Resource
win10v20210408
Behavioral task
behavioral12
Sample
keygen-step-4d.exe
Resource
win10v20210410
Behavioral task
behavioral13
Sample
Install.exe
Resource
win10v20210408
Behavioral task
behavioral14
Sample
Install2.exe
Resource
win10v20210410
Behavioral task
behavioral15
Sample
keygen-step-4.exe
Resource
win10v20210408
Behavioral task
behavioral16
Sample
keygen-step-4d.exe
Resource
win10v20210410
Behavioral task
behavioral17
Sample
Install.exe
Resource
win7v20210410
Behavioral task
behavioral18
Sample
Install2.exe
Resource
win7v20210408
Behavioral task
behavioral19
Sample
keygen-step-4.exe
Resource
win7v20210410
Behavioral task
behavioral20
Sample
keygen-step-4d.exe
Resource
win7v20210408
Behavioral task
behavioral21
Sample
Install.exe
Resource
win10v20210410
Behavioral task
behavioral22
Sample
Install2.exe
Resource
win10v20210408
Behavioral task
behavioral23
Sample
keygen-step-4.exe
Resource
win10v20210410
Behavioral task
behavioral24
Sample
keygen-step-4d.exe
Resource
win10v20210410
Behavioral task
behavioral25
Sample
Install.exe
Resource
win10v20210408
Behavioral task
behavioral26
Sample
Install2.exe
Resource
win10v20210410
Behavioral task
behavioral27
Sample
keygen-step-4.exe
Resource
win10v20210408
Behavioral task
behavioral28
Sample
keygen-step-4d.exe
Resource
win10v20210410
Behavioral task
behavioral29
Sample
Install.exe
Resource
win10v20210408
Behavioral task
behavioral30
Sample
Install2.exe
Resource
win10v20210410
Behavioral task
behavioral31
Sample
keygen-step-4.exe
Resource
win10v20210410
Behavioral task
behavioral32
Sample
keygen-step-4d.exe
Resource
win10v20210408
General
-
Target
keygen-step-4.exe
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
xiuhuali.exepid process 2732 xiuhuali.exe -
Drops file in Program Files directory 3 IoCs
Processes:
xiuhuali.exedescription ioc process File created C:\Program Files\install.dat xiuhuali.exe File created C:\Program Files\install.dll xiuhuali.exe File created C:\Program Files\libEGL.dll xiuhuali.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
xiuhuali.exepid process 2732 xiuhuali.exe 2732 xiuhuali.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
keygen-step-4.exedescription pid process target process PID 1840 wrote to memory of 2732 1840 keygen-step-4.exe xiuhuali.exe PID 1840 wrote to memory of 2732 1840 keygen-step-4.exe xiuhuali.exe PID 1840 wrote to memory of 2732 1840 keygen-step-4.exe xiuhuali.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2732 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install3⤵PID:2648
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"2⤵PID:200
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵PID:1580
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
f3f4176abe57c776cfc0a71be3c3ee9e
SHA19179832f5da966a6ca83264bf970823acd2f8d28
SHA256f31d082ec54e53be57d9a9daa9d3bf2b6a9f83d2b8660e9efb2917a75e010422
SHA512181762ca55e235a4b22160f003a795d86e05e8181f21df53c3a0ca7ee32e897d476d56ee3367cb1c6721ce922c345a71f3e5d4d5df203f81388db7204acafe7c
-
MD5
fe60ddbeab6e50c4f490ddf56b52057c
SHA16a71fdf73761a1192fd9c6961f66754a63d6db17
SHA2569fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d
SHA5120113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536
-
MD5
3b1b318df4d314a35dce9e8fd89e5121
SHA155b0f8d56212a74bda0fc5f8cc0632ef52a4bc71
SHA2564df9e7fcd10900ae5def897377f54856b0ddad1798fa22614eba56096940885b
SHA512f04faca320d344378dd31bf05556fb3ac02873e46e2140d5858162e739f5c25bc9b32d619587c84c36b768b9193ea5292d63f62bb0b8458b35d65959b52df6b4
-
MD5
3b1b318df4d314a35dce9e8fd89e5121
SHA155b0f8d56212a74bda0fc5f8cc0632ef52a4bc71
SHA2564df9e7fcd10900ae5def897377f54856b0ddad1798fa22614eba56096940885b
SHA512f04faca320d344378dd31bf05556fb3ac02873e46e2140d5858162e739f5c25bc9b32d619587c84c36b768b9193ea5292d63f62bb0b8458b35d65959b52df6b4
-
MD5
e72eb3a565d7b5b83c7ff6fad519c6c9
SHA11a2668a26b01828eec1415aa614743abb0a4fb70
SHA2568ff1e74643983f7ca9bca70f1bea562e805a86421defde1bd57fc0da3722f599
SHA51271ae4db9c307c068f31a4e6471d950d1112d89d5661a4960dffbf6a7343cc313f98cfc35c5a10d38aae68be4b0a3f6a702fd5c28d938ca00094b26d0bcf03da3
-
MD5
e72eb3a565d7b5b83c7ff6fad519c6c9
SHA11a2668a26b01828eec1415aa614743abb0a4fb70
SHA2568ff1e74643983f7ca9bca70f1bea562e805a86421defde1bd57fc0da3722f599
SHA51271ae4db9c307c068f31a4e6471d950d1112d89d5661a4960dffbf6a7343cc313f98cfc35c5a10d38aae68be4b0a3f6a702fd5c28d938ca00094b26d0bcf03da3
-
MD5
fe60ddbeab6e50c4f490ddf56b52057c
SHA16a71fdf73761a1192fd9c6961f66754a63d6db17
SHA2569fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d
SHA5120113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536