6dbc2879636d206c573afaeb24db157f303a649e4a75bb1db1e42156e30ee756

Analysis

max time kernel
178s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 15:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6dbc2879636d206c573afaeb24db157f303a649e4a75bb1db1e42156e30ee756.exe
Size

238KB
MD5

0b3b30f71ac6304b593d8889faebfff4
SHA1

ac1fa0fdae5670e684e41806ce0fa97749ef7c29
SHA256

6dbc2879636d206c573afaeb24db157f303a649e4a75bb1db1e42156e30ee756
SHA512

a6e7b912bb9865e62bdd8cc4b0a398b25422b27d67315dcee05014991cd6bb9785bbadf6aa5355d53877161411256948a498da35a55ca07c3c9f7be078ebeafa
SSDEEP

6144:EZuuObR8sVImcyYEdJgoETWv7YISq3H+BlUufK:jV+mz/Eiv7YIH3eHtfK

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3928	dx.exe
2612	360SE.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6dbc2879636d206c573afaeb24db157f303a649e4a75bb1db1e42156e30ee756.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 11 IoCs

pid	Process
3928	dx.exe
3928	dx.exe
3928	dx.exe
3928	dx.exe
3928	dx.exe
3928	dx.exe
3928	dx.exe
3928	dx.exe
3928	dx.exe
3928	dx.exe
3928	dx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RunmeAtStartup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\360SE.exe"	360SE.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\xvhost.sb	360SE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022e4e-136.dat	nsis_installer_1
behavioral2/files/0x0006000000022e4e-136.dat	nsis_installer_2
behavioral2/files/0x0006000000022e4e-137.dat	nsis_installer_1
behavioral2/files/0x0006000000022e4e-137.dat	nsis_installer_2

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	6dbc2879636d206c573afaeb24db157f303a649e4a75bb1db1e42156e30ee756.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2612	360SE.exe
2612	360SE.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2612	360SE.exe
2612	360SE.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 4344	876	6dbc2879636d206c573afaeb24db157f303a649e4a75bb1db1e42156e30ee756.exe	81
PID 876 wrote to memory of 4344	876	6dbc2879636d206c573afaeb24db157f303a649e4a75bb1db1e42156e30ee756.exe	81
PID 876 wrote to memory of 4344	876	6dbc2879636d206c573afaeb24db157f303a649e4a75bb1db1e42156e30ee756.exe	81
PID 4344 wrote to memory of 4996	4344	WScript.exe	82
PID 4344 wrote to memory of 4996	4344	WScript.exe	82
PID 4344 wrote to memory of 4996	4344	WScript.exe	82
PID 4996 wrote to memory of 3928	4996	cmd.exe	84
PID 4996 wrote to memory of 3928	4996	cmd.exe	84
PID 4996 wrote to memory of 3928	4996	cmd.exe	84
PID 4344 wrote to memory of 2952	4344	WScript.exe	85
PID 4344 wrote to memory of 2952	4344	WScript.exe	85
PID 4344 wrote to memory of 2952	4344	WScript.exe	85
PID 2952 wrote to memory of 2612	2952	cmd.exe	87
PID 2952 wrote to memory of 2612	2952	cmd.exe	87
PID 2952 wrote to memory of 2612	2952	cmd.exe	87
PID 4344 wrote to memory of 4008	4344	WScript.exe	88
PID 4344 wrote to memory of 4008	4344	WScript.exe	88
PID 4344 wrote to memory of 4008	4344	WScript.exe	88
PID 4008 wrote to memory of 632	4008	cmd.exe	90
PID 4008 wrote to memory of 632	4008	cmd.exe	90
PID 4008 wrote to memory of 632	4008	cmd.exe	90
PID 632 wrote to memory of 3748	632	WScript.exe	91
PID 632 wrote to memory of 3748	632	WScript.exe	91
PID 632 wrote to memory of 3748	632	WScript.exe	91
PID 3748 wrote to memory of 4372	3748	cmd.exe	93
PID 3748 wrote to memory of 4372	3748	cmd.exe	93
PID 3748 wrote to memory of 4372	3748	cmd.exe	93
PID 632 wrote to memory of 4816	632	WScript.exe	94
PID 632 wrote to memory of 4816	632	WScript.exe	94
PID 632 wrote to memory of 4816	632	WScript.exe	94
PID 632 wrote to memory of 3500	632	WScript.exe	96
PID 632 wrote to memory of 3500	632	WScript.exe	96
PID 632 wrote to memory of 3500	632	WScript.exe	96
PID 3500 wrote to memory of 4364	3500	cmd.exe	98
PID 3500 wrote to memory of 4364	3500	cmd.exe	98
PID 3500 wrote to memory of 4364	3500	cmd.exe	98
PID 632 wrote to memory of 2388	632	WScript.exe	99
PID 632 wrote to memory of 2388	632	WScript.exe	99
PID 632 wrote to memory of 2388	632	WScript.exe	99
PID 2388 wrote to memory of 4740	2388	cmd.exe	101
PID 2388 wrote to memory of 4740	2388	cmd.exe	101
PID 2388 wrote to memory of 4740	2388	cmd.exe	101
PID 632 wrote to memory of 1612	632	WScript.exe	102
PID 632 wrote to memory of 1612	632	WScript.exe	102
PID 632 wrote to memory of 1612	632	WScript.exe	102
PID 1612 wrote to memory of 4768	1612	cmd.exe	104
PID 1612 wrote to memory of 4768	1612	cmd.exe	104
PID 1612 wrote to memory of 4768	1612	cmd.exe	104

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4372	attrib.exe
4364	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6dbc2879636d206c573afaeb24db157f303a649e4a75bb1db1e42156e30ee756.exe
"C:\Users\Admin\AppData\Local\Temp\6dbc2879636d206c573afaeb24db157f303a649e4a75bb1db1e42156e30ee756.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start dx.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Users\Admin\AppData\Local\Temp\dx.exe
      dx.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start 360SE.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\360SE.exe
      360SE.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start b.vbs
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c attrib -s -h -r "C:\Users\Admin\Desktop\Internet Explorer.*"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3748
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h -r "C:\Users\Admin\Desktop\Internet Explorer.*"
        6⤵
        Views/modifies file attributes
        
        PID:4372
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c del /f/a/q "C:\Users\Admin\Desktop\Internet Explorer.*"
        5⤵
        
        PID:4816
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c attrib +r "C:\Users\Admin\Desktop\Internet Explorer.lnk"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3500
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r "C:\Users\Admin\Desktop\Internet Explorer.lnk"
        6⤵
        Views/modifies file attributes
        
        PID:4364
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v {871C5380-42A0-1069-A2EA-08002B30309D} /t REG_DWORD /d 1 /F
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v {871C5380-42A0-1069-A2EA-08002B30309D} /t REG_DWORD /d 1 /F
        6⤵
        
        PID:4740
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v {871C5380-42A0-1069-A2EA-08002B30309D} /t REG_DWORD /d 1 /F
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v {871C5380-42A0-1069-A2EA-08002B30309D} /t REG_DWORD /d 1 /F
        6⤵
        
        PID:4768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\360SE.exe

Filesize
18KB

MD5
5f4a07a497e89c1bebf9aacf1a09ef11

SHA1
0ed73f38beb449339c074cbc51f9d33ff66c8581

SHA256
27f59b1c97ba4ba63ae18ed06f40c78e41a77994f6b94a306bcf3269867b8bb9

SHA512
e1764a0f20b0bbd6b27473027870858237c8cedae6bbca84c2f0a5a2f197b9a7325b77b8fd862de0951c83458f01cbe60097fc7fda88081a2f6be10b1687f023

Download Submit
C:\Users\Admin\AppData\Local\Temp\360SE.exe

Filesize
18KB

MD5
5f4a07a497e89c1bebf9aacf1a09ef11

SHA1
0ed73f38beb449339c074cbc51f9d33ff66c8581

SHA256
27f59b1c97ba4ba63ae18ed06f40c78e41a77994f6b94a306bcf3269867b8bb9

SHA512
e1764a0f20b0bbd6b27473027870858237c8cedae6bbca84c2f0a5a2f197b9a7325b77b8fd862de0951c83458f01cbe60097fc7fda88081a2f6be10b1687f023

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.vbs

Filesize
267B

MD5
5150a41f89a7e1456165794645a5da1c

SHA1
c32d2e019814819b3102ce31b5d1ee336e83f50e

SHA256
902facb51ff31446e4e1748b779d49498765578a371afbb8fff1571ba76ac382

SHA512
8b2bfc91ba81bf9ee592a43001e44840d2f2d47f887e1f44d59e7cadd49e9d5503fc3a786370b9d542804f7dcc69f9ce003ffaa2aaa843350a2770438609c17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.vbs

Filesize
1KB

MD5
cbea154e91fc3a4d442554dc3bc68993

SHA1
62cf7dfdaea71292b946a0251c973bee2c351da5

SHA256
96ccd91e5a133da6af44dfea985ad7b0118a4ae678b333da99f44f011905d874

SHA512
ca4e17f04bac054f4e67fe47b355ec265ea82d14199d4c11b87c2162309cb04af2490ddee3afe4753549d08ec1447978ae2d06ca9dd22b63d44c0cf106a7e2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dx.exe

Filesize
160KB

MD5
632533e3985fade1dede6840ecc8ccda

SHA1
b4c8bb54ad7c34c3ccd4001cf6141c15191db75a

SHA256
b1ffb8f0e097025f464f5be7cb9c8a8418302993def1a0839161425f8977646e

SHA512
ca6b054b8346393c836d0569406b50a8a8bfaea6e493416cce964fefc794e29c5d43aa6750bbb95c1699cc2402f895239938f42653c438ea37f9c2ccb5421fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dx.exe

Filesize
160KB

MD5
632533e3985fade1dede6840ecc8ccda

SHA1
b4c8bb54ad7c34c3ccd4001cf6141c15191db75a

SHA256
b1ffb8f0e097025f464f5be7cb9c8a8418302993def1a0839161425f8977646e

SHA512
ca6b054b8346393c836d0569406b50a8a8bfaea6e493416cce964fefc794e29c5d43aa6750bbb95c1699cc2402f895239938f42653c438ea37f9c2ccb5421fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC07.tmp\ButtonEvent.dll

Filesize
4KB

MD5
fad9d09fc0267e8513b8628e767b2604

SHA1
bea76a7621c07b30ed90bedef4d608a5b9e15300

SHA256
5d913c6be9c9e13801acc5d78b11d9f3cd42c1b3b3cad8272eb6e1bfb06730c2

SHA512
b39c5ea8aea0640f5a32a1fc03e8c8382a621c168980b3bc5e2897932878003b2b8ef75b3ad68149c35420d652143e2ef763b6a47d84ec73621017f0273e2805

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC07.tmp\InstallOptions.dll

Filesize
14KB

MD5
107737e3282fefd85684f2fa3df6d1c3

SHA1
3befbcae116a644ae28cebdc1d7dfe6be5c8ca5f

SHA256
21042be362d4073053bffcc90511b3ecf77902243525b56bb159581b5ece43a0

SHA512
439ac2f3066902e08d63dc3061f55063089857e765feb29fe47ba5819a9bebdff3fe2fe55fc8bfcfddb729d340f006ee95b5aa4422d712f9dcc07cc02ec410b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC07.tmp\InstallOptions.dll

Filesize
14KB

MD5
107737e3282fefd85684f2fa3df6d1c3

SHA1
3befbcae116a644ae28cebdc1d7dfe6be5c8ca5f

SHA256
21042be362d4073053bffcc90511b3ecf77902243525b56bb159581b5ece43a0

SHA512
439ac2f3066902e08d63dc3061f55063089857e765feb29fe47ba5819a9bebdff3fe2fe55fc8bfcfddb729d340f006ee95b5aa4422d712f9dcc07cc02ec410b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC07.tmp\System.dll

Filesize
10KB

MD5
0ae9c427fe7bbbbf1368c1c6d3933ae7

SHA1
c8e5131613302531c88512dada29a18886259268

SHA256
49437f4b9fd38007f3b2735f0a8a12830b995305c75118b440202980183d5c6a

SHA512
59b76b00f2b0d6242dc5bc3cb36d3ff78867445f502e34cea890c6f493c2adf9b97cec539963204ddd1c641e1a77139f46fc33dec4dc636f4b06d2edffffec6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC07.tmp\System.dll

Filesize
10KB

MD5
0ae9c427fe7bbbbf1368c1c6d3933ae7

SHA1
c8e5131613302531c88512dada29a18886259268

SHA256
49437f4b9fd38007f3b2735f0a8a12830b995305c75118b440202980183d5c6a

SHA512
59b76b00f2b0d6242dc5bc3cb36d3ff78867445f502e34cea890c6f493c2adf9b97cec539963204ddd1c641e1a77139f46fc33dec4dc636f4b06d2edffffec6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC07.tmp\System.dll

Filesize
10KB

MD5
0ae9c427fe7bbbbf1368c1c6d3933ae7

SHA1
c8e5131613302531c88512dada29a18886259268

SHA256
49437f4b9fd38007f3b2735f0a8a12830b995305c75118b440202980183d5c6a

SHA512
59b76b00f2b0d6242dc5bc3cb36d3ff78867445f502e34cea890c6f493c2adf9b97cec539963204ddd1c641e1a77139f46fc33dec4dc636f4b06d2edffffec6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC07.tmp\System.dll

Filesize
10KB

MD5
0ae9c427fe7bbbbf1368c1c6d3933ae7

SHA1
c8e5131613302531c88512dada29a18886259268

SHA256
49437f4b9fd38007f3b2735f0a8a12830b995305c75118b440202980183d5c6a

SHA512
59b76b00f2b0d6242dc5bc3cb36d3ff78867445f502e34cea890c6f493c2adf9b97cec539963204ddd1c641e1a77139f46fc33dec4dc636f4b06d2edffffec6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC07.tmp\System.dll

Filesize
10KB

MD5
0ae9c427fe7bbbbf1368c1c6d3933ae7

SHA1
c8e5131613302531c88512dada29a18886259268

SHA256
49437f4b9fd38007f3b2735f0a8a12830b995305c75118b440202980183d5c6a

SHA512
59b76b00f2b0d6242dc5bc3cb36d3ff78867445f502e34cea890c6f493c2adf9b97cec539963204ddd1c641e1a77139f46fc33dec4dc636f4b06d2edffffec6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC07.tmp\System.dll

Filesize
10KB

MD5
0ae9c427fe7bbbbf1368c1c6d3933ae7

SHA1
c8e5131613302531c88512dada29a18886259268

SHA256
49437f4b9fd38007f3b2735f0a8a12830b995305c75118b440202980183d5c6a

SHA512
59b76b00f2b0d6242dc5bc3cb36d3ff78867445f502e34cea890c6f493c2adf9b97cec539963204ddd1c641e1a77139f46fc33dec4dc636f4b06d2edffffec6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC07.tmp\linker.dll

Filesize
6KB

MD5
8450b29ee8d592c208ba1aaf6ee50267

SHA1
75096da057bc85cef63bb0eec168652ea75cf618

SHA256
53aa57e582dc56421c1191a0a9efac9c36960b903b7d825f3b9682605ec2b612

SHA512
d23a3057053a1f36f5eb212ae0b09b9b0b41e50b8a6a20bbc46c12c51199ad0bca741bcce17534488158e8f2b9470dbdac2aa059688b7588a05778c40d461039

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC07.tmp\linker.dll

Filesize
6KB

MD5
8450b29ee8d592c208ba1aaf6ee50267

SHA1
75096da057bc85cef63bb0eec168652ea75cf618

SHA256
53aa57e582dc56421c1191a0a9efac9c36960b903b7d825f3b9682605ec2b612

SHA512
d23a3057053a1f36f5eb212ae0b09b9b0b41e50b8a6a20bbc46c12c51199ad0bca741bcce17534488158e8f2b9470dbdac2aa059688b7588a05778c40d461039

Download Submit
C:\Users\Admin\Desktop\Internet Explorer.lnk

Filesize
603B

MD5
61e64fa5dc28e89ba44ad6fc2d5827fd

SHA1
f0870c42bfd3a6615dba4cf61d1add75db18aa04

SHA256
278597ef0eb06bea39c5294c8d035706655e981303c74903e33f471e1016f360

SHA512
060021f5562d3b384406c0fd85aebe8da8a4a0217417ea41a3b0c53a66d5f8362a7ec7c6e8398b80d51c950458ab383e923f5009572d932a11fe5fd32505b175

Download Submit
memory/2612-157-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2612-170-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3928-147-0x0000000002861000-0x0000000002863000-memory.dmp

Filesize
8KB

Download
memory/3928-156-0x0000000003B61000-0x0000000003B63000-memory.dmp

Filesize
8KB

Download