Analysis
-
max time kernel
154s -
max time network
83s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
02/10/2022, 22:04
General
-
Target
0d6474856eebb3ec9eb9f184f478a8aefd555518a3b4ea289a61405d89b0dbe8.exe
-
Size
196KB
-
MD5
659aa7d6112b55a836a6af08b70423cc
-
SHA1
4b035149848517a47a07ebb2f055bb0daf21b0a6
-
SHA256
0d6474856eebb3ec9eb9f184f478a8aefd555518a3b4ea289a61405d89b0dbe8
-
SHA512
50474498f8cc73ae7ee85bcb8c6f1949179f572d3d468498d369d054c06fec4a917a94df7b45f0eb1e84fae338858f47fbd7e7998774d2b5f7f2f23fd658da62
-
SSDEEP
1536:RvQJyBgIWoPwVXL0LzyFf4kbal/PnVPs9hO16RCpc8MiWVWv7tEOPd5/Frd9cqCH:q0gIWoUwLmLGPs9v3Wv7FPdvJVyl3lJ
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 12 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d6474856eebb3ec9eb9f184f478a8aefd555518a3b4ea289a61405d89b0dbe8.exe"C:\Users\Admin\AppData\Local\Temp\0d6474856eebb3ec9eb9f184f478a8aefd555518a3b4ea289a61405d89b0dbe8.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Rundll32.exeRundll32 C:\Windows\system32\rqbjmw.dll Exxcute3⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop WinDefend4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc5⤵
-
-
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc stop ZhuDongFangYu4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc delete 360rp4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc stop 360rp4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc delete ZhuDongFangYu4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" stop PolicyAgent4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\Rundll32.exeRundll32 C:\Windows\system32\oplwqx.dll Exucute3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\0d6474856eebb3ec9eb9f184f478a8aefd555518a3b4ea289a61405d89b0dbe8.exeC:\Users\Admin\AppData\Local\Temp\0d6474856eebb3ec9eb9f184f478a8aefd555518a3b4ea289a61405d89b0dbe8.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
MD51dbc417928fb253236d9c759662ddffc
SHA13207e750a7e813122d14e40e5d6250971be0213c
SHA25663f129eec6d284298420892776c41b6ad88c1c5a0cae79fa5ee6fa3ab1acc0f8
SHA5125e90fdb51b521cd6d6fadfe7fd2d0a6baf16691f680f138cda2f2e94b6ac847b53ad63322d58577ab963db1b66df4195891f9edb1b99047b5052365e9b202473
-
Filesize
22KB
MD5f12c28f2a2114ec3de5f8f8f3016d0e7
SHA1222cf179a1c166b9ac7edd1764cbf13ad2bbcff3
SHA25637ce328a0c04a5de1606a55088abf71abc0c86fcd113bdc3f1956b3d1882130b
SHA512975c5eeb1ceca48cac01d05649991c5b4160c6970a93f1c8c3a38c3f29345023ffa5b95c4f0f86be6fa431ab98ce25116234dd7eeda5f80bd7e035317eba32cf
-
Filesize
75KB
MD5d15bce781b57100f494bde31dd457b0d
SHA174cbb52c3a6158c1212fa768a976c4e37d8027c8
SHA256fe79071c980d755d6fb1d920cb6502285b452fecedafddded7fba078fd849d0f
SHA51284d98b3b74de99bf2e169dd8d117427cb4fc783b509f3ec53e68b01cea7d98029359243a8b31947a0676af480aba3169a1ff1e25ff031815b710579b7411229a
-
Filesize
140KB
MD5573f07e84c503c1139a346d99d7ab876
SHA1a81a5477710cf93e67fc6cd46a2846f7c7290a0d
SHA256d2af0696b318e78b7cb7560ecfe99fce7efd7bd0e2568f439074431c34bb3ecf
SHA51262b9257693ea2d937c1d1bc6aeb8886e8471cdadbb2afd14118de248e39bef3f8315c3196178ea2a60b386bf0ff78f9bc971f54f3984938aca660eaa78797249
-
Filesize
140KB
MD5573f07e84c503c1139a346d99d7ab876
SHA1a81a5477710cf93e67fc6cd46a2846f7c7290a0d
SHA256d2af0696b318e78b7cb7560ecfe99fce7efd7bd0e2568f439074431c34bb3ecf
SHA51262b9257693ea2d937c1d1bc6aeb8886e8471cdadbb2afd14118de248e39bef3f8315c3196178ea2a60b386bf0ff78f9bc971f54f3984938aca660eaa78797249
-
Filesize
48KB
MD51dbc417928fb253236d9c759662ddffc
SHA13207e750a7e813122d14e40e5d6250971be0213c
SHA25663f129eec6d284298420892776c41b6ad88c1c5a0cae79fa5ee6fa3ab1acc0f8
SHA5125e90fdb51b521cd6d6fadfe7fd2d0a6baf16691f680f138cda2f2e94b6ac847b53ad63322d58577ab963db1b66df4195891f9edb1b99047b5052365e9b202473
-
Filesize
1.7MB
MD5b5eb5bd3066959611e1f7a80fd6cc172
SHA16fb1532059212c840737b3f923a9c0b152c0887a
SHA2561ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc
SHA5126c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6
-
Filesize
22KB
MD5f12c28f2a2114ec3de5f8f8f3016d0e7
SHA1222cf179a1c166b9ac7edd1764cbf13ad2bbcff3
SHA25637ce328a0c04a5de1606a55088abf71abc0c86fcd113bdc3f1956b3d1882130b
SHA512975c5eeb1ceca48cac01d05649991c5b4160c6970a93f1c8c3a38c3f29345023ffa5b95c4f0f86be6fa431ab98ce25116234dd7eeda5f80bd7e035317eba32cf
-
Filesize
22KB
MD5f12c28f2a2114ec3de5f8f8f3016d0e7
SHA1222cf179a1c166b9ac7edd1764cbf13ad2bbcff3
SHA25637ce328a0c04a5de1606a55088abf71abc0c86fcd113bdc3f1956b3d1882130b
SHA512975c5eeb1ceca48cac01d05649991c5b4160c6970a93f1c8c3a38c3f29345023ffa5b95c4f0f86be6fa431ab98ce25116234dd7eeda5f80bd7e035317eba32cf
-
Filesize
22KB
MD5f12c28f2a2114ec3de5f8f8f3016d0e7
SHA1222cf179a1c166b9ac7edd1764cbf13ad2bbcff3
SHA25637ce328a0c04a5de1606a55088abf71abc0c86fcd113bdc3f1956b3d1882130b
SHA512975c5eeb1ceca48cac01d05649991c5b4160c6970a93f1c8c3a38c3f29345023ffa5b95c4f0f86be6fa431ab98ce25116234dd7eeda5f80bd7e035317eba32cf
-
Filesize
22KB
MD5f12c28f2a2114ec3de5f8f8f3016d0e7
SHA1222cf179a1c166b9ac7edd1764cbf13ad2bbcff3
SHA25637ce328a0c04a5de1606a55088abf71abc0c86fcd113bdc3f1956b3d1882130b
SHA512975c5eeb1ceca48cac01d05649991c5b4160c6970a93f1c8c3a38c3f29345023ffa5b95c4f0f86be6fa431ab98ce25116234dd7eeda5f80bd7e035317eba32cf
-
Filesize
75KB
MD5d15bce781b57100f494bde31dd457b0d
SHA174cbb52c3a6158c1212fa768a976c4e37d8027c8
SHA256fe79071c980d755d6fb1d920cb6502285b452fecedafddded7fba078fd849d0f
SHA51284d98b3b74de99bf2e169dd8d117427cb4fc783b509f3ec53e68b01cea7d98029359243a8b31947a0676af480aba3169a1ff1e25ff031815b710579b7411229a
-
Filesize
75KB
MD5d15bce781b57100f494bde31dd457b0d
SHA174cbb52c3a6158c1212fa768a976c4e37d8027c8
SHA256fe79071c980d755d6fb1d920cb6502285b452fecedafddded7fba078fd849d0f
SHA51284d98b3b74de99bf2e169dd8d117427cb4fc783b509f3ec53e68b01cea7d98029359243a8b31947a0676af480aba3169a1ff1e25ff031815b710579b7411229a
-
Filesize
75KB
MD5d15bce781b57100f494bde31dd457b0d
SHA174cbb52c3a6158c1212fa768a976c4e37d8027c8
SHA256fe79071c980d755d6fb1d920cb6502285b452fecedafddded7fba078fd849d0f
SHA51284d98b3b74de99bf2e169dd8d117427cb4fc783b509f3ec53e68b01cea7d98029359243a8b31947a0676af480aba3169a1ff1e25ff031815b710579b7411229a
-
Filesize
75KB
MD5d15bce781b57100f494bde31dd457b0d
SHA174cbb52c3a6158c1212fa768a976c4e37d8027c8
SHA256fe79071c980d755d6fb1d920cb6502285b452fecedafddded7fba078fd849d0f
SHA51284d98b3b74de99bf2e169dd8d117427cb4fc783b509f3ec53e68b01cea7d98029359243a8b31947a0676af480aba3169a1ff1e25ff031815b710579b7411229a
-
Filesize
140KB
MD5573f07e84c503c1139a346d99d7ab876
SHA1a81a5477710cf93e67fc6cd46a2846f7c7290a0d
SHA256d2af0696b318e78b7cb7560ecfe99fce7efd7bd0e2568f439074431c34bb3ecf
SHA51262b9257693ea2d937c1d1bc6aeb8886e8471cdadbb2afd14118de248e39bef3f8315c3196178ea2a60b386bf0ff78f9bc971f54f3984938aca660eaa78797249
-
Filesize
140KB
MD5573f07e84c503c1139a346d99d7ab876
SHA1a81a5477710cf93e67fc6cd46a2846f7c7290a0d
SHA256d2af0696b318e78b7cb7560ecfe99fce7efd7bd0e2568f439074431c34bb3ecf
SHA51262b9257693ea2d937c1d1bc6aeb8886e8471cdadbb2afd14118de248e39bef3f8315c3196178ea2a60b386bf0ff78f9bc971f54f3984938aca660eaa78797249
-
Filesize
8KB
-
Filesize
200KB