Overview

overview

10

Static

static

兵河五四.exe

windows7-x64

10

兵河五四.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-09-2022 05:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    兵河五四.exe

  • Size

    83KB

  • MD5

    d95807b22dc5cf5d323bf18172915159

  • SHA1

    cdf4ca83655b8a695274f0f775e2bf0d50923b0f

  • SHA256

    25d9443bf5cbec1449ec6bdee3c638ae3f1a61591af213d0c50e352010389538

  • SHA512

    08a3d5833e0808bb6d1e851eb2a6a097b050c448d043acb1813bcff4da3ee5f23884ea6a0a4a30a60a38ce3a7663e44d309ed2048622d9ce3a3bb076949b6435

  • SSDEEP

    1536:GAT7zA8QK45RlbKxGoy90tytopnpO5JXsEI:GATtQdtKKitaopnpmI

Score
10/10
evasion

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\兵河五四.exe
    "C:\Users\Admin\AppData\Local\Temp\兵河五四.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\system32\cmd.exe
      cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Y7795XX.cmd" "C:\Users\Admin\AppData\Local\Temp\兵河五四.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:668
      • C:\Windows\system32\mode.com
        mode con: cols=65 lines=25
        3⤵
          PID:1456
        • C:\Windows\system32\mshta.exe
          mshta vbscript:createobject("shell.application").shellexecute("""C:\Users\Admin\AppData\Local\Temp\兵河五四.exe""","::",,"runas",1)(window.close)
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          PID:1928
          • C:\Users\Admin\AppData\Local\Temp\兵河五四.exe
            "C:\Users\Admin\AppData\Local\Temp\兵河五四.exe" ::
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2036
            • C:\Windows\system32\cmd.exe
              cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\455H0QTV.cmd" "C:\Users\Admin\AppData\Local\Temp\兵河五四.exe" ::"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1048
              • C:\Windows\system32\mode.com
                mode con: cols=65 lines=25
                6⤵
                  PID:2000
                • C:\Windows\system32\reg.exe
                  reg add HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Advanced /v showsuperhidden /t REG_DWORD /d 0 /f
                  6⤵
                  • Modifies visiblity of hidden/system files in Explorer
                  • Modifies registry key
                  PID:1256
                • C:\Windows\system32\reg.exe
                  reg add HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Advanced /v hidden /t REG_DWORD /d 0 /f
                  6⤵
                  • Modifies registry key
                  PID:684
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c reg query "HKEY_USERS"|find /i "\S-1-5-"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:652
                  • C:\Windows\system32\reg.exe
                    reg query "HKEY_USERS"
                    7⤵
                      PID:1844
                    • C:\Windows\system32\find.exe
                      find /i "\S-1-5-"
                      7⤵
                        PID:1044
                    • C:\Windows\system32\reg.exe
                      reg delete "HKEY_USERS\S-1-5-19\Software\Classes\Interface\{24C6680A-2378-200A-21BE-26C09F4CAAF5}" /f
                      6⤵
                        PID:812
                      • C:\Windows\system32\reg.exe
                        reg delete "HKEY_USERS\S-1-5-20\Software\Classes\Interface\{24C6680A-2378-200A-21BE-26C09F4CAAF5}" /f
                        6⤵
                          PID:1596
                        • C:\Windows\system32\reg.exe
                          reg delete "HKEY_USERS\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Classes\Interface\{24C6680A-2378-200A-21BE-26C09F4CAAF5}" /f
                          6⤵
                            PID:528
                          • C:\Windows\system32\reg.exe
                            reg delete "HKEY_USERS\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Software\Classes\Interface\{24C6680A-2378-200A-21BE-26C09F4CAAF5}" /f
                            6⤵
                              PID:1756
                            • C:\Windows\system32\reg.exe
                              reg delete "HKEY_USERS\S-1-5-18\Software\Classes\Interface\{24C6680A-2378-200A-21BE-26C09F4CAAF5}" /f
                              6⤵
                                PID:968

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Hidden Files and Directories

                    1
                    T1158

                    Privilege Escalation

                    Defense Evasion

                    Hidden Files and Directories

                    1
                    T1158

                    Modify Registry

                    3
                    T1112

                    Credential Access

                    Discovery

                    System Information Discovery

                    1
                    T1082

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\0Y7795XX.cmd
                      Filesize

                      1KB

                      MD5

                      4259ed610d43ff260feb6de379ceb836

                      SHA1

                      797602b586e49a07653eb0977ad303f2250f3634

                      SHA256

                      cd9004d399fc0bf8b987564cd94340fb8aba91c3d631e54cd2d6f9da82969f6c

                      SHA512

                      79c835e25928cc2d4298d5c3ff27eda9156087cc169574d9b169a3ce2763e8abdda842851a3fd8657259ac8a153de250e0d3aa8ebb36f3315c37fd73e2141cf1

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\455H0QTV.cmd
                      Filesize

                      1KB

                      MD5

                      4259ed610d43ff260feb6de379ceb836

                      SHA1

                      797602b586e49a07653eb0977ad303f2250f3634

                      SHA256

                      cd9004d399fc0bf8b987564cd94340fb8aba91c3d631e54cd2d6f9da82969f6c

                      SHA512

                      79c835e25928cc2d4298d5c3ff27eda9156087cc169574d9b169a3ce2763e8abdda842851a3fd8657259ac8a153de250e0d3aa8ebb36f3315c37fd73e2141cf1

                      Download Submit
                    • memory/528-70-0x0000000000000000-mapping.dmp
                      Download
                    • memory/652-65-0x0000000000000000-mapping.dmp
                      Download
                    • memory/668-54-0x0000000000000000-mapping.dmp
                      Download
                    • memory/684-64-0x0000000000000000-mapping.dmp
                      Download
                    • memory/812-68-0x0000000000000000-mapping.dmp
                      Download
                    • memory/968-72-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1044-67-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1048-60-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1256-63-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1456-56-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1596-69-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1756-71-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1844-66-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1928-58-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp
                      Filesize

                      8KB

                      Download
                    • memory/1928-57-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2000-62-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2036-59-0x0000000000000000-mapping.dmp
                      Download