3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10

Analysis

max time kernel
248s
max time network
335s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 18:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
Size

7.0MB
MD5

c677486454b1d3b844397faf390a5a54
SHA1

c5b916654364ac40ab42e15c980d2591a012fc68
SHA256

3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10
SHA512

d9cb1f9bbd51c8f47fc7cfdc2ed3e8b1097074b1d1d4994b4d0ea90aeb1e30c268c1d775087cd38a43c3e00e812ccdb17bc8b09d26fae620646259737b4399bd
SSDEEP

196608:l5ZBk6d/ruuHlEyBRNuXBQzveB2X4aH9Ri6N:l57k6dqs+yBRNuXizvesbjN

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1960	Aguowl-Lrc.exe
1532	WinRAR_6.11_x64_SC.exe
1272	Process not Found

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000133e2-55.dat	upx
behavioral1/files/0x00080000000133e2-56.dat	upx
behavioral1/files/0x00080000000133e2-60.dat	upx
behavioral1/files/0x00080000000133e2-62.dat	upx
behavioral1/memory/1960-63-0x000000013F1F0000-0x000000013F368000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1308	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
1308	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
1308	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
1308	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
1272	Process not Found

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1960-63-0x000000013F1F0000-0x000000013F368000-memory.dmp	autoit_exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\Bjityw.Com\Aguowl-Lrc.exe	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
File created	C:\Windows\Bjityw.Com\comctl32.ocx	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
File created	C:\Windows\Bjityw.Com\±±¾©ITÔËÎ¬Íø.url	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
File created	C:\Windows\Bjityw.Com\·ÖÏí¿ìÀÖ.txt	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
File created	C:\Windows\Bjityw.Com\ÖØÆôÈí¼þ.au3	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
File created	C:\Windows\Bjityw.Com\WinRAR_6.11_x64_SC.exe	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
File created	C:\Windows\Bjityw.Com\Bjityw-Wx.jpg	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
File created	C:\Windows\Bjityw.Com\Bjityw.ico	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
File created	C:\Windows\Bjityw.Com\Bjityw01.bmp	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
File created	C:\Windows\Bjityw.Com\Bjityw02.bmp	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
File created	C:\Windows\Bjityw.Com\WinRAR_6.11_x86_SC.exe	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
File created	C:\Windows\Bjityw.Com\wx.png	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
File created	C:\Windows\Bjityw.Com\±±¾©ITÔËÎ¬ÍøËµÃ÷.TXT	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
File created	C:\Windows\Bjityw.Com\Aguowl.exe	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
File created	C:\Windows\Bjityw.Com\ÎÒµÄÎ¢²©.url	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
File created	C:\Windows\Bjityw.Com\Aguowl.png	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	WinRAR_6.11_x64_SC.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\LiRuchi\Icon = "%SystemRoot%\\\\System32\\\\shell32.dll,-14"	Aguowl-Lrc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\Bjityw.Com	Aguowl-Lrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\Bjityw.Com\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE https://www.bjityw.com"	Aguowl-Lrc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\LiRuChi	Aguowl-Lrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\LiRuChi\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE https://weibo.com/aguowl"	Aguowl-Lrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\LiRuchi\ = "北京IT运维网微博"	Aguowl-Lrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\LiRuChi\ = "北京IT运维网微博"	Aguowl-Lrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\LiRuChi\Icon = "%SystemRoot%\\\\System32\\\\shell32.dll,-14"	Aguowl-Lrc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\LiRuchi	Aguowl-Lrc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Bjityw.Com	Aguowl-Lrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Bjityw.Com\Icon = "%SystemRoot%\\\\System32\\\\shell32.dll,-18"	Aguowl-Lrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Bjityw.Com\command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe https://www.bjityw.com"	Aguowl-Lrc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\Bjityw.Com\command	Aguowl-Lrc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\LiRuChi\command	Aguowl-Lrc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\LiRuchi\command	Aguowl-Lrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Bjityw.Com\ = "北京IT运维网"	Aguowl-Lrc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Bjityw.Com\command	Aguowl-Lrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\Bjityw.Com\ = "北京IT运维网"	Aguowl-Lrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\Bjityw.Com\Icon = "%SystemRoot%\\\\System32\\\\shell32.dll,-18"	Aguowl-Lrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\LiRuchi\command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe https://weibo.com/aguowl"	Aguowl-Lrc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1532	WinRAR_6.11_x64_SC.exe
1532	WinRAR_6.11_x64_SC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1960	1308	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe	28
PID 1308 wrote to memory of 1960	1308	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe	28
PID 1308 wrote to memory of 1960	1308	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe	28
PID 1308 wrote to memory of 1960	1308	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe	28
PID 1308 wrote to memory of 1532	1308	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe	29
PID 1308 wrote to memory of 1532	1308	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe	29
PID 1308 wrote to memory of 1532	1308	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe	29
PID 1308 wrote to memory of 1532	1308	3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe	29

