Analysis
- max time kernel: 16s
- max time network: 36s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 17:19
Static task: static1
Behavioral task: behavioral1
- Sample: a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
- Resource: win10v2004-20221111-en
General
- Target: a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
- Size: 88KB
- MD5: 5351b27edbb6bbf53a203b6f6e82c259
- SHA1: 0f67890e0cb30eb06a27746a5e0825275c8376b0
- SHA256: a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67
- SHA512: 2973bfaedfb480bce2b9f14e3ae3e517d7d38330c672f1dc2a8c65a75af6dc0c3ccb6eee3047d828a300121590ace0672c4c057bd318b78100394ea254d8acb3
- SSDEEP: 1536:JzIbMeD0MjCC45sBTHzzCaPZlJd9KvhY+wdb:JzIbMeykvdPpdc4
Malware Config
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (int) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
    756 | cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes (pid | process):
    1708 | taskkill.exe
- Modifies registry class (11 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE " | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IE\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0" | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.IE | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IE | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IE\NeverShowExt = "1" | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open\command | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IE\DefaultIcon | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.IE\ = "IE" | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IE\ = "????" | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid | process):
    1264 | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1264 | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
    Token: SeDebugPrivilege | 1708 | taskkill.exe
    Token: SeDebugPrivilege | 1264 | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
    Token: SeDebugPrivilege | 1264 | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
    Token: SeDebugPrivilege | 1264 | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
    Token: SeDebugPrivilege | 1264 | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
    1264 | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1264 wrote to memory of 1708 | 1264 | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe | taskkill.exe
    PID 1264 wrote to memory of 1708 | 1264 | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe | taskkill.exe
    PID 1264 wrote to memory of 1708 | 1264 | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe | taskkill.exe
    PID 1264 wrote to memory of 1708 | 1264 | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe | taskkill.exe
    PID 1264 wrote to memory of 756 | 1264 | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe | cmd.exe
    PID 1264 wrote to memory of 756 | 1264 | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe | cmd.exe
    PID 1264 wrote to memory of 756 | 1264 | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe | cmd.exe
    PID 1264 wrote to memory of 756 | 1264 | a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe | cmd.exe
    PID 756 wrote to memory of 892 | 756 | cmd.exe | PING.EXE
    PID 756 wrote to memory of 892 | 756 | cmd.exe | PING.EXE
    PID 756 wrote to memory of 892 | 756 | cmd.exe | PING.EXE
    PID 756 wrote to memory of 892 | 756 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe"
  - Modifies visibility of file extensions in Explorer
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /f /im ZhuDongFangyu.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ping 127.0.0.1 -n 1 && del "C:\Users\Admin\AppData\Local\Temp\a8c1a65d0bc90e59d2cece467987d91c43e76d483184a2f9ffd8f26a8499cc67.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/756-58-0x0000000000000000-mapping.dmp
- memory/892-60-0x0000000000000000-mapping.dmp
- memory/1264-57-0x0000000074E01000-0x0000000074E03000-memory.dmp (Filesize: 8KB)
- memory/1264-59-0x0000000000400000-0x0000000000416000-memory.dmp (Filesize: 88KB)
- memory/1708-56-0x0000000000000000-mapping.dmp