be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b

General

Target

be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe
Size

123KB
MD5

8a105d4d072da4e7e60b5d52e40dd1e4
SHA1

75600781f3abd0e93b97caae3b3deac91c5d2e63
SHA256

be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b
SHA512

fd9f0f5ca3a6891e693b5bb114ad855d8be1b88813a6e47d2e19546d0fd7c37d50e19901ffe951cc6050f5d4747754b4e948196ba78f71f4b1dbfc9133529d7f
SSDEEP

3072:DMEMvxdknmg1tDbuLB+5xGT21JqaEvNW41i/NU8bOMYcYYcmy5OJkHGGi:DME1nmg1tDbJ5621YNWWi/NjO5SJmi

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

taobao3981.exe

pid process

1924 taobao3981.exe

pid	process
1924	taobao3981.exe

Loads dropped DLL 5 IoCs

Processes:

be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exetaobao3981.exe

pid	process
1228	be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe
1228	be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe
1924	taobao3981.exe
1924	taobao3981.exe
1924	taobao3981.exe

Drops file in Windows directory 1 IoCs

Processes:

taobao3981.exe

description ioc process

File opened for modification C:\Windows\taobao.ico taobao3981.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\taobao.ico	taobao3981.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe

description	pid	process
Token: SeRestorePrivilege	1228	be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe
Token: SeBackupPrivilege	1228	be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

taobao3981.exe

pid process

1924 taobao3981.exe

pid	process
1924	taobao3981.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe

description	pid	process	target process
PID 1228 wrote to memory of 1924	1228	be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe	taobao3981.exe
PID 1228 wrote to memory of 1924	1228	be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe	taobao3981.exe
PID 1228 wrote to memory of 1924	1228	be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe	taobao3981.exe
PID 1228 wrote to memory of 1924	1228	be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe	taobao3981.exe
PID 1228 wrote to memory of 1924	1228	be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe	taobao3981.exe
PID 1228 wrote to memory of 1924	1228	be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe	taobao3981.exe
PID 1228 wrote to memory of 1924	1228	be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe	taobao3981.exe

C:\Users\Admin\AppData\Local\Temp\be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe
"C:\Users\Admin\AppData\Local\Temp\be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\windows\temp\aa\taobao3981.exe
"C:\windows\temp\aa\taobao3981.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\aa\taobao3981.exe
Filesize
36KB

MD5
7eed0015317f276e356da5527325ee26

SHA1
13d72f30c84f70325bdaa0a90311d6e5b8aca177

SHA256
566d8a0267b6fdf0cdc66496b629ce70db5f8121bf15152c12aa6ffe95f1351b

SHA512
73ea6a6d0e0e4221b6f658dc1d632819ce4b07688c9c0e20bb74799cc719e3af09ae31cec89fdbfb100a7b1ffe0153a347cecfc37393e9e59a66fa528c002e7c

Download Submit
C:\windows\temp\aa\taobao3981.exe
Filesize
36KB

MD5
7eed0015317f276e356da5527325ee26

SHA1
13d72f30c84f70325bdaa0a90311d6e5b8aca177

SHA256
566d8a0267b6fdf0cdc66496b629ce70db5f8121bf15152c12aa6ffe95f1351b

SHA512
73ea6a6d0e0e4221b6f658dc1d632819ce4b07688c9c0e20bb74799cc719e3af09ae31cec89fdbfb100a7b1ffe0153a347cecfc37393e9e59a66fa528c002e7c

Download Submit
\Windows\Temp\aa\taobao3981.exe
Filesize
36KB

MD5
7eed0015317f276e356da5527325ee26

SHA1
13d72f30c84f70325bdaa0a90311d6e5b8aca177

SHA256
566d8a0267b6fdf0cdc66496b629ce70db5f8121bf15152c12aa6ffe95f1351b

SHA512
73ea6a6d0e0e4221b6f658dc1d632819ce4b07688c9c0e20bb74799cc719e3af09ae31cec89fdbfb100a7b1ffe0153a347cecfc37393e9e59a66fa528c002e7c

Download Submit
\Windows\Temp\aa\taobao3981.exe
Filesize
36KB

MD5
7eed0015317f276e356da5527325ee26

SHA1
13d72f30c84f70325bdaa0a90311d6e5b8aca177

SHA256
566d8a0267b6fdf0cdc66496b629ce70db5f8121bf15152c12aa6ffe95f1351b

SHA512
73ea6a6d0e0e4221b6f658dc1d632819ce4b07688c9c0e20bb74799cc719e3af09ae31cec89fdbfb100a7b1ffe0153a347cecfc37393e9e59a66fa528c002e7c

Download Submit
\Windows\Temp\aa\taobao3981.exe
Filesize
36KB

MD5
7eed0015317f276e356da5527325ee26

SHA1
13d72f30c84f70325bdaa0a90311d6e5b8aca177

SHA256
566d8a0267b6fdf0cdc66496b629ce70db5f8121bf15152c12aa6ffe95f1351b

SHA512
73ea6a6d0e0e4221b6f658dc1d632819ce4b07688c9c0e20bb74799cc719e3af09ae31cec89fdbfb100a7b1ffe0153a347cecfc37393e9e59a66fa528c002e7c

Download Submit
\Windows\Temp\aa\taobao3981.exe
Filesize
36KB

MD5
7eed0015317f276e356da5527325ee26

SHA1
13d72f30c84f70325bdaa0a90311d6e5b8aca177

SHA256
566d8a0267b6fdf0cdc66496b629ce70db5f8121bf15152c12aa6ffe95f1351b

SHA512
73ea6a6d0e0e4221b6f658dc1d632819ce4b07688c9c0e20bb74799cc719e3af09ae31cec89fdbfb100a7b1ffe0153a347cecfc37393e9e59a66fa528c002e7c

Download Submit
\Windows\Temp\aa\taobao3981.exe
Filesize
36KB

MD5
7eed0015317f276e356da5527325ee26

SHA1
13d72f30c84f70325bdaa0a90311d6e5b8aca177

SHA256
566d8a0267b6fdf0cdc66496b629ce70db5f8121bf15152c12aa6ffe95f1351b

SHA512
73ea6a6d0e0e4221b6f658dc1d632819ce4b07688c9c0e20bb74799cc719e3af09ae31cec89fdbfb100a7b1ffe0153a347cecfc37393e9e59a66fa528c002e7c

Download Submit
memory/1228-54-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1924-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads