73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f

General

Target

73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f.exe
Size

76KB
MD5

bd059ea6f22085065a58cfb82f355660
SHA1

3d841bf080f2c7d372095283149be6decbcbfed9
SHA256

73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f
SHA512

83075c683c6bb2efbc683c0f47a53d1470446910636734d63d785c0e2460aab2e1a435c780cf621242041121562e8d21910fcbfe908715a3911e312506ba06c0
SSDEEP

1536:K6mQHHvp0FAHcbY2xJu/H8JEUim6mQaKB:vHHvpXc3U/H8JEdBB

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,c:\\windows\\system32\\RsTray.exe"	73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f.exe

Executes dropped EXE 1 IoCs

pid	Process
3852	360Setup.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1944-137-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/files/0x0003000000022de7-139.dat	upx
behavioral2/files/0x0003000000022de7-140.dat	upx
behavioral2/memory/1944-144-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/3852-146-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\360Setup.exe	73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f.exe
File opened for modification	C:\Windows\SysWOW64\RsTray.exe	73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1944	73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f.exe
3852	360Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 3852	1944	73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f.exe	84
PID 1944 wrote to memory of 3852	1944	73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f.exe	84
PID 1944 wrote to memory of 3852	1944	73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f.exe	84
PID 1944 wrote to memory of 3436	1944	73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f.exe	85
PID 1944 wrote to memory of 3436	1944	73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f.exe	85
PID 1944 wrote to memory of 3436	1944	73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f.exe	85

C:\Users\Admin\AppData\Local\Temp\73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f.exe
"C:\Users\Admin\AppData\Local\Temp\73f33614742a79bd70ec6b3bbf7a2def17b95ea7b88d399a1db31d95125e415f.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\360Setup.exe
  "C:\Windows\system32\360Setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templateskill.bat""
  2⤵
  PID:3436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templateskill.bat

Filesize
254B

MD5
e0586ac964c82e2bed78ca641339f48e

SHA1
a3969150f8270bb0fa22ffb8e56b4225d19e94ea

SHA256
3314560ce8d947691b7c8185fa47a2d92414f815b7111d5745ab7f589097ab8a

SHA512
d79d02f14ecaf754cb70808a9913b7c43738e720949dc9387d7058b415c565c05fea6ef6de41dd74c03d71b27340470a39de303e80457e0594e901821fcdac0a

Download Submit
C:\Windows\SysWOW64\360Setup.exe

Filesize
10KB

MD5
b344a226ff5984ab7b1cbbd6f2cf896c

SHA1
b03fc74643a2a92b75a4245d80396909d4a7b97c

SHA256
515ee5e36192a8b14af5c2c01226536e8e279de4b70c9ac73ef7827764336f5a

SHA512
53ab74b1a0edc9d5b85a12e333f1e8d52a833e9af952804b48101ddeebc5e58bba3a62243bf9ef908104e3e35d69c86cf4e800fab6c1217ede1a75699697531c

Download Submit
C:\Windows\SysWOW64\360Setup.exe

Filesize
10KB

MD5
b344a226ff5984ab7b1cbbd6f2cf896c

SHA1
b03fc74643a2a92b75a4245d80396909d4a7b97c

SHA256
515ee5e36192a8b14af5c2c01226536e8e279de4b70c9ac73ef7827764336f5a

SHA512
53ab74b1a0edc9d5b85a12e333f1e8d52a833e9af952804b48101ddeebc5e58bba3a62243bf9ef908104e3e35d69c86cf4e800fab6c1217ede1a75699697531c

Download Submit
memory/1944-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1944-144-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3852-146-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing