ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14

Analysis

max time kernel
43s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 20:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe
Size

285KB
MD5

8728609e88f9f8a582247665a859fa75
SHA1

8bbc0fdd9db4c8df1aab5cf21b9f8623f22c871d
SHA256

ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14
SHA512

383df18d17cc211852afa35fd087ddd301538295aed2a2006e9a1cae12c7139f289103ffb9cf45542bff1789ed414055e9cd354a8097e902e98f859ee8daea6a
SSDEEP

6144:CZuuObR8sVImcyYIK2JogutPT50T4wmUBSLe3et1d8D/K/Xy7KU:BV+mz6rPN0TrbSLXt1SD/K/XyOU

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,c:\\windows\\system32\\RSTray.exe"	huli.exe

Executes dropped EXE 3 IoCs

pid	Process
940	huli.exe
1660	360setup.exe
308	cj2.exe

Loads dropped DLL 8 IoCs

pid	Process
1604	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe
1604	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe
940	huli.exe
1660	360setup.exe
1660	360setup.exe
1660	360setup.exe
1604	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe
1604	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\RSTray.exe	huli.exe
File opened for modification	C:\Windows\SysWOW64\360setup.exe	huli.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
940	huli.exe
1660	360setup.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 940	1604	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe	27
PID 1604 wrote to memory of 940	1604	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe	27
PID 1604 wrote to memory of 940	1604	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe	27
PID 1604 wrote to memory of 940	1604	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe	27
PID 940 wrote to memory of 1660	940	huli.exe	28
PID 940 wrote to memory of 1660	940	huli.exe	28
PID 940 wrote to memory of 1660	940	huli.exe	28
PID 940 wrote to memory of 1660	940	huli.exe	28
PID 940 wrote to memory of 1660	940	huli.exe	28
PID 940 wrote to memory of 1660	940	huli.exe	28
PID 940 wrote to memory of 1660	940	huli.exe	28
PID 940 wrote to memory of 680	940	huli.exe	29
PID 940 wrote to memory of 680	940	huli.exe	29
PID 940 wrote to memory of 680	940	huli.exe	29
PID 940 wrote to memory of 680	940	huli.exe	29
PID 1604 wrote to memory of 308	1604	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe	31
PID 1604 wrote to memory of 308	1604	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe	31
PID 1604 wrote to memory of 308	1604	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe	31
PID 1604 wrote to memory of 308	1604	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe	31

C:\Users\Admin\AppData\Local\Temp\ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe
"C:\Users\Admin\AppData\Local\Temp\ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\huli.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\huli.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\360setup.exe
    "C:\Windows\system32\360setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templateskill.bat""
    3⤵
    PID:680
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\cj2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\cj2.exe"
  2⤵
  - Executes dropped EXE
  PID:308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cj2.exe

Filesize
10KB

MD5
59df9a5bee8f0efb4d8fa4ef533a75f5

SHA1
425d13da70388767e1a88bea567729f239c312d0

SHA256
a83c1a332b1b8e5784b0d7f39e3077fd9c7d681ac6055a9a066b1e44cd993b89

SHA512
f014b9679d26af9d069fbae77535898314339595aebec0553c97487aadaccdec5c5b7985fe0da5ba6a4abaaf47af8c694fd1806062a8e2ec27cf2411cadce892

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\huli.exe

Filesize
232KB

MD5
a2ce852533ddb97a40c2a85ea09c648f

SHA1
3ce2a8304ebbf4009d364c9c18459452e6235eb9

SHA256
513973afd3a587d82672ca0fe96931d56e52f3b101966c7c3467508708ec4312

SHA512
4961ef8abff181383b833358c643c330ec362077e0a02b89850cc1120731c0097c7796e13252131a5172c8468793e0d3748e660215140ca9d47d9a3e7ea311f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\huli.exe

Filesize
232KB

MD5
a2ce852533ddb97a40c2a85ea09c648f

SHA1
3ce2a8304ebbf4009d364c9c18459452e6235eb9

SHA256
513973afd3a587d82672ca0fe96931d56e52f3b101966c7c3467508708ec4312

SHA512
4961ef8abff181383b833358c643c330ec362077e0a02b89850cc1120731c0097c7796e13252131a5172c8468793e0d3748e660215140ca9d47d9a3e7ea311f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templateskill.bat

Filesize
150B

MD5
ed85a3d9b6c240890a471e563ad51d8d

SHA1
390ffe91c255164c1b7544c2464850df96e7c23e

SHA256
6dfed0f5a52f87082a0005f68790ecc11f36242614726313b5ca4cba6afea18a

SHA512
22d10dab34ded654c5650e78a454905f7cdee0b0d122c17c443062087db4dc397a8430ffed2b3c4d77108e9c1b1dc09eb410c605939de0d600c0dcb9caeffc1e

Download Submit
C:\WINDOWS\SYSWOW64\RSTRAY.EXE

Filesize
72KB

MD5
93b49744b7ce7c0f75ac8cd2d78a8aa2

SHA1
5b22eeedfd00e898a32ecf84620c06447b9ad6bc

SHA256
fb514660e066521b078961daec192338f6e98573c679b37a17596da891ac876d

SHA512
e71c4af707a09bd33b4031fb643142f3d6d21ca1536f3bc59d9b4a114baec10a2678362a25a80ec9bbd1accb5491be3d36763dd756b2e1bbd1cf045692326273

Download Submit
C:\Windows\SysWOW64\360setup.exe

Filesize
80KB

MD5
e11bced11196fd7a8c914ab8da81c16e

SHA1
50f67e14dd7646de76c088eb6f58307c7f14dad5

SHA256
28ce96206970b988603001a6aac71df3cc5a67cc5ccd31840b9839810ca5cc08

SHA512
17bc8ac4b9699fa46ec7ae2ea4bba843018bf675df3ea5427a333ea06bb440e9669c4cc5f5eefe5d43702c3375e04fcb439db3fd4695b699a467671e05a639a3

Download Submit
C:\Windows\SysWOW64\360setup.exe

Filesize
80KB

MD5
e11bced11196fd7a8c914ab8da81c16e

SHA1
50f67e14dd7646de76c088eb6f58307c7f14dad5

SHA256
28ce96206970b988603001a6aac71df3cc5a67cc5ccd31840b9839810ca5cc08

SHA512
17bc8ac4b9699fa46ec7ae2ea4bba843018bf675df3ea5427a333ea06bb440e9669c4cc5f5eefe5d43702c3375e04fcb439db3fd4695b699a467671e05a639a3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\cj2.exe

Filesize
10KB

MD5
59df9a5bee8f0efb4d8fa4ef533a75f5

SHA1
425d13da70388767e1a88bea567729f239c312d0

SHA256
a83c1a332b1b8e5784b0d7f39e3077fd9c7d681ac6055a9a066b1e44cd993b89

SHA512
f014b9679d26af9d069fbae77535898314339595aebec0553c97487aadaccdec5c5b7985fe0da5ba6a4abaaf47af8c694fd1806062a8e2ec27cf2411cadce892

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\cj2.exe

Filesize
10KB

MD5
59df9a5bee8f0efb4d8fa4ef533a75f5

SHA1
425d13da70388767e1a88bea567729f239c312d0

SHA256
a83c1a332b1b8e5784b0d7f39e3077fd9c7d681ac6055a9a066b1e44cd993b89

SHA512
f014b9679d26af9d069fbae77535898314339595aebec0553c97487aadaccdec5c5b7985fe0da5ba6a4abaaf47af8c694fd1806062a8e2ec27cf2411cadce892

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\huli.exe

Filesize
232KB

MD5
a2ce852533ddb97a40c2a85ea09c648f

SHA1
3ce2a8304ebbf4009d364c9c18459452e6235eb9

SHA256
513973afd3a587d82672ca0fe96931d56e52f3b101966c7c3467508708ec4312

SHA512
4961ef8abff181383b833358c643c330ec362077e0a02b89850cc1120731c0097c7796e13252131a5172c8468793e0d3748e660215140ca9d47d9a3e7ea311f9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\huli.exe

Filesize
232KB

MD5
a2ce852533ddb97a40c2a85ea09c648f

SHA1
3ce2a8304ebbf4009d364c9c18459452e6235eb9

SHA256
513973afd3a587d82672ca0fe96931d56e52f3b101966c7c3467508708ec4312

SHA512
4961ef8abff181383b833358c643c330ec362077e0a02b89850cc1120731c0097c7796e13252131a5172c8468793e0d3748e660215140ca9d47d9a3e7ea311f9

Download Submit
\Windows\SysWOW64\360setup.exe

Filesize
80KB

MD5
e11bced11196fd7a8c914ab8da81c16e

SHA1
50f67e14dd7646de76c088eb6f58307c7f14dad5

SHA256
28ce96206970b988603001a6aac71df3cc5a67cc5ccd31840b9839810ca5cc08

SHA512
17bc8ac4b9699fa46ec7ae2ea4bba843018bf675df3ea5427a333ea06bb440e9669c4cc5f5eefe5d43702c3375e04fcb439db3fd4695b699a467671e05a639a3

Download Submit
\Windows\SysWOW64\360setup.exe

Filesize
80KB

MD5
e11bced11196fd7a8c914ab8da81c16e

SHA1
50f67e14dd7646de76c088eb6f58307c7f14dad5

SHA256
28ce96206970b988603001a6aac71df3cc5a67cc5ccd31840b9839810ca5cc08

SHA512
17bc8ac4b9699fa46ec7ae2ea4bba843018bf675df3ea5427a333ea06bb440e9669c4cc5f5eefe5d43702c3375e04fcb439db3fd4695b699a467671e05a639a3

Download Submit
\Windows\SysWOW64\360setup.exe

Filesize
80KB

MD5
e11bced11196fd7a8c914ab8da81c16e

SHA1
50f67e14dd7646de76c088eb6f58307c7f14dad5

SHA256
28ce96206970b988603001a6aac71df3cc5a67cc5ccd31840b9839810ca5cc08

SHA512
17bc8ac4b9699fa46ec7ae2ea4bba843018bf675df3ea5427a333ea06bb440e9669c4cc5f5eefe5d43702c3375e04fcb439db3fd4695b699a467671e05a639a3

Download Submit
\Windows\SysWOW64\360setup.exe

Filesize
80KB

MD5
e11bced11196fd7a8c914ab8da81c16e

SHA1
50f67e14dd7646de76c088eb6f58307c7f14dad5

SHA256
28ce96206970b988603001a6aac71df3cc5a67cc5ccd31840b9839810ca5cc08

SHA512
17bc8ac4b9699fa46ec7ae2ea4bba843018bf675df3ea5427a333ea06bb440e9669c4cc5f5eefe5d43702c3375e04fcb439db3fd4695b699a467671e05a639a3

Download Submit
memory/308-86-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/940-68-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1604-85-0x00000000021E0000-0x00000000021E3000-memory.dmp

Filesize
12KB

Download
memory/1604-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1604-79-0x0000000002F80000-0x0000000002FC8000-memory.dmp

Filesize
288KB

Download
memory/1604-80-0x0000000002F80000-0x0000000002FC8000-memory.dmp

Filesize
288KB

Download
memory/1604-90-0x0000000002F80000-0x0000000002FC8000-memory.dmp

Filesize
288KB

Download
memory/1604-84-0x00000000021E0000-0x00000000021E3000-memory.dmp

Filesize
12KB

Download
memory/1660-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1660-83-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1660-81-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1660-91-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download