3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe
Size

12.2MB
MD5

ee7bc5e3ce6b6542e086c35b8e4f327c
SHA1

7745dda2c333ed29b92ba1630828deb6a5374b71
SHA256

3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2
SHA512

be658b4e9e77633adfe250df475bdb18bf69468e1d29f092cff05e4ec7755c52ef20d5da955d6b91f8d245da4ce8d780c4b8eed2a2a6b8c7728075c82f080fbd
SSDEEP

196608:9GW7q8424qJ0b/o16NTMEdLQR/dpHCKtmCY9BqzWnzlvENqDcifG3Q+WBmYicd0:v284EJ0bjawQR/Hw3pcQG37cG

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
608	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
672	授权-20221001.exe
964	GProtector.lib

Loads dropped DLL 5 IoCs

pid	Process
1408	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe
608	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
608	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
672	授权-20221001.exe
672	授权-20221001.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\我的程序\授权-20221001.exe	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
File created	C:\Program Files (x86)\我的程序\unins000.dat	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
File created	C:\Program Files (x86)\我的程序\is-ECAHE.tmp	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
File opened for modification	C:\Program Files (x86)\我的程序\is-ECAHE.tmp	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
File created	C:\Program Files (x86)\我的程序\is-ROUND.tmp	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
File opened for modification	C:\Program Files (x86)\我的程序\unins000.dat	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
608	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
608	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
964	GProtector.lib

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	964	GProtector.lib

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
608	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 608	1408	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe	26
PID 1408 wrote to memory of 608	1408	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe	26
PID 1408 wrote to memory of 608	1408	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe	26
PID 1408 wrote to memory of 608	1408	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe	26
PID 1408 wrote to memory of 608	1408	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe	26
PID 1408 wrote to memory of 608	1408	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe	26
PID 1408 wrote to memory of 608	1408	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe	26
PID 608 wrote to memory of 672	608	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp	27
PID 608 wrote to memory of 672	608	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp	27
PID 608 wrote to memory of 672	608	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp	27
PID 608 wrote to memory of 672	608	3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp	27
PID 672 wrote to memory of 964	672	授权-20221001.exe	28
PID 672 wrote to memory of 964	672	授权-20221001.exe	28
PID 672 wrote to memory of 964	672	授权-20221001.exe	28
PID 672 wrote to memory of 964	672	授权-20221001.exe	28

C:\Users\Admin\AppData\Local\Temp\3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe
"C:\Users\Admin\AppData\Local\Temp\3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\is-0LTFB.tmp\3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0LTFB.tmp\3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp" /SL5="$9012A,12091770,718848,C:\Users\Admin\AppData\Local\Temp\3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Program Files (x86)\我的程序\授权-20221001.exe
    "C:\Program Files (x86)\我的程序\授权-20221001.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\GProtector\GProtector.lib
      C:\GProtector\GProtector.lib
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GProtector\GProtector.lib

Filesize
1.8MB

MD5
6674d5000f63d4d22851daa40e5d8621

SHA1
8ddd2682a604d238e0549e00750fe45b82c1d222

SHA256
3a6e4927ccbb671373cd758c572b592a358ee5dfd97d50e2eece02abd626e3f1

SHA512
83922a4aef59813dbe1edd36c86c82ca24132cc943bef3563e4048e4f3d25e0a097ee0bc122113843ecb997af43d4f38e84dff31284cc7af1b26aa442f7d55f5

Download Submit
C:\Program Files (x86)\我的程序\授权-20221001.exe

Filesize
18.3MB

MD5
dd61179ce217d0ea35b68b4c41e3f8d1

SHA1
0fbbbc129329376d90982b344bf93cfdad4949fa

SHA256
62de854303da3cce18ff0023233fbc4013ac9e0df1ef564fdc3649978b9c0c2f

SHA512
5a58fde474d1c105125988053d9b5bcae106b6a72a7f714ea553863f9c5542fd10ef793158ef08f7f3467a863d69c2fb08866e63d5eb15fe567df8b7ab4a1b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0LTFB.tmp\3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp

Filesize
2.4MB

MD5
afcb0ce52f3275932bbe693168cbec61

SHA1
aaaaa41948d3984112f6e488c3be447069dc516d

SHA256
09e32653389d6b965db754a9edd5f45e782fdb4f19e25a23209e5aac71598e68

SHA512
a10416d6825f8a5db60cccc04cfa3de08f64e309d25078a4ec3c42a626d6b1575666cf965f1cc40a645f332d00bbafff522dcbea1851d09aea444f6ca60d0416

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0LTFB.tmp\3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp

Filesize
2.4MB

MD5
afcb0ce52f3275932bbe693168cbec61

SHA1
aaaaa41948d3984112f6e488c3be447069dc516d

SHA256
09e32653389d6b965db754a9edd5f45e782fdb4f19e25a23209e5aac71598e68

SHA512
a10416d6825f8a5db60cccc04cfa3de08f64e309d25078a4ec3c42a626d6b1575666cf965f1cc40a645f332d00bbafff522dcbea1851d09aea444f6ca60d0416

Download Submit
\GProtector\GProtector.lib

Filesize
1.8MB

MD5
6674d5000f63d4d22851daa40e5d8621

SHA1
8ddd2682a604d238e0549e00750fe45b82c1d222

SHA256
3a6e4927ccbb671373cd758c572b592a358ee5dfd97d50e2eece02abd626e3f1

SHA512
83922a4aef59813dbe1edd36c86c82ca24132cc943bef3563e4048e4f3d25e0a097ee0bc122113843ecb997af43d4f38e84dff31284cc7af1b26aa442f7d55f5

Download Submit
\GProtector\GProtector.lib

Filesize
1.8MB

MD5
6674d5000f63d4d22851daa40e5d8621

SHA1
8ddd2682a604d238e0549e00750fe45b82c1d222

SHA256
3a6e4927ccbb671373cd758c572b592a358ee5dfd97d50e2eece02abd626e3f1

SHA512
83922a4aef59813dbe1edd36c86c82ca24132cc943bef3563e4048e4f3d25e0a097ee0bc122113843ecb997af43d4f38e84dff31284cc7af1b26aa442f7d55f5

Download Submit
\Program Files (x86)\我的程序\授权-20221001.exe

Filesize
18.3MB

MD5
dd61179ce217d0ea35b68b4c41e3f8d1

SHA1
0fbbbc129329376d90982b344bf93cfdad4949fa

SHA256
62de854303da3cce18ff0023233fbc4013ac9e0df1ef564fdc3649978b9c0c2f

SHA512
5a58fde474d1c105125988053d9b5bcae106b6a72a7f714ea553863f9c5542fd10ef793158ef08f7f3467a863d69c2fb08866e63d5eb15fe567df8b7ab4a1b63

Download Submit
\Program Files (x86)\我的程序\授权-20221001.exe

Filesize
18.3MB

MD5
dd61179ce217d0ea35b68b4c41e3f8d1

SHA1
0fbbbc129329376d90982b344bf93cfdad4949fa

SHA256
62de854303da3cce18ff0023233fbc4013ac9e0df1ef564fdc3649978b9c0c2f

SHA512
5a58fde474d1c105125988053d9b5bcae106b6a72a7f714ea553863f9c5542fd10ef793158ef08f7f3467a863d69c2fb08866e63d5eb15fe567df8b7ab4a1b63

Download Submit
\Users\Admin\AppData\Local\Temp\is-0LTFB.tmp\3fa0616a51d211112aec8d5fb269f054b432ca65989296f56a119e3cbc0b58e2.tmp

Filesize
2.4MB

MD5
afcb0ce52f3275932bbe693168cbec61

SHA1
aaaaa41948d3984112f6e488c3be447069dc516d

SHA256
09e32653389d6b965db754a9edd5f45e782fdb4f19e25a23209e5aac71598e68

SHA512
a10416d6825f8a5db60cccc04cfa3de08f64e309d25078a4ec3c42a626d6b1575666cf965f1cc40a645f332d00bbafff522dcbea1851d09aea444f6ca60d0416

Download Submit
memory/608-62-0x0000000074471000-0x0000000074473000-memory.dmp

Filesize
8KB

Download
memory/672-74-0x00000000030C0000-0x000000000314B000-memory.dmp

Filesize
556KB

Download
memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1408-61-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1408-72-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1408-55-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download