5f2d2046c126e49e308b4e452aabf04b6201edcf6a6bcdb9e0a927110434196c

Analysis

max time kernel
90s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2022 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

英文客户基本聊天用语4d.exe
Size

288KB
MD5

6dd50e46cde774f81c2d9c2f1dd53286
SHA1

ed289db14f1ed2b49befbbde6d50d577c9f00270
SHA256

827a9591ae0e0c65c759b2f38aeea2d112bedf1317e2f577d4c4ff800f3468f1
SHA512

a759f889023cd730f6def0da96ff7eabf5c55565aff417327a96120dd52891ff771fabbc2fd70e298ab41cb4f84e1d63cbff941f02f2febc442265f841c39373
SSDEEP

6144:VFSaxPyF+czKRd6/fTZO4NHbjz7/7ssEPc:VF7xPe+c+ROTTNHblEPc

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

unzip.exe

pid process

2508 unzip.exe

pid	process
2508	unzip.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

英文客户基本聊天用语4d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	英文客户基本聊天用语4d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

英文客户基本聊天用语4d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	英文客户基本聊天用语4d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

英文客户基本聊天用语4d.exe

pid process

1232 英文客户基本聊天用语4d.exe

pid	process
1232	英文客户基本聊天用语4d.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

英文客户基本聊天用语4d.exe

description	pid	process	target process
PID 1232 wrote to memory of 2508	1232	英文客户基本聊天用语4d.exe	unzip.exe
PID 1232 wrote to memory of 2508	1232	英文客户基本聊天用语4d.exe	unzip.exe
PID 1232 wrote to memory of 2508	1232	英文客户基本聊天用语4d.exe	unzip.exe

C:\Users\Admin\AppData\Local\Temp\英文客户基本聊天用语4d.exe
"C:\Users\Admin\AppData\Local\Temp\英文客户基本聊天用语4d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Public\Documents\unzip.exe
"C:\Users\Public\Documents\unzip.exe" -o 1.zip
2⤵
- Executes dropped EXE
PID:2508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\1.zip
Filesize
2.2MB

MD5
c376152b898dea84a4cd36c60b46abcc

SHA1
6794441e6c61caee63400a496cefef9211eedd3b

SHA256
de8f45d56d0ff34705ec98918888af3f6b0f445ee0bb14d4791b15d8f8e3a561

SHA512
430e8e1039a17cacfb5ad9f23d2fad6785dc34b08110961092d197d2a7e2439a898342e4cffe91fdc05a6861d187acc207a31848f68b8554d024972761ba5712

Download Submit
C:\Users\Public\Documents\unzip.exe
Filesize
327KB

MD5
de5892706deb04e581ca0c4f8ac965ca

SHA1
1f5e413ab776904880a66f19c2c06f4b0b0c0e6f

SHA256
87c7ae15ed344aeb466f7bc10bbe3feadbe29531d44dc707aea9b293a16a153b

SHA512
6f691da7d730ecca9041a8590658a3e616afe20376058c1ef5a118c7f539e35dc5b8df7c45971276075f7260e695f41ea8963aa9510f3e73b274df74186c5e43

Download Submit
C:\Users\Public\Documents\unzip.exe
Filesize
327KB

MD5
de5892706deb04e581ca0c4f8ac965ca

SHA1
1f5e413ab776904880a66f19c2c06f4b0b0c0e6f

SHA256
87c7ae15ed344aeb466f7bc10bbe3feadbe29531d44dc707aea9b293a16a153b

SHA512
6f691da7d730ecca9041a8590658a3e616afe20376058c1ef5a118c7f539e35dc5b8df7c45971276075f7260e695f41ea8963aa9510f3e73b274df74186c5e43

Download Submit
memory/2508-132-0x0000000000000000-mapping.dmp

Download