11d9073c7d3440aa6f325c78339924fa3b886514a1ec359d0d9a84c04e201090

General

Target

03143534.exe
Size

149.9MB
MD5

977e4c8eb63abf3949da2cfbff0a2879
SHA1

9e37ec2dfe85427e76bc56cae149bad9bf216bca
SHA256

11d9073c7d3440aa6f325c78339924fa3b886514a1ec359d0d9a84c04e201090
SHA512

963763e4cf04313fea911dc73ae3347506b03956d00fe32ee0754fb6b03d61cfab8145d94299e064dda1a31e88fc10195dd4c8e825790296af170c9123928657
SSDEEP

3145728:Qebj8nC2dOuJ+e1ua3xGpdGtHZ8jcXuuyk7I2teBt5h/BH86k8MY:xw7OK3u0gdG9ZSAyk7IQAt5hK6Zz

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 7 IoCs

Processes:

03143534.exe

pid process

912 03143534.exe
912 03143534.exe
912 03143534.exe
912 03143534.exe
912 03143534.exe
912 03143534.exe
912 03143534.exe

pid	process
912	03143534.exe
912	03143534.exe
912	03143534.exe
912	03143534.exe
912	03143534.exe
912	03143534.exe
912	03143534.exe

Drops file in Program Files directory 64 IoCs

Processes:

03143534.exe

description	ioc	process
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_ZH-HK\local_record_title.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_COMMON\btn_scrncap_finish_hot.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_COMMON\course_record_tool_wnd_bk.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_JA\full_pushed_btn.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_JA\record_close_btn_press.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_VI\AreaSelectionForSmallClass.xml	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_VI\record_close_btn.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_ZH-CN\UICourseRecordTipWnd.xml	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DuiLib-1.dll	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_EN\UINotifyBoxWnd.xml	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_VI\AreaTool.xml	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_COMMON\btn_back_normal.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_COMMON\btn_reload_hover.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_VI\record_start_btn.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_JA\region_hover_btn.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\Updater.exe	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\gl3w.dll	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_COMMON\course_record_tip_wnd_bk.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_COMMON\region_sel_wnd.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_EN\record_close_btn.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_JA\UIRecordBtnWnd.xml	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_JA\close_pushed_btn.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_ZH-HK\full_btn.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_ZH-HK\record_start_btn.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\plugins\DrSerialControl.dll	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_COMMON\btn_course_record_pause_push.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_COMMON\btn_course_record_start_disable.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_COMMON\watersign_174x80.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_ZH-CN\UIScrnCapToolWnd.xml	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\AVCapture.dll	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\AVDeviceListener.dll	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\glfw3.dll	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\swscale-4.dll	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_ZH-CN\chat_hover.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_ZH-CN\close_btn.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\chrome_elf.dll	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_COMMON\client_icon.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_ID\chat_new_hover.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_VI\UINavBarWnd.xml	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\st_mobile.dll	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_EN\record_start_btn.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_ID\region_pushed_btn.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_JA\chat_hover.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_VI\chat_new.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_ZH-CN\region_pushed_btn.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_ZH-HK\stop_share_btn.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\locales\ja.pak	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\resources.pak	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_EN\LoadAnimWnd.xml	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_ID\UIRecordFileWnd.xml	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_JA\AppSharePanel.xml	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_ZH-CN\chat.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_ZH-HK\AreaTool.xml	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_ZH-HK\Desktop.xml	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\Recorder.exe	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\libGLESv2.dll	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_COMMON\btn_back_disable.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_COMMON\btn_course_record_pause_normal.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_VI\UIRecordBtnWnd.xml	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_VI\full_hover_btn.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\DSRES_VI\stop_share_btn.png	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\html\error_cn.html	03143534.exe
File created	C:\Program Files (x86)\bjcloud\BJSLClient.ico	03143534.exe
File created	C:\Program Files (x86)\bjcloud\cloudclassroom_pro\activate_code.lic	03143534.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

03143534.exe

pid process

912 03143534.exe
912 03143534.exe

pid	process
912	03143534.exe
912	03143534.exe

C:\Users\Admin\AppData\Local\Temp\03143534.exe
"C:\Users\Admin\AppData\Local\Temp\03143534.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nse531.tmp\InstallOptions.dll
Filesize
14KB

MD5
d753362649aecd60ff434adf171a4e7f

SHA1
3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

SHA256
8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586

SHA512
41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse531.tmp\InstallOptions.dll
Filesize
14KB

MD5
d753362649aecd60ff434adf171a4e7f

SHA1
3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

SHA256
8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586

SHA512
41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse531.tmp\LangDLL.dll
Filesize
5KB

MD5
e447e49175c0db1f27888aede301084f

SHA1
f5946c743265cd8e81f3e7b6376dada57f99877f

SHA256
fd26ef21d72797fedecd3d15f2001cea793383aceb3cee19a5ae2a3d30e197b6

SHA512
e6543bf81bedce94a58f48cd6f9daaec891775e01ff76b771c22d459a778490f9bba0bebbf111b1ca3091b3ca69bca806a9b5e68ce12df03abbaa6ce5c4b7cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse531.tmp\LangDLL.dll
Filesize
5KB

MD5
e447e49175c0db1f27888aede301084f

SHA1
f5946c743265cd8e81f3e7b6376dada57f99877f

SHA256
fd26ef21d72797fedecd3d15f2001cea793383aceb3cee19a5ae2a3d30e197b6

SHA512
e6543bf81bedce94a58f48cd6f9daaec891775e01ff76b771c22d459a778490f9bba0bebbf111b1ca3091b3ca69bca806a9b5e68ce12df03abbaa6ce5c4b7cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse531.tmp\System.dll
Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse531.tmp\processwork.dll
Filesize
231KB

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse531.tmp\processwork.dll
Filesize
231KB

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
memory/912-135-0x0000000002820000-0x0000000002861000-memory.dmp

Filesize
260KB

Download
memory/912-141-0x0000000002821000-0x0000000002823000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing