503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
Size

6.4MB
MD5

9703cd46017b9e58d149b310a9769bf4
SHA1

111899150647f348b710d3afba7b401a26a32005
SHA256

503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9
SHA512

b3c70f08bce0b7cce6c198d630cd8a13ffc256c9e12456e9306594da7a4805ccc456a1d859c9daaea7de0f63fe35d297cb5d326e482af483cbcf4de8e67352f1

Score

9^/10

bootkit discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsoF200.tmp\md5dll.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

SGWallPaper.exeSGDynamicWp.exe

pid process

1224 SGWallPaper.exe
1016 SGDynamicWp.exe

pid	process
1224	SGWallPaper.exe
1016	SGDynamicWp.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsoF200.tmp\md5dll.dll	upx

Loads dropped DLL 10 IoCs

Processes:

503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exeSGWallPaper.exe

pid	process
1948	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
1948	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
1948	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
1948	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
1948	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
1948	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
1948	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
1948	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
1224	SGWallPaper.exe
1224	SGWallPaper.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\XiaoChouBZ = "\"C:\\Users\\Admin\\AppData\\Roaming\\xiaochouWallPaper\\1.0.0.0000\\SGWallPaper.exe\" -hideframe"	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exeSGWallPaper.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
File opened for modification	\??\PhysicalDrive0	SGWallPaper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe

pid process

1948 503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

SGWallPaper.exe

pid process

1224 SGWallPaper.exe
1224 SGWallPaper.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

SGWallPaper.exe

pid process

1224 SGWallPaper.exe
1224 SGWallPaper.exe

pid	process
1224	SGWallPaper.exe
1224	SGWallPaper.exe

pid	process
1224	SGWallPaper.exe
1224	SGWallPaper.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exeSGWallPaper.exe

description	pid	process	target process
PID 1948 wrote to memory of 1224	1948	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe	SGWallPaper.exe
PID 1948 wrote to memory of 1224	1948	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe	SGWallPaper.exe
PID 1948 wrote to memory of 1224	1948	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe	SGWallPaper.exe
PID 1948 wrote to memory of 1224	1948	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe	SGWallPaper.exe
PID 1224 wrote to memory of 1016	1224	SGWallPaper.exe	SGDynamicWp.exe
PID 1224 wrote to memory of 1016	1224	SGWallPaper.exe	SGDynamicWp.exe
PID 1224 wrote to memory of 1016	1224	SGWallPaper.exe	SGDynamicWp.exe
PID 1224 wrote to memory of 1016	1224	SGWallPaper.exe	SGDynamicWp.exe

C:\Users\Admin\AppData\Local\Temp\503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
"C:\Users\Admin\AppData\Local\Temp\503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGWallPaper.exe
"C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGWallPaper.exe" -actd
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGDynamicWp.exe
"C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGDynamicWp.exe"
3⤵
- Executes dropped EXE
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\xiaochouWP\ASConfig.json
Filesize
57B

MD5
2c5ebc79aed490957039e2c5db3ce29c

SHA1
2b2e31aba5770b738312194740db6f788e7d1429

SHA256
f5c59503a0d57979cf5d4e2ab7c75ddc003a806870966077ea8c72d0b123f8c2

SHA512
79a67d110f8145d5f7cecdbcd2b464e8fa0611fbe82d6b935d1980ba0a321c88ceb6dbd036d345e989f4b37f41363411c1553cd4f787842ca11fd7fbab090ace

Download Submit
C:\Users\Admin\AppData\LocalLow\xiaochouWP\Config.ini
Filesize
1KB

MD5
2ce60a789f562d0e128e9ec82497da6f

SHA1
6182a9804b442f3fcd00d8bf8c3e1677cd71c3ab

SHA256
c5fd0c9a3924f2a0a3d22ff1bd3955f84b0b404807c8d86feb4deba16ecb3953

SHA512
30910052a066c8b05e64bcabc2341d2978e876fb165ff2a18627ad51572e22abf5959abe6200fe4a5f421c1e8287f76f9f9562f5c91dd7694ad9303d05ba5c13

Download Submit
C:\Users\Admin\AppData\LocalLow\xiaochouWP\Config.ini
Filesize
1KB

MD5
ac536990277dd97b5a6c40c4512ea2d8

SHA1
343b57c9fd894e3d4ad5a21f340750a22736bd4f

SHA256
718e0568fc46f40bccdeae5eed9410ce4d5e59c20602277f77cdf8020b23a7e5

SHA512
72857057b4e63ebbae01a99491f39aa0f84fd1ca5d179cf84230de0059348360f5d72ef2f96d7f405ef5c6c4b85e0bdb8db0b10576af10180c30b08a6b2ed71c

Download Submit
C:\Users\Admin\AppData\LocalLow\xiaochouWP\FirstExecute.ini
Filesize
20B

MD5
086e2ea36165237bc4f11f9bcdbc8735

SHA1
319b385c639b275b030f6057548544045936f723

SHA256
6cd16556688a60117012f61db6b9d1731e8e99fa5834ba2498f965e35d842854

SHA512
a488d4debf0e933bf8decf92a4df9bf1d677edc3d6bd38c72a4593d66ad02a5f842493accc199b899117e78840709269a2a1ba1df20e4e87f53c582e133d46ed

Download Submit
C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\HWSignature.dll
Filesize
359KB

MD5
77a78b4957a2f348cac8e07e1c500b62

SHA1
764b8400b98f02a9c2c1dafa32c983b2db3cb372

SHA256
c8cfc8a0c5f47cc8a0221dc424676fe5353fdf01efd7617c72dde92a2b4f97c6

SHA512
fc1e38c0e1a40d90e929c9ac969989b1c159cc49e220244b7dff523b3a121a8044d4087acbc474443cdb91dd811d3597e83ac23945f25256c14644a7c805dfb9

Download Submit
C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\Recommend_Big.gz
Filesize
7KB

MD5
f59326d605d4d9bb5d6a199d9503be64

SHA1
5935be81b94fe795c1c7f645fa2642908cf67a92

SHA256
8f27f3df247be5249927fa74d94a7694f6b60d346cd4cc25250ff57652b49dd2

SHA512
49e06ac7f0c114421a0b69469dcbcd7c398bd64659f722c12511c59f49bed26c57f12deb200d0186d13350bb8c4a74d467ca2dfed616b99cbdcaf715bf30e82c

Download Submit
C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGDynamicWp.exe
Filesize
2.7MB

MD5
730f339bdd9dd9a0d0a109d04b875466

SHA1
4e937b36514762542e1c4f1c1365431d06b308fa

SHA256
2869a0d01511184e6cfe15a650bbea20edc5c6ce02b8b4bd01a563daf38f2488

SHA512
e78cef4ceebbea241191046463e053b4ec83e28e36339c35a72e1c96e3a45f3587bbbb482348160f805845a7cc920a88c94fff5f4a91343fb2f7f0aaa83c77bd

Download Submit
C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGDynamicWp.exe
Filesize
2.7MB

MD5
730f339bdd9dd9a0d0a109d04b875466

SHA1
4e937b36514762542e1c4f1c1365431d06b308fa

SHA256
2869a0d01511184e6cfe15a650bbea20edc5c6ce02b8b4bd01a563daf38f2488

SHA512
e78cef4ceebbea241191046463e053b4ec83e28e36339c35a72e1c96e3a45f3587bbbb482348160f805845a7cc920a88c94fff5f4a91343fb2f7f0aaa83c77bd

Download Submit
C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGWallPaper.exe
Filesize
6.7MB

MD5
ac2c6f6fa80522167167e893c96a54e2

SHA1
5d644135444ec47c70103a4e5010114d716837fd

SHA256
bc130ba9a075cd04e5bb4e92eeeb053ddc50b1d853a621e965bba098a3aa16cd

SHA512
4807a80e77556da583583d8a48554a555d5acfb9c8afe139b384d2336625c011ceeeba51a7087c6b0ea1c8f38c389426aad64d2bc07b30bbdb87ddd4a992c113

Download Submit
C:\Users\Admin\Desktop\小丑壁纸.lnk
Filesize
995B

MD5
92a2432320830a3705c29e17fb960e97

SHA1
418b0d3768c7d8f371c247ee005cbc2a3287620d

SHA256
66df6d6c64f0e79f417e5b04a53b9bb796629d7617642e357955c0368f09c896

SHA512
eb58ec54777ac843eb5fff5ea39bc286c11b4e537ea9cd3b586237165a782417e852c749e199b032df454c695ab61da8f2e4dac435161822b71ae762d2c7775b

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF200.tmp\HWSignature.dll
Filesize
359KB

MD5
77a78b4957a2f348cac8e07e1c500b62

SHA1
764b8400b98f02a9c2c1dafa32c983b2db3cb372

SHA256
c8cfc8a0c5f47cc8a0221dc424676fe5353fdf01efd7617c72dde92a2b4f97c6

SHA512
fc1e38c0e1a40d90e929c9ac969989b1c159cc49e220244b7dff523b3a121a8044d4087acbc474443cdb91dd811d3597e83ac23945f25256c14644a7c805dfb9

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF200.tmp\SetupLib.dll
Filesize
3.0MB

MD5
753b46e41f84b392bb07139a4f9fdb26

SHA1
5939ad9ec82a64aad7ebaf2c4b60a0f2041ded41

SHA256
96d5f58800c2fe23a47f080b46126cf90b6d3011aa51d0054ce1877d5b0f8745

SHA512
e9f2c6cb26a3aae5ece3306f6dca6a6b7f2b2017d19dd7f98a1c88d87cf76df8866f4c7ad17278a509650d3a2b657ff25acb8e48d9239417992c7f8e550ed933

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF200.tmp\System.dll
Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF200.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\HWSignature.dll
Filesize
359KB

MD5
77a78b4957a2f348cac8e07e1c500b62

SHA1
764b8400b98f02a9c2c1dafa32c983b2db3cb372

SHA256
c8cfc8a0c5f47cc8a0221dc424676fe5353fdf01efd7617c72dde92a2b4f97c6

SHA512
fc1e38c0e1a40d90e929c9ac969989b1c159cc49e220244b7dff523b3a121a8044d4087acbc474443cdb91dd811d3597e83ac23945f25256c14644a7c805dfb9

Download Submit
\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGDynamicWp.exe
Filesize
2.7MB

MD5
730f339bdd9dd9a0d0a109d04b875466

SHA1
4e937b36514762542e1c4f1c1365431d06b308fa

SHA256
2869a0d01511184e6cfe15a650bbea20edc5c6ce02b8b4bd01a563daf38f2488

SHA512
e78cef4ceebbea241191046463e053b4ec83e28e36339c35a72e1c96e3a45f3587bbbb482348160f805845a7cc920a88c94fff5f4a91343fb2f7f0aaa83c77bd

Download Submit
\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGWallPaper.exe
Filesize
6.7MB

MD5
ac2c6f6fa80522167167e893c96a54e2

SHA1
5d644135444ec47c70103a4e5010114d716837fd

SHA256
bc130ba9a075cd04e5bb4e92eeeb053ddc50b1d853a621e965bba098a3aa16cd

SHA512
4807a80e77556da583583d8a48554a555d5acfb9c8afe139b384d2336625c011ceeeba51a7087c6b0ea1c8f38c389426aad64d2bc07b30bbdb87ddd4a992c113

Download Submit
\Users\Admin\AppData\Roaming\XiaoChouWallPaper\SGWPBoot.exe
Filesize
617KB

MD5
5f36547c69450eaef60d526967aa8dec

SHA1
24eabab4eaa6a078dbe727579c2041aed51e32cb

SHA256
f10caff3ca0f8c7f55de2c600b7a78a4a27a79411d0cfaad539e4513021e9a7c

SHA512
2bd1e0eb133ad1b3a24d350059d28f0c373fba7c3b5cdc900f05a4661a876f81868d1867a5127b58e36858f2fb19fa81798945613f3d63b0bbcb6a7d5aa6dfc7

Download Submit
\Users\Admin\AppData\Roaming\XiaoChouWallPaper\SGWPBoot.exe
Filesize
617KB

MD5
5f36547c69450eaef60d526967aa8dec

SHA1
24eabab4eaa6a078dbe727579c2041aed51e32cb

SHA256
f10caff3ca0f8c7f55de2c600b7a78a4a27a79411d0cfaad539e4513021e9a7c

SHA512
2bd1e0eb133ad1b3a24d350059d28f0c373fba7c3b5cdc900f05a4661a876f81868d1867a5127b58e36858f2fb19fa81798945613f3d63b0bbcb6a7d5aa6dfc7

Download Submit
\Users\Admin\AppData\Roaming\XiaoChouWallPaper\Uninstall.exe
Filesize
1.1MB

MD5
2bc92d79bbf28f21a3bc0c63101be1bc

SHA1
61975fe576e9dbb17b1275054c8d7582d9d039ba

SHA256
2ddd553754952fbc7d9fca1e7149fc3b26c3d17f94ac041345a3c741126959c7

SHA512
9f9bda9e0173deaa114ea844677c4ce4e40e134f86bfb0a62f645a1a844a25dcbcc71f4aeb042a7d7404f0e1b8b1331390af800f1c91f2e87d1d1873745b841d

Download Submit
memory/1016-80-0x0000000000000000-mapping.dmp

Download
memory/1224-73-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1224-67-0x0000000000000000-mapping.dmp

Download
memory/1948-60-0x00000000030E0000-0x000000000313F000-memory.dmp

Filesize
380KB

Download
memory/1948-58-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1948-54-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download