be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b

Analysis

max time kernel
90s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe
Size

123KB
MD5

8a105d4d072da4e7e60b5d52e40dd1e4
SHA1

75600781f3abd0e93b97caae3b3deac91c5d2e63
SHA256

be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b
SHA512

fd9f0f5ca3a6891e693b5bb114ad855d8be1b88813a6e47d2e19546d0fd7c37d50e19901ffe951cc6050f5d4747754b4e948196ba78f71f4b1dbfc9133529d7f
SSDEEP

3072:DMEMvxdknmg1tDbuLB+5xGT21JqaEvNW41i/NU8bOMYcYYcmy5OJkHGGi:DME1nmg1tDbJ5621YNWWi/NjO5SJmi

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

taobao3981.exe

pid process

1900 taobao3981.exe

pid	process
1900	taobao3981.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe

Drops file in Windows directory 1 IoCs

Processes:

taobao3981.exe

description ioc process

File opened for modification C:\Windows\taobao.ico taobao3981.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

taobao3981.exe

pid process

1900 taobao3981.exe

description	ioc	process
File opened for modification	C:\Windows\taobao.ico	taobao3981.exe

pid	process
1900	taobao3981.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe

description	pid	process	target process
PID 1688 wrote to memory of 1900	1688	be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe	taobao3981.exe
PID 1688 wrote to memory of 1900	1688	be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe	taobao3981.exe
PID 1688 wrote to memory of 1900	1688	be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe	taobao3981.exe

C:\Users\Admin\AppData\Local\Temp\be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe
"C:\Users\Admin\AppData\Local\Temp\be0bca2f2aadb6450a24fed93644c600832a1dfbcc14ac3d08c6073436b65c4b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1688

C:\windows\temp\aa\taobao3981.exe
"C:\windows\temp\aa\taobao3981.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\aa\taobao3981.exe
Filesize
36KB

MD5
7eed0015317f276e356da5527325ee26

SHA1
13d72f30c84f70325bdaa0a90311d6e5b8aca177

SHA256
566d8a0267b6fdf0cdc66496b629ce70db5f8121bf15152c12aa6ffe95f1351b

SHA512
73ea6a6d0e0e4221b6f658dc1d632819ce4b07688c9c0e20bb74799cc719e3af09ae31cec89fdbfb100a7b1ffe0153a347cecfc37393e9e59a66fa528c002e7c

Download Submit
C:\windows\temp\aa\taobao3981.exe
Filesize
36KB

MD5
7eed0015317f276e356da5527325ee26

SHA1
13d72f30c84f70325bdaa0a90311d6e5b8aca177

SHA256
566d8a0267b6fdf0cdc66496b629ce70db5f8121bf15152c12aa6ffe95f1351b

SHA512
73ea6a6d0e0e4221b6f658dc1d632819ce4b07688c9c0e20bb74799cc719e3af09ae31cec89fdbfb100a7b1ffe0153a347cecfc37393e9e59a66fa528c002e7c

Download Submit
memory/1900-132-0x0000000000000000-mapping.dmp

Download