Analysis
- max time kernel: 90s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 14:46
Static task: static1
Behavioral task: behavioral1
- Sample: be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe
- Resource: win10v2004-20220901-en
General
- Target: be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe
- Size: 123KB
- MD5: 8a105d4d072da4e7e60b5d52e40dd1e4
- SHA1: 75600781f3abd0e93b97caae3b3deac91c5d2e63
- SHA256: be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b
- SHA512: fd9f0f5ca3a6891e693b5bb114ad855d8be1b88813a6e47d2e19546d0fd7c37d50e19901ffe951cc6050f5d4747754b4e948196ba78f71f4b1dbfc9133529d7f
- SSDEEP: 3072:DMEMvxdknmg1tDbuLB+5xGT21JqaEvNW41i/NU8bOMYcYYcmy5OJkHGGi:DME1nmg1tDbJ5621YNWWi/NjO5SJmi
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: taobao3981.exe (PID 1900)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
- Drops file in Windows directory (1 IoCs)
  Processes: taobao3981.exe
  Description: File opened for modification
  IoC: C:\Windows\taobao.ico
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: taobao3981.exe (PID 1900)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe
  Description: PID 1688 (be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe) wrote to memory of PID 1900 (taobao3981.exe), recorded three times
Processes
- C:\Users\Admin\AppData\Local\Temp\be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Child process: C:\windows\temp\aa\taobao3981.exe
    Command line: "C:\windows\temp\aa\taobao3981.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Temp\aa\taobao3981.exe (also listed as C:\windows\temp\aa\taobao3981.exe, identical hashes)
  Filesize: 36KB
  MD5: 7eed0015317f276e356da5527325ee26
  SHA1: 13d72f30c84f70325bdaa0a90311d6e5b8aca177
  SHA256: 566d8a0267b6fdf0cdc66496b629ce70db5f8121bf15152c12aa6ffe95f1351b
  SHA512: 73ea6a6d0e0e4221b6f658dc1d632819ce4b07688c9c0e20bb74799cc719e3af09ae31cec89fdbfb100a7b1ffe0153a347cecfc37393e9e59a66fa528c002e7c
- memory/1900-132-0x0000000000000000-mapping.dmp