545de4bac8161fcf4fc1417b3afcf867fd9c36befaa94662c4d8dd201efd87f7

General

Target

545de4bac8161fcf4fc1417b3afcf867fd9c36befaa94662c4d8dd201efd87f7.exe
Size

101KB
MD5

6df24c3f826f9c83bf5815c779a7e3ab
SHA1

b1f6e562ffe5e94cd67a10f40def21b1d94e8b73
SHA256

545de4bac8161fcf4fc1417b3afcf867fd9c36befaa94662c4d8dd201efd87f7
SHA512

a9248d53fc85f8c1be6b53fe0f41d74fcbc95527698b3c47c9c6c9e76507309586b0981326acc5e295837898cbf78aa7fef252bfc285b2d80ced5c532160bf11
SSDEEP

3072:aaHXHcFqMerHDQJhCGaD7QXAGFuGHg9SmDiBietr:aaHXYevrGg7tOHLBietr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

AnjieUpdate.exesvchost.exeGuarder.exe

pid process

4372 AnjieUpdate.exe
536 svchost.exe
3268 Guarder.exe

pid	process
4372	AnjieUpdate.exe
536	svchost.exe
3268	Guarder.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe

Drops file in Program Files directory 7 IoCs

Processes:

svchost.exe545de4bac8161fcf4fc1417b3afcf867fd9c36befaa94662c4d8dd201efd87f7.exeAnjieUpdate.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Shared\Guarder.exe	svchost.exe
File created	C:\Program Files (x86)\Common Files\Shared\Guarder.exe	svchost.exe
File created	C:\Program Files (x86)\MyCpa\AnjieUpdate.exe	545de4bac8161fcf4fc1417b3afcf867fd9c36befaa94662c4d8dd201efd87f7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Shared\Record.dat	AnjieUpdate.exe
File opened for modification	C:\Program Files (x86)\Common Files\Shared\svchost.exe	AnjieUpdate.exe
File created	C:\Program Files (x86)\Common Files\Shared\svchost.exe	AnjieUpdate.exe
File opened for modification	C:\Program Files (x86)\Common Files\Shared\RCXB105.tmp	AnjieUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnjieUpdate.exe

pid process

4372 AnjieUpdate.exe
4372 AnjieUpdate.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Guarder.exe

description pid process

Token: SeIncBasePriorityPrivilege 3268 Guarder.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AnjieUpdate.exesvchost.exeGuarder.exe

pid process

4372 AnjieUpdate.exe
536 svchost.exe
536 svchost.exe
3268 Guarder.exe
3268 Guarder.exe

pid	process
4372	AnjieUpdate.exe
4372	AnjieUpdate.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3268	Guarder.exe

pid	process
4372	AnjieUpdate.exe
536	svchost.exe
536	svchost.exe
3268	Guarder.exe
3268	Guarder.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

545de4bac8161fcf4fc1417b3afcf867fd9c36befaa94662c4d8dd201efd87f7.exeAnjieUpdate.exesvchost.exe

description	pid	process	target process
PID 4996 wrote to memory of 4372	4996	545de4bac8161fcf4fc1417b3afcf867fd9c36befaa94662c4d8dd201efd87f7.exe	AnjieUpdate.exe
PID 4996 wrote to memory of 4372	4996	545de4bac8161fcf4fc1417b3afcf867fd9c36befaa94662c4d8dd201efd87f7.exe	AnjieUpdate.exe
PID 4996 wrote to memory of 4372	4996	545de4bac8161fcf4fc1417b3afcf867fd9c36befaa94662c4d8dd201efd87f7.exe	AnjieUpdate.exe
PID 4372 wrote to memory of 536	4372	AnjieUpdate.exe	svchost.exe
PID 4372 wrote to memory of 536	4372	AnjieUpdate.exe	svchost.exe
PID 4372 wrote to memory of 536	4372	AnjieUpdate.exe	svchost.exe
PID 536 wrote to memory of 3268	536	svchost.exe	Guarder.exe
PID 536 wrote to memory of 3268	536	svchost.exe	Guarder.exe
PID 536 wrote to memory of 3268	536	svchost.exe	Guarder.exe

C:\Users\Admin\AppData\Local\Temp\545de4bac8161fcf4fc1417b3afcf867fd9c36befaa94662c4d8dd201efd87f7.exe
"C:\Users\Admin\AppData\Local\Temp\545de4bac8161fcf4fc1417b3afcf867fd9c36befaa94662c4d8dd201efd87f7.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Program Files (x86)\MyCpa\AnjieUpdate.exe
  "C:\Program Files (x86)\MyCpa\AnjieUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Program Files (x86)\Common Files\Shared\svchost.exe
    "C:\Program Files (x86)\Common Files\Shared\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Program Files (x86)\Common Files\Shared\Guarder.exe
      536*C:\Program Files (x86)\Common Files\Shared\svchost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Shared\Guarder.exe

Filesize
4.1MB

MD5
ccc7f185c60f18d1ef283b159ad191a1

SHA1
d0b9370d0429e1e72779715aa1f0fc36c2995576

SHA256
e9c1790b3c8cd5c2d8224a4d8d48564e65cbe64005be3db44be4398dfb00b303

SHA512
460e076b042356b7dba3732c0b712e31e16a2274b1f89054f51f79c04d26c41dfddb4c1a7b776cd8581b124d9f625e71ea2e3d3edbe9e76f45e9cc6da4442445

Download Submit
C:\Program Files (x86)\Common Files\Shared\Guarder.exe

Filesize
4.1MB

MD5
ccc7f185c60f18d1ef283b159ad191a1

SHA1
d0b9370d0429e1e72779715aa1f0fc36c2995576

SHA256
e9c1790b3c8cd5c2d8224a4d8d48564e65cbe64005be3db44be4398dfb00b303

SHA512
460e076b042356b7dba3732c0b712e31e16a2274b1f89054f51f79c04d26c41dfddb4c1a7b776cd8581b124d9f625e71ea2e3d3edbe9e76f45e9cc6da4442445

Download Submit
C:\Program Files (x86)\Common Files\Shared\Record.dat

Filesize
260B

MD5
ef88b718d732225bd280ea341e83ce55

SHA1
9cd463d30f96d3137cfc057d747cb11eb63ca42b

SHA256
ed28d7fee521ee231fc32d31c18e6bd8640238d374f7fb6905c27ad852bd2a5a

SHA512
f37a3b5cdecb89f8cb06b79d9db186cc22cac4a1fdb44e56abecf5c09931093154a0388143a2316e318ffc8c10bafe9a790fe49c5baa0c96756a97fc00a51e34

Download Submit
C:\Program Files (x86)\Common Files\Shared\svchost.exe

Filesize
4.1MB

MD5
ccc7f185c60f18d1ef283b159ad191a1

SHA1
d0b9370d0429e1e72779715aa1f0fc36c2995576

SHA256
e9c1790b3c8cd5c2d8224a4d8d48564e65cbe64005be3db44be4398dfb00b303

SHA512
460e076b042356b7dba3732c0b712e31e16a2274b1f89054f51f79c04d26c41dfddb4c1a7b776cd8581b124d9f625e71ea2e3d3edbe9e76f45e9cc6da4442445

Download Submit
C:\Program Files (x86)\Common Files\Shared\svchost.exe

Filesize
4.1MB

MD5
ccc7f185c60f18d1ef283b159ad191a1

SHA1
d0b9370d0429e1e72779715aa1f0fc36c2995576

SHA256
e9c1790b3c8cd5c2d8224a4d8d48564e65cbe64005be3db44be4398dfb00b303

SHA512
460e076b042356b7dba3732c0b712e31e16a2274b1f89054f51f79c04d26c41dfddb4c1a7b776cd8581b124d9f625e71ea2e3d3edbe9e76f45e9cc6da4442445

Download Submit
C:\Program Files (x86)\MyCpa\AnjieUpdate.exe

Filesize
97KB

MD5
714b0c392259658db7a9e50d1b9cdf12

SHA1
34f0ebb109b57c5a0e97250236ecf0032a956c13

SHA256
c1b30cb68bb9da5220783cb596caa036e421b90cd4b71eddafa9024f138d925a

SHA512
93bfb9ab209bcab398e136489139d1155ebec07597eac1900f9e93e2c251e6f3ec4e4925781d6edb013e2c7cd819a1939d175d9940e9f82a1074f201d37b8e05

Download Submit
C:\Program Files (x86)\MyCpa\AnjieUpdate.exe

Filesize
97KB

MD5
714b0c392259658db7a9e50d1b9cdf12

SHA1
34f0ebb109b57c5a0e97250236ecf0032a956c13

SHA256
c1b30cb68bb9da5220783cb596caa036e421b90cd4b71eddafa9024f138d925a

SHA512
93bfb9ab209bcab398e136489139d1155ebec07597eac1900f9e93e2c251e6f3ec4e4925781d6edb013e2c7cd819a1939d175d9940e9f82a1074f201d37b8e05

Download Submit
memory/536-135-0x0000000000000000-mapping.dmp

Download
memory/3268-139-0x0000000000000000-mapping.dmp

Download
memory/4372-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads