Analysis
max time kernel: 91s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-09-2022 05:42
Static task: static1
Behavioral task: behavioral1
  Sample: 兵河五四.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 兵河五四.exe
  Resource: win10v2004-20220812-en
General
Target: 兵河五四.exe
Size: 83KB
MD5: d95807b22dc5cf5d323bf18172915159
SHA1: cdf4ca83655b8a695274f0f775e2bf0d50923b0f
SHA256: 25d9443bf5cbec1449ec6bdee3c638ae3f1a61591af213d0c50e352010389538
SHA512: 08a3d5833e0808bb6d1e851eb2a6a097b050c448d043acb1813bcff4da3ee5f23884ea6a0a4a30a60a38ce3a7663e44d309ed2048622d9ce3a3bb076949b6435
SSDEEP: 1536:GAT7zA8QK45RlbKxGoy90tytopnpO5JXsEI:GATtQdtKKitaopnpmI
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  Processes:
  reg.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\showsuperhidden = "0"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  mshta.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry key (1 TTPs, 2 IoCs)
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes: 兵河五四.exe, cmd.exe, mshta.exe, 兵河五四.exe, cmd.exe, cmd.exe
  Source PID (process) -> target PID (target process):
  1932 (兵河五四.exe) wrote to memory of 1928 (cmd.exe)
  1932 (兵河五四.exe) wrote to memory of 1928 (cmd.exe)
  1928 (cmd.exe) wrote to memory of 2512 (mode.com)
  1928 (cmd.exe) wrote to memory of 2512 (mode.com)
  1928 (cmd.exe) wrote to memory of 4912 (mshta.exe)
  1928 (cmd.exe) wrote to memory of 4912 (mshta.exe)
  4912 (mshta.exe) wrote to memory of 4792 (兵河五四.exe)
  4912 (mshta.exe) wrote to memory of 4792 (兵河五四.exe)
  4792 (兵河五四.exe) wrote to memory of 3540 (cmd.exe)
  4792 (兵河五四.exe) wrote to memory of 3540 (cmd.exe)
  3540 (cmd.exe) wrote to memory of 1708 (mode.com)
  3540 (cmd.exe) wrote to memory of 1708 (mode.com)
  3540 (cmd.exe) wrote to memory of 3432 (reg.exe)
  3540 (cmd.exe) wrote to memory of 3432 (reg.exe)
  3540 (cmd.exe) wrote to memory of 4744 (reg.exe)
  3540 (cmd.exe) wrote to memory of 4744 (reg.exe)
  3540 (cmd.exe) wrote to memory of 1344 (cmd.exe)
  3540 (cmd.exe) wrote to memory of 1344 (cmd.exe)
  1344 (cmd.exe) wrote to memory of 3836 (reg.exe)
  1344 (cmd.exe) wrote to memory of 3836 (reg.exe)
  1344 (cmd.exe) wrote to memory of 2064 (find.exe)
  1344 (cmd.exe) wrote to memory of 2064 (find.exe)
  3540 (cmd.exe) wrote to memory of 2596 (reg.exe)
  3540 (cmd.exe) wrote to memory of 2596 (reg.exe)
  3540 (cmd.exe) wrote to memory of 3136 (reg.exe)
  3540 (cmd.exe) wrote to memory of 3136 (reg.exe)
  3540 (cmd.exe) wrote to memory of 4112 (reg.exe)
  3540 (cmd.exe) wrote to memory of 4112 (reg.exe)
  3540 (cmd.exe) wrote to memory of 344 (reg.exe)
  3540 (cmd.exe) wrote to memory of 344 (reg.exe)
  3540 (cmd.exe) wrote to memory of 204 (reg.exe)
  3540 (cmd.exe) wrote to memory of 204 (reg.exe)
Processes (number in brackets is the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\兵河五四.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\兵河五四.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAL9H1AC.cmd" "C:\Users\Admin\AppData\Local\Temp\兵河五四.exe""
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\mode.com
        Command line: mode con: cols=65 lines=25
    [3] C:\Windows\system32\mshta.exe
        Command line: mshta vbscript:createobject("shell.application").shellexecute("""C:\Users\Admin\AppData\Local\Temp\兵河五四.exe""","::",,"runas",1)(window.close)
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\兵河五四.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\兵河五四.exe" ::
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SYSTEM32\cmd.exe
            Command line: cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8MEN1O3K.cmd" "C:\Users\Admin\AppData\Local\Temp\兵河五四.exe" ::"
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\mode.com
              Command line: mode con: cols=65 lines=25
          [6] C:\Windows\system32\reg.exe
              Command line: reg add HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Advanced /v showsuperhidden /t REG_DWORD /d 0 /f
              - Modifies visibility of hidden/system files in Explorer
              - Modifies registry key
          [6] C:\Windows\system32\reg.exe
              Command line: reg add HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Advanced /v hidden /t REG_DWORD /d 0 /f
              - Modifies registry key
          [6] C:\Windows\system32\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c reg query "HKEY_USERS"|find /i "\S-1-5-"
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\reg.exe
                Command line: reg query "HKEY_USERS"
            [7] C:\Windows\system32\find.exe
                Command line: find /i "\S-1-5-"
          [6] C:\Windows\system32\reg.exe
              Command line: reg delete "HKEY_USERS\S-1-5-19\Software\Classes\Interface\{24C6680A-2378-200A-21BE-26C09F4CAAF5}" /f
          [6] C:\Windows\system32\reg.exe
              Command line: reg delete "HKEY_USERS\S-1-5-20\Software\Classes\Interface\{24C6680A-2378-200A-21BE-26C09F4CAAF5}" /f
          [6] C:\Windows\system32\reg.exe
              Command line: reg delete "HKEY_USERS\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Classes\Interface\{24C6680A-2378-200A-21BE-26C09F4CAAF5}" /f
          [6] C:\Windows\system32\reg.exe
              Command line: reg delete "HKEY_USERS\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Software\Classes\Interface\{24C6680A-2378-200A-21BE-26C09F4CAAF5}" /f
          [6] C:\Windows\system32\reg.exe
              Command line: reg delete "HKEY_USERS\S-1-5-18\Software\Classes\Interface\{24C6680A-2378-200A-21BE-26C09F4CAAF5}" /f
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\8MEN1O3K.cmd
  Filesize: 1KB
  MD5: 4259ed610d43ff260feb6de379ceb836
  SHA1: 797602b586e49a07653eb0977ad303f2250f3634
  SHA256: cd9004d399fc0bf8b987564cd94340fb8aba91c3d631e54cd2d6f9da82969f6c
  SHA512: 79c835e25928cc2d4298d5c3ff27eda9156087cc169574d9b169a3ce2763e8abdda842851a3fd8657259ac8a153de250e0d3aa8ebb36f3315c37fd73e2141cf1
C:\Users\Admin\AppData\Local\Temp\CAL9H1AC.cmd
  Filesize: 1KB
  MD5: 4259ed610d43ff260feb6de379ceb836
  SHA1: 797602b586e49a07653eb0977ad303f2250f3634
  SHA256: cd9004d399fc0bf8b987564cd94340fb8aba91c3d631e54cd2d6f9da82969f6c
  SHA512: 79c835e25928cc2d4298d5c3ff27eda9156087cc169574d9b169a3ce2763e8abdda842851a3fd8657259ac8a153de250e0d3aa8ebb36f3315c37fd73e2141cf1