8b1231223335e1b73d99ff47d513c4cf330869a52e67f3b6a5497c1c87073fcf

General

Target

8b1231223335e1b73d99ff47d513c4cf330869a52e67f3b6a5497c1c87073fcf.exe
Size

115KB
MD5

673d8811ff6d0a03b8a8a3f90ef65b11
SHA1

23b16a0bb35110f1c33d145fb80f7e1b0702da5a
SHA256

8b1231223335e1b73d99ff47d513c4cf330869a52e67f3b6a5497c1c87073fcf
SHA512

2d833bc5923f8831db8fe61cf9e9f13e8bfd8159aad1bd51b90e7a73ba96734ead68f224991c6fc7f2c336fd60ce92bd63b042ad39d9aa1e2868d14a8ebd9f11
SSDEEP

3072:M6LjR4WGuPPPPPPvvts6VfmlbthqCtfYc/3pg1s57d+Fd:DLZ9nnHPVultUoQe5gah8Fd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1900	BEIJIN~1.EXE

Loads dropped DLL 3 IoCs

pid	Process
1976	8b1231223335e1b73d99ff47d513c4cf330869a52e67f3b6a5497c1c87073fcf.exe
1900	BEIJIN~1.EXE
1900	BEIJIN~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8b1231223335e1b73d99ff47d513c4cf330869a52e67f3b6a5497c1c87073fcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8b1231223335e1b73d99ff47d513c4cf330869a52e67f3b6a5497c1c87073fcf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1900	1976	8b1231223335e1b73d99ff47d513c4cf330869a52e67f3b6a5497c1c87073fcf.exe	28
PID 1976 wrote to memory of 1900	1976	8b1231223335e1b73d99ff47d513c4cf330869a52e67f3b6a5497c1c87073fcf.exe	28
PID 1976 wrote to memory of 1900	1976	8b1231223335e1b73d99ff47d513c4cf330869a52e67f3b6a5497c1c87073fcf.exe	28
PID 1976 wrote to memory of 1900	1976	8b1231223335e1b73d99ff47d513c4cf330869a52e67f3b6a5497c1c87073fcf.exe	28
PID 1976 wrote to memory of 1900	1976	8b1231223335e1b73d99ff47d513c4cf330869a52e67f3b6a5497c1c87073fcf.exe	28
PID 1976 wrote to memory of 1900	1976	8b1231223335e1b73d99ff47d513c4cf330869a52e67f3b6a5497c1c87073fcf.exe	28
PID 1976 wrote to memory of 1900	1976	8b1231223335e1b73d99ff47d513c4cf330869a52e67f3b6a5497c1c87073fcf.exe	28
PID 1900 wrote to memory of 1992	1900	BEIJIN~1.EXE	29
PID 1900 wrote to memory of 1992	1900	BEIJIN~1.EXE	29
PID 1900 wrote to memory of 1992	1900	BEIJIN~1.EXE	29
PID 1900 wrote to memory of 1992	1900	BEIJIN~1.EXE	29
PID 1900 wrote to memory of 1992	1900	BEIJIN~1.EXE	29
PID 1900 wrote to memory of 1992	1900	BEIJIN~1.EXE	29
PID 1900 wrote to memory of 1992	1900	BEIJIN~1.EXE	29
PID 1992 wrote to memory of 1224	1992	WScript.exe	30
PID 1992 wrote to memory of 1224	1992	WScript.exe	30
PID 1992 wrote to memory of 1224	1992	WScript.exe	30
PID 1992 wrote to memory of 1224	1992	WScript.exe	30
PID 1992 wrote to memory of 1224	1992	WScript.exe	30
PID 1992 wrote to memory of 1224	1992	WScript.exe	30
PID 1992 wrote to memory of 1224	1992	WScript.exe	30

C:\Users\Admin\AppData\Local\Temp\8b1231223335e1b73d99ff47d513c4cf330869a52e67f3b6a5497c1c87073fcf.exe
"C:\Users\Admin\AppData\Local\Temp\8b1231223335e1b73d99ff47d513c4cf330869a52e67f3b6a5497c1c87073fcf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BEIJIN~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BEIJIN~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\BeiJingTime2088.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c date 2088.8.8
      4⤵
      PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BEIJIN~1.EXE

Filesize
101KB

MD5
64542bf4642c6805112c4ef05d1437b2

SHA1
eb6565d277c21503e45568c0c77464e367571854

SHA256
f5aa2c5dc52d38b186258f37319d6c852649ce18cd4dfad3846145934d35a216

SHA512
cffce47f9faad78610b318f46385830e0a29e7ac2fe9e1186199be4525515bf4ba86efc6e6ca10cd5b11470f60c5f6350975148898d314fee4174b58066e599c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BEIJIN~1.EXE

Filesize
101KB

MD5
64542bf4642c6805112c4ef05d1437b2

SHA1
eb6565d277c21503e45568c0c77464e367571854

SHA256
f5aa2c5dc52d38b186258f37319d6c852649ce18cd4dfad3846145934d35a216

SHA512
cffce47f9faad78610b318f46385830e0a29e7ac2fe9e1186199be4525515bf4ba86efc6e6ca10cd5b11470f60c5f6350975148898d314fee4174b58066e599c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BeiJingTime2088.vbs

Filesize
207B

MD5
0a8b7fefb30b0c403dba41bab8d89620

SHA1
c2a7e82ecbfe45bebd5dab7911bad95195a0e5ea

SHA256
b1a85df23ec597054cced3703296d5d29379b3796a0d3e21dcdfbde702619abb

SHA512
cba1379364e962f73a05a73c0ac2b1505ba223c641fbd68749c47e588a687e66f915d48a8203eb87d6024fc25ba1044bab204b5143874b240b35c82ef593b1fb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\BEIJIN~1.EXE

Filesize
101KB

MD5
64542bf4642c6805112c4ef05d1437b2

SHA1
eb6565d277c21503e45568c0c77464e367571854

SHA256
f5aa2c5dc52d38b186258f37319d6c852649ce18cd4dfad3846145934d35a216

SHA512
cffce47f9faad78610b318f46385830e0a29e7ac2fe9e1186199be4525515bf4ba86efc6e6ca10cd5b11470f60c5f6350975148898d314fee4174b58066e599c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\BEIJIN~1.EXE

Filesize
101KB

MD5
64542bf4642c6805112c4ef05d1437b2

SHA1
eb6565d277c21503e45568c0c77464e367571854

SHA256
f5aa2c5dc52d38b186258f37319d6c852649ce18cd4dfad3846145934d35a216

SHA512
cffce47f9faad78610b318f46385830e0a29e7ac2fe9e1186199be4525515bf4ba86efc6e6ca10cd5b11470f60c5f6350975148898d314fee4174b58066e599c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\BEIJIN~1.EXE

Filesize
101KB

MD5
64542bf4642c6805112c4ef05d1437b2

SHA1
eb6565d277c21503e45568c0c77464e367571854

SHA256
f5aa2c5dc52d38b186258f37319d6c852649ce18cd4dfad3846145934d35a216

SHA512
cffce47f9faad78610b318f46385830e0a29e7ac2fe9e1186199be4525515bf4ba86efc6e6ca10cd5b11470f60c5f6350975148898d314fee4174b58066e599c

Download Submit
memory/1224-65-0x0000000000000000-mapping.dmp

Download
memory/1900-56-0x0000000000000000-mapping.dmp

Download
memory/1976-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/1976-67-0x0000000001000000-0x0000000001040000-memory.dmp

Filesize
256KB

Download
memory/1976-68-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download
memory/1992-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing