a4160313562563fe02a2c7ad5860e6be274785271359322697218e2c1fd97461

General

Target

a4160313562563fe02a2c7ad5860e6be274785271359322697218e2c1fd97461.exe
Size

232KB
MD5

aa001872e37dfa8d0f00bef6ad4e73c7
SHA1

879418032f98d1fce502472a97d7d21c840388c5
SHA256

a4160313562563fe02a2c7ad5860e6be274785271359322697218e2c1fd97461
SHA512

444bcdb29f6b67f4f4bac55f655d395002e6149c577bde5208e950979a78fd3aa7464d188d034c6ef8e9f6abdfdd80de46b55a8059d4c4ae30184f6e89414646
SSDEEP

6144:KME1nmg1tDbJ5621YNAUvAXiXdee4Q/flRX9MJy1W3NLqpMgK:LgnJqLXdee4GvX9XQdLmA

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1124	RuijieSupplicant.exe
4596	8021x.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a4160313562563fe02a2c7ad5860e6be274785271359322697218e2c1fd97461.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RuijieSupplicant.exe

Loads dropped DLL 1 IoCs

pid	Process
4596	8021x.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1124	RuijieSupplicant.exe
4596	8021x.exe
4596	8021x.exe
4596	8021x.exe
4596	8021x.exe
4596	8021x.exe
4596	8021x.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 1124	4600	a4160313562563fe02a2c7ad5860e6be274785271359322697218e2c1fd97461.exe	81
PID 4600 wrote to memory of 1124	4600	a4160313562563fe02a2c7ad5860e6be274785271359322697218e2c1fd97461.exe	81
PID 4600 wrote to memory of 1124	4600	a4160313562563fe02a2c7ad5860e6be274785271359322697218e2c1fd97461.exe	81
PID 1124 wrote to memory of 4596	1124	RuijieSupplicant.exe	82
PID 1124 wrote to memory of 4596	1124	RuijieSupplicant.exe	82
PID 1124 wrote to memory of 4596	1124	RuijieSupplicant.exe	82

C:\Users\Admin\AppData\Local\Temp\a4160313562563fe02a2c7ad5860e6be274785271359322697218e2c1fd97461.exe
"C:\Users\Admin\AppData\Local\Temp\a4160313562563fe02a2c7ad5860e6be274785271359322697218e2c1fd97461.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Local\Temp\Ruijie\RuijieSupplicant.exe
  "C:\Users\Admin\AppData\Local\Temp\Ruijie\RuijieSupplicant.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\Ruijie\8021x.exe
    "C:\Users\Admin\AppData\Local\Temp\Ruijie\8021x.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ruijie\8021x.exe

Filesize
180KB

MD5
abfddc810c5ec70c614cbd101b6baa8a

SHA1
8411fdbc67aa8b62acfbf1852dac5c94b436c20c

SHA256
2927b0d54c02ba90d68e61539d87f12339a338478fdbd111ae13e28c817677e2

SHA512
dbb4537ab5a0c850b2683ca7708a120e211b916ff14ee2230033b33aa4032b9e93355d98c08fe8e365ce40fdb5333cee2ca0761f8120e7f63d5282710766581d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruijie\8021x.exe

Filesize
180KB

MD5
abfddc810c5ec70c614cbd101b6baa8a

SHA1
8411fdbc67aa8b62acfbf1852dac5c94b436c20c

SHA256
2927b0d54c02ba90d68e61539d87f12339a338478fdbd111ae13e28c817677e2

SHA512
dbb4537ab5a0c850b2683ca7708a120e211b916ff14ee2230033b33aa4032b9e93355d98c08fe8e365ce40fdb5333cee2ca0761f8120e7f63d5282710766581d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruijie\RuijieSupplicant.exe

Filesize
24KB

MD5
9edff7cad88dc69b14f7f56ccd0a7a37

SHA1
55608b83bb6d7fe60ab0efac8390d3722ca93ef0

SHA256
fb486e9c258c980f5d0b7e157c5fedfdbc3cd19287672a4b860b8beb2e6d53ed

SHA512
bcdfab3bf799a4a96805e33db71911e5b3d138ad814faa8c9f84db112337e274de14b44db3d18e2e711cf92c640d7cea5c9913d1177d4dc21051d2d973ef20d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruijie\RuijieSupplicant.exe

Filesize
24KB

MD5
9edff7cad88dc69b14f7f56ccd0a7a37

SHA1
55608b83bb6d7fe60ab0efac8390d3722ca93ef0

SHA256
fb486e9c258c980f5d0b7e157c5fedfdbc3cd19287672a4b860b8beb2e6d53ed

SHA512
bcdfab3bf799a4a96805e33db71911e5b3d138ad814faa8c9f84db112337e274de14b44db3d18e2e711cf92c640d7cea5c9913d1177d4dc21051d2d973ef20d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruijie\SystemConfigure.ini

Filesize
284B

MD5
b488fb078dd50cacfce68e6da3dd7705

SHA1
6f38cd606a347d219e234516c2a3998f3738a7b5

SHA256
9cf3a101c35061eed47f1d8b422f95343949707dc1c23c4ec431507cfa70e5bf

SHA512
53dc7206316235588377ddd9ec4486b7af5c61e22a92d514c04ef61d5f6a511120f31e7c69869ba67079a41ca0ada911cd1e3b0578e577ebaf5676e3fcfb3b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruijie\W32N50.DLL

Filesize
60KB

MD5
f3c722f1a5372e4c9b7e76d76619a3a0

SHA1
9217c2ed4669a7a9fa95bf766a9a403f20f371b9

SHA256
138029e51ea902db57770aba6d166baabb81459a35edc673e497350154426f4e

SHA512
162b63428fd027958ff661e4be2e2909c2e8ade30a3c1ba33b1b57b5edf975fb1455d5a9709f90aef014fcf472f28fa70c827e13cc565f5da5f9365787498459

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruijie\W32N50.dll

Filesize
60KB

MD5
f3c722f1a5372e4c9b7e76d76619a3a0

SHA1
9217c2ed4669a7a9fa95bf766a9a403f20f371b9

SHA256
138029e51ea902db57770aba6d166baabb81459a35edc673e497350154426f4e

SHA512
162b63428fd027958ff661e4be2e2909c2e8ade30a3c1ba33b1b57b5edf975fb1455d5a9709f90aef014fcf472f28fa70c827e13cc565f5da5f9365787498459

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruijie\uiCHS.ini

Filesize
2KB

MD5
b051a7b25572c6556629ec35ce018d61

SHA1
fedf049910a1e17c164e8018b4452838937327e2

SHA256
66a85067c732f22dfeafeb016844d565f6dd47171bc7a0283009ca13be74e833

SHA512
376afa843f008a742468c3694280e69390e14ef11d9b527053fced93e58b6afd9a8513e54e65a422f087a5d711618ef7ad62638dd91fca0c00ccfc628c78e3f9

Download Submit
memory/4600-132-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4600-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing