20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6.exe
Size

339KB
MD5

c7c06a6ffd8019df0ed20f5660fd620e
SHA1

9d1be5882e6d2b69cb9707732dc3acd326c72b20
SHA256

20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6
SHA512

662695e35a3875a5224afd8e6b98a0d1ba663d0d5ee22f0c7ac613801e1541aa146dd0822fdcca8f3366ed4bb03ee6d2ff85063adb867a17ae8bfb0ee5c012f4
SSDEEP

6144:/oBgKhZe4mX2Idx3GNNTRvb2FQc0exh8tdCtd6JVx+:/RKhI4mmYMNNT2mzR+

Score

8^/10

evasion persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	2964	Rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
3036	system.exe
1284	20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
964	Rundll32.exe
2964	Rundll32.exe
2964	Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6.exe
File created	C:\Windows\SysWOW64\aoppngaa.dll	system.exe
File created	C:\Windows\SysWOW64\wxhaogaa.dll	system.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\AAV\CDriver.sys	Rundll32.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3224	sc.exe
4300	sc.exe
5104	sc.exe
5096	sc.exe
3516	sc.exe
2956	sc.exe
1084	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3036	system.exe
3036	system.exe
964	Rundll32.exe
964	Rundll32.exe
964	Rundll32.exe
964	Rundll32.exe
964	Rundll32.exe
964	Rundll32.exe
964	Rundll32.exe
964	Rundll32.exe
964	Rundll32.exe
964	Rundll32.exe
964	Rundll32.exe
964	Rundll32.exe
964	Rundll32.exe
964	Rundll32.exe
2964	Rundll32.exe
2964	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3440	20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 3036	3440	20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6.exe	78
PID 3440 wrote to memory of 3036	3440	20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6.exe	78
PID 3440 wrote to memory of 3036	3440	20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6.exe	78
PID 3036 wrote to memory of 964	3036	system.exe	79
PID 3036 wrote to memory of 964	3036	system.exe	79
PID 3036 wrote to memory of 964	3036	system.exe	79
PID 964 wrote to memory of 3296	964	Rundll32.exe	80
PID 964 wrote to memory of 3296	964	Rundll32.exe	80
PID 964 wrote to memory of 3296	964	Rundll32.exe	80
PID 964 wrote to memory of 4480	964	Rundll32.exe	82
PID 964 wrote to memory of 4480	964	Rundll32.exe	82
PID 964 wrote to memory of 4480	964	Rundll32.exe	82
PID 964 wrote to memory of 1084	964	Rundll32.exe	84
PID 964 wrote to memory of 1084	964	Rundll32.exe	84
PID 964 wrote to memory of 1084	964	Rundll32.exe	84
PID 964 wrote to memory of 3224	964	Rundll32.exe	86
PID 964 wrote to memory of 3224	964	Rundll32.exe	86
PID 964 wrote to memory of 3224	964	Rundll32.exe	86
PID 3296 wrote to memory of 1676	3296	net.exe	89
PID 4480 wrote to memory of 2404	4480	net.exe	88
PID 3296 wrote to memory of 1676	3296	net.exe	89
PID 3296 wrote to memory of 1676	3296	net.exe	89
PID 4480 wrote to memory of 2404	4480	net.exe	88
PID 4480 wrote to memory of 2404	4480	net.exe	88
PID 964 wrote to memory of 4300	964	Rundll32.exe	90
PID 964 wrote to memory of 4300	964	Rundll32.exe	90
PID 964 wrote to memory of 4300	964	Rundll32.exe	90
PID 964 wrote to memory of 3516	964	Rundll32.exe	97
PID 964 wrote to memory of 3516	964	Rundll32.exe	97
PID 964 wrote to memory of 3516	964	Rundll32.exe	97
PID 964 wrote to memory of 5104	964	Rundll32.exe	92
PID 964 wrote to memory of 5104	964	Rundll32.exe	92
PID 964 wrote to memory of 5104	964	Rundll32.exe	92
PID 964 wrote to memory of 5096	964	Rundll32.exe	93
PID 964 wrote to memory of 5096	964	Rundll32.exe	93
PID 964 wrote to memory of 5096	964	Rundll32.exe	93
PID 964 wrote to memory of 3440	964	Rundll32.exe	77
PID 964 wrote to memory of 3440	964	Rundll32.exe	77
PID 964 wrote to memory of 3036	964	Rundll32.exe	78
PID 964 wrote to memory of 3036	964	Rundll32.exe	78
PID 964 wrote to memory of 3296	964	Rundll32.exe	80
PID 964 wrote to memory of 3296	964	Rundll32.exe	80
PID 964 wrote to memory of 4480	964	Rundll32.exe	82
PID 964 wrote to memory of 4480	964	Rundll32.exe	82
PID 964 wrote to memory of 1676	964	Rundll32.exe	89
PID 964 wrote to memory of 1676	964	Rundll32.exe	89
PID 964 wrote to memory of 2404	964	Rundll32.exe	88
PID 964 wrote to memory of 2404	964	Rundll32.exe	88
PID 964 wrote to memory of 4300	964	Rundll32.exe	90
PID 964 wrote to memory of 4300	964	Rundll32.exe	90
PID 964 wrote to memory of 3516	964	Rundll32.exe	97
PID 964 wrote to memory of 3516	964	Rundll32.exe	97
PID 964 wrote to memory of 5104	964	Rundll32.exe	92
PID 964 wrote to memory of 5104	964	Rundll32.exe	92
PID 964 wrote to memory of 5096	964	Rundll32.exe	93
PID 964 wrote to memory of 5096	964	Rundll32.exe	93
PID 964 wrote to memory of 2956	964	Rundll32.exe	98
PID 964 wrote to memory of 2956	964	Rundll32.exe	98
PID 964 wrote to memory of 2956	964	Rundll32.exe	98
PID 3036 wrote to memory of 2964	3036	system.exe	100
PID 3036 wrote to memory of 2964	3036	system.exe	100
PID 3036 wrote to memory of 2964	3036	system.exe	100
PID 3440 wrote to memory of 1284	3440	20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6.exe	109
PID 3440 wrote to memory of 1284	3440	20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6.exe	109

C:\Users\Admin\AppData\Local\Temp\20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6.exe
"C:\Users\Admin\AppData\Local\Temp\20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\aoppngaa.dll Exxcute
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Windows\SysWOW64\net.exe
      net stop WinDefend
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WinDefend
        5⤵
        
        PID:1676
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        5⤵
        
        PID:2404
  - - C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:1084
  - - C:\Windows\SysWOW64\sc.exe
      sc config MpsSvc start= disabled
      4⤵
      Launches sc.exe
      PID:3224
  - - C:\Windows\SysWOW64\sc.exe
      sc stop ZhuDongFangYu
      4⤵
      Launches sc.exe
      PID:4300
  - - C:\Windows\SysWOW64\sc.exe
      sc stop 360rp
      4⤵
      Launches sc.exe
      PID:5104
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360rp
      4⤵
      Launches sc.exe
      PID:5096
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ZhuDongFangYu
      4⤵
      Launches sc.exe
      PID:3516
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" stop PolicyAgent
      4⤵
      Launches sc.exe
      PID:2956
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\wxhaogaa.dll Exucute
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID:2964
- C:\Users\Admin\AppData\Local\Temp\20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6.exe
  C:\Users\Admin\AppData\Local\Temp\20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6.exe
  2⤵
  - Executes dropped EXE
  PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20c28cbf290106577b5d8754f385aa4f70cf8623ab3e6f5365ea46b84f86eea6.exe

Filesize
189KB

MD5
5590053d5b7f9ba90dac1432f3b95f2c

SHA1
2d83c739606edf2262bdf3d887bd615a9a4bb0df

SHA256
d1a546bbc0c5cbc6f7d18165c2cac2188807502cd59c80467e0e40e691a8ea43

SHA512
26decafd99bc7ab70811231f096dcb8be23030c51692392aad6c770467b5b7bbed732dec00817345a69183e1d66ae45b5496f98d9188b7d67ad8d9093afa4412

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4AC.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Windows\SysWOW64\aoppngaa.dll

Filesize
78KB

MD5
eedc0d1a5c758e1d224f39e9ab08f484

SHA1
ec3229d30a4ad020fd1e2a71af7e648b413a34ca

SHA256
0972f8c346db99042185797f09094e23f947152b72e58e2a2895423dd8f23ac1

SHA512
24183ad857c5b3d920b2c8a511a0847dc4cc5deca5581913bfa47dd5d146f90573c5a3ea55479e038849d2b3da72e7e4d34a5f50ec2e8049b29e201ed0b43bc6

Download Submit
C:\Windows\SysWOW64\aoppngaa.dll

Filesize
78KB

MD5
eedc0d1a5c758e1d224f39e9ab08f484

SHA1
ec3229d30a4ad020fd1e2a71af7e648b413a34ca

SHA256
0972f8c346db99042185797f09094e23f947152b72e58e2a2895423dd8f23ac1

SHA512
24183ad857c5b3d920b2c8a511a0847dc4cc5deca5581913bfa47dd5d146f90573c5a3ea55479e038849d2b3da72e7e4d34a5f50ec2e8049b29e201ed0b43bc6

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
145KB

MD5
4c3944adb49e5be053cc27f5b6c461a8

SHA1
e2fe57502eac168fe27a406ec5b86727c1be721b

SHA256
e2e32ba264dca0a0d4e1388871c39df529c432f733ec83da2b5699a77b88a270

SHA512
cfa31e6245cef41bc28877a82e74d8fb5c9bb3e1d938a4f12d561bd72ca12877aaf1062dc8438461b0bbeabe086b6ce028c8fa4eb090a47dd3df0ad61582d257

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
145KB

MD5
4c3944adb49e5be053cc27f5b6c461a8

SHA1
e2fe57502eac168fe27a406ec5b86727c1be721b

SHA256
e2e32ba264dca0a0d4e1388871c39df529c432f733ec83da2b5699a77b88a270

SHA512
cfa31e6245cef41bc28877a82e74d8fb5c9bb3e1d938a4f12d561bd72ca12877aaf1062dc8438461b0bbeabe086b6ce028c8fa4eb090a47dd3df0ad61582d257

Download Submit
C:\Windows\SysWOW64\wxhaogaa.dll

Filesize
22KB

MD5
a457952d720764b67b169d8a4c5f88c7

SHA1
a75185a97c810b923c3caddac190ce6967e4d1a9

SHA256
df62a7994a62e015d4770cb5e48a0bc23e3d1bd74c5c9908175b3f0673f4cbb1

SHA512
9605466bb7b10297b3e46f0cb1b02d07b7203e277e3344ab3e9e2e8d7e86953f69cb593cea785c1e60ad6aabcb832f318d6dd6384f46b2fb8023df41d6c11d39

Download Submit
C:\Windows\SysWOW64\wxhaogaa.dll

Filesize
22KB

MD5
a457952d720764b67b169d8a4c5f88c7

SHA1
a75185a97c810b923c3caddac190ce6967e4d1a9

SHA256
df62a7994a62e015d4770cb5e48a0bc23e3d1bd74c5c9908175b3f0673f4cbb1

SHA512
9605466bb7b10297b3e46f0cb1b02d07b7203e277e3344ab3e9e2e8d7e86953f69cb593cea785c1e60ad6aabcb832f318d6dd6384f46b2fb8023df41d6c11d39

Download Submit
memory/1284-157-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3440-132-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/3440-145-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download