630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6

Analysis

max time kernel
151s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe
Size

388KB
MD5

66d80e9a14fc25dcc2e0973053c41380
SHA1

bb0f2a226a47a042b9cac18d7a85b5133cb9094c
SHA256

630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6
SHA512

04e60b3b2576543a9a82cd9b501455e2199bf77f936992c9262aa527278193bda34d3915ab0e619049cbd7ad01c8acbc7a016870b2de275c6361fd976e3ad447
SSDEEP

3072:HQRCawi04RcJQPf+CtfOCQCJH1kaYZDAZ7CzeMQQ2GX4GsC6/vbgV3VqKPIktlAd:HwiwfYZ47Me0TxsCeveQKsN0pLXJVQt

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1812	system.exe
1692	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 12 IoCs

pid	Process
1612	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe
1612	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe
1868	Rundll32.exe
1868	Rundll32.exe
1868	Rundll32.exe
1868	Rundll32.exe
1380	Rundll32.exe
1380	Rundll32.exe
1380	Rundll32.exe
1380	Rundll32.exe
1380	Rundll32.exe
1612	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe
File created	C:\Windows\SysWOW64\kuxeox.dll	system.exe
File created	C:\Windows\SysWOW64\qqxjpx.dll	system.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\AAV\CDriver.sys	Rundll32.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2040	sc.exe
904	sc.exe
860	sc.exe
1992	sc.exe
1204	sc.exe
1092	sc.exe
2004	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1868	Rundll32.exe
1868	Rundll32.exe
1868	Rundll32.exe
1868	Rundll32.exe
1868	Rundll32.exe
1868	Rundll32.exe
1868	Rundll32.exe
1380	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1612	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1692	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1812	1612	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe	26
PID 1612 wrote to memory of 1812	1612	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe	26
PID 1612 wrote to memory of 1812	1612	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe	26
PID 1612 wrote to memory of 1812	1612	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe	26
PID 1812 wrote to memory of 1868	1812	system.exe	27
PID 1812 wrote to memory of 1868	1812	system.exe	27
PID 1812 wrote to memory of 1868	1812	system.exe	27
PID 1812 wrote to memory of 1868	1812	system.exe	27
PID 1812 wrote to memory of 1868	1812	system.exe	27
PID 1812 wrote to memory of 1868	1812	system.exe	27
PID 1812 wrote to memory of 1868	1812	system.exe	27
PID 1868 wrote to memory of 1528	1868	Rundll32.exe	28
PID 1868 wrote to memory of 1528	1868	Rundll32.exe	28
PID 1868 wrote to memory of 1528	1868	Rundll32.exe	28
PID 1868 wrote to memory of 1528	1868	Rundll32.exe	28
PID 1868 wrote to memory of 940	1868	Rundll32.exe	29
PID 1868 wrote to memory of 940	1868	Rundll32.exe	29
PID 1868 wrote to memory of 940	1868	Rundll32.exe	29
PID 1868 wrote to memory of 940	1868	Rundll32.exe	29
PID 1868 wrote to memory of 1204	1868	Rundll32.exe	32
PID 1868 wrote to memory of 1204	1868	Rundll32.exe	32
PID 1868 wrote to memory of 1204	1868	Rundll32.exe	32
PID 1868 wrote to memory of 1204	1868	Rundll32.exe	32
PID 1868 wrote to memory of 1092	1868	Rundll32.exe	34
PID 1868 wrote to memory of 1092	1868	Rundll32.exe	34
PID 1868 wrote to memory of 1092	1868	Rundll32.exe	34
PID 1868 wrote to memory of 1092	1868	Rundll32.exe	34
PID 1868 wrote to memory of 2004	1868	Rundll32.exe	36
PID 1868 wrote to memory of 2004	1868	Rundll32.exe	36
PID 1868 wrote to memory of 2004	1868	Rundll32.exe	36
PID 1868 wrote to memory of 2004	1868	Rundll32.exe	36
PID 1868 wrote to memory of 860	1868	Rundll32.exe	42
PID 1868 wrote to memory of 860	1868	Rundll32.exe	42
PID 1868 wrote to memory of 860	1868	Rundll32.exe	42
PID 1868 wrote to memory of 860	1868	Rundll32.exe	42
PID 1868 wrote to memory of 904	1868	Rundll32.exe	41
PID 1868 wrote to memory of 904	1868	Rundll32.exe	41
PID 1868 wrote to memory of 904	1868	Rundll32.exe	41
PID 1868 wrote to memory of 904	1868	Rundll32.exe	41
PID 1868 wrote to memory of 2040	1868	Rundll32.exe	39
PID 1868 wrote to memory of 2040	1868	Rundll32.exe	39
PID 1868 wrote to memory of 2040	1868	Rundll32.exe	39
PID 1868 wrote to memory of 2040	1868	Rundll32.exe	39
PID 1868 wrote to memory of 1612	1868	Rundll32.exe	25
PID 1868 wrote to memory of 1612	1868	Rundll32.exe	25
PID 1868 wrote to memory of 1812	1868	Rundll32.exe	26
PID 1868 wrote to memory of 1812	1868	Rundll32.exe	26
PID 1868 wrote to memory of 1528	1868	Rundll32.exe	28
PID 1868 wrote to memory of 1528	1868	Rundll32.exe	28
PID 1868 wrote to memory of 940	1868	Rundll32.exe	29
PID 1868 wrote to memory of 940	1868	Rundll32.exe	29
PID 1868 wrote to memory of 1204	1868	Rundll32.exe	32
PID 1868 wrote to memory of 1204	1868	Rundll32.exe	32
PID 1868 wrote to memory of 1092	1868	Rundll32.exe	34
PID 1868 wrote to memory of 1092	1868	Rundll32.exe	34
PID 1868 wrote to memory of 2004	1868	Rundll32.exe	36
PID 1868 wrote to memory of 2004	1868	Rundll32.exe	36
PID 1868 wrote to memory of 860	1868	Rundll32.exe	42
PID 1868 wrote to memory of 860	1868	Rundll32.exe	42
PID 1868 wrote to memory of 2040	1868	Rundll32.exe	39
PID 1868 wrote to memory of 2040	1868	Rundll32.exe	39
PID 940 wrote to memory of 1408	940	net.exe	44
PID 940 wrote to memory of 1408	940	net.exe	44
PID 940 wrote to memory of 1408	940	net.exe	44

