183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6

Analysis

max time kernel
160s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe
Size

808KB
MD5

1214f7494f01fed4351ccaae1e794d15
SHA1

b311c63d748ffce8f359ca542fb0ed36c7a02f84
SHA256

183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6
SHA512

cfb314f6a4d5fc455ad23a163dd9ac1a98bfcc7fee05095670b644b90e39fff7b1f768fbdb03e0468580c42e2dbc3a627ab697e62b5682da2575924264fb9f02
SSDEEP

12288:5tlYXUn6EYEhM6opSUog3xncGFpbu49YH9Mo4ZJu501OzBAHUqM23kXQBTfU:5zYXUnz5DWoWpb4H9MRw5DBAHU43kghM

Score

8^/10

evasion persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	4948	Rundll32.exe

Executes dropped EXE 3 IoCs

pid	Process
3716	system.exe
4456	183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe
3296	DPInst.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe

Loads dropped DLL 3 IoCs

pid	Process
3792	Rundll32.exe
4948	Rundll32.exe
4948	Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe
File created	C:\Windows\SysWOW64\mwemifaa.dll	system.exe
File created	C:\Windows\SysWOW64\sjwoifaa.dll	system.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\AAV\CDriver.sys	Rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DPINST.LOG	DPInst.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5032	sc.exe
4852	sc.exe
1484	sc.exe
1952	sc.exe
2224	sc.exe
2860	sc.exe
4284	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3792	Rundll32.exe
3792	Rundll32.exe
3792	Rundll32.exe
3792	Rundll32.exe
3792	Rundll32.exe
3792	Rundll32.exe
3792	Rundll32.exe
3792	Rundll32.exe
3792	Rundll32.exe
3792	Rundll32.exe
3792	Rundll32.exe
3792	Rundll32.exe
3792	Rundll32.exe
3792	Rundll32.exe
4948	Rundll32.exe
4948	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
640	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4088	183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 3716	4088	183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe	79
PID 4088 wrote to memory of 3716	4088	183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe	79
PID 4088 wrote to memory of 3716	4088	183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe	79
PID 3716 wrote to memory of 3792	3716	system.exe	80
PID 3716 wrote to memory of 3792	3716	system.exe	80
PID 3716 wrote to memory of 3792	3716	system.exe	80
PID 3792 wrote to memory of 2736	3792	Rundll32.exe	81
PID 3792 wrote to memory of 2736	3792	Rundll32.exe	81
PID 3792 wrote to memory of 2736	3792	Rundll32.exe	81
PID 3792 wrote to memory of 4768	3792	Rundll32.exe	82
PID 3792 wrote to memory of 4768	3792	Rundll32.exe	82
PID 3792 wrote to memory of 4768	3792	Rundll32.exe	82
PID 3792 wrote to memory of 4284	3792	Rundll32.exe	88
PID 3792 wrote to memory of 4284	3792	Rundll32.exe	88
PID 3792 wrote to memory of 4284	3792	Rundll32.exe	88
PID 3792 wrote to memory of 2224	3792	Rundll32.exe	84
PID 3792 wrote to memory of 2224	3792	Rundll32.exe	84
PID 3792 wrote to memory of 2224	3792	Rundll32.exe	84
PID 3792 wrote to memory of 2860	3792	Rundll32.exe	87
PID 3792 wrote to memory of 2860	3792	Rundll32.exe	87
PID 3792 wrote to memory of 2860	3792	Rundll32.exe	87
PID 3792 wrote to memory of 5032	3792	Rundll32.exe	90
PID 3792 wrote to memory of 5032	3792	Rundll32.exe	90
PID 3792 wrote to memory of 5032	3792	Rundll32.exe	90
PID 3792 wrote to memory of 4852	3792	Rundll32.exe	93
PID 3792 wrote to memory of 4852	3792	Rundll32.exe	93
PID 3792 wrote to memory of 4852	3792	Rundll32.exe	93
PID 3792 wrote to memory of 1484	3792	Rundll32.exe	95
PID 3792 wrote to memory of 1484	3792	Rundll32.exe	95
PID 3792 wrote to memory of 1484	3792	Rundll32.exe	95
PID 3792 wrote to memory of 4088	3792	Rundll32.exe	78
PID 3792 wrote to memory of 4088	3792	Rundll32.exe	78
PID 2736 wrote to memory of 1256	2736	net.exe	97
PID 2736 wrote to memory of 1256	2736	net.exe	97
PID 2736 wrote to memory of 1256	2736	net.exe	97
PID 3792 wrote to memory of 3716	3792	Rundll32.exe	79
PID 3792 wrote to memory of 3716	3792	Rundll32.exe	79
PID 3792 wrote to memory of 2736	3792	Rundll32.exe	81
PID 3792 wrote to memory of 2736	3792	Rundll32.exe	81
PID 3792 wrote to memory of 4768	3792	Rundll32.exe	82
PID 3792 wrote to memory of 4768	3792	Rundll32.exe	82
PID 3792 wrote to memory of 4284	3792	Rundll32.exe	88
PID 3792 wrote to memory of 4284	3792	Rundll32.exe	88
PID 3792 wrote to memory of 2224	3792	Rundll32.exe	84
PID 3792 wrote to memory of 2224	3792	Rundll32.exe	84
PID 3792 wrote to memory of 2860	3792	Rundll32.exe	87
PID 3792 wrote to memory of 2860	3792	Rundll32.exe	87
PID 3792 wrote to memory of 5032	3792	Rundll32.exe	90
PID 3792 wrote to memory of 5032	3792	Rundll32.exe	90
PID 3792 wrote to memory of 4852	3792	Rundll32.exe	93
PID 3792 wrote to memory of 4852	3792	Rundll32.exe	93
PID 3792 wrote to memory of 1484	3792	Rundll32.exe	95
PID 3792 wrote to memory of 1484	3792	Rundll32.exe	95
PID 4768 wrote to memory of 4596	4768	net.exe	98
PID 4768 wrote to memory of 4596	4768	net.exe	98
PID 4768 wrote to memory of 4596	4768	net.exe	98
PID 3792 wrote to memory of 1952	3792	Rundll32.exe	99
PID 3792 wrote to memory of 1952	3792	Rundll32.exe	99
PID 3792 wrote to memory of 1952	3792	Rundll32.exe	99
PID 3716 wrote to memory of 4948	3716	system.exe	101
PID 3716 wrote to memory of 4948	3716	system.exe	101
PID 3716 wrote to memory of 4948	3716	system.exe	101
PID 4088 wrote to memory of 4456	4088	183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe	104
PID 4088 wrote to memory of 4456	4088	183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe	104

C:\Users\Admin\AppData\Local\Temp\183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe
"C:\Users\Admin\AppData\Local\Temp\183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\mwemifaa.dll Exbcute
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\SysWOW64\net.exe
      net stop WinDefend
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WinDefend
        5⤵
        
        PID:1256
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        5⤵
        
        PID:4596
  - - C:\Windows\SysWOW64\sc.exe
      sc config MpsSvc start= disabled
      4⤵
      Launches sc.exe
      PID:2224
  - - C:\Windows\SysWOW64\sc.exe
      sc stop ZhuDongFangYu
      4⤵
      Launches sc.exe
      PID:2860
  - - C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:4284
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ZhuDongFangYu
      4⤵
      Launches sc.exe
      PID:5032
  - - C:\Windows\SysWOW64\sc.exe
      sc stop 360rp
      4⤵
      Launches sc.exe
      PID:4852
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360rp
      4⤵
      Launches sc.exe
      PID:1484
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" stop PolicyAgent
      4⤵
      Launches sc.exe
      PID:1952
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\sjwoifaa.dll Exbcute
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID:4948
- C:\Users\Admin\AppData\Local\Temp\183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe
  C:\Users\Admin\AppData\Local\Temp\183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe

Filesize
661KB

MD5
66c2a5f0527f97096455f247e99baba8

SHA1
60d6bc8cec054f9de06f6c34445d8223205192eb

SHA256
518c01c0b4f1a408eaccc01c8b5650f491e3910d29f9af01ee604c12d99cad56

SHA512
1da808d5f18175dbaa29c26d2dae1d1488904f12b316d834e5f540849987e0ec898a2d685517a02ddd549a7df7fb64c57caac954238145c2309c493037f6eeb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\183ec65c1a5a663e162f4d4badc967cb9492183f71a2649b27078eb5f1f6a0c6.exe

Filesize
661KB

MD5
66c2a5f0527f97096455f247e99baba8

SHA1
60d6bc8cec054f9de06f6c34445d8223205192eb

SHA256
518c01c0b4f1a408eaccc01c8b5650f491e3910d29f9af01ee604c12d99cad56

SHA512
1da808d5f18175dbaa29c26d2dae1d1488904f12b316d834e5f540849987e0ec898a2d685517a02ddd549a7df7fb64c57caac954238145c2309c493037f6eeb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\C028.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst.exe

Filesize
1023KB

MD5
aa0a91227631a09cd075d315646fb7a9

SHA1
c0b86c4d6f1e05b842573081bcc7754fcbcaf5bb

SHA256
c20a5d3f5be543a8e73cd25f9dbf14aa0fc4ba1fdc249ee4ff91d159d174d0ea

SHA512
685ae6a514128eefe8fee6cb9e456ea584b91358090dffb41205ab2a2f37e91b4007e6745ccb1e29bc42d191cdb651337c7ca3cf29ef31e8d1aeea56af34c2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst.exe

Filesize
1023KB

MD5
aa0a91227631a09cd075d315646fb7a9

SHA1
c0b86c4d6f1e05b842573081bcc7754fcbcaf5bb

SHA256
c20a5d3f5be543a8e73cd25f9dbf14aa0fc4ba1fdc249ee4ff91d159d174d0ea

SHA512
685ae6a514128eefe8fee6cb9e456ea584b91358090dffb41205ab2a2f37e91b4007e6745ccb1e29bc42d191cdb651337c7ca3cf29ef31e8d1aeea56af34c2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\EnglishLicense.txt

Filesize
13KB

MD5
cd7eb5ec0636786751bb1f4cd08e3c0f

SHA1
df492035cccd34a62be97a789006f3c836993fa1

SHA256
f7a16f2aac1d0e2880fac222bdfeac63b34fec0383809dc440f6ed2c57c46321

SHA512
fb2b672be3d91e62e20b394a1877ab3896d95b8c4d86d2dca6ca8ff1252fc3cbd4e3eb1e5cbf77bd0fec454d6b7386a29bb403c765b6149c35d44ba81875a3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dpinst.xml

Filesize
17KB

MD5
63c1510c0401c18f262a49dd283ede49

SHA1
a7ecbd144b54fa1a2a33450fa296d587bb64545c

SHA256
920877c4b0a1e444d0ab7e8833952d07d371de37550f2f393c428f6ca964cdd6

SHA512
71d2dd0e66003d998c99bfb4dd61355a76b41505dd952cb8385ca1d29247a867c0be1393ebaa8b1a66678354fc64e602cc6ceff2fca275196c0341560ff1ff87

Download Submit
C:\Windows\SysWOW64\mwemifaa.dll

Filesize
76KB

MD5
d6dbfb326d0dc3591675b09ee7ad5f83

SHA1
3b422e8be6f9a61b01c59db9611835f80d647c34

SHA256
4086a147b96e6072e723c8a81ddc90ed7215ee4a5940854b096a928f8e9d0808

SHA512
c574a2a07bea1e2648dc936fb1f7e89efddf474b58a7eae76984c64cb0439a9389e871b04c99e4f6b747e98da5105e1430273e3cd2ab594d83cc45e8f08d6afd

