e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879

Analysis

max time kernel
150s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe
Size

64KB
MD5

3f31a294ae98b73f6fffa9112f5b7741
SHA1

1ebb20969c5ea06fae3d552a430846fdbd63c0d8
SHA256

e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879
SHA512

7bcfd7adf8bc0a888932d3933f8b5e29e209b90e3527e7a5019d61497571e68f952e0fc5b53fcba77de2eb2e73bebcb532dcf415f472d818d9567aa16069fc61
SSDEEP

768:/uLROd1Cb79hqAAuYtSnXF2+GbXt1mk6lV4klIJEo0wl:/ug294SnTQ+AklIJEo0wl

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5000	key.dll

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-A707-11d2-9CBD-0000F87A369H}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-A707-11d2-9CBD-0000F87A369H}\StubPath = "mir47.exe"	regedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	mshta.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\360.bat	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe
File created	C:\Windows\SysWOW64\mir47.exe	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe
File opened for modification	C:\Windows\SysWOW64\mir47.exe	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe
File opened for modification	C:\Windows\SysWOW64\qd.reg	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe
File opened for modification	C:\Windows\SysWOW64\key.dll	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3580	tasklist.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4252	regedit.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3580	tasklist.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1948	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe
5000	key.dll
5000	key.dll
5000	key.dll
5000	key.dll

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2500	1948	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe	80
PID 1948 wrote to memory of 2500	1948	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe	80
PID 1948 wrote to memory of 2500	1948	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe	80
PID 1948 wrote to memory of 5000	1948	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe	82
PID 1948 wrote to memory of 5000	1948	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe	82
PID 1948 wrote to memory of 5000	1948	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe	82
PID 2500 wrote to memory of 4364	2500	cmd.exe	83
PID 2500 wrote to memory of 4364	2500	cmd.exe	83
PID 2500 wrote to memory of 4364	2500	cmd.exe	83
PID 2500 wrote to memory of 3844	2500	cmd.exe	84
PID 2500 wrote to memory of 3844	2500	cmd.exe	84
PID 2500 wrote to memory of 3844	2500	cmd.exe	84
PID 1948 wrote to memory of 4252	1948	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe	85
PID 1948 wrote to memory of 4252	1948	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe	85
PID 1948 wrote to memory of 4252	1948	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe	85
PID 1948 wrote to memory of 5036	1948	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe	86
PID 1948 wrote to memory of 5036	1948	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe	86
PID 1948 wrote to memory of 5036	1948	e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe	86
PID 3844 wrote to memory of 424	3844	mshta.exe	88
PID 3844 wrote to memory of 424	3844	mshta.exe	88
PID 3844 wrote to memory of 424	3844	mshta.exe	88
PID 424 wrote to memory of 1320	424	cmd.exe	90
PID 424 wrote to memory of 1320	424	cmd.exe	90
PID 424 wrote to memory of 1320	424	cmd.exe	90
PID 424 wrote to memory of 3580	424	cmd.exe	91
PID 424 wrote to memory of 3580	424	cmd.exe	91
PID 424 wrote to memory of 3580	424	cmd.exe	91
PID 424 wrote to memory of 768	424	cmd.exe	92
PID 424 wrote to memory of 768	424	cmd.exe	92
PID 424 wrote to memory of 768	424	cmd.exe	92
PID 424 wrote to memory of 376	424	cmd.exe	95
PID 424 wrote to memory of 376	424	cmd.exe	95
PID 424 wrote to memory of 376	424	cmd.exe	95
PID 424 wrote to memory of 4372	424	cmd.exe	96
PID 424 wrote to memory of 4372	424	cmd.exe	96
PID 424 wrote to memory of 4372	424	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe
"C:\Users\Admin\AppData\Local\Temp\e98fb4d99d9ad7fa8ea44f6636946ba9b19389ee6c3db95dd5e4c406204d0879.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\360.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\mode.com
    mode con: cols=12 lines=1
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\mshta.exe
    mshta vbscript:createobject("wscript.shell").run("""360.bat"" kyo_PE-win32shell_ping",0)(window.close)
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\360.bat" kyo_PE-win32shell_ping"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:424
    - - C:\Windows\SysWOW64\mode.com
        
        mode con: cols=12 lines=1
        5⤵
        
        PID:1320
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "360tray.exe"
        5⤵
        
        PID:768
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript 360.vbs
        5⤵
        
        PID:376
    - - C:\Windows\SysWOW64\findstr.exe
        
        FINDSTR /i "360tray.exe" 360.txt
        5⤵
        
        PID:4372
- C:\Windows\SysWOW64\key.dll
  C:\Windows\system32\key.dll
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5000
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\qd.reg
  2⤵
  - Modifies Installed Components in the registry
  - Runs .reg file with regedit
  PID:4252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kill.bat""
  2⤵
  PID:5036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\360.txt

