Analysis
- max time kernel: 145s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 05:01

Static task: static1

Behavioral task: behavioral1
- Sample: 傲世中变.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 傲世中变.exe
- Resource: win10v2004-20220812-en
General
- Target: 傲世中变.exe
- Size: 3.2MB
- MD5: a87419a7b8cd42c04abc321896475347
- SHA1: 6849c85576f911e7b4db746ceefa74845f4d7bdc
- SHA256: 761c471e80d3c44febc76a8f7108744fd1aa07b646d5f37c7608714c1a8c42d6
- SHA512: 47082bc2fe9aacb2dcce925c775a939c6f57cdba202dd07d7a160e5401d42e650e46c3d46d0d85aceb05d6249f1f652b16d2cd06fbfaba9eb7343676cecb1a8a
- SSDEEP: 98304:Gc//////ArnXSjOFrpgpu4iBM2YlLatY3gb4qXzDuxTyqm:WrnXSSFrpgc41Jlmt8/qXuxT8
Malware Config
Signatures
- YARA rule match: aspack_v212_v242
  Resources:
  - C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖбä.exe (aspack_v212_v242)
  - C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖбä.exe (aspack_v212_v242)

- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 4944 815.exe
  - 1956 °ÁÊÀÖбä.exe

- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IPv6NetBrowsSvc\Parameters\ServiceDll = "C:\\Windows\\IPv6NetBrowsSvc.dll" (815.exe)

- YARA rule match: vmprotect
  Resources:
  - C:\Users\Admin\AppData\Local\Temp\815.exe (vmprotect)
  - C:\Users\Admin\AppData\Local\Temp\815.exe (vmprotect)
  - behavioral2/memory/4944-138-0x0000000000200000-0x000000000023E000-memory.dmp (vmprotect)
  - C:\Windows\IPv6NetBrowsSvc.dll (vmprotect)
  - \??\c:\windows\ipv6netbrowssvc.dll (vmprotect)
  - behavioral2/memory/4856-145-0x0000000075130000-0x000000007516E000-memory.dmp (vmprotect)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (815.exe)

- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - 4856 svchost.exe

- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\IPv6NetBrowsSvc.dll (815.exe)
  - File opened for modification: C:\Windows\IPv6NetBrowsSvc.dll (815.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  - 1956 °ÁÊÀÖбä.exe
  - 1956 °ÁÊÀÖбä.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description, pid, process, target process):
  - PID 2060 wrote to memory of 4084: 傲世中变.exe -> cmd.exe
  - PID 2060 wrote to memory of 4084: 傲世中变.exe -> cmd.exe
  - PID 2060 wrote to memory of 4084: 傲世中变.exe -> cmd.exe
  - PID 2060 wrote to memory of 396: 傲世中变.exe -> cmd.exe
  - PID 2060 wrote to memory of 396: 傲世中变.exe -> cmd.exe
  - PID 2060 wrote to memory of 396: 傲世中变.exe -> cmd.exe
  - PID 4084 wrote to memory of 4944: cmd.exe -> 815.exe
  - PID 4084 wrote to memory of 4944: cmd.exe -> 815.exe
  - PID 4084 wrote to memory of 4944: cmd.exe -> 815.exe
  - PID 396 wrote to memory of 1956: cmd.exe -> °ÁÊÀÖбä.exe
  - PID 396 wrote to memory of 1956: cmd.exe -> °ÁÊÀÖбä.exe
  - PID 396 wrote to memory of 1956: cmd.exe -> °ÁÊÀÖбä.exe
  - PID 4944 wrote to memory of 2180: 815.exe -> cmd.exe
  - PID 4944 wrote to memory of 2180: 815.exe -> cmd.exe
  - PID 4944 wrote to memory of 2180: 815.exe -> cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\傲世中变.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\傲世中变.exe"
  PID: 2060
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\815.exe"
    PID: 4084
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\815.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\815.exe
      PID: 4944
      - Executes dropped EXE
      - Sets DLL path for service in the registry
      - Checks computer location settings
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240580687.bat" "
        PID: 2180
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖбä.exe"
    PID: 396
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖбä.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖбä.exe
      PID: 1956
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k ipv6srvs -s IPv6NetBrowsSvc
  PID: 4856
  - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\240580687.bat
  Filesize: 117B
  MD5: ae099850d161ead2ae911c37205d8b3d
  SHA1: 36f6664acb63693a6cd00e066f7935b529c6c2f6
  SHA256: 45ba8fd3a804bef3a20c5e380775c432b36c51d221ab9f220ae44025b246e32d
  SHA512: d8f3433e3b2a019591a2e3f46112a5fc09f76621a79690db19a99408cf5d35a04ac82066533f34da5de6ee4522b2fbaa691de209f2f370a7fb56af26ca742124
- C:\Users\Admin\AppData\Local\Temp\815.exe
  Filesize: 122KB
  MD5: 90f14c2282b3fb8b818fde041f4904e3
  SHA1: 202e348b1e11f5b16a291de3e2b0681c58560d99
  SHA256: 38b6d3bc45441b6bd7421fc103b96dc7f655f104c2ea519964d829c93cc24665
  SHA512: ccd1cc600e74e966f483966ddc3c1a3b4d3b7cf924c2fa01c15cf78553713f294b0c36310c39b2399ef04a84b04710c5b60144500a1d51a4487249ae64946245
- C:\Users\Admin\AppData\Local\Temp\°ÁÊÀÖбä.exe
  Filesize: 3.0MB
  MD5: bbcccdbb736c5a8ebe506d9cead4a073
  SHA1: ee0b2a95e162d2b927150d8640ae137a5252357d
  SHA256: f5c1fd0e5856d672f3d17fe3d09c16024d33bd3be9f998f1d5f4cb288a1ace3f
  SHA512: 929002e4b2e9505bb9c993336f0573c862e08f7f369c2963957062c941d5f53b7187254ebc81df50e9f61d3b334849cc88bf9a8a987d3a3affa08e55faf73cdf
- C:\Windows\IPv6NetBrowsSvc.dll
  Filesize: 122KB
  MD5: 24eed50175fc5d55463e4f1ba09dfa58
  SHA1: 920102ebf53647b8043d554a431db96bf53200fb
  SHA256: 53037c3e50d0b29b6a53accb0bf871dc0221fc857b2ff829039518cd86381a86
  SHA512: 6106c4ffb374c4c3efa2197ca6b7943b8b73d69aaf4c5cc9030846008d8223e76b7b7609b048557a9cb82479b65448f262129ef96e0869b19b0afdbfb6349d37

- \??\c:\windows\ipv6netbrowssvc.dll
  Filesize: 122KB
  MD5: 24eed50175fc5d55463e4f1ba09dfa58
  SHA1: 920102ebf53647b8043d554a431db96bf53200fb
  SHA256: 53037c3e50d0b29b6a53accb0bf871dc0221fc857b2ff829039518cd86381a86
  SHA512: 6106c4ffb374c4c3efa2197ca6b7943b8b73d69aaf4c5cc9030846008d8223e76b7b7609b048557a9cb82479b65448f262129ef96e0869b19b0afdbfb6349d37
- memory/396-133-0x0000000000000000-mapping.dmp
- memory/1956-146-0x0000000000400000-0x000000000080E000-memory.dmp
  Filesize: 4.1MB
- memory/1956-139-0x0000000000000000-mapping.dmp
- memory/1956-149-0x0000000000400000-0x000000000080E000-memory.dmp
  Filesize: 4.1MB
- memory/2180-147-0x0000000000000000-mapping.dmp
- memory/4084-132-0x0000000000000000-mapping.dmp
- memory/4856-144-0x0000000075131000-0x0000000075134000-memory.dmp
  Filesize: 12KB
- memory/4856-145-0x0000000075130000-0x000000007516E000-memory.dmp
  Filesize: 248KB
- memory/4944-134-0x0000000000000000-mapping.dmp
- memory/4944-137-0x0000000000201000-0x0000000000204000-memory.dmp
  Filesize: 12KB
- memory/4944-138-0x0000000000200000-0x000000000023E000-memory.dmp
  Filesize: 248KB