7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 07:08 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe
Size

3.5MB
MD5

03d9bd5b2e777234ed9abb531795a432
SHA1

4ce18554eae7a948685581cbb54629b5bb9323e1
SHA256

7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4
SHA512

3e738fe8469d85d51d94e75c81847eb3f461a1ca1c22e4eff599e0651dd38f8b9d6568907e88d4070d66d1501687bf63a13fa802215369ec3d2c6647d5acdbe3
SSDEEP

98304:RDGnkRWN+Ci067DeL2iUZz9ZdvyjfXMNgvHNIekdwLg:gN+Cw62Nrv0fXMNetIPwLg

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1352	7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
992	1352	WerFault.exe	25

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1352	7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe
1352	7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe
1352	7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe
1352	7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 992	1352	7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe	26
PID 1352 wrote to memory of 992	1352	7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe	26
PID 1352 wrote to memory of 992	1352	7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe	26
PID 1352 wrote to memory of 992	1352	7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe	26

C:\Users\Admin\AppData\Local\Temp\7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe
"C:\Users\Admin\AppData\Local\Temp\7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 460
  2⤵
  - Program crash
  PID:992

Network

DNS

config.dianxinkan.com

7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe

Remote address:

8.8.8.8:53

Request

config.dianxinkan.com

IN A

Response

config.dianxinkan.com

IN CNAME

ziyuan.baidu.com

ziyuan.baidu.com

IN CNAME

ziyuan.n.shifen.com

ziyuan.n.shifen.com

IN A

182.61.201.50

ziyuan.n.shifen.com

IN A

182.61.201.90

ziyuan.n.shifen.com

IN A

182.61.201.91

ziyuan.n.shifen.com

IN A

182.61.201.92
GET

http://config.dianxinkan.com/Public/conf/open/1/1_1_0_1_7/10.jpg

7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe

Remote address:

182.61.201.50:80

Request

GET /Public/conf/open/1/1_1_0_1_7/10.jpg HTTP/1.1
Host: config.dianxinkan.com
Accept:
Referer: http://config.dianxinkan.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent;)
Range: bytes=0-

Response

HTTP/1.1 500 Internal Server Error

Server: bfe
Date: Mon, 28 Nov 2022 02:23:03 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8

182.61.201.50:80

http://config.dianxinkan.com/Public/conf/open/1/1_1_0_1_7/10.jpg

http

7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe

608 B
628 B
8
8

HTTP Request

GET http://config.dianxinkan.com/Public/conf/open/1/1_1_0_1_7/10.jpg

HTTP Response

500

8.8.8.8:53

config.dianxinkan.com

dns

7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe

67 B
188 B
1
1

DNS Request

config.dianxinkan.com

DNS Response

182.61.201.50

182.61.201.90

182.61.201.91

182.61.201.92

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\11282230486\LZMA.dll

Filesize
67KB

MD5
d0f2416807f04c559e6394a0a4c7f1d1

SHA1
7df43ffa3716156d282b1e37d12dd1122f0a762c

SHA256
0fe6a869cf220769a058f8d281f272ef72669e3587673e52b53f3f9650dcf1fc

SHA512
8199c967ad813216f2ef3094a7614c9ccc95d35a817fc685cb7823f36cc97f0279bddd0ec0bb8f07ee2445476aaea35548516841ee9cde53a8be395515457799

Download Submit
memory/1352-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.