C:\Users\Admin\AppData\Local\Temp\630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe
"C:\Users\Admin\AppData\Local\Temp\630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\kuxeox.dll Exbcute
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\SysWOW64\net.exe
      net stop WinDefend
      4⤵
      PID:1528
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WinDefend
        5⤵
        
        PID:1232
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        5⤵
        
        PID:1408
  - - C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:1204
  - - C:\Windows\SysWOW64\sc.exe
      sc config MpsSvc start= disabled
      4⤵
      Launches sc.exe
      PID:1092
  - - C:\Windows\SysWOW64\sc.exe
      sc stop ZhuDongFangYu
      4⤵
      Launches sc.exe
      PID:2004
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360rp
      4⤵
      Launches sc.exe
      PID:2040
  - - C:\Windows\SysWOW64\sc.exe
      sc stop 360rp
      4⤵
      Launches sc.exe
      PID:904
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ZhuDongFangYu
      4⤵
      Launches sc.exe
      PID:860
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" stop PolicyAgent
      4⤵
      Launches sc.exe
      PID:1992
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\qqxjpx.dll Exbcute
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID:1380
- C:\Users\Admin\AppData\Local\Temp\630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe
  C:\Users\Admin\AppData\Local\Temp\630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe

Filesize
236KB

MD5
d3f68a63420e039f1c2bbf745b728657

SHA1
84336e472aca29e3ee9abc503488ed14c303ec76

SHA256
9eb2f6e8085318bf96b28bcf6e66ed342dcf06d0d38cf39b562b24b1c175a154

SHA512
23dc998cad93a1a32888e2d2bf235f18d0609133f0acc13e5caa5c0ce671c466cb2bce3540f37e0b5008089e2f1a3bf003ea941144f692452d1041eaad4af258

Download Submit
C:\Windows\SysWOW64\kuxeox.dll

Filesize
76KB

MD5
ca776bc0819d2b0f881a9b7604179b95

SHA1
9e5b4780724f21ff37a304b32160e22c5a2ec07c

SHA256
630eeb664f38a4e6c9ec48e94306d76db364222ba003b89a42a84ee85dec86b5

SHA512
bd18126d4fb75b96ef412d6a87b33fa90e4053fd2b2b6e644a45c136c72163d38c8cd4086ac5bf47fd814cdec1046dc6d2cc300af2d8f69b339fc216e0705031

