cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a

Analysis

max time kernel
140s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe
Size

687KB
MD5

55518a860fc98bc805c6e295c21b07cb
SHA1

d019b7c7f1862641fd75ca0e22129eedabb58389
SHA256

cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a
SHA512

bb7c86ad66075bf494b7665e70856131cb229fa77b0de1bf99079f6f81084b01ee0fb293fd7f210dff4c2f7300a36cf76ad0b52ce3c5811ad5ce52105fb139bd
SSDEEP

12288:dZjMLf11MmPQeRXEHYYS3gA0FJO1t3r6QcGuA:dafIiy4NwdLpQr

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4244	baidu.exe
4708	遨游下载.exe
1340	酷我下载.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000022df8-133.dat	upx
behavioral2/files/0x000a000000022df8-134.dat	upx
behavioral2/files/0x000b000000022e0b-136.dat	upx
behavioral2/files/0x000b000000022e0b-138.dat	upx
behavioral2/files/0x0008000000022e0f-139.dat	upx
behavioral2/files/0x0008000000022e0f-140.dat	upx
behavioral2/memory/4244-147-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/4708-148-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1340-149-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1340-150-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4244-154-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/4708-155-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4708-156-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4244-158-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	baidu.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\tk.reg	baidu.exe
File opened for modification	C:\Program Files\WinRAR\hzrtxefvp.tk	baidu.exe
File created	C:\Program Files\WinRAR\hzrtxefvp.tk	baidu.exe
File created	C:\Program Files (x86)\WinRAR\READ.TXT	WScript.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\WINDOWS\tb.ico	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe
File opened for modification	C:\WINDOWS\tb.ico	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe
File created	C:\WINDOWS\dy.ico	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe
File opened for modification	C:\WINDOWS\dy.ico	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe
File opened for modification	C:\Windows\My.ini	baidu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Print	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tk	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\CLSID	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Print\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Print\Command\ = "C:\\Windows\\SysWow64\\Notepad.exe /p %1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\DropHandler\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\PropertySheetHandlers\WSHProps\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command\ = "WScript.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\ContextMenuHandlers\	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\PropertySheetHandlers	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	baidu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ = "????"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ScriptHostEncode\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\CLSID\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\ = "Open"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Edit\Command\ = "C:\\Windows\\SysWow64\\Notepad.exe %1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\PropertySheetHandlers\WSHProps	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\NeverShowExt\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon\ = "C:\\Windows\\SysWow64\\WScript.exe,3"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\IconHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ = "JScript Script File"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Edit\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open2	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Open2\ = "Open &with Command Prompt"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\ContextMenuHandlers	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Edit	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open2\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Open2\Command\ = "C:\\Windows\\SysWow64\\CScript.exe \"%1\" %*"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\DropHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tk\ = "tkfile"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\ = "open"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\FriendlyTypeName = "@%SystemRoot%\\System32\\wshext.dll,-4804"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ScriptEngine	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ScriptEngine\ = "JScript"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ScriptHostEncode	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command\ = "C:\\Windows\\SysWow64\\WScript.exe \"%1\" %*"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\NeverShowExt	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Open2\MUIVerb = "@C:\\Windows\\System32\\wshext.dll,-4511"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2128	regedit.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2240	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe
2240	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe
2240	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2240	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe
2240	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe
2240	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4708	遨游下载.exe
1340	酷我下载.exe
4244	baidu.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 4244	2240	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe	79
PID 2240 wrote to memory of 4244	2240	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe	79
PID 2240 wrote to memory of 4244	2240	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe	79
PID 2240 wrote to memory of 4708	2240	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe	80
PID 2240 wrote to memory of 4708	2240	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe	80
PID 2240 wrote to memory of 4708	2240	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe	80
PID 2240 wrote to memory of 1340	2240	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe	81
PID 2240 wrote to memory of 1340	2240	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe	81
PID 2240 wrote to memory of 1340	2240	cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe	81
PID 4244 wrote to memory of 4660	4244	baidu.exe	82
PID 4244 wrote to memory of 4660	4244	baidu.exe	82
PID 4244 wrote to memory of 4660	4244	baidu.exe	82
PID 4660 wrote to memory of 2128	4660	cmd.exe	84
PID 4660 wrote to memory of 2128	4660	cmd.exe	84
PID 4660 wrote to memory of 2128	4660	cmd.exe	84
PID 4244 wrote to memory of 5056	4244	baidu.exe	89
PID 4244 wrote to memory of 5056	4244	baidu.exe	89
PID 4244 wrote to memory of 5056	4244	baidu.exe	89

C:\Users\Admin\AppData\Local\Temp\cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe
"C:\Users\Admin\AppData\Local\Temp\cab3c86eb20e3d67da897032e3415576e59af7f95b570a554ad44a5d8160930a.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2240
- C:\baidu.exe
  C:\baidu.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c regedit /s "C:\Program Files\Common Files\tk.reg"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "C:\Program Files\Common Files\tk.reg"
      4⤵
      Modifies registry class
      Runs .reg file with regedit
      PID:2128
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\SysWow64\WScript.exe" "C:\program files\winrar\hzrtxefvp.tk"
    3⤵
    - Drops file in Program Files directory
    PID:5056
- C:\遨游下载.exe
  C:\遨游下载.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4708
- C:\酷我下载.exe
  C:\酷我下载.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\tk.reg

