Analysis
- max time kernel: 172s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 12:30
Static task: static1
Behavioral task: behavioral1
  Sample: 4643baa22a235eb03cae5d34721344252502e8afe694c45181a525959bf23143.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 4643baa22a235eb03cae5d34721344252502e8afe694c45181a525959bf23143.exe
  Resource: win10v2004-20220812-en
General
- Target: 4643baa22a235eb03cae5d34721344252502e8afe694c45181a525959bf23143.exe
- Size: 2.3MB
- MD5: 7d3e93fc091ccdd68e788d95b38039cf
- SHA1: 235208ce96c79edc705278fc2fe2108c1384b4b9
- SHA256: 4643baa22a235eb03cae5d34721344252502e8afe694c45181a525959bf23143
- SHA512: 8658c1f3d6dd093c0fc10aafca18d5aa351e6a76ba3bcab660deb9b3e8da74ee7ffa9cca313a452e09c1d5278afd032dd153d9365e0f62a4042c1428e3140a45
- SSDEEP: 49152:gQEquvUsXYCElzopHbfxtFiw5FGic2Ty1YOLPUN:g3qSUsXaoBxS8GipjO4N
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (4 IoCs)
Detects file using ACProtect software.
  resource                                            yara_rule
  C:\Users\Admin\AppData\Local\360data\c601018a.z     acprotect
  C:\Users\Admin\AppData\Local\360data\c601018a.z     acprotect
  C:\Users\Admin\AppData\Local\360data\websyber.dll   acprotect
  C:\Users\Admin\AppData\Local\360data\websyber.dll   acprotect
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  4856  tlbb999.exe
  2252  28F4.tmp
  1224  多开器.exe
Matches yara rule upx (7 IoCs)
  resource                                                               yara_rule
  C:\Users\Admin\AppData\Local\360data\c601018a.z                        upx
  C:\Users\Admin\AppData\Local\360data\c601018a.z                        upx
  behavioral2/memory/1412-148-0x0000000010000000-0x000000001002D000-memory.dmp   upx
  C:\Users\Admin\AppData\Local\360data\websyber.dll                      upx
  C:\Users\Admin\AppData\Local\360data\websyber.dll                      upx
  behavioral2/memory/2200-154-0x0000000010000000-0x000000001002D000-memory.dmp   upx
  behavioral2/memory/2200-155-0x0000000010000000-0x000000001002D000-memory.dmp   upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description        ioc                                                                                                        process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation        4643baa22a235eb03cae5d34721344252502e8afe694c45181a525959bf23143.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description  ioc                                                                                  process
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine           4643baa22a235eb03cae5d34721344252502e8afe694c45181a525959bf23143.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1412  rundll32.exe
  2200  rundll32.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\360Update = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\360data\\websyber.dll\",_RunAs@16"   rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                       rundll32.exe
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description                   ioc                  process
  File opened for modification  \??\PhysicalDrive0   4643baa22a235eb03cae5d34721344252502e8afe694c45181a525959bf23143.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
  pid   process
  4616  4643baa22a235eb03cae5d34721344252502e8afe694c45181a525959bf23143.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (64 events in total; the distinct pid/process pairs are listed once each):
  pid   process
  4616  4643baa22a235eb03cae5d34721344252502e8afe694c45181a525959bf23143.exe
  1412  rundll32.exe
  2200  rundll32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  1224  多开器.exe
  1224  多开器.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (each entry below appears 3 times in the report, 15 events in total):
  description       pid   process                                                                 target process
  wrote to memory   4616  4643baa22a235eb03cae5d34721344252502e8afe694c45181a525959bf23143.exe  tlbb999.exe (4856)
  wrote to memory   4856  tlbb999.exe                                                             28F4.tmp (2252)
  wrote to memory   4616  4643baa22a235eb03cae5d34721344252502e8afe694c45181a525959bf23143.exe  多开器.exe (1224)
  wrote to memory   2252  28F4.tmp                                                                rundll32.exe (1412)
  wrote to memory   1412  rundll32.exe                                                            rundll32.exe (2200)
Processes
C:\Users\Admin\AppData\Local\Temp\4643baa22a235eb03cae5d34721344252502e8afe694c45181a525959bf23143.exe  (level 1, PID 4616)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4643baa22a235eb03cae5d34721344252502e8afe694c45181a525959bf23143.exe"
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\tlbb999.exe  (level 2, PID 4856)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tlbb999.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\28F4.tmp  (level 3, PID 2252)
      Command line: "C:\Users\Admin\AppData\Local\Temp\28F4.tmp" "C:\Users\Admin\AppData\Local\Temp\tlbb999.exe" "4856"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe  (level 4, PID 1412)
        Command line: rundll32 "C:\Users\Admin\AppData\Local\360data\c601018a.z",_RunAs@16
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe  (level 5, PID 2200)
          Command line: rundll32 "C:\Users\Admin\AppData\Local\360data\websyber.dll",_RunAs@16
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\多开器.exe  (level 2, PID 1224)
    Command line: "C:\Users\Admin\AppData\Local\Temp\多开器.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\360data\c601018a.z
  Filesize: 49KB
  MD5: d895b53fa7c92b7d9efc7ca668e6fe69
  SHA1: 74c46220a419d143f89c82245185d013d2f9d26f
  SHA256: 8f4044489c249d51ffdb6e2c0b4aa47879451bf79f7cfd4f2b6cbb3e3e704231
  SHA512: 694a55f842402cc68cd77614a33df7b3633951424204127fdab038a10f684645da79d7d1212c56c887774f1b8620efe7b17d3ac30e1f8db9f5d191ee40142a8b
C:\Users\Admin\AppData\Local\360data\websyber.dll
  Filesize: 49KB
  MD5: d895b53fa7c92b7d9efc7ca668e6fe69
  SHA1: 74c46220a419d143f89c82245185d013d2f9d26f
  SHA256: 8f4044489c249d51ffdb6e2c0b4aa47879451bf79f7cfd4f2b6cbb3e3e704231
  SHA512: 694a55f842402cc68cd77614a33df7b3633951424204127fdab038a10f684645da79d7d1212c56c887774f1b8620efe7b17d3ac30e1f8db9f5d191ee40142a8b
C:\Users\Admin\AppData\Local\Temp\28F4.tmp
  Filesize: 56KB
  MD5: a6477baa52b0c9b78c319e3e3fea07a3
  SHA1: f0f2f519f666bed29809219b9499ce530ae5f212
  SHA256: 0f1a0c0c183393d228a59316a29b7905ec65cf991fe4f16c65b90a68d31c9ade
  SHA512: 42fcd200deecd8e616d131058815f58bb4a479ef56cec93663226bf9f47a964f4d68650f07f17032f502fad0fb9fd2fb9225c0dd4d78293717e9cdd6447e7ff7
C:\Users\Admin\AppData\Local\Temp\tlbb999.exe
  Filesize: 56KB
  MD5: a6477baa52b0c9b78c319e3e3fea07a3
  SHA1: f0f2f519f666bed29809219b9499ce530ae5f212
  SHA256: 0f1a0c0c183393d228a59316a29b7905ec65cf991fe4f16c65b90a68d31c9ade
  SHA512: 42fcd200deecd8e616d131058815f58bb4a479ef56cec93663226bf9f47a964f4d68650f07f17032f502fad0fb9fd2fb9225c0dd4d78293717e9cdd6447e7ff7
C:\Users\Admin\AppData\Local\Temp\多开器.exe
  Filesize: 676KB
  MD5: 08f761c819282570de720c7893c6beda
  SHA1: df587d97dc70b60141202b228358b7ea3bdd2d88
  SHA256: e5a0c5d5b3c9b9c467addacda608dcfb79b33425908e1588a0ccb24a438b879e
  SHA512: 7ee84f46a62e5ac9a6a60648017db43c31281a0366696e2ce99abff6b9564bfc3f5522e6a52ffe204af9614ea9b10e5894fe6be91f1ab3e6c7c6671553bc4eae

Memory dumps
memory/1224-141-0x0000000000000000-mapping.dmp
memory/1412-148-0x0000000010000000-0x000000001002D000-memory.dmp
  Filesize: 180KB
memory/1412-144-0x0000000000000000-mapping.dmp
memory/2200-151-0x0000000000000000-mapping.dmp
memory/2200-154-0x0000000010000000-0x000000001002D000-memory.dmp
  Filesize: 180KB
memory/2200-155-0x0000000010000000-0x000000001002D000-memory.dmp
  Filesize: 180KB
memory/2252-138-0x0000000000000000-mapping.dmp
memory/2252-150-0x0000000000400000-0x0000000000411000-memory.dmp
  Filesize: 68KB
memory/4616-145-0x0000000000400000-0x0000000000A1D000-memory.dmp
  Filesize: 6.1MB
memory/4616-132-0x0000000000400000-0x0000000000A1D000-memory.dmp
  Filesize: 6.1MB
memory/4616-134-0x0000000000400000-0x0000000000A1D000-memory.dmp
  Filesize: 6.1MB
memory/4616-133-0x0000000000400000-0x0000000000A1D000-memory.dmp
  Filesize: 6.1MB
memory/4856-149-0x0000000000400000-0x0000000000411000-memory.dmp
  Filesize: 68KB
memory/4856-135-0x0000000000000000-mapping.dmp