d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021

Analysis

max time kernel
159s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe
Size

167KB
MD5

b517c9b6710223a4a9cdc1685de07095
SHA1

c577b64a9dcda513fbe48b158f64766b9e85ed90
SHA256

d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021
SHA512

e6e1e678f9628e77fd8e7cd8484d1ac066c76df9c288fef5f1a17d6b124d417ca42379109b7bde521969de3b02c92bee7a32809405642e14f0a57eb04fc169b2
SSDEEP

3072:wgXdZt9P6D3XJ8150ZayybgOPOZFZ5KuWzsCi3ZhkP+YT6erSvy4rUhwRnTn:we34dZ1FWkFZUuWzA3MWYT+vy4hr

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4528	9377ltzn_mgaz_01.exe

Loads dropped DLL 20 IoCs

pid	Process
1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe
1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe
1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe
1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe
1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe
1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe
1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe
1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe
1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe
1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe
1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe
4528	9377ltzn_mgaz_01.exe
4528	9377ltzn_mgaz_01.exe
4528	9377ltzn_mgaz_01.exe
4528	9377ltzn_mgaz_01.exe
4528	9377ltzn_mgaz_01.exe
4528	9377ltzn_mgaz_01.exe
4528	9377ltzn_mgaz_01.exe
1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe
1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\9377À×öªÖ®Å\uninstall.exe	9377ltzn_mgaz_01.exe
File created	C:\Program Files (x86)\9377À×öªÖ®Å\replay.htm	9377ltzn_mgaz_01.exe
File opened for modification	C:\Program Files (x86)\9377À×öªÖ®Å\LTLogger.ini	9377ltzn_mgaz_01.exe
File created	C:\Program Files (x86)\9377À×öªÖ®Å\LTLogger.exe	9377ltzn_mgaz_01.exe
File created	C:\Program Files (x86)\9377À×öªÖ®Å\LeiTing.dll	9377ltzn_mgaz_01.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002263a-148.dat	nsis_installer_1
behavioral2/files/0x000700000002263a-148.dat	nsis_installer_2
behavioral2/files/0x000700000002263a-149.dat	nsis_installer_1
behavioral2/files/0x000700000002263a-149.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 4528	1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe	95
PID 1352 wrote to memory of 4528	1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe	95
PID 1352 wrote to memory of 4528	1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe	95
PID 1352 wrote to memory of 4552	1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe	96
PID 1352 wrote to memory of 4552	1352	d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe	96
PID 4552 wrote to memory of 3988	4552	msedge.exe	97
PID 4552 wrote to memory of 3988	4552	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe
"C:\Users\Admin\AppData\Local\Temp\d3595755d66cb07c607bd5a0343b6b5172b80fb3c11422e6483dc4ebdd0f0021.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\9377ltzn_mgaz_01.exe
  9377ltzn_mgaz_01.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.caogenchuangyejidi.com/ZDM1OTU3NTVkNjZjYjA3YzYwN2JkNWEwMzQzYjZiNTE3MmI4MGZiM2MxMTQyMmU2NDgzZGM0ZWJkZDBmMDAyMS5leGU=/40.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7fff70e646f8,0x7fff70e64708,0x7fff70e64718
    3⤵
    PID:3988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\9377ltzn_mgaz_01.exe

Filesize
1.2MB

MD5
76dfbd4fa28525b16a096b9a2e1f1b51

SHA1
ee48c12adb0cfb3b74d2df5077fbfc4bb7693b9c

SHA256
bd240f9378ce4a6622824906a2425737e99419220c694f6498eb04f496b46d5f

SHA512
2997c29034af7466f41715daa123ed1ec060e8be1785b1700180dd48d4b3a68c2ef12ed96ca5b1502a50e5fd2a9d9e20350b4b67fde82e7753e398a707c10c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\9377ltzn_mgaz_01.exe

Filesize
1.2MB

MD5
76dfbd4fa28525b16a096b9a2e1f1b51

SHA1
ee48c12adb0cfb3b74d2df5077fbfc4bb7693b9c

SHA256
bd240f9378ce4a6622824906a2425737e99419220c694f6498eb04f496b46d5f

SHA512
2997c29034af7466f41715daa123ed1ec060e8be1785b1700180dd48d4b3a68c2ef12ed96ca5b1502a50e5fd2a9d9e20350b4b67fde82e7753e398a707c10c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\Inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\Inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl16E4.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspAAD3.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspAAD3.tmp\inetc.dll

Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspAAD3.tmp\inetc.dll

Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspAAD3.tmp\inetc.dll

Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspAAD3.tmp\inetc.dll

Filesize
21KB

MD5
4b2ac1ce1a2d71e9655a92afb8f8c76b

SHA1
8d5086a8195e95d72667d6c7707778750ead5cdc

SHA256
b7481b29387fbc83ea24684919fec44eedb054d70dc7d4af81394f22184d1142

SHA512
b988bbc1d34e270736c073d2a2be7650c41f7d70d58671115665e48f19e8a8826f6c6e2d340ca7c82d6dd86e9c045acb9658bd4865ffd2ef71b596a7bd993ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspAAD3.tmp\ip.dll

Filesize
16KB

MD5
4df6320e8281512932a6e86c98de2c17

SHA1
ae6336192d27874f9cd16cd581f1c091850cf494

SHA256
7744a495ceacf8584d4f6786699e94a09935a94929d4861142726562af53faa4

SHA512
7c468de59614f506a2ce8445ef00267625e5a8e483913cdd18636cea543be0ca241891e75979a55bb67eecc11a7ac0649b48b55a10e9a01362a0250839462d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspAAD3.tmp\ip.dll

Filesize
16KB

MD5
4df6320e8281512932a6e86c98de2c17

SHA1
ae6336192d27874f9cd16cd581f1c091850cf494

SHA256
7744a495ceacf8584d4f6786699e94a09935a94929d4861142726562af53faa4

SHA512
7c468de59614f506a2ce8445ef00267625e5a8e483913cdd18636cea543be0ca241891e75979a55bb67eecc11a7ac0649b48b55a10e9a01362a0250839462d3b

Download Submit
memory/1352-143-0x0000000000511000-0x0000000000514000-memory.dmp

Filesize
12KB

Download
memory/1352-140-0x00000000027F1000-0x00000000027F4000-memory.dmp

Filesize
12KB

Download
memory/1352-135-0x00000000027F1000-0x00000000027F4000-memory.dmp

Filesize
12KB

Download
memory/4528-153-0x00000000032B1000-0x00000000032B4000-memory.dmp

Filesize
12KB

Download
memory/4528-156-0x00000000032B1000-0x00000000032B4000-memory.dmp

Filesize
12KB

Download