a44f2bb54122176ed127df624275aa523446d509662da9bb961c664a417cbe9d

General

Target

ppaa1101sp1/跑跑艾艾1101sp1.exe
Size

2.4MB
MD5

998f77aeeafe948afd2332dc3813b0d0
SHA1

873ca6cb898f720a41315f42c359a5b3755116c5
SHA256

ade6caef83a8173516177690439852cfdc92e20bbcf741a9f6f851e9c8aacbe2
SHA512

12fae2c27b87d4e22b965fac8bd75b425fc2d0c803dfd2f006957a30ddb4e20edd6fc5024269cbe076005497e307cc8f7a1a60d0e2a76fc3341db94277c61ec0
SSDEEP

24576:lMOO6fBzJuMiuaU6hhkX54k5nvVeBeCQiqElvMQKVNsDr+ClG82Zkw3BOTvEeEZx:Cn6xnvVeBKSMnVNqlG6VTceWrQA

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

empty.exe

pid process

612 empty.exe
Drops file in Windows directory 1 IoCs

Processes:

跑跑艾艾1101sp1.exe

description ioc process

File created C:\Windows\empty.exe 跑跑艾艾1101sp1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
612	empty.exe

description	ioc	process
File created	C:\Windows\empty.exe	跑跑艾艾1101sp1.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

Processes:

跑跑艾艾1101sp1.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\it1686.com\Total = "63"	跑跑艾艾1101sp1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.it1686.com\ = "189"	跑跑艾艾1101sp1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\it1686.com\Total = "189"	跑跑艾艾1101sp1.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	跑跑艾艾1101sp1.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	跑跑艾艾1101sp1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.it1686.com\ = "63"	跑跑艾艾1101sp1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "252"	跑跑艾艾1101sp1.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.it1686.com	跑跑艾艾1101sp1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.it1686.com\ = "126"	跑跑艾艾1101sp1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\it1686.com\Total = "126"	跑跑艾艾1101sp1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\it1686.com\NumberOfSubdomains = "1"	跑跑艾艾1101sp1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	跑跑艾艾1101sp1.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	跑跑艾艾1101sp1.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\it1686.com	跑跑艾艾1101sp1.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	跑跑艾艾1101sp1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.it1686.com\ = "252"	跑跑艾艾1101sp1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\it1686.com\Total = "252"	跑跑艾艾1101sp1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	跑跑艾艾1101sp1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	跑跑艾艾1101sp1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	跑跑艾艾1101sp1.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

跑跑艾艾1101sp1.exeempty.exeAUDIODG.EXE

description	pid	process
Token: 1	2016	跑跑艾艾1101sp1.exe
Token: SeCreateTokenPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeAssignPrimaryTokenPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeLockMemoryPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeIncreaseQuotaPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeMachineAccountPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeTcbPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeSecurityPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeTakeOwnershipPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeLoadDriverPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeSystemProfilePrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeSystemtimePrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeProfSingleProcessPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeIncBasePriorityPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeCreatePagefilePrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeCreatePermanentPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeBackupPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeRestorePrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeShutdownPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeDebugPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeAuditPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeSystemEnvironmentPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeChangeNotifyPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeRemoteShutdownPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeUndockPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeSyncAgentPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeEnableDelegationPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeManageVolumePrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeImpersonatePrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeCreateGlobalPrivilege	2016	跑跑艾艾1101sp1.exe
Token: 31	2016	跑跑艾艾1101sp1.exe
Token: 32	2016	跑跑艾艾1101sp1.exe
Token: 33	2016	跑跑艾艾1101sp1.exe
Token: 34	2016	跑跑艾艾1101sp1.exe
Token: 35	2016	跑跑艾艾1101sp1.exe
Token: SeDebugPrivilege	2016	跑跑艾艾1101sp1.exe
Token: SeDebugPrivilege	612	empty.exe
Token: 33	612	empty.exe
Token: SeIncBasePriorityPrivilege	612	empty.exe
Token: 33	516	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	516	AUDIODG.EXE
Token: 33	516	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	516	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

跑跑艾艾1101sp1.exe

pid process

2016 跑跑艾艾1101sp1.exe
2016 跑跑艾艾1101sp1.exe
2016 跑跑艾艾1101sp1.exe
2016 跑跑艾艾1101sp1.exe

pid	process
2016	跑跑艾艾1101sp1.exe
2016	跑跑艾艾1101sp1.exe
2016	跑跑艾艾1101sp1.exe
2016	跑跑艾艾1101sp1.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

跑跑艾艾1101sp1.exe

description	pid	process	target process
PID 2016 wrote to memory of 612	2016	跑跑艾艾1101sp1.exe	empty.exe
PID 2016 wrote to memory of 612	2016	跑跑艾艾1101sp1.exe	empty.exe
PID 2016 wrote to memory of 612	2016	跑跑艾艾1101sp1.exe	empty.exe
PID 2016 wrote to memory of 612	2016	跑跑艾艾1101sp1.exe	empty.exe

C:\Users\Admin\AppData\Local\Temp\ppaa1101sp1\跑跑艾艾1101sp1.exe
"C:\Users\Admin\AppData\Local\Temp\ppaa1101sp1\跑跑艾艾1101sp1.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\empty.exe
C:\Windows\empty.exe 2016
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x448
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\empty.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
memory/612-57-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads