Analysis
-
max time kernel
90s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted
01-10-2022 13:08
Static task
static1
Behavioral task
behavioral1
Sample
点击安装(飞机)简体中文语言包_v34.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
点击安装(飞机)简体中文语言包_v34.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
英文客户基本聊天用语4d.exe
Resource
win7-20220901-en
Behavioral task
behavioral4
Sample
英文客户基本聊天用语4d.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
话术大全@88.exe
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
话术大全@88.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
资金盘切客前的裂变话术@.exe
Resource
win7-20220901-en
General
-
Target
英文客户基本聊天用语4d.exe
-
Size
288KB
-
MD5
6dd50e46cde774f81c2d9c2f1dd53286
-
SHA1
ed289db14f1ed2b49befbbde6d50d577c9f00270
-
SHA256
827a9591ae0e0c65c759b2f38aeea2d112bedf1317e2f577d4c4ff800f3468f1
-
SHA512
a759f889023cd730f6def0da96ff7eabf5c55565aff417327a96120dd52891ff771fabbc2fd70e298ab41cb4f84e1d63cbff941f02f2febc442265f841c39373
-
SSDEEP
6144:VFSaxPyF+czKRd6/fTZO4NHbjz7/7ssEPc:VF7xPe+c+ROTTNHblEPc
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pid process
2508 unzip.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 英文客户基本聊天用语4d.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 英文客户基本聊天用语4d.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid process
1232 英文客户基本聊天用语4d.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description pid process target process
PID 1232 wrote to memory of 2508 1232 英文客户基本聊天用语4d.exe unzip.exe
PID 1232 wrote to memory of 2508 1232 英文客户基本聊天用语4d.exe unzip.exe
PID 1232 wrote to memory of 2508 1232 英文客户基本聊天用语4d.exe unzip.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\英文客户基本聊天用语4d.exe
"C:\Users\Admin\AppData\Local\Temp\英文客户基本聊天用语4d.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\unzip.exe
"C:\Users\Public\Documents\unzip.exe" -o 1.zip
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\Documents\1.zip
Filesize
2.2MB
MD5
c376152b898dea84a4cd36c60b46abcc
SHA1
6794441e6c61caee63400a496cefef9211eedd3b
SHA256
de8f45d56d0ff34705ec98918888af3f6b0f445ee0bb14d4791b15d8f8e3a561
SHA512
430e8e1039a17cacfb5ad9f23d2fad6785dc34b08110961092d197d2a7e2439a898342e4cffe91fdc05a6861d187acc207a31848f68b8554d024972761ba5712
-
C:\Users\Public\Documents\unzip.exe
Filesize
327KB
MD5
de5892706deb04e581ca0c4f8ac965ca
SHA1
1f5e413ab776904880a66f19c2c06f4b0b0c0e6f
SHA256
87c7ae15ed344aeb466f7bc10bbe3feadbe29531d44dc707aea9b293a16a153b
SHA512
6f691da7d730ecca9041a8590658a3e616afe20376058c1ef5a118c7f539e35dc5b8df7c45971276075f7260e695f41ea8963aa9510f3e73b274df74186c5e43
-
memory/2508-132-0x0000000000000000-mapping.dmp