a3af6a68a32a5734493ac2ada8968fce49aeae4b22c9bee505b9d9fcf732afa8

Analysis

max time kernel
174s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3af6a68a32a5734493ac2ada8968fce49aeae4b22c9bee505b9d9fcf732afa8.exe
Size

1.0MB
MD5

692a1d34cd7f7b145ef8d948c3cf42e6
SHA1

cdec60fd3babf50a42c73ce6f29b6708d60b6976
SHA256

a3af6a68a32a5734493ac2ada8968fce49aeae4b22c9bee505b9d9fcf732afa8
SHA512

1fbe57b0b6658069d63f857665780cb2acb2020617d5812386ec8e82d94cf067a5feefee6d089ebc1add98294b64818bfcb1e4ae7f29f2b4903cc36f36af6b5b
SSDEEP

24576:FVTnu29GSh7tuvhonSlaHvp4xAGwzJPYQmXgeohZsv:FVTnu3vhxqvvz5FmvoTsv

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
35	4860	rundll32.exe

Executes dropped EXE 3 IoCs

pid	Process
788	MicrosoftTe56eca7.exe
4124	WindowsUpdate.exe
216	RtlRightXUp.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Removable Storage_0x0001\Parameters\ServiceDll = "C:\\Windows\\system32\\tianyu.dll"	WindowsUpdate.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
4056	svchost.exe
4860	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tianyu.dll	WindowsUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
216	RtlRightXUp.exe
216	RtlRightXUp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4916	rundll32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4960	a3af6a68a32a5734493ac2ada8968fce49aeae4b22c9bee505b9d9fcf732afa8.exe
4960	a3af6a68a32a5734493ac2ada8968fce49aeae4b22c9bee505b9d9fcf732afa8.exe
788	MicrosoftTe56eca7.exe
788	MicrosoftTe56eca7.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 788	4960	a3af6a68a32a5734493ac2ada8968fce49aeae4b22c9bee505b9d9fcf732afa8.exe	82
PID 4960 wrote to memory of 788	4960	a3af6a68a32a5734493ac2ada8968fce49aeae4b22c9bee505b9d9fcf732afa8.exe	82
PID 4960 wrote to memory of 788	4960	a3af6a68a32a5734493ac2ada8968fce49aeae4b22c9bee505b9d9fcf732afa8.exe	82
PID 788 wrote to memory of 4916	788	MicrosoftTe56eca7.exe	83
PID 788 wrote to memory of 4916	788	MicrosoftTe56eca7.exe	83
PID 788 wrote to memory of 4916	788	MicrosoftTe56eca7.exe	83
PID 788 wrote to memory of 4124	788	MicrosoftTe56eca7.exe	87
PID 788 wrote to memory of 4124	788	MicrosoftTe56eca7.exe	87
PID 788 wrote to memory of 4124	788	MicrosoftTe56eca7.exe	87
PID 4124 wrote to memory of 216	4124	WindowsUpdate.exe	88
PID 4124 wrote to memory of 216	4124	WindowsUpdate.exe	88
PID 4124 wrote to memory of 216	4124	WindowsUpdate.exe	88
PID 4056 wrote to memory of 4860	4056	svchost.exe	90
PID 4056 wrote to memory of 4860	4056	svchost.exe	90
PID 4056 wrote to memory of 4860	4056	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\a3af6a68a32a5734493ac2ada8968fce49aeae4b22c9bee505b9d9fcf732afa8.exe
"C:\Users\Admin\AppData\Local\Temp\a3af6a68a32a5734493ac2ada8968fce49aeae4b22c9bee505b9d9fcf732afa8.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Roaming\MicrosoftTe56eca7.exe
  "C:\Users\Admin\AppData\Roaming\MicrosoftTe56eca7.exe" dmedmedme "C:\Users\Admin\AppData\Local\Temp\a3af6a68a32a5734493ac2ada8968fce49aeae4b22c9bee505b9d9fcf732afa8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe shimgvw.dll,ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\a3af6a68a32a5734493ac2ada8968fce49aeae4b22c9bee505b9d9fcf732afa8.jpg
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:4916
- - C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe
    3⤵
    - Executes dropped EXE
    - Sets DLL path for service in the registry
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Users\Admin\AppData\Local\Temp\RtlRightXUp.exe
      C:\Users\Admin\AppData\Local\Temp\RtlRightXUp.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:216

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\tianyu.dll, win7ol
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  PID:4860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nod31.24399.tmp

Filesize
140B

MD5
7512249cfa40d8215a6646cc1010ced2

SHA1
bcdc1cd2ebe16cda15db66c330552a63c191fa26

SHA256
30c2126a0946e86136a354d9b0e56e41d58a46cff59037237751cc88dc215aac

SHA512
e09740111c7845e46b474490b690d6a7850a958390296f0a4400d4de6fa85b3445000ec4ffa3125d49f28430e165532b10ba935daf9dcdd7888599b5e04cf138

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtlRightXUp.exe

Filesize
256KB

MD5
0c660dc079f914055fdf12432deb4bf5

SHA1
35ae7777e9825accbf48d31040f9e4e1b56ab35c

SHA256
ca7bd7c27db07b4b0fedd667bacd105594b42519fcfd7425711c1692362d2420

SHA512
8d74d7f63c75805b671dc19f45427a12eea9a6e3add2296741410e028e03866f9dfc893e89d4bc5b333ede24edcb36763f41bfe7a2405c7257818b460fe9c624

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtlRightXUp.exe

Filesize
256KB

MD5
0c660dc079f914055fdf12432deb4bf5

SHA1
35ae7777e9825accbf48d31040f9e4e1b56ab35c

SHA256
ca7bd7c27db07b4b0fedd667bacd105594b42519fcfd7425711c1692362d2420

SHA512
8d74d7f63c75805b671dc19f45427a12eea9a6e3add2296741410e028e03866f9dfc893e89d4bc5b333ede24edcb36763f41bfe7a2405c7257818b460fe9c624

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3af6a68a32a5734493ac2ada8968fce49aeae4b22c9bee505b9d9fcf732afa8.jpg

Filesize
77KB

MD5
5acfc65ec3d7e93fe9004d5a7ea6f5e1

SHA1
5c3de58f64c359abbf19ea050dafcc9a1e7eefaf

SHA256
6fa441e8bf3694e6c2716b89333eb1477989749a8601f5f2dbe1e342c9d61b34

SHA512
8dbd931ad5335b092f7faab3d0cfe059d2b93154482f96a35ca6f41f86032e9a4878458bcbed21cb4f37b685270e8440ad4295a82d36b6cf9772c67dcd173921

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftTe56eca7.exe

Filesize
1.0MB

MD5
692a1d34cd7f7b145ef8d948c3cf42e6

SHA1
cdec60fd3babf50a42c73ce6f29b6708d60b6976

SHA256
a3af6a68a32a5734493ac2ada8968fce49aeae4b22c9bee505b9d9fcf732afa8

SHA512
1fbe57b0b6658069d63f857665780cb2acb2020617d5812386ec8e82d94cf067a5feefee6d089ebc1add98294b64818bfcb1e4ae7f29f2b4903cc36f36af6b5b

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftTe56eca7.exe

Filesize
1.0MB

MD5
692a1d34cd7f7b145ef8d948c3cf42e6

SHA1
cdec60fd3babf50a42c73ce6f29b6708d60b6976

SHA256
a3af6a68a32a5734493ac2ada8968fce49aeae4b22c9bee505b9d9fcf732afa8

SHA512
1fbe57b0b6658069d63f857665780cb2acb2020617d5812386ec8e82d94cf067a5feefee6d089ebc1add98294b64818bfcb1e4ae7f29f2b4903cc36f36af6b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe

Filesize
916KB

MD5
eadbebecc63fb1f20cdd898314251fee

SHA1
5c10acc868c04a226154f249c17ac435310e776a

SHA256
389336ac5ed76cada25990bad86b13d60e03ba3fcc23fc79ad2620c15e85629c

SHA512
80caa0033348411de670f3f5dfe62c01056bb5951348bdfb76f1d0bf016060270570539031532c938ef64f6dd947db51792a26eb5fb3dd76a8cb5760aef51391

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\WindowsUpdate.exe

Filesize
916KB

MD5
eadbebecc63fb1f20cdd898314251fee

SHA1
5c10acc868c04a226154f249c17ac435310e776a

SHA256
389336ac5ed76cada25990bad86b13d60e03ba3fcc23fc79ad2620c15e85629c

SHA512
80caa0033348411de670f3f5dfe62c01056bb5951348bdfb76f1d0bf016060270570539031532c938ef64f6dd947db51792a26eb5fb3dd76a8cb5760aef51391

Download Submit
C:\Windows\SysWOW64\tianyu.dll

Filesize
548KB

MD5
d993b607781102f2c7f3bc8ce0fc201b

SHA1
2913b00b19c66201f1ad6acca56c79f6349c46a6

SHA256
45ae33aac2cafae22a2ed9494b9ef54ce74985a96ffa09ddec73258333c729c5

SHA512
4b769ca361f0912d019b5943e5cdedf347938382dd39a6631f95e3b84eb9443fcc91ce2a086516ecf4317a3931ad59d821ca71f9f4d2e2457ecc79b3317a18bb

Download Submit
C:\Windows\SysWOW64\tianyu.dll

Filesize
548KB

MD5
d993b607781102f2c7f3bc8ce0fc201b

SHA1
2913b00b19c66201f1ad6acca56c79f6349c46a6

SHA256
45ae33aac2cafae22a2ed9494b9ef54ce74985a96ffa09ddec73258333c729c5

SHA512
4b769ca361f0912d019b5943e5cdedf347938382dd39a6631f95e3b84eb9443fcc91ce2a086516ecf4317a3931ad59d821ca71f9f4d2e2457ecc79b3317a18bb

Download Submit
\??\c:\windows\SysWOW64\tianyu.dll

Filesize
548KB

MD5
d993b607781102f2c7f3bc8ce0fc201b

SHA1
2913b00b19c66201f1ad6acca56c79f6349c46a6

SHA256
45ae33aac2cafae22a2ed9494b9ef54ce74985a96ffa09ddec73258333c729c5

SHA512
4b769ca361f0912d019b5943e5cdedf347938382dd39a6631f95e3b84eb9443fcc91ce2a086516ecf4317a3931ad59d821ca71f9f4d2e2457ecc79b3317a18bb

Download Submit
memory/216-140-0x0000000000000000-mapping.dmp

Download
memory/788-132-0x0000000000000000-mapping.dmp

Download
memory/4056-152-0x0000000010000000-0x000000001009C000-memory.dmp

Filesize
624KB

Download
memory/4056-153-0x0000000010000000-0x000000001009C000-memory.dmp

Filesize
624KB

Download
memory/4056-149-0x0000000010000000-0x000000001009C000-memory.dmp

Filesize
624KB

Download
memory/4056-150-0x0000000010000000-0x000000001009C000-memory.dmp

Filesize
624KB

Download
memory/4056-161-0x0000000010000000-0x000000001009C000-memory.dmp

Filesize
624KB

Download
memory/4124-137-0x0000000000000000-mapping.dmp

Download
memory/4124-145-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/4124-147-0x00000000021F0000-0x0000000002244000-memory.dmp

Filesize
336KB

Download
memory/4124-148-0x0000000003390000-0x0000000003395000-memory.dmp

Filesize
20KB

Download
memory/4860-154-0x0000000000000000-mapping.dmp

Download
memory/4860-156-0x0000000010000000-0x000000001009C000-memory.dmp

Filesize
624KB

Download
memory/4860-157-0x0000000010000000-0x000000001009C000-memory.dmp

Filesize
624KB

Download
memory/4860-159-0x0000000010000000-0x000000001009C000-memory.dmp

Filesize
624KB

Download
memory/4860-160-0x0000000010000000-0x000000001009C000-memory.dmp

Filesize
624KB

Download
memory/4860-162-0x0000000010000000-0x000000001009C000-memory.dmp

Filesize
624KB

Download
memory/4860-163-0x0000000010000000-0x000000001009C000-memory.dmp

Filesize
624KB

Download
memory/4916-135-0x0000000000000000-mapping.dmp

Download