Analysis

max time kernel: 167s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/12/2022, 20:12

Static task: static1

Behavioral task: behavioral1
Sample: b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9.exe
Resource: win10v2004-20220812-en
General

Target: b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9.exe
Size: 140KB
MD5: 5a3ad1d47e14f387f3682e4c7518c765
SHA1: b2d07db3330a10ee4f398a57d01aa031925a5ba8
SHA256: b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9
SHA512: 2b71057986eafecfeb80e52ba4660c1172d9bdaff872e632211d6f943e31b82b7a3ebb32197e60cf0e8f4ce930471a24f62d70e45d09ca074855dc8957605534
SSDEEP: 1536:nnMg2OVLjlevyaRLBnLuRgiaUxRIxecePKH5nKLV+I:M0LpeTLlamiaUxRIxecePKQJ
Malware Config

Signatures

Executes dropped EXE 1 IoCs
pid Process
4484 inlCCA.tmp

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process
1016 attrib.exe
1396 attrib.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9.exe

Drops file in Program Files directory 2 IoCs
description ioc Process
File created C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe
File opened for modification C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main reg.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main reg.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S" reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S" reg.exe

Modifies registry class 9 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H) reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\winzip\\3.bat\"" reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} reg.exe

Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target
PID 5076 wrote to memory of 2356 5076 b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9.exe 87
PID 5076 wrote to memory of 2356 5076 b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9.exe 87
PID 5076 wrote to memory of 2356 5076 b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9.exe 87
PID 2356 wrote to memory of 3320 2356 cmd.exe 89
PID 2356 wrote to memory of 3320 2356 cmd.exe 89
PID 2356 wrote to memory of 3320 2356 cmd.exe 89
PID 3320 wrote to memory of 3672 3320 cmd.exe 91
PID 3320 wrote to memory of 3672 3320 cmd.exe 91
PID 3320 wrote to memory of 2988 3320 cmd.exe 92
PID 3320 wrote to memory of 2988 3320 cmd.exe 92
PID 3320 wrote to memory of 2988 3320 cmd.exe 92
PID 3320 wrote to memory of 1908 3320 cmd.exe 93
PID 3320 wrote to memory of 1908 3320 cmd.exe 93
PID 3320 wrote to memory of 1908 3320 cmd.exe 93
PID 1908 wrote to memory of 2900 1908 cmd.exe 95
PID 1908 wrote to memory of 2900 1908 cmd.exe 95
PID 1908 wrote to memory of 2900 1908 cmd.exe 95
PID 1908 wrote to memory of 3744 1908 cmd.exe 96
PID 1908 wrote to memory of 3744 1908 cmd.exe 96
PID 1908 wrote to memory of 3744 1908 cmd.exe 96
PID 1908 wrote to memory of 1068 1908 cmd.exe 97
PID 1908 wrote to memory of 1068 1908 cmd.exe 97
PID 1908 wrote to memory of 1068 1908 cmd.exe 97
PID 1908 wrote to memory of 2572 1908 cmd.exe 98
PID 1908 wrote to memory of 2572 1908 cmd.exe 98
PID 1908 wrote to memory of 2572 1908 cmd.exe 98
PID 1908 wrote to memory of 4032 1908 cmd.exe 99
PID 1908 wrote to memory of 4032 1908 cmd.exe 99
PID 1908 wrote to memory of 4032 1908 cmd.exe 99
PID 1908 wrote to memory of 1016 1908 cmd.exe 100
PID 1908 wrote to memory of 1016 1908 cmd.exe 100
PID 1908 wrote to memory of 1016 1908 cmd.exe 100
PID 5076 wrote to memory of 4484 5076 b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9.exe 101
PID 5076 wrote to memory of 4484 5076 b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9.exe 101
PID 5076 wrote to memory of 4484 5076 b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9.exe 101
PID 1908 wrote to memory of 1396 1908 cmd.exe 102
PID 1908 wrote to memory of 1396 1908 cmd.exe 102
PID 1908 wrote to memory of 1396 1908 cmd.exe 102

Views/modifies file attributes 1 TTPs 2 IoCs
pid Process
1016 attrib.exe
1396 attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b9385d6afb0c48e79f28d0ec061b429efce9eb058ba4e4ac9d8a75994d8fc6c9.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 5076

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start_min_bat.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 2356

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\winzip\1.bat
      - Suspicious use of WriteProcessMemory
      PID: 3320

      C:\PROGRA~1\INTERN~1\iexplore.exe (level 4)
        Command line: C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
        PID: 3672

      C:\Windows\SysWOW64\rundll32.exe (level 4)
        Command line: rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\winzip\1.inf
        PID: 2988

      C:\Windows\SysWOW64\cmd.exe (level 4)
        Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\winzip\2.bat
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory
        PID: 1908

        C:\Windows\SysWOW64\reg.exe (level 5)
          Command line: reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
          - Modifies Internet Explorer settings
          - Modifies Internet Explorer start page
          PID: 2900

        C:\Windows\SysWOW64\reg.exe (level 5)
          Command line: reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
          - Modifies Internet Explorer settings
          - Modifies Internet Explorer start page
          PID: 3744

        C:\Windows\SysWOW64\reg.exe (level 5)
          Command line: reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f
          PID: 1068

        C:\Windows\SysWOW64\reg.exe (level 5)
          Command line: reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
          - Modifies registry class
          PID: 2572

        C:\Windows\SysWOW64\reg.exe (level 5)
          Command line: reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\winzip\3.bat""" /f
          - Modifies registry class
          PID: 4032

        C:\Windows\SysWOW64\attrib.exe (level 5)
          Command line: attrib +s +h C:\Users\Admin\AppData\Roaming\winzip\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
          - Sets file to hidden
          - Views/modifies file attributes
          PID: 1016

        C:\Windows\SysWOW64\attrib.exe (level 5)
          Command line: attrib +s +h C:\Users\Admin\AppData\Roaming\winzip\tmp
          - Sets file to hidden
          - Views/modifies file attributes
          PID: 1396

        C:\Windows\SysWOW64\rundll32.exe (level 5)
          Command line: rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\winzip\2.inf
          PID: 1368

        C:\Windows\SysWOW64\rundll32.exe (level 5)
          Command line: rundll32 D:\VolumeDH\inj.dat,MainLoad
          PID: 4860

  C:\Users\Admin\AppData\Local\Temp\inlCCA.tmp (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\inlCCA.tmp
    - Executes dropped EXE
    PID: 4484
Network
MITRE ATT&CK Enterprise v6
Downloads