Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2022 13:41

Static task: static1

Behavioral task: behavioral1
Sample: 腾讯会议软件.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 腾讯会议软件.exe
Resource: win10v2004-20220812-en
General
Target: 腾讯会议软件.exe
Size: 2.0MB
MD5: 5b9e8345fab7397985cd60729797abc6
SHA1: 21d8e0efd71f4f00e8138360e56e72dbf533890a
SHA256: aacf9aa69f796273438327be6d804d20837272b331eb3b7689b431148a07c88d
SHA512: c505609e8de8c29f78490833f34a355d41eb3a6057919aa7f23ab9ae7ac83cef3b64f0116bba0ca145dbb17b1c2c3b18546d31af2397b82260f4cf708a709f75
SSDEEP: 49152:R/BU6vSPotkoQsbJhPI2q056dN216k4xIURegVMw:R/BU6vSPotPQsbJhPI2qexFJEegVMw
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll  yara_rule: acprotect

Downloads MZ/PE file

Executes dropped EXE 1 IoCs
Processes:
  pid: 1132  process: InstallHelper.exe

upx yara_rule matches 3 IoCs
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll  yara_rule: upx
  resource: behavioral2/memory/876-133-0x0000000010000000-0x00000000103D1000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/876-134-0x0000000010000000-0x00000000103D1000-memory.dmp  yara_rule: upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  process: 腾讯会议软件.exe

Loads dropped DLL 1 IoCs
Processes:
  pid: 876  process: 腾讯会议软件.exe
Checks whether UAC is enabled
Processes:
  description: Key value queried  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  process: 腾讯会议软件.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description: File opened for modification  ioc: \??\PhysicalDrive0  process: 腾讯会议软件.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class 14 IoCs
Processes (all entries by 腾讯会议软件.exe):
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\PacketPath_166_508_1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdb_semrjgj.dll"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "251731c104cf8f95cfd378f84a615549"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "13DF6CE7D3740C79BC50DC30DBF4ACD4"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "j5m2niuahwnda4f7oyaitlj9ygze"

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description: Token: SeDebugPrivilege  pid: 876  process: 腾讯会议软件.exe
  description: Token: SeDebugPrivilege  pid: 876  process: 腾讯会议软件.exe

Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
  pid: 876  process: 腾讯会议软件.exe (64 identical entries)

Suspicious use of SendNotifyMessage 64 IoCs
Processes:
  pid: 876  process: 腾讯会议软件.exe (64 identical entries)

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description: PID 876 wrote to memory of 1132  pid: 876  process: 腾讯会议软件.exe  target process: InstallHelper.exe (3 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\腾讯会议软件.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\腾讯会议软件.exe"
   - Checks computer location settings
   - Loads dropped DLL
   - Checks whether UAC is enabled
   - Writes to the Master Boot Record (MBR)
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\kantivirus\InstallHelper.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\kantivirus\InstallHelper.exe" -Pid:"876" -LogFileName:"C:\Users\Admin\AppData\Local\Temp\kantivirus\semPacketDllLog.log" -InstallPath:"C:\Users\Admin\AppData\Local\Temp\kantivirus" -Tid1:"10" -Tid2:"166" -Tod1:"508" -Tod2:"1" -IId:"209641155" -UUID:"251731C104CF8F95CFD378F84A615549" -TryNo:"1335" -SvrId:"2022.SP4.1" -StrategyList:"0->1" -Version:"2" -ProductInstalled:"0" -CompetitorMask:"0" -CompetitorInstalled:"0"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\kantivirus\InstallHelper.exe
Filesize: 409KB
MD5: 39ce66cbf9cbf36472d3dec7332f0451
SHA1: 625ab0e27ebf28b49627c156f8c4595c979adbed
SHA256: 446ca743f9f5d6364bbb46f4dce62ab754878b593b285890edec1e501357c533
SHA512: 00a3750b9c4b11bfb220db4123dc100d1b6f1fe1321ccaf3a825aa4b1918cd6039467cae5109a2a3eee77e59f30685c49e3bd7af8a26cb6358ce63e9de90a268

C:\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll
Filesize: 87.0MB
MD5: c397a0085bf97f3f2bf526b5c791cfdf
SHA1: 0b9c663a318a4c06ad816f5afff9ae8831d50254
SHA256: f8fde5d1e78f100b60c8ce5ff8e6f49848452e30126b83d6bc65596cb594d3d6
SHA512: badd7791f2c6d34f392ef80ff17ace2852bb9deeb4649f811c5c8b4b4ff67a9ca396c7ec2176142c4724df0cb321732e9d9528765e3ef802b2ba6c8b9b552c00

memory/876-133-0x0000000010000000-0x00000000103D1000-memory.dmp
Filesize: 3.8MB

memory/876-134-0x0000000010000000-0x00000000103D1000-memory.dmp
Filesize: 3.8MB

memory/1132-135-0x0000000000000000-mapping.dmp