Download Submit
C:\Windows\SysWOW64\qqxjpx.dll

Filesize
23KB

MD5
2466c49d6177df75c3abf241561047e6

SHA1
5a6926f977ef390efa3b51fe6ce41ce9a9f36d51

SHA256
bdc5a2378da7ee275161ca3433f966445ab519b49bb2b7f9ee5ecef80b8affaa

SHA512
b830aac9e85e8c96d59e7efdb43994c5197e9fa76b1809dd6cd832748e11cf77be198ef4362c94d0652d7ca833227e7e2c1017559ede5673ca65e85e46e42e11

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
144KB

MD5
58348b85711250c0af2176f5dc7257bf

SHA1
1a224e41faff19a5e91ed0a75d9bf85fdcef4b40

SHA256
002b5aaaa2c08b770db90a99062a47197eafcdd0d32c1358a23b8b0c4e4e981d

SHA512
beb254eebfb9321b568e8a3c6da0c55e7132e7d64f27d98f5064c5e88c57fc7d57a961149a6959b61e4dca1348caef157d90b758db57e35fa205d2a63c10af4f

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
144KB

MD5
58348b85711250c0af2176f5dc7257bf

SHA1
1a224e41faff19a5e91ed0a75d9bf85fdcef4b40

SHA256
002b5aaaa2c08b770db90a99062a47197eafcdd0d32c1358a23b8b0c4e4e981d

SHA512
beb254eebfb9321b568e8a3c6da0c55e7132e7d64f27d98f5064c5e88c57fc7d57a961149a6959b61e4dca1348caef157d90b758db57e35fa205d2a63c10af4f

Download Submit
\Users\Admin\AppData\Local\Temp\630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe

Filesize
236KB

MD5
d3f68a63420e039f1c2bbf745b728657

SHA1
84336e472aca29e3ee9abc503488ed14c303ec76

SHA256
9eb2f6e8085318bf96b28bcf6e66ed342dcf06d0d38cf39b562b24b1c175a154

SHA512
23dc998cad93a1a32888e2d2bf235f18d0609133f0acc13e5caa5c0ce671c466cb2bce3540f37e0b5008089e2f1a3bf003ea941144f692452d1041eaad4af258

Download Submit
\Users\Admin\AppData\Local\Temp\8B6F.tmp

Filesize
1.7MB

MD5
b5eb5bd3066959611e1f7a80fd6cc172

SHA1
6fb1532059212c840737b3f923a9c0b152c0887a

SHA256
1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

SHA512
6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

Download Submit
\Windows\SysWOW64\kuxeox.dll

Filesize
76KB

MD5
ca776bc0819d2b0f881a9b7604179b95

SHA1
9e5b4780724f21ff37a304b32160e22c5a2ec07c

SHA256
630eeb664f38a4e6c9ec48e94306d76db364222ba003b89a42a84ee85dec86b5

SHA512
bd18126d4fb75b96ef412d6a87b33fa90e4053fd2b2b6e644a45c136c72163d38c8cd4086ac5bf47fd814cdec1046dc6d2cc300af2d8f69b339fc216e0705031

Download Submit
\Windows\SysWOW64\kuxeox.dll

Filesize
76KB

MD5
ca776bc0819d2b0f881a9b7604179b95

SHA1
9e5b4780724f21ff37a304b32160e22c5a2ec07c

SHA256
630eeb664f38a4e6c9ec48e94306d76db364222ba003b89a42a84ee85dec86b5

SHA512
bd18126d4fb75b96ef412d6a87b33fa90e4053fd2b2b6e644a45c136c72163d38c8cd4086ac5bf47fd814cdec1046dc6d2cc300af2d8f69b339fc216e0705031

Download Submit
\Windows\SysWOW64\kuxeox.dll

Filesize
76KB

MD5
ca776bc0819d2b0f881a9b7604179b95

SHA1
9e5b4780724f21ff37a304b32160e22c5a2ec07c

SHA256
630eeb664f38a4e6c9ec48e94306d76db364222ba003b89a42a84ee85dec86b5

SHA512
bd18126d4fb75b96ef412d6a87b33fa90e4053fd2b2b6e644a45c136c72163d38c8cd4086ac5bf47fd814cdec1046dc6d2cc300af2d8f69b339fc216e0705031

Download Submit
\Windows\SysWOW64\kuxeox.dll

Filesize
76KB

MD5
ca776bc0819d2b0f881a9b7604179b95

SHA1
9e5b4780724f21ff37a304b32160e22c5a2ec07c

SHA256
630eeb664f38a4e6c9ec48e94306d76db364222ba003b89a42a84ee85dec86b5

SHA512
bd18126d4fb75b96ef412d6a87b33fa90e4053fd2b2b6e644a45c136c72163d38c8cd4086ac5bf47fd814cdec1046dc6d2cc300af2d8f69b339fc216e0705031

Download Submit
\Windows\SysWOW64\qqxjpx.dll

Filesize
23KB

MD5
2466c49d6177df75c3abf241561047e6

SHA1
5a6926f977ef390efa3b51fe6ce41ce9a9f36d51

SHA256
bdc5a2378da7ee275161ca3433f966445ab519b49bb2b7f9ee5ecef80b8affaa

SHA512
b830aac9e85e8c96d59e7efdb43994c5197e9fa76b1809dd6cd832748e11cf77be198ef4362c94d0652d7ca833227e7e2c1017559ede5673ca65e85e46e42e11

Download Submit
\Windows\SysWOW64\qqxjpx.dll

Filesize
23KB

MD5
2466c49d6177df75c3abf241561047e6

SHA1
5a6926f977ef390efa3b51fe6ce41ce9a9f36d51

SHA256
bdc5a2378da7ee275161ca3433f966445ab519b49bb2b7f9ee5ecef80b8affaa

SHA512
b830aac9e85e8c96d59e7efdb43994c5197e9fa76b1809dd6cd832748e11cf77be198ef4362c94d0652d7ca833227e7e2c1017559ede5673ca65e85e46e42e11

Download Submit
\Windows\SysWOW64\qqxjpx.dll

Filesize
23KB

MD5
2466c49d6177df75c3abf241561047e6

SHA1
5a6926f977ef390efa3b51fe6ce41ce9a9f36d51

SHA256
bdc5a2378da7ee275161ca3433f966445ab519b49bb2b7f9ee5ecef80b8affaa

SHA512
b830aac9e85e8c96d59e7efdb43994c5197e9fa76b1809dd6cd832748e11cf77be198ef4362c94d0652d7ca833227e7e2c1017559ede5673ca65e85e46e42e11

Download Submit
\Windows\SysWOW64\qqxjpx.dll

Filesize
23KB

MD5
2466c49d6177df75c3abf241561047e6

SHA1
5a6926f977ef390efa3b51fe6ce41ce9a9f36d51

SHA256
bdc5a2378da7ee275161ca3433f966445ab519b49bb2b7f9ee5ecef80b8affaa

SHA512
b830aac9e85e8c96d59e7efdb43994c5197e9fa76b1809dd6cd832748e11cf77be198ef4362c94d0652d7ca833227e7e2c1017559ede5673ca65e85e46e42e11

Download Submit
\Windows\SysWOW64\system.exe

Filesize
144KB

MD5
58348b85711250c0af2176f5dc7257bf

SHA1
1a224e41faff19a5e91ed0a75d9bf85fdcef4b40

SHA256
002b5aaaa2c08b770db90a99062a47197eafcdd0d32c1358a23b8b0c4e4e981d

SHA512
beb254eebfb9321b568e8a3c6da0c55e7132e7d64f27d98f5064c5e88c57fc7d57a961149a6959b61e4dca1348caef157d90b758db57e35fa205d2a63c10af4f

Download Submit
\Windows\SysWOW64\system.exe

Filesize
144KB

MD5
58348b85711250c0af2176f5dc7257bf

SHA1
1a224e41faff19a5e91ed0a75d9bf85fdcef4b40

SHA256
002b5aaaa2c08b770db90a99062a47197eafcdd0d32c1358a23b8b0c4e4e981d

SHA512
beb254eebfb9321b568e8a3c6da0c55e7132e7d64f27d98f5064c5e88c57fc7d57a961149a6959b61e4dca1348caef157d90b758db57e35fa205d2a63c10af4f

Download Submit
memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1612-55-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download