Analysis

  • max time kernel
    167s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2022, 20:12

General

  • Target

    b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9.exe

  • Size

    140KB

  • MD5

    5a3ad1d47e14f387f3682e4c7518c765

  • SHA1

    b2d07db3330a10ee4f398a57d01aa031925a5ba8

  • SHA256

    b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9

  • SHA512

    2b71057986eafecfeb80e52ba4660c1172d9bdaff872e632211d6f943e31b82b7a3ebb32197e60cf0e8f4ce930471a24f62d70e45d09ca074855dc8957605534

  • SSDEEP

    1536:nnMg2OVLjlevyaRLBnLuRgiaUxRIxecePKH5nKLV+I:M0LpeTLlamiaUxRIxecePKQJ

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9.exe
    "C:\Users\Admin\AppData\Local\Temp\b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start_min_bat.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\winzip\1.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3320
        • C:\PROGRA~1\INTERN~1\iexplore.exe
          C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
          4⤵
            PID:3672
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\winzip\1.inf
            4⤵
              PID:2988
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\winzip\2.bat
              4⤵
              • Drops file in Program Files directory
              • Suspicious use of WriteProcessMemory
              PID:1908
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
                5⤵
                • Modifies Internet Explorer settings
                • Modifies Internet Explorer start page
                PID:2900
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
                5⤵
                • Modifies Internet Explorer settings
                • Modifies Internet Explorer start page
                PID:3744
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f
                5⤵
                  PID:1068
                • C:\Windows\SysWOW64\reg.exe
                  reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
                  5⤵
                  • Modifies registry class
                  PID:2572
                • C:\Windows\SysWOW64\reg.exe
                  reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\winzip\3.bat""" /f
                  5⤵
                  • Modifies registry class
                  PID:4032
                • C:\Windows\SysWOW64\attrib.exe
                  attrib +s +h C:\Users\Admin\AppData\Roaming\winzip\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
                  5⤵
                  • Sets file to hidden
                  • Views/modifies file attributes
                  PID:1016
                • C:\Windows\SysWOW64\attrib.exe
                  attrib +s +h C:\Users\Admin\AppData\Roaming\winzip\tmp
                  5⤵
                  • Sets file to hidden
                  • Views/modifies file attributes
                  PID:1396
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\winzip\2.inf
                  5⤵
                    PID:1368
                  • C:\Windows\SysWOW64\rundll32.exe
                    rundll32 D:\VolumeDH\inj.dat,MainLoad
                    5⤵
                      PID:4860
              • C:\Users\Admin\AppData\Local\Temp\inlCCA.tmp
                C:\Users\Admin\AppData\Local\Temp\inlCCA.tmp
                2⤵
                • Executes dropped EXE
                PID:4484

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

              Filesize

              1KB

              MD5

              3facc60dceffd752f284e286f4ceeb8a

              SHA1

              667ffb98ff425eeb8e3c4c85e0b9fee75cf76da4

              SHA256

              a0583d0e827c3e2aabdfb4e99d6ce78e06eac265bd85f339559433571853f56d

              SHA512

              26c16fd7d173aca60695d464035f639affbb0dcc74788b9246fa051a2bdcfa886e162014ff0eca751fcb90c84a17ab77bacfda1442249f4cbe6bb334c06ce317

            • C:\Users\Admin\AppData\Local\Temp\inlCCA.tmp

              Filesize

              10.5MB

              MD5

              0e89ce2721281ca656472d141538a70e

              SHA1

              a0af9a0bd10f30adfffb24411a259dc416c4ed09

              SHA256

              64eb5c4b3edf1a4b0bd2bdb585002537b3485dfb73cc99a072719d2605107ebf

              SHA512

              037f3bce7b4ebc61bb1638b366f63b2bc8bf09a2b8bfaaeb636348d9fe327613966a79c61a2e088eaeb0d9fbca3dc55588d759357351ee1247e85520fc828754

            • C:\Users\Admin\AppData\Local\Temp\inlCCA.tmp

              Filesize

              10.4MB

              MD5

              26e9a8d421edb454ced70e1dd76c22a7

              SHA1

              357e49d3c1a189bcc36da289584101978c12b3dd

              SHA256

              a0d2bf21b8f9a5ebd13ae316e15dd90c1b65d49af3324b88db2e4278acbff6f8

              SHA512

              58db7eea998a07f7dbe7e8c90b43a95736e159ba0f95f916a538ee4294868da45babd7d2d90ae77319b68c3842ced04d826efe49e1784ae74fb9b752e953f1e1

            • C:\Users\Admin\AppData\Local\Temp\start_min_bat.bat

              Filesize

              53B

              MD5

              9b41ad553fc0a87c014049dfede9e7fa

              SHA1

              840b9c356ec59e65d33bae61c439b0abf11663bd

              SHA256

              a4bd6b14aa9694ba74db5503576072036cd232d586b5e3dd3fe3dade84a67b5e

              SHA512

              6de134478cd5052675cf936f3dc92fb823d72fc3d44c66f5d0755691481302f63cfe602dd7b492354487c9c5b692a09a404c1081265bb3676030cb43a64369b8

            • C:\Users\Admin\AppData\Roaming\winzip\1.bat

              Filesize

              2KB

              MD5

              68a30985a8b4a1dae5b24721ca5b8269

              SHA1

              78481107bbddcf18ffc4d25a184ec74274241a6b

              SHA256

              fe94352a25ade782ea77db82f1ec849479ebfe4605156142fc3fdfabc507a0cf

              SHA512

              d452182a296a9e202bce81ad0c752b34d4d779cac94bb54a07517936b79a4007127585673c524c75055f15e33c56eef0d26d1c448723a97fe70c15457bae5a24

            • C:\Users\Admin\AppData\Roaming\winzip\2.bat

              Filesize

              3KB

              MD5

              c106ffc420b54a4f0fd331f10657dc66

              SHA1

              8930d5b56358f518bdf5ccca2b4d24f98ce7a03f

              SHA256

              fb8218f8c607ec3a4c4cb6e59ee81a94cf8ff513d0b09565ad456c88a9e7250b

              SHA512

              ee82fb57af0dddf8f1acab855cda151d3eacb8e11b0adc3a81852c1e2d77a566aa630ff5dabd8c7bc92ebe78b6187cc823c8a4a645ca78ee88e2c27483080fbd

            • C:\Users\Admin\AppData\Roaming\winzip\4.bat

              Filesize

              44KB

              MD5

              822f43c751ed96af0176caedbd680847

              SHA1

              8c320b1b13b4ecda470288d28a35cf5be40c50cd

              SHA256

              bae40f8014dd2d393364075e5390e91c1f6b5a18cfae211b3fe8f6d6d170daeb

              SHA512

              6e418f5a34a15651e5e23b50ec0fd946f9e2ff6013fe3b7958863cffb8427a8848f28c947502a846172c0369565d777e2de2c15f6303b305336f176f7f04ac89

            • memory/5076-133-0x0000000000400000-0x0000000000423000-memory.dmp

              Filesize

              140KB

            • memory/5076-132-0x0000000000400000-0x0000000000423000-memory.dmp

              Filesize

              140KB