Overview

overview

8

Static

static

0d6474856e...e8.exe

windows7-x64

8

0d6474856e...e8.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2022, 22:04

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0d6474856eebb3ec9eb9f184f478a8aefd555518a3b4ea289a61405d89b0dbe8.exe

  • Size

    196KB

  • MD5

    659aa7d6112b55a836a6af08b70423cc

  • SHA1

    4b035149848517a47a07ebb2f055bb0daf21b0a6

  • SHA256

    0d6474856eebb3ec9eb9f184f478a8aefd555518a3b4ea289a61405d89b0dbe8

  • SHA512

    50474498f8cc73ae7ee85bcb8c6f1949179f572d3d468498d369d054c06fec4a917a94df7b45f0eb1e84fae338858f47fbd7e7998774d2b5f7f2f23fd658da62

  • SSDEEP

    1536:RvQJyBgIWoPwVXL0LzyFf4kbal/PnVPs9hO16RCpc8MiWVWv7tEOPd5/Frd9cqCH:q0gIWoUwLmLGPs9v3Wv7FPdvJVyl3lJ

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Launches sc.exe 7 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d6474856eebb3ec9eb9f184f478a8aefd555518a3b4ea289a61405d89b0dbe8.exe
    "C:\Users\Admin\AppData\Local\Temp\0d6474856eebb3ec9eb9f184f478a8aefd555518a3b4ea289a61405d89b0dbe8.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3752
    • C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\SysWOW64\Rundll32.exe
        Rundll32 C:\Windows\system32\lueoifaa.dll Exxcute
        3⤵
        • Checks computer location settings
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5076
        • C:\Windows\SysWOW64\net.exe
          net stop WinDefend
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5012
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop WinDefend
            5⤵
              PID:628
          • C:\Windows\SysWOW64\net.exe
            net stop MpsSvc
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4928
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop MpsSvc
              5⤵
                PID:2732
            • C:\Windows\SysWOW64\sc.exe
              sc config WinDefend start= disabled
              4⤵
              • Launches sc.exe
              PID:732
            • C:\Windows\SysWOW64\sc.exe
              sc stop ZhuDongFangYu
              4⤵
              • Launches sc.exe
              PID:808
            • C:\Windows\SysWOW64\sc.exe
              sc delete ZhuDongFangYu
              4⤵
              • Launches sc.exe
              PID:3556
            • C:\Windows\SysWOW64\sc.exe
              sc stop 360rp
              4⤵
              • Launches sc.exe
              PID:2076
            • C:\Windows\SysWOW64\sc.exe
              sc config MpsSvc start= disabled
              4⤵
              • Launches sc.exe
              PID:4784
            • C:\Windows\SysWOW64\sc.exe
              sc delete 360rp
              4⤵
              • Launches sc.exe
              PID:4568
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" stop PolicyAgent
              4⤵
              • Launches sc.exe
              PID:4488
          • C:\Windows\SysWOW64\Rundll32.exe
            Rundll32 C:\Windows\system32\mgrqifaa.dll Exucute
            3⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Adds Run key to start application
            • Enumerates connected drives
            • Suspicious behavior: EnumeratesProcesses
            PID:2492
        • C:\Users\Admin\AppData\Local\Temp\0d6474856eebb3ec9eb9f184f478a8aefd555518a3b4ea289a61405d89b0dbe8.exe
          C:\Users\Admin\AppData\Local\Temp\0d6474856eebb3ec9eb9f184f478a8aefd555518a3b4ea289a61405d89b0dbe8.exe
          2⤵
          • Executes dropped EXE
          PID:3984

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\0d6474856eebb3ec9eb9f184f478a8aefd555518a3b4ea289a61405d89b0dbe8.exe
              Filesize

              48KB

              MD5

              1dbc417928fb253236d9c759662ddffc

              SHA1

              3207e750a7e813122d14e40e5d6250971be0213c

              SHA256

              63f129eec6d284298420892776c41b6ad88c1c5a0cae79fa5ee6fa3ab1acc0f8

              SHA512

              5e90fdb51b521cd6d6fadfe7fd2d0a6baf16691f680f138cda2f2e94b6ac847b53ad63322d58577ab963db1b66df4195891f9edb1b99047b5052365e9b202473

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\C76B.tmp
              Filesize

              4.3MB

              MD5

              6c7cdd25c2cb0073306eb22aebfc663f

              SHA1

              a1eba8ab49272b9852fe6a543677e8af36271248

              SHA256

              58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

              SHA512

              17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

              Download Submit

            • C:\Windows\SysWOW64\lueoifaa.dll
              Filesize

              75KB

              MD5

              d15bce781b57100f494bde31dd457b0d

              SHA1

              74cbb52c3a6158c1212fa768a976c4e37d8027c8

              SHA256

              fe79071c980d755d6fb1d920cb6502285b452fecedafddded7fba078fd849d0f

              SHA512

              84d98b3b74de99bf2e169dd8d117427cb4fc783b509f3ec53e68b01cea7d98029359243a8b31947a0676af480aba3169a1ff1e25ff031815b710579b7411229a

              Download Submit

            • C:\Windows\SysWOW64\lueoifaa.dll
              Filesize

              75KB

              MD5

              d15bce781b57100f494bde31dd457b0d

              SHA1

              74cbb52c3a6158c1212fa768a976c4e37d8027c8

              SHA256

              fe79071c980d755d6fb1d920cb6502285b452fecedafddded7fba078fd849d0f

              SHA512

              84d98b3b74de99bf2e169dd8d117427cb4fc783b509f3ec53e68b01cea7d98029359243a8b31947a0676af480aba3169a1ff1e25ff031815b710579b7411229a

              Download Submit

            • C:\Windows\SysWOW64\mgrqifaa.dll
              Filesize

              22KB

              MD5

              f12c28f2a2114ec3de5f8f8f3016d0e7

              SHA1

              222cf179a1c166b9ac7edd1764cbf13ad2bbcff3

              SHA256

              37ce328a0c04a5de1606a55088abf71abc0c86fcd113bdc3f1956b3d1882130b

              SHA512

              975c5eeb1ceca48cac01d05649991c5b4160c6970a93f1c8c3a38c3f29345023ffa5b95c4f0f86be6fa431ab98ce25116234dd7eeda5f80bd7e035317eba32cf

              Download Submit

            • C:\Windows\SysWOW64\mgrqifaa.dll
              Filesize

              22KB

              MD5

              f12c28f2a2114ec3de5f8f8f3016d0e7

              SHA1

              222cf179a1c166b9ac7edd1764cbf13ad2bbcff3

              SHA256

              37ce328a0c04a5de1606a55088abf71abc0c86fcd113bdc3f1956b3d1882130b

              SHA512

              975c5eeb1ceca48cac01d05649991c5b4160c6970a93f1c8c3a38c3f29345023ffa5b95c4f0f86be6fa431ab98ce25116234dd7eeda5f80bd7e035317eba32cf

              Download Submit

            • C:\Windows\SysWOW64\system.exe
              Filesize

              140KB

              MD5

              573f07e84c503c1139a346d99d7ab876

              SHA1

              a81a5477710cf93e67fc6cd46a2846f7c7290a0d

              SHA256

              d2af0696b318e78b7cb7560ecfe99fce7efd7bd0e2568f439074431c34bb3ecf

              SHA512

              62b9257693ea2d937c1d1bc6aeb8886e8471cdadbb2afd14118de248e39bef3f8315c3196178ea2a60b386bf0ff78f9bc971f54f3984938aca660eaa78797249

              Download Submit

            • C:\Windows\SysWOW64\system.exe
              Filesize

              140KB

              MD5

              573f07e84c503c1139a346d99d7ab876

              SHA1

              a81a5477710cf93e67fc6cd46a2846f7c7290a0d

              SHA256

              d2af0696b318e78b7cb7560ecfe99fce7efd7bd0e2568f439074431c34bb3ecf

              SHA512

              62b9257693ea2d937c1d1bc6aeb8886e8471cdadbb2afd14118de248e39bef3f8315c3196178ea2a60b386bf0ff78f9bc971f54f3984938aca660eaa78797249

              Download Submit

            • memory/3752-140-0x0000000000400000-0x0000000000432000-memory.dmp

              Filesize

              200KB

              Download