e539edfc388879c786f774a7a7c7a0399f6525820211194f6faad57423417942

General

Target

AKH8536375001TGz_仰贸易上海有限公司_dwg.exe
Size

859KB
MD5

a20ed75cdd3f8ce28737aa9fb8a9c3b2
SHA1

d8dfa5b7cdea4105f9b5ae5c8d78a4d47b5472c4
SHA256

d17de71fad23c19ea4e181c8fe33be0fc230d15be13e6d3c755c77e7ff1519d5
SHA512

afb6ab77e640ed37fa11fecdbfb79bdaef331d5dc58e27e73e04ac3d4668bb9d50bd1bfe72eef30dc04e757f61b3dd1b0d50dd1871b597ea08191bc64352c3dd

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AKH8536375001TGz_仰贸易上海有限公司_dwg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AKH8536375001TGz_仰贸易上海有限公司_dwg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AKH8536375001TGz_仰贸易上海有限公司_dwg.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AKH8536375001TGz_仰贸易上海有限公司_dwg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	AKH8536375001TGz_仰贸易上海有限公司_dwg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	AKH8536375001TGz_仰贸易上海有限公司_dwg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1088 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AKH8536375001TGz_仰贸易上海有限公司_dwg.exe

pid process

892 AKH8536375001TGz_仰贸易上海有限公司_dwg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AKH8536375001TGz_仰贸易上海有限公司_dwg.exe

description pid process

Token: SeDebugPrivilege 892 AKH8536375001TGz_仰贸易上海有限公司_dwg.exe

pid	process
1088	schtasks.exe

pid	process
892	AKH8536375001TGz_仰贸易上海有限公司_dwg.exe

description	pid	process
Token: SeDebugPrivilege	892	AKH8536375001TGz_仰贸易上海有限公司_dwg.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AKH8536375001TGz_仰贸易上海有限公司_dwg.exe

description	pid	process	target process
PID 892 wrote to memory of 1088	892	AKH8536375001TGz_仰贸易上海有限公司_dwg.exe	schtasks.exe
PID 892 wrote to memory of 1088	892	AKH8536375001TGz_仰贸易上海有限公司_dwg.exe	schtasks.exe
PID 892 wrote to memory of 1088	892	AKH8536375001TGz_仰贸易上海有限公司_dwg.exe	schtasks.exe
PID 892 wrote to memory of 1088	892	AKH8536375001TGz_仰贸易上海有限公司_dwg.exe	schtasks.exe
PID 892 wrote to memory of 2040	892	AKH8536375001TGz_仰贸易上海有限公司_dwg.exe	dw20.exe
PID 892 wrote to memory of 2040	892	AKH8536375001TGz_仰贸易上海有限公司_dwg.exe	dw20.exe
PID 892 wrote to memory of 2040	892	AKH8536375001TGz_仰贸易上海有限公司_dwg.exe	dw20.exe
PID 892 wrote to memory of 2040	892	AKH8536375001TGz_仰贸易上海有限公司_dwg.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\AKH8536375001TGz_仰贸易上海有限公司_dwg.exe
"C:\Users\Admin\AppData\Local\Temp\AKH8536375001TGz_仰贸易上海有限公司_dwg.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bDHTgfHETDQFVt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA7D.tmp"
2⤵
- Creates scheduled task(s)
PID:1088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1076
2⤵
PID:2040

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA7D.tmp
Filesize
1KB

MD5
69d5fafb56a94639e04eb0f77371c99b

SHA1
34928c36166f31b1af3fec51a7ea11bc1fafc7ca

SHA256
fbfb1623f7e6d37b152d5319daaf6485497e1d81680f4f428c6165456ff9c111

SHA512
3a2b370e28c26d18316cc5f8116b498cba31799904d84ee7ecf31c6cf7affd0f2df137e3a9010c0cd034c21622e2e4150578a8bc8570d9e123620506e24f405c

Download Submit
memory/892-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/892-55-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1088-56-0x0000000000000000-mapping.dmp

Download
memory/2040-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads