503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
Size

6.4MB
MD5

9703cd46017b9e58d149b310a9769bf4
SHA1

111899150647f348b710d3afba7b401a26a32005
SHA256

503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9
SHA512

b3c70f08bce0b7cce6c198d630cd8a13ffc256c9e12456e9306594da7a4805ccc456a1d859c9daaea7de0f63fe35d297cb5d326e482af483cbcf4de8e67352f1

Score

9^/10

bootkit discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsf7CE7.tmp\md5dll.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nsf7CE7.tmp\md5dll.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

SGWallPaper.exeSGDynamicWp.exe

pid process

2360 SGWallPaper.exe
4464 SGDynamicWp.exe

pid	process
2360	SGWallPaper.exe
4464	SGDynamicWp.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsf7CE7.tmp\md5dll.dll	upx
C:\Users\Admin\AppData\Local\Temp\nsf7CE7.tmp\md5dll.dll	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SGWallPaper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	SGWallPaper.exe

Loads dropped DLL 8 IoCs

Processes:

503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exeSGWallPaper.exe

pid	process
4840	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
4840	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
4840	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
4840	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
4840	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
4840	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
4840	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
2360	SGWallPaper.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XiaoChouBZ = "\"C:\\Users\\Admin\\AppData\\Roaming\\xiaochouWallPaper\\1.0.0.0000\\SGWallPaper.exe\" -hideframe"	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exeSGWallPaper.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
File opened for modification	\??\PhysicalDrive0	SGWallPaper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe

pid	process
4840	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
4840	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

SGWallPaper.exe

pid process

2360 SGWallPaper.exe
2360 SGWallPaper.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

SGWallPaper.exe

pid process

2360 SGWallPaper.exe
2360 SGWallPaper.exe

pid	process
2360	SGWallPaper.exe
2360	SGWallPaper.exe

pid	process
2360	SGWallPaper.exe
2360	SGWallPaper.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exeSGWallPaper.exe

description	pid	process	target process
PID 4840 wrote to memory of 2360	4840	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe	SGWallPaper.exe
PID 4840 wrote to memory of 2360	4840	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe	SGWallPaper.exe
PID 4840 wrote to memory of 2360	4840	503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe	SGWallPaper.exe
PID 2360 wrote to memory of 4464	2360	SGWallPaper.exe	SGDynamicWp.exe
PID 2360 wrote to memory of 4464	2360	SGWallPaper.exe	SGDynamicWp.exe
PID 2360 wrote to memory of 4464	2360	SGWallPaper.exe	SGDynamicWp.exe

C:\Users\Admin\AppData\Local\Temp\503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe
"C:\Users\Admin\AppData\Local\Temp\503d1d7af2c9ffa6d7d12e67e6be98c5b004cdd0192784a2eb26c667111e43e9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4840

C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGWallPaper.exe
"C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGWallPaper.exe" -actd
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGDynamicWp.exe
"C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGDynamicWp.exe"
3⤵
- Executes dropped EXE
PID:4464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\xiaochouWP\ASConfig.json
Filesize
57B

MD5
2c5ebc79aed490957039e2c5db3ce29c

SHA1
2b2e31aba5770b738312194740db6f788e7d1429

SHA256
f5c59503a0d57979cf5d4e2ab7c75ddc003a806870966077ea8c72d0b123f8c2

SHA512
79a67d110f8145d5f7cecdbcd2b464e8fa0611fbe82d6b935d1980ba0a321c88ceb6dbd036d345e989f4b37f41363411c1553cd4f787842ca11fd7fbab090ace

Download Submit
C:\Users\Admin\AppData\LocalLow\xiaochouWP\Config.ini
Filesize
86B

MD5
a629188b0143d6e9e8d85168dcb314fd

SHA1
000284c43ede4b1e8e8efc5fdeb4f7db799350d4

SHA256
4ab3d689cc667bb3594d724d75a8a6c8313d3488856e1e5b325f30db6d66b58d

SHA512
f4ea078410aee7805a7c6d3cbddbfab21a13811c3c854bad890cef1e2e3c46d5e495d3c23753aefa855f6253dfe0506af4afd870a2a7db87157bf39e5f9b334c

Download Submit
C:\Users\Admin\AppData\LocalLow\xiaochouWP\Config.ini
Filesize
1KB

MD5
e4b02d62e040b6e0d19ed4a6bb760bc5

SHA1
1aa0dd2ba9e9f4ae45dfc41ec37229e495803d1f

SHA256
8fc44d00593703ad90b7b713cab53666402b192403efde24e14634082cee14cf

SHA512
f314c6f6c6b51e35136a4caf91a9f0f007ea371343ab7f34f1e1f1f76165cb8711696628f915eadcf6c7144bcee277d2a9655926c510159c5cb39b12e483f468

Download Submit
C:\Users\Admin\AppData\LocalLow\xiaochouWP\FirstExecute.ini
Filesize
20B

MD5
086e2ea36165237bc4f11f9bcdbc8735

SHA1
319b385c639b275b030f6057548544045936f723

SHA256
6cd16556688a60117012f61db6b9d1731e8e99fa5834ba2498f965e35d842854

SHA512
a488d4debf0e933bf8decf92a4df9bf1d677edc3d6bd38c72a4593d66ad02a5f842493accc199b899117e78840709269a2a1ba1df20e4e87f53c582e133d46ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7CE7.tmp\HWSignature.dll
Filesize
359KB

MD5
77a78b4957a2f348cac8e07e1c500b62

SHA1
764b8400b98f02a9c2c1dafa32c983b2db3cb372

SHA256
c8cfc8a0c5f47cc8a0221dc424676fe5353fdf01efd7617c72dde92a2b4f97c6

SHA512
fc1e38c0e1a40d90e929c9ac969989b1c159cc49e220244b7dff523b3a121a8044d4087acbc474443cdb91dd811d3597e83ac23945f25256c14644a7c805dfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7CE7.tmp\HWSignature.dll
Filesize
359KB

MD5
77a78b4957a2f348cac8e07e1c500b62

SHA1
764b8400b98f02a9c2c1dafa32c983b2db3cb372

SHA256
c8cfc8a0c5f47cc8a0221dc424676fe5353fdf01efd7617c72dde92a2b4f97c6

SHA512
fc1e38c0e1a40d90e929c9ac969989b1c159cc49e220244b7dff523b3a121a8044d4087acbc474443cdb91dd811d3597e83ac23945f25256c14644a7c805dfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7CE7.tmp\SetupLib.dll
Filesize
3.0MB

MD5
753b46e41f84b392bb07139a4f9fdb26

SHA1
5939ad9ec82a64aad7ebaf2c4b60a0f2041ded41

SHA256
96d5f58800c2fe23a47f080b46126cf90b6d3011aa51d0054ce1877d5b0f8745

SHA512
e9f2c6cb26a3aae5ece3306f6dca6a6b7f2b2017d19dd7f98a1c88d87cf76df8866f4c7ad17278a509650d3a2b657ff25acb8e48d9239417992c7f8e550ed933

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7CE7.tmp\SetupLib.dll
Filesize
3.0MB

MD5
753b46e41f84b392bb07139a4f9fdb26

SHA1
5939ad9ec82a64aad7ebaf2c4b60a0f2041ded41

SHA256
96d5f58800c2fe23a47f080b46126cf90b6d3011aa51d0054ce1877d5b0f8745

SHA512
e9f2c6cb26a3aae5ece3306f6dca6a6b7f2b2017d19dd7f98a1c88d87cf76df8866f4c7ad17278a509650d3a2b657ff25acb8e48d9239417992c7f8e550ed933

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7CE7.tmp\System.dll
Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7CE7.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7CE7.tmp\md5dll.dll
Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\HWSignature.dll
Filesize
359KB

MD5
77a78b4957a2f348cac8e07e1c500b62

SHA1
764b8400b98f02a9c2c1dafa32c983b2db3cb372

SHA256
c8cfc8a0c5f47cc8a0221dc424676fe5353fdf01efd7617c72dde92a2b4f97c6

SHA512
fc1e38c0e1a40d90e929c9ac969989b1c159cc49e220244b7dff523b3a121a8044d4087acbc474443cdb91dd811d3597e83ac23945f25256c14644a7c805dfb9

Download Submit
C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\HWSignature.dll
Filesize
359KB

MD5
77a78b4957a2f348cac8e07e1c500b62

SHA1
764b8400b98f02a9c2c1dafa32c983b2db3cb372

SHA256
c8cfc8a0c5f47cc8a0221dc424676fe5353fdf01efd7617c72dde92a2b4f97c6

SHA512
fc1e38c0e1a40d90e929c9ac969989b1c159cc49e220244b7dff523b3a121a8044d4087acbc474443cdb91dd811d3597e83ac23945f25256c14644a7c805dfb9

Download Submit
C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\Recommend_Big.gz
Filesize
7KB

MD5
f59326d605d4d9bb5d6a199d9503be64

SHA1
5935be81b94fe795c1c7f645fa2642908cf67a92

SHA256
8f27f3df247be5249927fa74d94a7694f6b60d346cd4cc25250ff57652b49dd2

SHA512
49e06ac7f0c114421a0b69469dcbcd7c398bd64659f722c12511c59f49bed26c57f12deb200d0186d13350bb8c4a74d467ca2dfed616b99cbdcaf715bf30e82c

Download Submit
C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGDynamicWp.exe
Filesize
2.7MB

MD5
730f339bdd9dd9a0d0a109d04b875466

SHA1
4e937b36514762542e1c4f1c1365431d06b308fa

SHA256
2869a0d01511184e6cfe15a650bbea20edc5c6ce02b8b4bd01a563daf38f2488

SHA512
e78cef4ceebbea241191046463e053b4ec83e28e36339c35a72e1c96e3a45f3587bbbb482348160f805845a7cc920a88c94fff5f4a91343fb2f7f0aaa83c77bd

Download Submit
C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGDynamicWp.exe
Filesize
2.7MB

MD5
730f339bdd9dd9a0d0a109d04b875466

SHA1
4e937b36514762542e1c4f1c1365431d06b308fa

SHA256
2869a0d01511184e6cfe15a650bbea20edc5c6ce02b8b4bd01a563daf38f2488

SHA512
e78cef4ceebbea241191046463e053b4ec83e28e36339c35a72e1c96e3a45f3587bbbb482348160f805845a7cc920a88c94fff5f4a91343fb2f7f0aaa83c77bd

Download Submit
C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGWallPaper.exe
Filesize
6.7MB

MD5
ac2c6f6fa80522167167e893c96a54e2

SHA1
5d644135444ec47c70103a4e5010114d716837fd

SHA256
bc130ba9a075cd04e5bb4e92eeeb053ddc50b1d853a621e965bba098a3aa16cd

SHA512
4807a80e77556da583583d8a48554a555d5acfb9c8afe139b384d2336625c011ceeeba51a7087c6b0ea1c8f38c389426aad64d2bc07b30bbdb87ddd4a992c113

Download Submit
C:\Users\Admin\AppData\Roaming\XiaoChouWallPaper\1.0.0.0000\SGWallPaper.exe
Filesize
6.7MB

MD5
ac2c6f6fa80522167167e893c96a54e2

SHA1
5d644135444ec47c70103a4e5010114d716837fd

SHA256
bc130ba9a075cd04e5bb4e92eeeb053ddc50b1d853a621e965bba098a3aa16cd

SHA512
4807a80e77556da583583d8a48554a555d5acfb9c8afe139b384d2336625c011ceeeba51a7087c6b0ea1c8f38c389426aad64d2bc07b30bbdb87ddd4a992c113

Download Submit
C:\Users\Admin\Desktop\小丑壁纸.lnk
Filesize
1KB

MD5
6d86d99a75fded84d4769569165412c2

SHA1
e25d60622f4f5a31a49a3722df0708aaec8c1d96

SHA256
34b2a713bdceb2a1b425466257bf5e722f7167ef41717e690d1caa669312070c

SHA512
e9ca5b988ed473eb4f3fdfef4003b665843203a9361f76c3fa336a6280f73ad211125d9d82de50872b81cdd4edf605af1111acbb1a217de5cb5740f96951050e

Download Submit
memory/2360-141-0x0000000000000000-mapping.dmp

Download
memory/2360-147-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4464-153-0x0000000000000000-mapping.dmp

Download
memory/4840-137-0x00000000037A0000-0x00000000037FF000-memory.dmp

Filesize
380KB

Download
memory/4840-134-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4840-133-0x0000000003230000-0x000000000367D000-memory.dmp

Filesize
4.3MB

Download