Overview

overview

10

Static

static

兵河五四.exe

windows7-x64

10

兵河五四.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-09-2022 05:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    兵河五四.exe

  • Size

    83KB

  • MD5

    d95807b22dc5cf5d323bf18172915159

  • SHA1

    cdf4ca83655b8a695274f0f775e2bf0d50923b0f

  • SHA256

    25d9443bf5cbec1449ec6bdee3c638ae3f1a61591af213d0c50e352010389538

  • SHA512

    08a3d5833e0808bb6d1e851eb2a6a097b050c448d043acb1813bcff4da3ee5f23884ea6a0a4a30a60a38ce3a7663e44d309ed2048622d9ce3a3bb076949b6435

  • SSDEEP

    1536:GAT7zA8QK45RlbKxGoy90tytopnpO5JXsEI:GATtQdtKKitaopnpmI

Score
10/10
evasion

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\兵河五四.exe
    "C:\Users\Admin\AppData\Local\Temp\兵河五四.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAL9H1AC.cmd" "C:\Users\Admin\AppData\Local\Temp\兵河五四.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\system32\mode.com
        mode con: cols=65 lines=25
        3⤵
          PID:2512
        • C:\Windows\system32\mshta.exe
          mshta vbscript:createobject("shell.application").shellexecute("""C:\Users\Admin\AppData\Local\Temp\兵河五四.exe""","::",,"runas",1)(window.close)
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4912
          • C:\Users\Admin\AppData\Local\Temp\兵河五四.exe
            "C:\Users\Admin\AppData\Local\Temp\兵河五四.exe" ::
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4792
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8MEN1O3K.cmd" "C:\Users\Admin\AppData\Local\Temp\兵河五四.exe" ::"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3540
              • C:\Windows\system32\mode.com
                mode con: cols=65 lines=25
                6⤵
                  PID:1708
                • C:\Windows\system32\reg.exe
                  reg add HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Advanced /v showsuperhidden /t REG_DWORD /d 0 /f
                  6⤵
                  • Modifies visiblity of hidden/system files in Explorer
                  • Modifies registry key
                  PID:3432
                • C:\Windows\system32\reg.exe
                  reg add HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Advanced /v hidden /t REG_DWORD /d 0 /f
                  6⤵
                  • Modifies registry key
                  PID:4744
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c reg query "HKEY_USERS"|find /i "\S-1-5-"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1344
                  • C:\Windows\system32\reg.exe
                    reg query "HKEY_USERS"
                    7⤵
                      PID:3836
                    • C:\Windows\system32\find.exe
                      find /i "\S-1-5-"
                      7⤵
                        PID:2064
                    • C:\Windows\system32\reg.exe
                      reg delete "HKEY_USERS\S-1-5-19\Software\Classes\Interface\{24C6680A-2378-200A-21BE-26C09F4CAAF5}" /f
                      6⤵
                        PID:2596
                      • C:\Windows\system32\reg.exe
                        reg delete "HKEY_USERS\S-1-5-20\Software\Classes\Interface\{24C6680A-2378-200A-21BE-26C09F4CAAF5}" /f
                        6⤵
                          PID:3136
                        • C:\Windows\system32\reg.exe
                          reg delete "HKEY_USERS\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Classes\Interface\{24C6680A-2378-200A-21BE-26C09F4CAAF5}" /f
                          6⤵
                            PID:4112
                          • C:\Windows\system32\reg.exe
                            reg delete "HKEY_USERS\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Software\Classes\Interface\{24C6680A-2378-200A-21BE-26C09F4CAAF5}" /f
                            6⤵
                              PID:344
                            • C:\Windows\system32\reg.exe
                              reg delete "HKEY_USERS\S-1-5-18\Software\Classes\Interface\{24C6680A-2378-200A-21BE-26C09F4CAAF5}" /f
                              6⤵
                                PID:204

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Hidden Files and Directories

                    1
                    T1158

                    Privilege Escalation

                    Defense Evasion

                    Hidden Files and Directories

                    1
                    T1158

                    Modify Registry

                    2
                    T1112

                    Credential Access

                    Discovery

                    Query Registry

                    1
                    T1012

                    System Information Discovery

                    2
                    T1082

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\8MEN1O3K.cmd
                      Filesize

                      1KB

                      MD5

                      4259ed610d43ff260feb6de379ceb836

                      SHA1

                      797602b586e49a07653eb0977ad303f2250f3634

                      SHA256

                      cd9004d399fc0bf8b987564cd94340fb8aba91c3d631e54cd2d6f9da82969f6c

                      SHA512

                      79c835e25928cc2d4298d5c3ff27eda9156087cc169574d9b169a3ce2763e8abdda842851a3fd8657259ac8a153de250e0d3aa8ebb36f3315c37fd73e2141cf1

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\CAL9H1AC.cmd
                      Filesize

                      1KB

                      MD5

                      4259ed610d43ff260feb6de379ceb836

                      SHA1

                      797602b586e49a07653eb0977ad303f2250f3634

                      SHA256

                      cd9004d399fc0bf8b987564cd94340fb8aba91c3d631e54cd2d6f9da82969f6c

                      SHA512

                      79c835e25928cc2d4298d5c3ff27eda9156087cc169574d9b169a3ce2763e8abdda842851a3fd8657259ac8a153de250e0d3aa8ebb36f3315c37fd73e2141cf1

                      Download Submit
                    • memory/204-150-0x0000000000000000-mapping.dmp
                      Download
                    • memory/344-149-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1344-143-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1708-140-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1928-132-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2064-145-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2512-134-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2596-146-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3136-147-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3432-141-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3540-138-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3836-144-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4112-148-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4744-142-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4792-137-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4912-135-0x0000000000000000-mapping.dmp
                      Download