Filesize
4KB

MD5
8c210b56d9674ec61b8b2cb029bc7880

SHA1
5f400d7564c239ccdfb9b077e1a4446dac5ed369

SHA256
e488f7e37a3d3e5df9da3af9ffd43e6dd5ac191fd4be822643bd9679d0c22f9e

SHA512
69465f0e32d13d1517d9e7b04e4b82c5ca440f1c89419f45fc6acf60ea165f0cc8c7f9cf89ba3594b5c961bccc6454fc8a4806a880cca021dbf9579efd283bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\360.vbs

Filesize
149B

MD5
5fc199b0bdbcea02848de34c3d4fe6d0

SHA1
4b800d4a3a95b443e90784bdf54787f1ac292538

SHA256
9c6244f7b7cf0a01f02fce95be756b9f71ff384b4de1b0e64d9dd4204bfa249e

SHA512
3af32993a11219d32df27baafc1d6dfc87c60c26afaaffbe1f51add32f8d1398e609f8fea5b9c5bfb3edd4747ca18f574ec6f9141797da15fed8024c188cf758

Download Submit
C:\Users\Admin\AppData\Local\Temp\kill.bat

Filesize
253B

MD5
c996b2772c7f260c0689d4c93ff3fd40

SHA1
aa2032fb4633ae45b1a76d58fc9837e0a8e48b9e

SHA256
7302aeaa53cfc47eeacc021fac45860f13a61009b4f59203d38e9f098e19b3ed

SHA512
2a834ea9e7eac188fb6cc41cb25741c95fd868abf91e4668112b9e4c6bd173d7a7b039b9240b0d345bfb2dbe2de7c2fb6ee0d53eb0c0efdbea054126c51adf95

Download Submit
C:\Windows\SysWOW64\360.bat

Filesize
1KB

MD5
0dc2fa0f13fe0bc5ef5edb2e87fad4c6

SHA1
b3297461aaaaabccc5217dd7ebaea470ec21f5bd

SHA256
2d36d8d3aea8dd31450dea0e26992e5f7c575db579078855f3f7a882d6bb60a2

SHA512
ff28d7a879153ce286b08da30a619c26b17c59f66b169d08a331c175fcd31a3ef6caf034745637ee1e2c71ca4c59cc3f43708e2de586aa559a7102ab410e1827

Download Submit
C:\Windows\SysWOW64\key.dll

Filesize
41KB

MD5
88f9cd502c0aeb9bb2a877248636ec6a

SHA1
f81963c921721d062f5d304f2aeb416c50fbd689

SHA256
c014553930a8e655577f23cbecc84d34d8e0227dd9fb9c22589e34b4e32f5a36

SHA512
c3d1230875855249b620b0000cd710a60bb92e978de8a0ed120c167caa868bdee6eacb9e96d80b40ff4e56531452c8b63a1304d634f6110882f7cdc89addbfa8

Download Submit
C:\Windows\SysWOW64\key.dll

Filesize
41KB

MD5
88f9cd502c0aeb9bb2a877248636ec6a

SHA1
f81963c921721d062f5d304f2aeb416c50fbd689

SHA256
c014553930a8e655577f23cbecc84d34d8e0227dd9fb9c22589e34b4e32f5a36

SHA512
c3d1230875855249b620b0000cd710a60bb92e978de8a0ed120c167caa868bdee6eacb9e96d80b40ff4e56531452c8b63a1304d634f6110882f7cdc89addbfa8

Download Submit
C:\Windows\SysWOW64\qd.reg

Filesize
178B

MD5
5b7ef99cee143b794fb0aa75a4637278

SHA1
26c740f1b6a95eaaa7f6f32cf867f04a2fb9df1f

SHA256
2090c7400f383b29b18378ccca3205fd9924cbbf09f7538118c4a6b0def4f619

SHA512
508173d18f92efcadcea200ca8f36009ae7cf4f62c84096a2547b8e7251e98004069809dc9bcffee0ba5c75b1c45f82e721404476052ef36f343e82c5485c1df

Download Submit
memory/376-151-0x0000000000000000-mapping.dmp

Download
memory/424-146-0x0000000000000000-mapping.dmp

Download
memory/768-150-0x0000000000000000-mapping.dmp

Download
memory/1320-148-0x0000000000000000-mapping.dmp

Download
memory/2500-134-0x0000000000000000-mapping.dmp

Download
memory/3580-149-0x0000000000000000-mapping.dmp

Download
memory/3844-142-0x0000000000000000-mapping.dmp

Download
memory/4252-143-0x0000000000000000-mapping.dmp

Download
memory/4364-141-0x0000000000000000-mapping.dmp

Download
memory/4372-153-0x0000000000000000-mapping.dmp

Download
memory/5000-135-0x0000000000000000-mapping.dmp

Download
memory/5036-145-0x0000000000000000-mapping.dmp

Download