282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823

Analysis

max time kernel
168s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Size

88KB
MD5

0da35354729d24d3f157caf2c047555c
SHA1

5db90c94a729991b71166eb3308bc8fa978a3bf3
SHA256

282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823
SHA512

bcd2a0fce1c8e5039942c15672610d721947a1563474deb57cbdae2071a50b5bdeaf392aaf30623d236fd6ffb83b03a20004f7dd174c1aa2924684301d7cea84
SSDEEP

1536:gWLIH+Su9iLghsK23oNV6XG4vyaXt2x0Wlxk+dr:gWLIH+m0hsK24NV6X1X00Wln

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
5004	taskkill.exe

Modifies registry class 31 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE0\ = "????"	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\IntroText = "@%SystemRoot%\\system32\\SHELL32.dll,-31754"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,-134"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%SystemRoot%\\SysWow64\\SHELL32.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.IE\ = "IE"	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\DefaultIcon	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE0\DefaultIcon	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE0\DefaultIcon\ = "shdoclc.dll,0"	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE0	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.IE0\ = "IE0"	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE0\shell\open	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE0\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE "	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "942747698"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://www.ku6789.com/"	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE0\shell\open\command	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE0\shell	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Search Results Folder"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.IE	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\ = "????"	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open\command	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.IE0	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "@%SystemRoot%\\system32\\SHELL32.dll,-30520"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1616	regedit.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3816	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Token: SeDebugPrivilege	5004	taskkill.exe
Token: SeDebugPrivilege	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Token: SeDebugPrivilege	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Token: SeDebugPrivilege	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Token: SeDebugPrivilege	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Token: SeDebugPrivilege	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Token: SeDebugPrivilege	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Token: SeDebugPrivilege	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
Token: SeDebugPrivilege	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 5004	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	79
PID 4664 wrote to memory of 5004	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	79
PID 4664 wrote to memory of 5004	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	79
PID 4664 wrote to memory of 4600	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	81
PID 4664 wrote to memory of 4600	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	81
PID 4664 wrote to memory of 4600	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	81
PID 4600 wrote to memory of 1616	4600	cmd.exe	83
PID 4600 wrote to memory of 1616	4600	cmd.exe	83
PID 4600 wrote to memory of 1616	4600	cmd.exe	83
PID 4664 wrote to memory of 1372	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	85
PID 4664 wrote to memory of 1372	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	85
PID 4664 wrote to memory of 1372	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	85
PID 4664 wrote to memory of 1344	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	88
PID 4664 wrote to memory of 1344	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	88
PID 4664 wrote to memory of 1344	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	88
PID 4664 wrote to memory of 4080	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	87
PID 4664 wrote to memory of 4080	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	87
PID 4664 wrote to memory of 4080	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	87
PID 4664 wrote to memory of 4216	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	89
PID 4664 wrote to memory of 4216	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	89
PID 4664 wrote to memory of 4216	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	89
PID 4664 wrote to memory of 4292	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	90
PID 4664 wrote to memory of 4292	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	90
PID 4664 wrote to memory of 4292	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	90
PID 4664 wrote to memory of 4212	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	95
PID 4664 wrote to memory of 4212	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	95
PID 4664 wrote to memory of 4212	4664	282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe	95
PID 4212 wrote to memory of 3816	4212	cmd.exe	98
PID 4212 wrote to memory of 3816	4212	cmd.exe	98
PID 4212 wrote to memory of 3816	4212	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe
"C:\Users\Admin\AppData\Local\Temp\282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ZhuDongFangyu.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\jia.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\Users\Admin\AppData\Local\Temp\jia.reg"
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del "c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\google chrome.lnk"
  2⤵
  PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del "c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\microsoft edge.lnk"
  2⤵
  PID:4080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del "c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\google chrome.lnk"
  2⤵
  PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del "c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\shows desktop.lnk"
  2⤵
  PID:4216
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del "c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\window switcher.lnk"
  2⤵
  PID:4292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 1 && del "C:\Users\Admin\AppData\Local\Temp\282f1e37dddd96c41f1441f26fa3f926591bf9ed6cf08ddf061a03dff5d17823.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1
    3⤵
    - Runs ping.exe
    PID:3816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jia.reg

Filesize
6KB

MD5
08af7403acc55b3f3116a77e976dabd5

SHA1
22836833bd04c4f3aa5b5eec02e218a210dc5105

SHA256
591aaa36ddf259dd29e9c040fc02779e4ac9471d88a5701a4dbfa19b030cd894

SHA512
4e8af17efaca7da484c5ef3ec27315b6fb294e5e81c7e5f069514bf3d616caec952437af0c20680ac48881fbe1ac098efc3b26da04db9cf88dcbe86ace7f27e4

Download Submit
memory/4664-134-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4664-145-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download