C:\Users\Admin\AppData\Local\Temp\3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe
"C:\Users\Admin\AppData\Local\Temp\3f15cbffd9b79776a561eeafe38ef400c1421147bb06be176c6895b0ec865b10.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\Bjityw.Com\Aguowl-Lrc.exe
  C:\Windows\Bjityw.Com\Aguowl-Lrc.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1960
- C:\Windows\Bjityw.Com\WinRAR_6.11_x64_SC.exe
  C:\Windows\Bjityw.Com\WinRAR_6.11_x64_SC.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Bjityw.Com\Aguowl-Lrc.exe

Filesize
642KB

MD5
49e5f35d679836abf6727912eca5bc87

SHA1
63ca3668eb931f85e06b5ff7f8127985bb5b5f34

SHA256
0e44f7fda692dd1859ca3c118e54d8475e0460237d5280c1600eee06ebc622b1

SHA512
b4fa46908e9085f57ec4ac827c2fd7701d59516d81dee692901213660616f8e0c28c19d728749536a83ae83c9aa82ae4f8e51ee290d224283ff0f72f13662b3f

Download Submit
C:\Windows\Bjityw.Com\Aguowl-Lrc.exe

Filesize
642KB

MD5
49e5f35d679836abf6727912eca5bc87

SHA1
63ca3668eb931f85e06b5ff7f8127985bb5b5f34

SHA256
0e44f7fda692dd1859ca3c118e54d8475e0460237d5280c1600eee06ebc622b1

SHA512
b4fa46908e9085f57ec4ac827c2fd7701d59516d81dee692901213660616f8e0c28c19d728749536a83ae83c9aa82ae4f8e51ee290d224283ff0f72f13662b3f

Download Submit
C:\Windows\Bjityw.Com\WinRAR_6.11_x64_SC.exe

Filesize
3.5MB

MD5
09957c5fba2a391481037e276a9af9b4

SHA1
57fb6a3f9b93241edcf4fe59970590af7a0c92fa

SHA256
d611e810a3b0abf2d35f68aa8e63000b3d3be7c4a1b087f299a41410d42ddc83

SHA512
caf43b57886ad1186e61d62f1623124360f05dbf58f593ef2d50827942bcd74ae3fdeac229e3ea443402f0f8ccdbdff054bb05a0fd63b67e6b825a0d84de1339

Download Submit
C:\Windows\Bjityw.Com\WinRAR_6.11_x64_SC.exe

Filesize
3.5MB

MD5
09957c5fba2a391481037e276a9af9b4

SHA1
57fb6a3f9b93241edcf4fe59970590af7a0c92fa

SHA256
d611e810a3b0abf2d35f68aa8e63000b3d3be7c4a1b087f299a41410d42ddc83

SHA512
caf43b57886ad1186e61d62f1623124360f05dbf58f593ef2d50827942bcd74ae3fdeac229e3ea443402f0f8ccdbdff054bb05a0fd63b67e6b825a0d84de1339

