805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Size

32KB
MD5

36c26cf4c376eee2e9970c65a6bd82c1
SHA1

e8eaa54b31c1853410e6eb8a2a4e839d6d72d4c7
SHA256

805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04
SHA512

6d2b86636a43e21d9952040208607b116cf455aca222d352f1caf3ced41d01d48ab2979c41e3764b6645339775b54f9967942d76e43a1422785a3a4671acea1c
SSDEEP

192:p/33z1rWSUcVKbCBpLg1GqPQUS2b3z3ZuizSmiZBL/YfwDLXkUKfoa2hTbP4oynz:x7UcIbHDZxzSRLbHXvKfoa2d43KZZIl

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\XunJie\command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\XunJie\command\ = "\"\" \"%1\""	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\ = "Ñ¸½Ý"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\ = "XunJie.Association.HTML"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\DefaultIcon	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\XunJie	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\XunJie\ = "Ñ¸½ÝÓÎÀÀÆ÷"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\XunJie	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\XunJie\command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\XunJie\	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\DefaultIcon\ = ",0"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"\" \"%1\""	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\ = "Ñ¸½Ý"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\XunJie	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\ = "XunJie.Association.HTML"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\URL Protocol	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell\Open\ = "Ñ¸½ÝÓÎÀÀÆ÷"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\DefaultIcon\ = ",26"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\ = "XunJie.Association.HTML"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\XunJie	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\XunJie\command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\XunJie\command\ = "\"\" \"%1\""	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\XunJie\command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\XunJie\command\ = "\"\" \"%1\""	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41906A82-C6BE-4329-96D5-543B29A18BA9}	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\ = "XunJie.Association.HTML"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\XunJie\ = "Ñ¸½ÝÓÎÀÀÆ÷"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"\" \"%1\""	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\Open\command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\XunJie\command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell\	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell\Open	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell\Open\Command	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell\Open\Command\ = "\"\" \"%1\""	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\XunJie	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41906A82-C6BE-4329-96D5-543B29A18BA9}\ = "IThunderMx"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\ = "XunJie Document"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XunJie.Association.HTML\Shell	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\ = "XunJie"	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\XunJie\command\ = "\"\" \"%1\""	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\XunJie\	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 4200	3180	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe	79
PID 3180 wrote to memory of 4200	3180	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe	79
PID 3180 wrote to memory of 4200	3180	805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe	79

C:\Users\Admin\AppData\Local\Temp\805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe
"C:\Users\Admin\AppData\Local\Temp\805996ea2acc0bbde8caeccf56129913c0819f6dd07242b073b4c7d69225ae04.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ydlem.bat
  2⤵
  PID:4200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ydlem.bat

Filesize
512B

MD5
c2218281b28f4c8bc11c6901138174f2

SHA1
96300145a94be4e2f6bc131ad94fa950d08e3e1a

SHA256
a328e798bcad2ce9e39ed47fdcc9836ab2fdddba88ad4debbef91c6c3d0d7c21

SHA512
f0a487de0ef4c045832dc8d0aa344e990bb2f0da09482ed7e2bb7c80998890f292701fec3b92fa8184e1ec33af6ae986a6c81272b09d069bad567e00376f90ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydlem.tmp

Filesize
32KB

MD5
2407b3e6b045e71c67c93268ea02038a

SHA1
856c4e148029a2d55c205e3589929972112c1d36

SHA256
ba3243be56fe34e2bdd0ab66b1e6804eb56a5a6537934bbcfc56aac5fa5cf0e6

SHA512
58d5c3846900ff98c41e6c4c5f2e8586ad246fab5a267c1350f822f11a15a1517fd180a4e2cdc16afbfc9f8b23a2658f8c54a89ab9ee32d75b62f4d07e4f627d

Download Submit