805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Size

32KB
MD5

36c26cf4c376eee2e9970c65a6bd82c1
SHA1

e8eaa54b31c1853410e6eb8a2a4e839d6d72d4c7
SHA256

805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04
SHA512

6d2b86636a43e21d9952040208607b116cf455aca222d352f1caf3ced41d01d48ab2979c41e3764b6645339775b54f9967942d76e43a1422785a3a4671acea1c
SSDEEP

192:p/33z1rWSUcVKbCBpLg1GqPQUS2b3z3ZuizSmiZBL/YfwDLXkUKfoa2hTbP4oynz:x7UcIbHDZxzSRLbHXvKfoa2d43KZZIl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1128	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\XunJie	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\XunJie	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{41906A82-C6BE-4329-96D5-543B29A18BA9}\ = "IThunderMx"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\ = "XunJie"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\DefaultIcon\ = ",0"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell\Open\Command\ = "\"\" \"%1\""	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\XunJie\ = "Ñ¸½ÝÓÎÀÀÆ÷"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\XunJie	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\XunJie\	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"\" \"%1\""	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\Open\command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\ = "XunJie.Association.HTML"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\XunJie\command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\DefaultIcon	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\XunJie\command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\XunJie\command\ = "\"\" \"%1\""	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command\ = "\"\" \"%1\""	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\URL Protocol	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\ = "XunJie Document"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\XunJie\command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\XunJie\ = "Ñ¸½ÝÓÎÀÀÆ÷"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\XunJie	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\XunJie	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\XunJie\command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\XunJie\command\ = "\"\" \"%1\""	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\DefaultIcon\ = ",26"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell\Open	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell\Open\Command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\ = "Ñ¸½Ý"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\ = "XunJie.Association.HTML"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\ = "XunJie.Association.HTML"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell\Open\ = "Ñ¸½ÝÓÎÀÀÆ÷"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\XunJie\command\ = "\"\" \"%1\""	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\XunJie\command\ = "\"\" \"%1\""	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\XunJie\	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\ = "XunJie.Association.HTML"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\ = "Ñ¸½Ý"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\XunJie\command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{41906A82-C6BE-4329-96D5-543B29A18BA9}	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell\	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1128	1676	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe	28
PID 1676 wrote to memory of 1128	1676	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe	28
PID 1676 wrote to memory of 1128	1676	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe	28
PID 1676 wrote to memory of 1128	1676	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe	28

C:\Users\Admin\AppData\Local\Temp\805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
"C:\Users\Admin\AppData\Local\Temp\805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ydlem.bat
  2⤵
  - Deletes itself
  PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ydlem.bat

Filesize
516B

MD5
cb62715271b4289c4a56a0aa2c6dbd89

SHA1
3580fea473e727739070f580c5836b170b0da25d

SHA256
bd85007dd7d8edb274b0487bccda194891e033e856d7988e44c2e477d6c37b18

SHA512
1a9752d8ef1ae2a684813ea94225497e0ff03ac70315853338a3e331ce29e681f32897c9682b996d7c18851f6f92a07df829a5630f085279feba3fc07ffc5dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydlem.tmp

Filesize
32KB

MD5
f7b53b875beb48ffc530f862d63fe74b

SHA1
8887b2301ef4435e1ace7924d2b17358d10ad24c

SHA256
5fe53dd0d48d193c13dc5856c3c1251aa87bc9c503775fe3f355ce3bd78cb994

SHA512
02fe7e7b70e7e20cfc9081c286514110fe0abf85955a65cac227cd21872658cb7f98d1791f6bd4ae3ca9086854dd2a58277782a624a8ae362f38bb6e4059926c

Download Submit
memory/1676-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download