Download Submit
\Users\Admin\AppData\Local\Temp\nsuA1BE.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Windows\Bjityw.Com\Aguowl-Lrc.exe

Filesize
642KB

MD5
49e5f35d679836abf6727912eca5bc87

SHA1
63ca3668eb931f85e06b5ff7f8127985bb5b5f34

SHA256
0e44f7fda692dd1859ca3c118e54d8475e0460237d5280c1600eee06ebc622b1

SHA512
b4fa46908e9085f57ec4ac827c2fd7701d59516d81dee692901213660616f8e0c28c19d728749536a83ae83c9aa82ae4f8e51ee290d224283ff0f72f13662b3f

Download Submit
\Windows\Bjityw.Com\Aguowl-Lrc.exe

Filesize
642KB

MD5
49e5f35d679836abf6727912eca5bc87

SHA1
63ca3668eb931f85e06b5ff7f8127985bb5b5f34

SHA256
0e44f7fda692dd1859ca3c118e54d8475e0460237d5280c1600eee06ebc622b1

SHA512
b4fa46908e9085f57ec4ac827c2fd7701d59516d81dee692901213660616f8e0c28c19d728749536a83ae83c9aa82ae4f8e51ee290d224283ff0f72f13662b3f

Download Submit
\Windows\Bjityw.Com\WinRAR_6.11_x64_SC.exe

Filesize
3.5MB

MD5
09957c5fba2a391481037e276a9af9b4

SHA1
57fb6a3f9b93241edcf4fe59970590af7a0c92fa

SHA256
d611e810a3b0abf2d35f68aa8e63000b3d3be7c4a1b087f299a41410d42ddc83

SHA512
caf43b57886ad1186e61d62f1623124360f05dbf58f593ef2d50827942bcd74ae3fdeac229e3ea443402f0f8ccdbdff054bb05a0fd63b67e6b825a0d84de1339

Download Submit
\Windows\Bjityw.Com\WinRAR_6.11_x64_SC.exe

Filesize
3.5MB

MD5
09957c5fba2a391481037e276a9af9b4

SHA1
57fb6a3f9b93241edcf4fe59970590af7a0c92fa

SHA256
d611e810a3b0abf2d35f68aa8e63000b3d3be7c4a1b087f299a41410d42ddc83

SHA512
caf43b57886ad1186e61d62f1623124360f05dbf58f593ef2d50827942bcd74ae3fdeac229e3ea443402f0f8ccdbdff054bb05a0fd63b67e6b825a0d84de1339

Download Submit
\Windows\Bjityw.Com\WinRAR_6.11_x64_SC.exe

Filesize
3.5MB

MD5
09957c5fba2a391481037e276a9af9b4

SHA1
57fb6a3f9b93241edcf4fe59970590af7a0c92fa

SHA256
d611e810a3b0abf2d35f68aa8e63000b3d3be7c4a1b087f299a41410d42ddc83

SHA512
caf43b57886ad1186e61d62f1623124360f05dbf58f593ef2d50827942bcd74ae3fdeac229e3ea443402f0f8ccdbdff054bb05a0fd63b67e6b825a0d84de1339

Download Submit
memory/1308-58-0x0000000002D60000-0x0000000002ED8000-memory.dmp

Filesize
1.5MB

Download
memory/1308-54-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/1308-57-0x0000000002D60000-0x0000000002ED8000-memory.dmp

Filesize
1.5MB

Download
memory/1308-80-0x0000000002D60000-0x0000000002ED8000-memory.dmp

Filesize
1.5MB

Download
memory/1960-63-0x000000013F1F0000-0x000000013F368000-memory.dmp

Filesize
1.5MB

Download
memory/1960-61-0x000007FEFBE21000-0x000007FEFBE23000-memory.dmp

Filesize
8KB

Download