Analysis

max time kernel: 184s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 17:59
Behavioral task: behavioral1
Sample: f1aaa249322c7e6776d9a1ccb825d707c2af752e126053f83d867122ea843244.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: f1aaa249322c7e6776d9a1ccb825d707c2af752e126053f83d867122ea843244.exe
Resource: win10v2004-20221111-en
General

Target: f1aaa249322c7e6776d9a1ccb825d707c2af752e126053f83d867122ea843244.exe
Size: 7.4MB
MD5: f5f1d1cd9a3db2b4304c358787108d62
SHA1: 35a1b68de07441a4076ef7f9c8376a9c8adb37cf
SHA256: f1aaa249322c7e6776d9a1ccb825d707c2af752e126053f83d867122ea843244
SHA512: e85861d52b225ca77ca5b03b60dc9e970ced1a6f7bcd57203e9984a6cd284aa3ffc70af5c640f2ff7f452166753163a0df27f8a1f7f7ee99a194bcc343f35ad8
SSDEEP: 196608:W1aV6G/CERp3n3IOgFMPGGWBpdQk/TzdT6p:W1QCERpIPKGlph6p
Malware Config

Signatures

Drops file in Drivers directory (1 IoC)
description: File opened for modification
ioc: C:\Windows\system32\drivers\etc\hosts
Process: f1aaa249322c7e6776d9a1ccb825d707c2af752e126053f83d867122ea843244.exe

Executes dropped EXE (1 IoC)
pid: 4920   Process: setup.exe

resource / yara_rule
- behavioral2/memory/4888-132-0x0000000000400000-0x00000000010DE000-memory.dmp   upx
- behavioral2/memory/4888-140-0x0000000000400000-0x00000000010DE000-memory.dmp   upx

Loads dropped DLL (6 IoCs)
pid / Process
- 4920 setup.exe
- 4920 setup.exe
- 2976 MsiExec.exe
- 2976 MsiExec.exe
- 2976 MsiExec.exe
- 2976 MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)
ioc / Process (24 drive letters per process, every letter except C: and D:)
- msiexec.exe: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- setup.exe: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (59 IoCs)
description: Token / pid / Process

setup.exe (pid 4920), each of the following 29 privileges recorded twice (58 IoCs):
- SeCreateTokenPrivilege
- SeAssignPrimaryTokenPrivilege
- SeLockMemoryPrivilege
- SeIncreaseQuotaPrivilege
- SeMachineAccountPrivilege
- SeTcbPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeCreatePermanentPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeAuditPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeSyncAgentPrivilege
- SeEnableDelegationPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege

msiexec.exe (pid 3156), recorded once (1 IoC):
- SeSecurityPrivilege
Suspicious use of FindShellTrayWindow (1 IoC)
pid: 4920   Process: setup.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid: 4888   Process: f1aaa249322c7e6776d9a1ccb825d707c2af752e126053f83d867122ea843244.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description / pid / Process / procid_target
- PID 4888 wrote to memory of 4920   pid: 4888   Process: f1aaa249322c7e6776d9a1ccb825d707c2af752e126053f83d867122ea843244.exe   procid_target: 81   (recorded 3 times)
- PID 3156 wrote to memory of 2976   pid: 3156   Process: msiexec.exe   procid_target: 92   (recorded 3 times)
Processes

- C:\Users\Admin\AppData\Local\Temp\f1aaa249322c7e6776d9a1ccb825d707c2af752e126053f83d867122ea843244.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1aaa249322c7e6776d9a1ccb825d707c2af752e126053f83d867122ea843244.exe"
  PID: 4888
  - Drops file in Drivers directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\setup.exe (child process)
    Command line: C:\Users\Admin\AppData\Local\Temp\setup.exe
    PID: 4920
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3156
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (child process)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding AED108800B3AC546CDA36686DF5D096A C
    PID: 2976
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 79KB
MD5: 9a4968fe67c177850163deafec64d0a6
SHA1: 15b3f837c4f066cface8b3535a88523d20e5ca5c
SHA256: 441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab
SHA512: 256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Filesize: 5.4MB
MD5: 8ec063ada0f9cddf9ae268f1a19032b2
SHA1: dff3ba460f443a68ef55a998f3be62db0dcaf990
SHA256: 9f9f7369e6413d2d4f419881fe3faa7bcd12cde1a0eaa8959ef06f46efed9285
SHA512: c65f0e173be87ba2992cbb46a3a948bcdb49ffcd51dcd4cd3529abd5a4f461dc17dc51ace45e714bd47ea70ecd8628e26156b743ed133debdc0f313adcc9ae48

Filesize: 120KB
MD5: 8c00a53e94bf9571f6fea2b36bfa526c
SHA1: 090bb8ff15e4277c9c85a402a4726179e9bf696d
SHA256: 333bb1ac355835f781edf467b3ba35ed9a78d9ae658047aab7203e7980fcf060
SHA512: 313ea8c2634b66147690876fd0af4acb34fe5b15be6450bdb05c1687b58891c32778d41546c042d5861509ffa61a98bddd1bc0b6c94be5812ab7f91936a41bab