Filesize
2KB

MD5
ad9792973a4abb08339cbd25c008139e

SHA1
177a0b9883fa26127dac9b213cceb626d5a289e6

SHA256
dc3e37b68398faa05cd30eaf0ead9de7b32e75a5a4e7aa7c864efdd2fd42886a

SHA512
b619a6e97646eefddca1b02be9ed47133d91975bf113d2eead95bc2bdb5f64ac711cc0a12e7de5ce048816612a7e9084454eacc474624f80b2ca93cc80a6eb10

Download Submit
C:\baidu.exe

Filesize
44KB

MD5
bd03e090a9121c50b4080a7b86effbc7

SHA1
1497ee530c53cb9c055fb013b5c11a5e9203e112

SHA256
4c1db3ae2de0f74b8fb1af1b493af1c4a78779330b14e1f27df2aad6e407b199

SHA512
704ce7f3f6be8876d032cbf6986c5764ecaa66481b8a0ce49e89ad7ebd035ca72dbf6b9c16667edbb2a8122b33021409dc496c3a99b9588cc17fb9cf86718ab8

Download Submit
C:\baidu.exe

Filesize
44KB

MD5
bd03e090a9121c50b4080a7b86effbc7

SHA1
1497ee530c53cb9c055fb013b5c11a5e9203e112

SHA256
4c1db3ae2de0f74b8fb1af1b493af1c4a78779330b14e1f27df2aad6e407b199

SHA512
704ce7f3f6be8876d032cbf6986c5764ecaa66481b8a0ce49e89ad7ebd035ca72dbf6b9c16667edbb2a8122b33021409dc496c3a99b9588cc17fb9cf86718ab8

Download Submit
C:\program files\winrar\hzrtxefvp.tk

Filesize
30KB

MD5
81388ba3bc033c93d6dc1c089c05b981

SHA1
33872a01a879f6e40c778febf0f1627edb68661c

SHA256
298f1b3bbdab067ac5af70984a51f143d89b0dc6eb9e2dd60572091a07fa1fd8

SHA512
c0c5d0faf3e84c39a4e1fa605eb52cd247428e11a5cd3cdfbbde56004582fd895abfa71237532ec958f9c4996f033eeecd87440990c2f8f0a6631bfcbbb91de7

Download Submit
C:\遨游下载.exe

Filesize
6KB

MD5
fafe0ba6bf117f0233219dad1cb8d95c

SHA1
02e7810788ea56ddee13c53eba6cd3dec1b3735d

SHA256
340fde09372e9d1df55363ebac8ff8a6152a0fc6bcfabad49b5281db98e74a70

SHA512
d3aa0adb7933b782a02ff15c879dca4d6afe7a53805d9ac5e760f266850ff239d1af107b441721b2daeb1b9708ca127a0c8d3ce8f81df43a10008a941b72bcb8

Download Submit
C:\遨游下载.exe

Filesize
6KB

MD5
fafe0ba6bf117f0233219dad1cb8d95c

SHA1
02e7810788ea56ddee13c53eba6cd3dec1b3735d

SHA256
340fde09372e9d1df55363ebac8ff8a6152a0fc6bcfabad49b5281db98e74a70

SHA512
d3aa0adb7933b782a02ff15c879dca4d6afe7a53805d9ac5e760f266850ff239d1af107b441721b2daeb1b9708ca127a0c8d3ce8f81df43a10008a941b72bcb8

Download Submit
C:\酷我下载.exe

Filesize
6KB

MD5
abdc11d0bbe3c10554bd8f245cd06cea

SHA1
d4154fc99c3e2928b6462984fbbe6e635702cbd0

SHA256
19dbe0d9f59c5b838076110befbddb7ed7ef870927e66d96bbdb6020ad845ac8

SHA512
3873d87bd76c197f1a0e5b29a1e6629256231a028fc9550f8d197cba8310d794a2f7abcb66f7f96dffd2d854632a4a306ec7e9cb375ea41ed8378dd6abdb014c

Download Submit
C:\酷我下载.exe

Filesize
6KB

MD5
abdc11d0bbe3c10554bd8f245cd06cea

SHA1
d4154fc99c3e2928b6462984fbbe6e635702cbd0

SHA256
19dbe0d9f59c5b838076110befbddb7ed7ef870927e66d96bbdb6020ad845ac8

SHA512
3873d87bd76c197f1a0e5b29a1e6629256231a028fc9550f8d197cba8310d794a2f7abcb66f7f96dffd2d854632a4a306ec7e9cb375ea41ed8378dd6abdb014c

Download Submit
memory/1340-150-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1340-149-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4244-147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4244-154-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4244-158-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4708-148-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4708-155-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4708-156-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download