Download Submit
C:\Windows\SysWOW64\mwemifaa.dll

Filesize
76KB

MD5
d6dbfb326d0dc3591675b09ee7ad5f83

SHA1
3b422e8be6f9a61b01c59db9611835f80d647c34

SHA256
4086a147b96e6072e723c8a81ddc90ed7215ee4a5940854b096a928f8e9d0808

SHA512
c574a2a07bea1e2648dc936fb1f7e89efddf474b58a7eae76984c64cb0439a9389e871b04c99e4f6b747e98da5105e1430273e3cd2ab594d83cc45e8f08d6afd

Download Submit
C:\Windows\SysWOW64\sjwoifaa.dll

Filesize
23KB

MD5
35f519f0f70994b3778acac00a42c948

SHA1
b2123bef906dbe73f66b2ac2148e5798bf95d904

SHA256
d85f9001abdf4bc35b26ef42e56d762b3e7fc92b146b2a8b116ebcd3b7797261

SHA512
5238d5978967f73b1025064361c62b20186b792e731fe72a7620219c37a0f38d6c9083989edabe62bd4b59b25f000135d90f574741dcbb4c85f2dd91229ec8a7

Download Submit
C:\Windows\SysWOW64\sjwoifaa.dll

Filesize
23KB

MD5
35f519f0f70994b3778acac00a42c948

SHA1
b2123bef906dbe73f66b2ac2148e5798bf95d904

SHA256
d85f9001abdf4bc35b26ef42e56d762b3e7fc92b146b2a8b116ebcd3b7797261

SHA512
5238d5978967f73b1025064361c62b20186b792e731fe72a7620219c37a0f38d6c9083989edabe62bd4b59b25f000135d90f574741dcbb4c85f2dd91229ec8a7

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
142KB

MD5
7546ef149abfd2d1f67370db4e4d51ee

SHA1
49d80249ca4186376f7987f16a1383a8a6b57008

SHA256
cb4c752f35e1c8a34a884fd056025440dc9af8d7c53f0d157736703c6b67c444

SHA512
b0d95ff480c54a6bd183aaaa7d182d1fa55ab272b272fb0d94133537578220a1aa225f1f3df325c0e6b8eade5602b20a29ab9b0bd9b2783155cca1718fcd154e

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
142KB

MD5
7546ef149abfd2d1f67370db4e4d51ee

SHA1
49d80249ca4186376f7987f16a1383a8a6b57008

SHA256
cb4c752f35e1c8a34a884fd056025440dc9af8d7c53f0d157736703c6b67c444

SHA512
b0d95ff480c54a6bd183aaaa7d182d1fa55ab272b272fb0d94133537578220a1aa225f1f3df325c0e6b8eade5602b20a29ab9b0bd9b2783155cca1718fcd154e

Download Submit
memory/1256-147-0x0000000000000000-mapping.dmp

Download
memory/1484-146-0x0000000000000000-mapping.dmp

Download
memory/1952-149-0x0000000000000000-mapping.dmp

Download
memory/2224-142-0x0000000000000000-mapping.dmp

Download
memory/2736-139-0x0000000000000000-mapping.dmp

Download
memory/2860-143-0x0000000000000000-mapping.dmp

Download
memory/3296-157-0x0000000000000000-mapping.dmp

Download
memory/3716-132-0x0000000000000000-mapping.dmp

Download
memory/3792-136-0x0000000000000000-mapping.dmp

Download
memory/4088-135-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4284-141-0x0000000000000000-mapping.dmp

Download
memory/4456-154-0x0000000000000000-mapping.dmp

Download
memory/4596-148-0x0000000000000000-mapping.dmp

Download
memory/4768-140-0x0000000000000000-mapping.dmp

Download
memory/4852-145-0x0000000000000000-mapping.dmp

Download
memory/4948-150-0x0000000000000000-mapping.dmp

Download
memory/5032-144-0x0000000000000000-mapping.dmp

Download