7e2f1d93829b1368d18c7f6124aadca29787617fc14a80bfcba8b6bc5db03a32

Analysis

max time kernel
152s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Blocker.exe
Size

512KB
MD5

6de847035e6f6a62500b1286f9943d40
SHA1

1009a11ca81d9c1bdb55bc0ea5d2a780bfd03b60
SHA256

7e2f1d93829b1368d18c7f6124aadca29787617fc14a80bfcba8b6bc5db03a32
SHA512

362350d5784691966c433dd4cf9474d680139776c0eaff26887b31c4892447caa01b4cd5f49ddad8018b7e4547d10faadf192323059d4d186d4cc9ccbd6804f5
SSDEEP

6144:nJgGMI8kr+rvblQlVkMNPWkzlyjFi7ehxoem71oy1ps:JXj8w+5QnzxzIFi7ehqem71o3

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tiya240583718AI\Parameters\ServiceDll = "C:\\Windows\\system32\\Tiya240583718AI.psl"	Trojan-Ransom.Win32.Blocker.exe

Loads dropped DLL 1 IoCs

pid	Process
3780	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Tiya240583718AI.psl	Trojan-Ransom.Win32.Blocker.exe
File opened for modification	C:\Windows\SysWOW64\windows.tdl	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3796	Trojan-Ransom.Win32.Blocker.exe
3796	Trojan-Ransom.Win32.Blocker.exe

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3796

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k Kernels
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:3780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Tiya240583718AI.psl

Filesize
50.4MB

MD5
80147cf662edbcf89ef587751cabe4d2

SHA1
e36a2f2b239de358e353131921b52ef1c226a608

SHA256
f43c8c868c14efc6c3e0a6ab3c15329a4eb6a75e6bb491b85ec21c63679564a5

SHA512
19e78ccd94a45285a76a5c18521cdd45c1a431e3f1d9a138f1e3d389bee0f465747bd9c44467b1af5c8a6b30c7ff0678f6694afff6c65409f340d054259207a3

Download Submit
\??\c:\windows\SysWOW64\tiya240583718ai.psl

Filesize
50.4MB

MD5
80147cf662edbcf89ef587751cabe4d2

SHA1
e36a2f2b239de358e353131921b52ef1c226a608

SHA256
f43c8c868c14efc6c3e0a6ab3c15329a4eb6a75e6bb491b85ec21c63679564a5

SHA512
19e78ccd94a45285a76a5c18521cdd45c1a431e3f1d9a138f1e3d389bee0f465747bd9c44467b1af5c8a6b30c7ff0678f6694afff6c65409f340d054259207a3

Download Submit