c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403

General

Target

c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe
Size

181KB
MD5

bacec145e9d2df7ea5d954e06a9ac9f0
SHA1

d51904080f5c78d82f7899187dcc29614de6b56f
SHA256

c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403
SHA512

c45dede4589fc730f703f1ec79773dd98e70190e0c8e42decf558680ec1abb5b555612f37b245e3cb2b8a6068cd6fdfef9137bdf08145b389bd554802b1e5470
SSDEEP

3072:oU9NUisdPspohd5qfffVANIDYtuCBhezkH/43toUYNEI1lcOVVVVVVVVhVVVVVVS:p9NUisNbnqAc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XianHub.lnk	c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3976 set thread context of 3592	3976	c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe	82
PID 2740 set thread context of 4888	2740	XianHub.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe
4888	XianHub.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3592	c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 3592	3976	c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe	82
PID 3976 wrote to memory of 3592	3976	c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe	82
PID 3976 wrote to memory of 3592	3976	c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe	82
PID 3976 wrote to memory of 3592	3976	c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe	82
PID 3976 wrote to memory of 3592	3976	c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe	82
PID 3976 wrote to memory of 3592	3976	c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe	82
PID 3976 wrote to memory of 3592	3976	c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe	82
PID 3976 wrote to memory of 3592	3976	c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe	82
PID 3592 wrote to memory of 2740	3592	c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe	83
PID 3592 wrote to memory of 2740	3592	c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe	83
PID 3592 wrote to memory of 2740	3592	c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe	83
PID 2740 wrote to memory of 4888	2740	XianHub.exe	84
PID 2740 wrote to memory of 4888	2740	XianHub.exe	84
PID 2740 wrote to memory of 4888	2740	XianHub.exe	84
PID 2740 wrote to memory of 4888	2740	XianHub.exe	84
PID 2740 wrote to memory of 4888	2740	XianHub.exe	84
PID 2740 wrote to memory of 4888	2740	XianHub.exe	84
PID 2740 wrote to memory of 4888	2740	XianHub.exe	84
PID 2740 wrote to memory of 4888	2740	XianHub.exe	84

C:\Users\Admin\AppData\Local\Temp\c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe
"C:\Users\Admin\AppData\Local\Temp\c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Local\Temp\c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe
  "C:\Users\Admin\AppData\Local\Temp\c91d31f2acd2a4749358a9749143f09576c2f3162c62f773dcb4a2cd841bb403.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Users\Admin\AppData\Roaming\XianHub\XianHub.exe
    "C:\Users\Admin\AppData\Roaming\XianHub\XianHub.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Roaming\XianHub\XianHub.exe
      "C:\Users\Admin\AppData\Roaming\XianHub\XianHub.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2740-143-0x0000000000FE8000-0x0000000001000000-memory.dmp

Filesize
96KB

Download
memory/3592-138-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3592-135-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3592-137-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3592-134-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3592-140-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3976-136-0x00000000008C9000-0x00000000008E1000-memory.dmp

Filesize
96KB

Download
memory/3976-132-0x00000000008C9000-0x00000000008E1000-memory.dmp

Filesize
96KB

Download
memory/4888-144-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4888-145-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4888-146-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing