b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5

Analysis

max time kernel
143s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 10:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Size

100KB
MD5

6acb14ae4bf361e208413633dadbc79d
SHA1

d25582848d1ca699c6e2dcf8925ae8effbec9311
SHA256

b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5
SHA512

300d7db59f32fab86cf14722b65f4074d58b731110a77990be9e24cdef1a4fc4a686f6939287f8b88e9a553d9435c10dadc82ac282d75a4b059629eaeca6b03c
SSDEEP

1536:hEHUqQWrI0Sc6YDX/c3FnbM7gCPVYzQxpfROiso25DmQ7:qXhsXZYrcFbMMVzQxX3sZDmQ7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4084	Program FilesQQX1R8.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1121"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1121"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1121"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.35yes.com/?1121"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1121"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1121"	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3968	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 4084	3968	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe	82
PID 3968 wrote to memory of 4084	3968	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe	82
PID 3968 wrote to memory of 4084	3968	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe	82
PID 3968 wrote to memory of 5024	3968	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe	86
PID 3968 wrote to memory of 5024	3968	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe	86
PID 3968 wrote to memory of 5024	3968	b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe	86

C:\Users\Admin\AppData\Local\Temp\b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe
"C:\Users\Admin\AppData\Local\Temp\b4a8fd9b2e065de34bbb2010559218c4e41f851e789e1b81cfed7641ed17fdb5.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3968
- \??\c:\Program FilesQQX1R8.exe
  "c:\Program FilesQQX1R8.exe"
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  PID:5024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program FilesQQX1R8.exe

Filesize
9KB

MD5
13f7743dd13dfaf1ed2c0be0f74cd532

SHA1
35041e3f69b672a7f48d7fe9988f9b5541b4e920

SHA256
52784cd1b17edbb605f91be276fcec739fde1b98d047d2481fec0e304be69ec5

SHA512
4cc8c563bace20cb0be485cde6351028df37addd35deebbefce84df0b3763680a8b09dab6f5125fbcf8884da696d0e9ec5bb5f63de7e70ac89031fafb7341b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
486B

MD5
dc28b044ddff518159d63ab97b6caeb0

SHA1
146fc93f8803ea8d909419b5b1cc9a1e4bddd275

SHA256
03cc2a1e298b2c8fad11a9266776706b8e2662cab42af412e77582b9db70fd0c

SHA512
079046edc8d5fe87b0a70321492d033039265b3ea23ade8c1e89639a1c304fa5a91380b1b0cea76ba4eb8c37d169a27e529a8cb36f01e622c43ace8690134f55

Download Submit