dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe
Size

5.5MB
MD5

9c3901f10998c40021f36d407a87c31a
SHA1

b4f433c15c722bd9485d609bf5d93790369ad853
SHA256

dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9
SHA512

cd6fa94fef2dbcfa7e4a70b680c7321139c4814f5244d4a70ddbb4dced020f3787e409dfae9017e3cf37e760c7ff0ca0de5060d39b5712546580a3c8f8a6ee7c
SSDEEP

98304:+1wWJq72sVxUybf5zSbJM+fmbFOb/2r3CgPTv4WWA7d7TuMSMGzbftvJJvw+kNGq:soVxNF82rHTv4E2zbftXwvGq

Score

8^/10

discovery exploit

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Õ÷Í¾2ºÏÒ»84.exeZT2Box.exe

pid process

2560 Õ÷Í¾2ºÏÒ»84.exe
1532 ZT2Box.exe
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

2656 takeown.exe
2292 icacls.exe
4328 takeown.exe
1912 icacls.exe
4612 takeown.exe
5032 icacls.exe

pid	process
2656	takeown.exe
2292	icacls.exe
4328	takeown.exe
1912	icacls.exe
4612	takeown.exe
5032	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe

Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

2656 takeown.exe
2292 icacls.exe
4328 takeown.exe
1912 icacls.exe
4612 takeown.exe
5032 icacls.exe

pid	process
2656	takeown.exe
2292	icacls.exe
4328	takeown.exe
1912	icacls.exe
4612	takeown.exe
5032	icacls.exe

Drops file in System32 directory 7 IoCs

Processes:

Õ÷Í¾2ºÏÒ»84.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\123105E.tmp	Õ÷Í¾2ºÏÒ»84.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	Õ÷Í¾2ºÏÒ»84.exe
File created	C:\Windows\SysWOW64\sxload.tmp	Õ÷Í¾2ºÏÒ»84.exe
File opened for modification	C:\Windows\SysWOW64\123F802.tmp	Õ÷Í¾2ºÏÒ»84.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	Õ÷Í¾2ºÏÒ»84.exe
File opened for modification	C:\Windows\SysWOW64\123AC0.tmp	Õ÷Í¾2ºÏÒ»84.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	Õ÷Í¾2ºÏÒ»84.exe

Drops file in Program Files directory 3 IoCs

Processes:

dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exeÕ÷Í¾2ºÏÒ»84.exe

description	ioc	process
File created	C:\program files\common files\microsoft shared\msinfo\Õ÷Í¾2ºÏÒ»84.jpg	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe
File created	C:\program files\common files\microsoft shared\msinfo\ZT2Box.jpg	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe
File created	C:\Program Files (x86)\Common Files\sxzt2.tmp	Õ÷Í¾2ºÏÒ»84.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2796 taskkill.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Õ÷Í¾2ºÏÒ»84.exe

pid process

2560 Õ÷Í¾2ºÏÒ»84.exe
2560 Õ÷Í¾2ºÏÒ»84.exe

pid	process
2796	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Õ÷Í¾2ºÏÒ»84.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2560	Õ÷Í¾2ºÏÒ»84.exe
Token: SeTakeOwnershipPrivilege	4612	takeown.exe
Token: SeDebugPrivilege	2796	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Õ÷Í¾2ºÏÒ»84.exe

pid	process
2560	Õ÷Í¾2ºÏÒ»84.exe
2560	Õ÷Í¾2ºÏÒ»84.exe
2560	Õ÷Í¾2ºÏÒ»84.exe
2560	Õ÷Í¾2ºÏÒ»84.exe
2560	Õ÷Í¾2ºÏÒ»84.exe
2560	Õ÷Í¾2ºÏÒ»84.exe
2560	Õ÷Í¾2ºÏÒ»84.exe
2560	Õ÷Í¾2ºÏÒ»84.exe
2560	Õ÷Í¾2ºÏÒ»84.exe
2560	Õ÷Í¾2ºÏÒ»84.exe
2560	Õ÷Í¾2ºÏÒ»84.exe
2560	Õ÷Í¾2ºÏÒ»84.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exeÕ÷Í¾2ºÏÒ»84.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2564 wrote to memory of 2560	2564	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	Õ÷Í¾2ºÏÒ»84.exe
PID 2564 wrote to memory of 2560	2564	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	Õ÷Í¾2ºÏÒ»84.exe
PID 2564 wrote to memory of 2560	2564	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	Õ÷Í¾2ºÏÒ»84.exe
PID 2560 wrote to memory of 2112	2560	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 2560 wrote to memory of 2112	2560	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 2560 wrote to memory of 2112	2560	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 2564 wrote to memory of 1532	2564	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	ZT2Box.exe
PID 2564 wrote to memory of 1532	2564	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	ZT2Box.exe
PID 2564 wrote to memory of 1532	2564	dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe	ZT2Box.exe
PID 2112 wrote to memory of 2324	2112	cmd.exe	cmd.exe
PID 2112 wrote to memory of 2324	2112	cmd.exe	cmd.exe
PID 2112 wrote to memory of 2324	2112	cmd.exe	cmd.exe
PID 2324 wrote to memory of 4612	2324	cmd.exe	takeown.exe
PID 2324 wrote to memory of 4612	2324	cmd.exe	takeown.exe
PID 2324 wrote to memory of 4612	2324	cmd.exe	takeown.exe
PID 2112 wrote to memory of 5032	2112	cmd.exe	icacls.exe
PID 2112 wrote to memory of 5032	2112	cmd.exe	icacls.exe
PID 2112 wrote to memory of 5032	2112	cmd.exe	icacls.exe
PID 2560 wrote to memory of 536	2560	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 2560 wrote to memory of 536	2560	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 2560 wrote to memory of 536	2560	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 536 wrote to memory of 1748	536	cmd.exe	cmd.exe
PID 536 wrote to memory of 1748	536	cmd.exe	cmd.exe
PID 536 wrote to memory of 1748	536	cmd.exe	cmd.exe
PID 1748 wrote to memory of 2656	1748	cmd.exe	takeown.exe
PID 1748 wrote to memory of 2656	1748	cmd.exe	takeown.exe
PID 1748 wrote to memory of 2656	1748	cmd.exe	takeown.exe
PID 536 wrote to memory of 2292	536	cmd.exe	icacls.exe
PID 536 wrote to memory of 2292	536	cmd.exe	icacls.exe
PID 536 wrote to memory of 2292	536	cmd.exe	icacls.exe
PID 2560 wrote to memory of 3232	2560	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 2560 wrote to memory of 3232	2560	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 2560 wrote to memory of 3232	2560	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 3232 wrote to memory of 532	3232	cmd.exe	cmd.exe
PID 3232 wrote to memory of 532	3232	cmd.exe	cmd.exe
PID 3232 wrote to memory of 532	3232	cmd.exe	cmd.exe
PID 532 wrote to memory of 4328	532	cmd.exe	takeown.exe
PID 532 wrote to memory of 4328	532	cmd.exe	takeown.exe
PID 532 wrote to memory of 4328	532	cmd.exe	takeown.exe
PID 3232 wrote to memory of 1912	3232	cmd.exe	icacls.exe
PID 3232 wrote to memory of 1912	3232	cmd.exe	icacls.exe
PID 3232 wrote to memory of 1912	3232	cmd.exe	icacls.exe
PID 2560 wrote to memory of 2796	2560	Õ÷Í¾2ºÏÒ»84.exe	taskkill.exe
PID 2560 wrote to memory of 2796	2560	Õ÷Í¾2ºÏÒ»84.exe	taskkill.exe
PID 2560 wrote to memory of 2796	2560	Õ÷Í¾2ºÏÒ»84.exe	taskkill.exe
PID 2560 wrote to memory of 3844	2560	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 2560 wrote to memory of 3844	2560	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe
PID 2560 wrote to memory of 3844	2560	Õ÷Í¾2ºÏÒ»84.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe
"C:\Users\Admin\AppData\Local\Temp\dc7b82e29450c6593925a469e8b4021d386c8b50a363e413c91d9d3a18dc5fd9.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2564

C:\program files\common files\microsoft shared\msinfo\Õ÷Í¾2ºÏÒ»84.exe
"C:\program files\common files\microsoft shared\msinfo\Õ÷Í¾2ºÏÒ»84.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
4⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
4⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2656

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
4⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4328

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1912

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "zhengtu2.dat"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
3⤵
PID:3844

C:\program files\common files\microsoft shared\msinfo\ZT2Box.exe
"C:\program files\common files\microsoft shared\msinfo\ZT2Box.exe"
2⤵
- Executes dropped EXE
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\ZT2Box.exe

Filesize
5.4MB

MD5
a30266f462d684a8896c42602b54e568

SHA1
330a7aee6343f23c026e7014d80f05c8f315fba7

SHA256
9b1f9eee8684917dabf27dac97269ec4da067cf73d0d9ef3332d892675bc8d41

SHA512
8cf01825901ea3400205205073fef228b3f326d908910a1e7a58f5a9b10d9e09846f68cd5963306af8d268ac6508e508c313f8846590b64708cc951bf727f224

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\Õ÷Í¾2ºÏÒ»84.exe

Filesize
28KB

MD5
8acf7d3fd0ad17a4cece8332badec44c

SHA1
764afe3712ad0c2f48f6d3d189fe093a9a07fa6f

SHA256
44654a6c0cf11261810c66cb5e6d5719258abab4334bea37505738d658f967f0

SHA512
ca374b99fb3dad4a2b501bdc4af25412888363e1e3a9b14beba45c4f9edd1075541c42fb445fdee84e79f9c7a62b242cf7cea8ea7e8682237afb066dd1495023

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
187B

MD5
0bc7bbe32288f8922cb7964c2be9615d

SHA1
70eb3dffd023503f5da01c60f03fad4a51423767

SHA256
af7dc74cb781752a1da9f28f626609c2697064c8437d56a903649fde0acf4223

SHA512
d7ccc4cbba7a9ff2e3f824ef692296d706566766745dc921421de50693bf73114c96329e12ef1d1be62adfbed3c17392a680774a8a6e37a70e5b622cb478c45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll

Filesize
192KB

MD5
e3f75f63f56789e5a3edb85f17933594

SHA1
d4a9ad438971294099f1b14b67f2d2f33ca19498

SHA256
8c6cbc631ec4013a3b99726f6bcaf3f8e11cb3f64a3ebf68b6e0e69cfaad54ce

SHA512
bfb732a68b5c5072caa0d4303bfdbaf0a74ee6bcd1cb2dbb32e0bd041a6693beff641124be57dacf4e0e1886e5e2988bcbe1e597f5a4aa8933ed5dd2de4c1a34

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll

Filesize
12KB

MD5
ccc8b561f91537b54ea41ae10b60b2dc

SHA1
72c5bb4adf50cbcf9053b05ff35e5d8b97537305

SHA256
a3b573b45ad961bd358cf751f409fef62b9571c822fdeb6fd40fa64821f43271

SHA512
6e9f5e5638024bb704938bda9c0f686607e4c5530714ac684e74567d73d6b984dd06ced2d5b0f9fffc2b897aae2412cdf81dc1c78d611b829a89fdc559fe870f

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll

Filesize
192KB

MD5
e3f75f63f56789e5a3edb85f17933594

SHA1
d4a9ad438971294099f1b14b67f2d2f33ca19498

SHA256
8c6cbc631ec4013a3b99726f6bcaf3f8e11cb3f64a3ebf68b6e0e69cfaad54ce

SHA512
bfb732a68b5c5072caa0d4303bfdbaf0a74ee6bcd1cb2dbb32e0bd041a6693beff641124be57dacf4e0e1886e5e2988bcbe1e597f5a4aa8933ed5dd2de4c1a34

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll

Filesize
12KB

MD5
ccc8b561f91537b54ea41ae10b60b2dc

SHA1
72c5bb4adf50cbcf9053b05ff35e5d8b97537305

SHA256
a3b573b45ad961bd358cf751f409fef62b9571c822fdeb6fd40fa64821f43271

SHA512
6e9f5e5638024bb704938bda9c0f686607e4c5530714ac684e74567d73d6b984dd06ced2d5b0f9fffc2b897aae2412cdf81dc1c78d611b829a89fdc559fe870f

Download Submit
C:\program files\common files\microsoft shared\msinfo\ZT2Box.exe

Filesize
5.4MB

MD5
a30266f462d684a8896c42602b54e568

SHA1
330a7aee6343f23c026e7014d80f05c8f315fba7

SHA256
9b1f9eee8684917dabf27dac97269ec4da067cf73d0d9ef3332d892675bc8d41

SHA512
8cf01825901ea3400205205073fef228b3f326d908910a1e7a58f5a9b10d9e09846f68cd5963306af8d268ac6508e508c313f8846590b64708cc951bf727f224

Download Submit
C:\program files\common files\microsoft shared\msinfo\Õ÷Í¾2ºÏÒ»84.exe

Filesize
28KB

MD5
8acf7d3fd0ad17a4cece8332badec44c

SHA1
764afe3712ad0c2f48f6d3d189fe093a9a07fa6f

SHA256
44654a6c0cf11261810c66cb5e6d5719258abab4334bea37505738d658f967f0

SHA512
ca374b99fb3dad4a2b501bdc4af25412888363e1e3a9b14beba45c4f9edd1075541c42fb445fdee84e79f9c7a62b242cf7cea8ea7e8682237afb066dd1495023

Download Submit
memory/532-152-0x0000000000000000-mapping.dmp

Download
memory/536-143-0x0000000000000000-mapping.dmp

Download
memory/1532-136-0x0000000000000000-mapping.dmp

Download
memory/1748-145-0x0000000000000000-mapping.dmp

Download
memory/1912-154-0x0000000000000000-mapping.dmp

Download
memory/2112-135-0x0000000000000000-mapping.dmp

Download
memory/2292-147-0x0000000000000000-mapping.dmp

Download
memory/2324-140-0x0000000000000000-mapping.dmp

Download
memory/2560-132-0x0000000000000000-mapping.dmp

Download
memory/2656-146-0x0000000000000000-mapping.dmp

Download
memory/2796-157-0x0000000000000000-mapping.dmp

Download
memory/3232-150-0x0000000000000000-mapping.dmp

Download
memory/3844-158-0x0000000000000000-mapping.dmp

Download
memory/4328-153-0x0000000000000000-mapping.dmp

Download
memory/4612-141-0x0000000000000000-mapping.dmp

Download
memory/5032-142-0x0000000000000000-mapping.dmp

Download