Analysis
-
max time kernel
179s -
max time network
198s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
13-10-2022 21:57
General
-
Target
fd829505630a80cee334c85eaa40762589d651c033b87c998a1e3234a8514c01.exe
-
Size
59KB
-
MD5
695edd78423b0707179148f2ce0c7ca0
-
SHA1
a34db5ad4bf9f14cebd091353bff9f84f3286770
-
SHA256
fd829505630a80cee334c85eaa40762589d651c033b87c998a1e3234a8514c01
-
SHA512
46b895657e44fc8d9af21903c30d054eb6728a252c28e347d1300dc49b7745d507196dfb91d60d307bc8cd2b7de7e4c329525c9f8d0f62e545afaec6e0937fd3
-
SSDEEP
1536:gS9sf3ewWNlLC+U1xf4Trnm4GDvJO7kEd:gS9sfuwqBU1B4TrmBOA+
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd829505630a80cee334c85eaa40762589d651c033b87c998a1e3234a8514c01.exe"C:\Users\Admin\AppData\Local\Temp\fd829505630a80cee334c85eaa40762589d651c033b87c998a1e3234a8514c01.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcodewget2.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat3⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?821334⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat4⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\PROGRA~1\FREERA~1\tmp5⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf5⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\jni.mp3,MainLoad5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inl2822.tmpC:\Users\Admin\AppData\Local\Temp\inl2822.tmp2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\FD8295~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5b7c5e3b416b1d1b5541ef44662e1a764
SHA18bff7ea2be2f3cf29f2381d8007198b5991ca3ae
SHA256f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1
SHA51265dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc
-
Filesize
492B
MD534c14b8530e1094e792527f7a474fe77
SHA1f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA51225bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2
-
Filesize
3KB
MD56cbd1848e570354769fb56efd38f3594
SHA1d17d48036cdbd6a928729a16a34babc2bd49708a
SHA256cd0076ca521c3a3a8845fb6dac00fc93da9803bca9e03c904516b3493f7ba13d
SHA512ff8502603849d56807be7a4990d4f17459a7a60c446283e8656dc69b5dae6b4ef833e521f4b6a24a69e7867a03d8688bac14498a21c7aa950d9d889b61d8e2e5
-
Filesize
230B
MD5f6dcb2862f6e7f9e69fb7d18668c59f1
SHA1bb23dbba95d8af94ecc36a7d2dd4888af2856737
SHA256c68fe97c64b68f00b3cc853ae6a6d324b470a558df57eac2593487978592eb2c
SHA512eefe630b776d2144df39e9c385824374b3d546e30293d7efe10cc2d6bf6f2c932162bf80add1c8ca58afcc868ad02b3ffc104c0f111f3827f4385ee9f26f5e75
-
Filesize
5.8MB
MD571a1e9c26bc0d7f094ce7fcdd7829357
SHA127c86db86208ec1d156a69bc417490d2882790cd
SHA256f256bce09c5543cded018eee02f3cfec5cac14f429268f8c1dd03e3d4a314573
SHA512b6444ae61680cd5595c1e9ddbea68e928046ec656834aeb10d9c54b7b38676a9bbcaa9c959db282ce8c3caa70d088b0d92854db4bd76d82c5f8d0ed744228a5c
-
Filesize
57.2MB
MD50a021484b4432258a6c315998741d6d6
SHA1a95e381a71171b033a7d136eabfddb9d8a856655
SHA25662057f7750020c259308b91378cc2c31c44cf9548c6558a525d2836ce9ca8daa
SHA51286b0a2a790c82755b8684577468cb4adf32d0ebe958dd5fdba8aca9e915a144a0276c1c66e9d77724c1116cb0c98154d68388197cd37d1cf9e1228a29f7e40cc
-
Filesize
57.2MB
MD50a021484b4432258a6c315998741d6d6
SHA1a95e381a71171b033a7d136eabfddb9d8a856655
SHA25662057f7750020c259308b91378cc2c31c44cf9548c6558a525d2836ce9ca8daa
SHA51286b0a2a790c82755b8684577468cb4adf32d0ebe958dd5fdba8aca9e915a144a0276c1c66e9d77724c1116cb0c98154d68388197cd37d1cf9e1228a29f7e40cc
-
Filesize
629B
MD57c51a3cd196c154af76f7d57a475487d
SHA1f2067dc3665cf3c7269eaec7022642bdc4a6a375
SHA256ea89a5077fca265853fb87b8dbfc7c1c9bbf6a8d360cb0a01e6a6ce133086937
SHA512efc22e2a44b93210aa1a5e44e98e01b57fff75b24023e093d75886c6103102e4e12f9e7a16b40f29d3fe63393e02b196df0c05aca9ae2eb29b8279950ba08f1c
-
Filesize
36B
MD50b53221b1332efb76ebd2ab7120ff78f
SHA1e3dda4d21e35819eaf50e50c2aab2950ff1505b5
SHA25605bbda79058985c35a48637dcbc66c73176e1f7e4c95e8aef8b762066b780388
SHA512877637688f255d94b94feb3b2444678836db41644f6e1a7d1f902c8c12bab45785393a8f210215eebcdcb3526002632863bf54f026047aa1edee8481b26dddcd
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
36KB