ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14

General

Target

ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe
Size

285KB
MD5

8728609e88f9f8a582247665a859fa75
SHA1

8bbc0fdd9db4c8df1aab5cf21b9f8623f22c871d
SHA256

ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14
SHA512

383df18d17cc211852afa35fd087ddd301538295aed2a2006e9a1cae12c7139f289103ffb9cf45542bff1789ed414055e9cd354a8097e902e98f859ee8daea6a
SSDEEP

6144:CZuuObR8sVImcyYIK2JogutPT50T4wmUBSLe3et1d8D/K/Xy7KU:BV+mz6rPN0TrbSLXt1SD/K/XyOU

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,c:\\windows\\system32\\RSTray.exe"	huli.exe

Executes dropped EXE 3 IoCs

pid	Process
4908	huli.exe
1144	360setup.exe
756	cj2.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	huli.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\360setup.exe	huli.exe
File opened for modification	C:\Windows\SysWOW64\RSTray.exe	huli.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4628	756	WerFault.exe	86

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	huli.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4908	huli.exe
1144	360setup.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 4908	4520	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe	82
PID 4520 wrote to memory of 4908	4520	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe	82
PID 4520 wrote to memory of 4908	4520	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe	82
PID 4908 wrote to memory of 1144	4908	huli.exe	83
PID 4908 wrote to memory of 1144	4908	huli.exe	83
PID 4908 wrote to memory of 1144	4908	huli.exe	83
PID 4908 wrote to memory of 2636	4908	huli.exe	84
PID 4908 wrote to memory of 2636	4908	huli.exe	84
PID 4908 wrote to memory of 2636	4908	huli.exe	84
PID 4520 wrote to memory of 756	4520	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe	86
PID 4520 wrote to memory of 756	4520	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe	86
PID 4520 wrote to memory of 756	4520	ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe	86

C:\Users\Admin\AppData\Local\Temp\ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe
"C:\Users\Admin\AppData\Local\Temp\ae653bf178849524d00e8598296ca7f109e96551a93fcf05e97310b431137d14.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\huli.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\huli.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\360setup.exe
    "C:\Windows\system32\360setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templateskill.bat""
    3⤵
    PID:2636
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\cj2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\cj2.exe"
  2⤵
  - Executes dropped EXE
  PID:756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 400
    3⤵
    - Program crash
    PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 756 -ip 756
1⤵
PID:2108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cj2.exe

Filesize
10KB

MD5
59df9a5bee8f0efb4d8fa4ef533a75f5

SHA1
425d13da70388767e1a88bea567729f239c312d0

SHA256
a83c1a332b1b8e5784b0d7f39e3077fd9c7d681ac6055a9a066b1e44cd993b89

SHA512
f014b9679d26af9d069fbae77535898314339595aebec0553c97487aadaccdec5c5b7985fe0da5ba6a4abaaf47af8c694fd1806062a8e2ec27cf2411cadce892

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cj2.exe

Filesize
10KB

MD5
59df9a5bee8f0efb4d8fa4ef533a75f5

SHA1
425d13da70388767e1a88bea567729f239c312d0

SHA256
a83c1a332b1b8e5784b0d7f39e3077fd9c7d681ac6055a9a066b1e44cd993b89

SHA512
f014b9679d26af9d069fbae77535898314339595aebec0553c97487aadaccdec5c5b7985fe0da5ba6a4abaaf47af8c694fd1806062a8e2ec27cf2411cadce892

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\huli.exe

Filesize
232KB

MD5
a2ce852533ddb97a40c2a85ea09c648f

SHA1
3ce2a8304ebbf4009d364c9c18459452e6235eb9

SHA256
513973afd3a587d82672ca0fe96931d56e52f3b101966c7c3467508708ec4312

SHA512
4961ef8abff181383b833358c643c330ec362077e0a02b89850cc1120731c0097c7796e13252131a5172c8468793e0d3748e660215140ca9d47d9a3e7ea311f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\huli.exe

Filesize
232KB

MD5
a2ce852533ddb97a40c2a85ea09c648f

SHA1
3ce2a8304ebbf4009d364c9c18459452e6235eb9

SHA256
513973afd3a587d82672ca0fe96931d56e52f3b101966c7c3467508708ec4312

SHA512
4961ef8abff181383b833358c643c330ec362077e0a02b89850cc1120731c0097c7796e13252131a5172c8468793e0d3748e660215140ca9d47d9a3e7ea311f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templateskill.bat

Filesize
150B

MD5
ed85a3d9b6c240890a471e563ad51d8d

SHA1
390ffe91c255164c1b7544c2464850df96e7c23e

SHA256
6dfed0f5a52f87082a0005f68790ecc11f36242614726313b5ca4cba6afea18a

SHA512
22d10dab34ded654c5650e78a454905f7cdee0b0d122c17c443062087db4dc397a8430ffed2b3c4d77108e9c1b1dc09eb410c605939de0d600c0dcb9caeffc1e

Download Submit
C:\WINDOWS\SysWOW64\RSTRAY.EXE

Filesize
72KB

MD5
93b49744b7ce7c0f75ac8cd2d78a8aa2

SHA1
5b22eeedfd00e898a32ecf84620c06447b9ad6bc

SHA256
fb514660e066521b078961daec192338f6e98573c679b37a17596da891ac876d

SHA512
e71c4af707a09bd33b4031fb643142f3d6d21ca1536f3bc59d9b4a114baec10a2678362a25a80ec9bbd1accb5491be3d36763dd756b2e1bbd1cf045692326273

Download Submit
C:\Windows\SysWOW64\360setup.exe

Filesize
80KB

MD5
e11bced11196fd7a8c914ab8da81c16e

SHA1
50f67e14dd7646de76c088eb6f58307c7f14dad5

SHA256
28ce96206970b988603001a6aac71df3cc5a67cc5ccd31840b9839810ca5cc08

SHA512
17bc8ac4b9699fa46ec7ae2ea4bba843018bf675df3ea5427a333ea06bb440e9669c4cc5f5eefe5d43702c3375e04fcb439db3fd4695b699a467671e05a639a3

Download Submit
C:\Windows\SysWOW64\360setup.exe

Filesize
80KB

MD5
e11bced11196fd7a8c914ab8da81c16e

SHA1
50f67e14dd7646de76c088eb6f58307c7f14dad5

SHA256
28ce96206970b988603001a6aac71df3cc5a67cc5ccd31840b9839810ca5cc08

SHA512
17bc8ac4b9699fa46ec7ae2ea4bba843018bf675df3ea5427a333ea06bb440e9669c4cc5f5eefe5d43702c3375e04fcb439db3fd4695b699a467671e05a639a3

Download Submit
memory/756-148-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1144-143-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4908-142-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4908-137-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing