e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad

Analysis

max time kernel
153s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad.exe
Size

70KB
MD5

96faf5b0b616102056d3127597596f94
SHA1

b671905a6e781c43e68a79938d09b7d04e482dfe
SHA256

e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad
SHA512

d09bb9df617e9c45e17d2d26a75d650f0ae9fea41c1f8b56bb8c5926e6bd8d3f305fe612c1c3666e50980a2a1e6f8824a6f92035605680ccfa3a0ba5b8650204
SSDEEP

1536:QzUbJZ3+t5sUJoOf8YCyViC1ILv+J223xOHMGODGxquu1R:XZut3JEIMvs2243OYq33

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Microsoft Device Managersjrq\Parameters\ServiceDll	e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad.exe

Loads dropped DLL 1 IoCs

pid	Process
1432	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MyInformations.ini	e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad.exe
File created	C:\Windows\FuckYou.txt	e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad.exe
File created	C:\Windows\FuckYou.reg	e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4980	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4540	e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad.exe
4540	e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe
1432	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeBackupPrivilege	4540	e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad.exe
Token: SeRestorePrivilege	4540	e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 4980	4540	e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad.exe	83
PID 4540 wrote to memory of 4980	4540	e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad.exe	83
PID 4540 wrote to memory of 4980	4540	e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad.exe	83

C:\Users\Admin\AppData\Local\Temp\e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad.exe
"C:\Users\Admin\AppData\Local\Temp\e7ddda2adddf4c5cec7ffbeb16c550e5de0a759be54904bfb609b556b12b65ad.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im ZhuDongFangYu.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4980

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\windows.dll

Filesize
108KB

MD5
bb520b4bee39a39cd96747d2981882fc

SHA1
2aefa8297999af9690f73c6881dec627cfdcd09c

SHA256
87ecbb618236e80fabf14f51875631921b9f18d9197ccdfbd0b34b6439f785e0

SHA512
de28d047f25d7f93b3cf0066e8bf2a6ac50a26189159cb8dd11b40cc1b1768a66c28f9845ce44e7e3d46d91150cceecce8a8610b753567a904040ff0c7ccc59c

Download Submit
\??\c:\windows\SysWOW64\windows.dll

Filesize
108KB

MD5
bb520b4bee39a39cd96747d2981882fc

SHA1
2aefa8297999af9690f73c6881dec627cfdcd09c

SHA256
87ecbb618236e80fabf14f51875631921b9f18d9197ccdfbd0b34b6439f785e0

SHA512
de28d047f25d7f93b3cf0066e8bf2a6ac50a26189159cb8dd11b40cc1b1768a66c28f9845ce44e7e3d46d91150cceecce8a8610b753567a904040ff0c7ccc59c

Download Submit
memory/1432-141-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1432-142-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/4540-135-0x0000000000400000-0x0000000000437991-memory.dmp

Filesize
222KB

Download
memory/4540-137-0x0000000000400000-0x0000000000437991-memory.dmp

Filesize
222KB

Download
memory/4540-139-0x0000000000400000-0x0000000000437991-memory.dmp

Filesize
222KB

Download
memory/4980-136-0x0000000000000000-mapping.dmp

Download