7a625dae2c144a4f0a4ac7ec7a0b2f5565a66d53a520fde6a0603eabd74ec15b

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_rPDgtVNv.exe
Size

104KB
MD5

ef1f98c1f03a67b6e1ae3daccd8b47b8
SHA1

b62eeb097bf11dea4b05a12a13fe974578875284
SHA256

63503a564e42c8371e658942e1c6ca64b93079473bc83ff9d5f4199339b63e0c
SHA512

8fc07de48c3f90887545bdad24efc993ee079f0567edcc7523c227868f6ba090dd40b993cd3b754903f66451f0c5d504e04770b10f1e02adc46b273860104c6e
SSDEEP

1536:m0MzXa0A6ZJDQ43we4B5jyLs0EjHEX6AfHKhIEB1/IY25DmQI:tQK9CM470JyaHEX6AfKKEBWJDmQI

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1832	WScript.Exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\d.ico	setup_rPDgtVNv.exe
File opened for modification	\??\c:\Program Files\Common Files\t.ico	setup_rPDgtVNv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1121"	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1121"	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1121"	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.35yes.com/?1121"	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1121"	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1121"	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	setup_rPDgtVNv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	setup_rPDgtVNv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	setup_rPDgtVNv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1652	setup_rPDgtVNv.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1832	1652	setup_rPDgtVNv.exe	30
PID 1652 wrote to memory of 1832	1652	setup_rPDgtVNv.exe	30
PID 1652 wrote to memory of 1832	1652	setup_rPDgtVNv.exe	30
PID 1652 wrote to memory of 1832	1652	setup_rPDgtVNv.exe	30
PID 1652 wrote to memory of 1832	1652	setup_rPDgtVNv.exe	30
PID 1652 wrote to memory of 1832	1652	setup_rPDgtVNv.exe	30
PID 1652 wrote to memory of 1832	1652	setup_rPDgtVNv.exe	30

C:\Users\Admin\AppData\Local\Temp\setup_rPDgtVNv.exe
"C:\Users\Admin\AppData\Local\Temp\setup_rPDgtVNv.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
386B

MD5
ca40654b10bc8da9d856556e8a3904cc

SHA1
192d4d2f1f7f9980645a72a6e362f597a90b0abf

SHA256
99f8fc55bea81acf8a2fc454ede9d6536f7dd110a0e3ec7b5db3a1acc1dbdbb2

SHA512
067e8161ff81a4b4dec12c07d64b58034988f8d0dccc0d99103db5e130bd6773dd09cbc4c82a959804e3c2f56074af0cee9d9d0a2cd743f73e5b2f7c366eb39a

Download Submit
memory/1652-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1832-57-0x0000000000000000-mapping.dmp

Download