12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402

General

Target

12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
Size

22KB
MD5

51a1affc3405359fdd6b2caa9ad6b760
SHA1

26a1398fb4a34f12ce7280e182045b1ea201cef2
SHA256

12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402
SHA512

db7f8374edfa72aa6dc445df57965e7d44c3f90adde1f96436f66abeca569af051e3677c3392a68392cb1149f65ec2a7336ffc674a5e5a7fdbfc82ee1d334f44
SSDEEP

384:Piv9NM67LuJP7xaQ0xh5K+BrIyucYetD++xh1iyzknYjc5SamYhNcngkiM:P0fMrL0xhNBBYetDxhY1Yjcw3vngu

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1816 taskkill.exe

pid	process
1816	taskkill.exe

Modifies registry class 11 IoCs

Processes:

12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\ = "????"	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open\command	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE "	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\DefaultIcon	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.IE	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.IE\ = "IE"	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\NeverShowExt = "1"	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

216 PING.EXE

pid	process
216	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe

pid	process
4456	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
4456	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4456	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	4456	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
Token: SeDebugPrivilege	4456	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
Token: SeDebugPrivilege	4456	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
Token: SeDebugPrivilege	4456	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe

pid process

4456 12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.execmd.exe

description	pid	process	target process
PID 4456 wrote to memory of 1816	4456	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe	taskkill.exe
PID 4456 wrote to memory of 1816	4456	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe	taskkill.exe
PID 4456 wrote to memory of 1816	4456	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe	taskkill.exe
PID 4456 wrote to memory of 5080	4456	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe	cmd.exe
PID 4456 wrote to memory of 5080	4456	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe	cmd.exe
PID 4456 wrote to memory of 5080	4456	12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe	cmd.exe
PID 5080 wrote to memory of 216	5080	cmd.exe	PING.EXE
PID 5080 wrote to memory of 216	5080	cmd.exe	PING.EXE
PID 5080 wrote to memory of 216	5080	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe
"C:\Users\Admin\AppData\Local\Temp\12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ZhuDongFangyu.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 1 && del "C:\Users\Admin\AppData\Local\Temp\12277eb7b04f06740fe7c37e2385ccf6909712f5891e75fc98fcbd15016e7402.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1
3⤵
- Runs ping.exe
PID:216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/216-138-0x0000000000000000-mapping.dmp

Download
memory/1816-135-0x0000000000000000-mapping.dmp

Download
memory/4456-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4456-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5080-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads