630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6

Analysis

max time kernel
152s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe
Size

388KB
MD5

66d80e9a14fc25dcc2e0973053c41380
SHA1

bb0f2a226a47a042b9cac18d7a85b5133cb9094c
SHA256

630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6
SHA512

04e60b3b2576543a9a82cd9b501455e2199bf77f936992c9262aa527278193bda34d3915ab0e619049cbd7ad01c8acbc7a016870b2de275c6361fd976e3ad447
SSDEEP

3072:HQRCawi04RcJQPf+CtfOCQCJH1kaYZDAZ7CzeMQQ2GX4GsC6/vbgV3VqKPIktlAd:HwiwfYZ47Me0TxsCeveQKsN0pLXJVQt

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
628	system.exe
4380	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
3304	Rundll32.exe
3860	Rundll32.exe
3860	Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe
File created	C:\Windows\SysWOW64\jusekfaa.dll	system.exe
File created	C:\Windows\SysWOW64\onbjkfaa.dll	system.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\AAV\CDriver.sys	Rundll32.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4052	sc.exe
1864	sc.exe
1572	sc.exe
3704	sc.exe
5036	sc.exe
3624	sc.exe
4988	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3304	Rundll32.exe
3304	Rundll32.exe
3304	Rundll32.exe
3304	Rundll32.exe
3304	Rundll32.exe
3304	Rundll32.exe
3304	Rundll32.exe
3304	Rundll32.exe
3304	Rundll32.exe
3304	Rundll32.exe
3304	Rundll32.exe
3304	Rundll32.exe
3304	Rundll32.exe
3304	Rundll32.exe
3860	Rundll32.exe
3860	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4808	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4380	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 628	4808	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe	83
PID 4808 wrote to memory of 628	4808	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe	83
PID 4808 wrote to memory of 628	4808	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe	83
PID 628 wrote to memory of 3304	628	system.exe	84
PID 628 wrote to memory of 3304	628	system.exe	84
PID 628 wrote to memory of 3304	628	system.exe	84
PID 3304 wrote to memory of 1784	3304	Rundll32.exe	85
PID 3304 wrote to memory of 1784	3304	Rundll32.exe	85
PID 3304 wrote to memory of 1784	3304	Rundll32.exe	85
PID 3304 wrote to memory of 2224	3304	Rundll32.exe	86
PID 3304 wrote to memory of 2224	3304	Rundll32.exe	86
PID 3304 wrote to memory of 2224	3304	Rundll32.exe	86
PID 3304 wrote to memory of 4052	3304	Rundll32.exe	89
PID 3304 wrote to memory of 4052	3304	Rundll32.exe	89
PID 3304 wrote to memory of 4052	3304	Rundll32.exe	89
PID 3304 wrote to memory of 1864	3304	Rundll32.exe	91
PID 3304 wrote to memory of 1864	3304	Rundll32.exe	91
PID 3304 wrote to memory of 1864	3304	Rundll32.exe	91
PID 3304 wrote to memory of 1572	3304	Rundll32.exe	93
PID 3304 wrote to memory of 1572	3304	Rundll32.exe	93
PID 3304 wrote to memory of 1572	3304	Rundll32.exe	93
PID 3304 wrote to memory of 3704	3304	Rundll32.exe	94
PID 3304 wrote to memory of 3704	3304	Rundll32.exe	94
PID 3304 wrote to memory of 3704	3304	Rundll32.exe	94
PID 1784 wrote to memory of 3744	1784	net.exe	99
PID 1784 wrote to memory of 3744	1784	net.exe	99
PID 1784 wrote to memory of 3744	1784	net.exe	99
PID 2224 wrote to memory of 5012	2224	net.exe	95
PID 2224 wrote to memory of 5012	2224	net.exe	95
PID 2224 wrote to memory of 5012	2224	net.exe	95
PID 3304 wrote to memory of 5036	3304	Rundll32.exe	98
PID 3304 wrote to memory of 5036	3304	Rundll32.exe	98
PID 3304 wrote to memory of 5036	3304	Rundll32.exe	98
PID 3304 wrote to memory of 3624	3304	Rundll32.exe	100
PID 3304 wrote to memory of 3624	3304	Rundll32.exe	100
PID 3304 wrote to memory of 3624	3304	Rundll32.exe	100
PID 3304 wrote to memory of 4808	3304	Rundll32.exe	82
PID 3304 wrote to memory of 4808	3304	Rundll32.exe	82
PID 3304 wrote to memory of 628	3304	Rundll32.exe	83
PID 3304 wrote to memory of 628	3304	Rundll32.exe	83
PID 3304 wrote to memory of 1784	3304	Rundll32.exe	85
PID 3304 wrote to memory of 1784	3304	Rundll32.exe	85
PID 3304 wrote to memory of 2224	3304	Rundll32.exe	86
PID 3304 wrote to memory of 2224	3304	Rundll32.exe	86
PID 3304 wrote to memory of 1572	3304	Rundll32.exe	93
PID 3304 wrote to memory of 1572	3304	Rundll32.exe	93
PID 3304 wrote to memory of 3704	3304	Rundll32.exe	94
PID 3304 wrote to memory of 3704	3304	Rundll32.exe	94
PID 3304 wrote to memory of 3744	3304	Rundll32.exe	99
PID 3304 wrote to memory of 3744	3304	Rundll32.exe	99
PID 3304 wrote to memory of 5012	3304	Rundll32.exe	95
PID 3304 wrote to memory of 5012	3304	Rundll32.exe	95
PID 3304 wrote to memory of 5036	3304	Rundll32.exe	98
PID 3304 wrote to memory of 5036	3304	Rundll32.exe	98
PID 3304 wrote to memory of 3624	3304	Rundll32.exe	100
PID 3304 wrote to memory of 3624	3304	Rundll32.exe	100
PID 3304 wrote to memory of 4988	3304	Rundll32.exe	103
PID 3304 wrote to memory of 4988	3304	Rundll32.exe	103
PID 3304 wrote to memory of 4988	3304	Rundll32.exe	103
PID 628 wrote to memory of 3860	628	system.exe	105
PID 628 wrote to memory of 3860	628	system.exe	105
PID 628 wrote to memory of 3860	628	system.exe	105
PID 4808 wrote to memory of 4380	4808	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe	114
PID 4808 wrote to memory of 4380	4808	630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe	114

C:\Users\Admin\AppData\Local\Temp\630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe
"C:\Users\Admin\AppData\Local\Temp\630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\jusekfaa.dll Exbcute
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Windows\SysWOW64\net.exe
      net stop WinDefend
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WinDefend
        5⤵
        
        PID:3744
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        5⤵
        
        PID:5012
  - - C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:4052
  - - C:\Windows\SysWOW64\sc.exe
      sc config MpsSvc start= disabled
      4⤵
      Launches sc.exe
      PID:1864
  - - C:\Windows\SysWOW64\sc.exe
      sc stop ZhuDongFangYu
      4⤵
      Launches sc.exe
      PID:1572
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ZhuDongFangYu
      4⤵
      Launches sc.exe
      PID:3704
  - - C:\Windows\SysWOW64\sc.exe
      sc stop 360rp
      4⤵
      Launches sc.exe
      PID:5036
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360rp
      4⤵
      Launches sc.exe
      PID:3624
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" stop PolicyAgent
      4⤵
      Launches sc.exe
      PID:4988
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\onbjkfaa.dll Exbcute
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID:3860
- C:\Users\Admin\AppData\Local\Temp\630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe
  C:\Users\Admin\AppData\Local\Temp\630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\630d07b4ac989145ad123809ef4ba4271e82b8076e9143f75bd467c232bdfbb6.exe

Filesize
236KB

MD5
d3f68a63420e039f1c2bbf745b728657

SHA1
84336e472aca29e3ee9abc503488ed14c303ec76

SHA256
9eb2f6e8085318bf96b28bcf6e66ed342dcf06d0d38cf39b562b24b1c175a154

SHA512
23dc998cad93a1a32888e2d2bf235f18d0609133f0acc13e5caa5c0ce671c466cb2bce3540f37e0b5008089e2f1a3bf003ea941144f692452d1041eaad4af258

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC1.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Windows\SysWOW64\jusekfaa.dll

Filesize
76KB

MD5
ca776bc0819d2b0f881a9b7604179b95

SHA1
9e5b4780724f21ff37a304b32160e22c5a2ec07c

SHA256
630eeb664f38a4e6c9ec48e94306d76db364222ba003b89a42a84ee85dec86b5

SHA512
bd18126d4fb75b96ef412d6a87b33fa90e4053fd2b2b6e644a45c136c72163d38c8cd4086ac5bf47fd814cdec1046dc6d2cc300af2d8f69b339fc216e0705031

Download Submit
C:\Windows\SysWOW64\jusekfaa.dll

Filesize
76KB

MD5
ca776bc0819d2b0f881a9b7604179b95

SHA1
9e5b4780724f21ff37a304b32160e22c5a2ec07c

SHA256
630eeb664f38a4e6c9ec48e94306d76db364222ba003b89a42a84ee85dec86b5

SHA512
bd18126d4fb75b96ef412d6a87b33fa90e4053fd2b2b6e644a45c136c72163d38c8cd4086ac5bf47fd814cdec1046dc6d2cc300af2d8f69b339fc216e0705031

Download Submit
C:\Windows\SysWOW64\onbjkfaa.dll

Filesize
23KB

MD5
2466c49d6177df75c3abf241561047e6

SHA1
5a6926f977ef390efa3b51fe6ce41ce9a9f36d51

SHA256
bdc5a2378da7ee275161ca3433f966445ab519b49bb2b7f9ee5ecef80b8affaa

SHA512
b830aac9e85e8c96d59e7efdb43994c5197e9fa76b1809dd6cd832748e11cf77be198ef4362c94d0652d7ca833227e7e2c1017559ede5673ca65e85e46e42e11

Download Submit
C:\Windows\SysWOW64\onbjkfaa.dll

Filesize
23KB

MD5
2466c49d6177df75c3abf241561047e6

SHA1
5a6926f977ef390efa3b51fe6ce41ce9a9f36d51

SHA256
bdc5a2378da7ee275161ca3433f966445ab519b49bb2b7f9ee5ecef80b8affaa

SHA512
b830aac9e85e8c96d59e7efdb43994c5197e9fa76b1809dd6cd832748e11cf77be198ef4362c94d0652d7ca833227e7e2c1017559ede5673ca65e85e46e42e11

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
144KB

MD5
58348b85711250c0af2176f5dc7257bf

SHA1
1a224e41faff19a5e91ed0a75d9bf85fdcef4b40

SHA256
002b5aaaa2c08b770db90a99062a47197eafcdd0d32c1358a23b8b0c4e4e981d

SHA512
beb254eebfb9321b568e8a3c6da0c55e7132e7d64f27d98f5064c5e88c57fc7d57a961149a6959b61e4dca1348caef157d90b758db57e35fa205d2a63c10af4f

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
144KB

MD5
58348b85711250c0af2176f5dc7257bf

SHA1
1a224e41faff19a5e91ed0a75d9bf85fdcef4b40

SHA256
002b5aaaa2c08b770db90a99062a47197eafcdd0d32c1358a23b8b0c4e4e981d

SHA512
beb254eebfb9321b568e8a3c6da0c55e7132e7d64f27d98f5064c5e88c57fc7d57a961149a6959b61e4dca1348caef157d90b758db57e35fa205d2a63c10af4f

Download Submit
memory/4808-149-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4808-132-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download