Overview

overview

8

Static

static

8f2b449f57...ca.exe

windows7-x64

8

8f2b449f57...ca.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    189s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 12:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe

  • Size

    133KB

  • MD5

    fbf5cb4b73ce813eb85a6ab501a84f6c

  • SHA1

    1a9983754716d96e827377ccac96f5ec7e16f42f

  • SHA256

    8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca

  • SHA512

    ed825c4ddf0509a1fdaed7c2a2a23878ac95f26c3cf1a1295e782b51812bffcc054ceef084b0637bb090737e50e359c42ebd9c60cfc9958d13fc59232052eb9f

  • SSDEEP

    1536:609kselPdFsYl5GDe3GeuKEZzwd1joWRv02rd9cqCmh6DY5atOXPQ6DYu8O/7f:60L65GaSu5oWRv0SJVPDkO/D

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Launches sc.exe 7 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe
    "C:\Users\Admin\AppData\Local\Temp\8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32 C:\Windows\system32\tlbongaa.dll Exbcute
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Windows\SysWOW64\net.exe
        net stop WinDefend
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4432
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop WinDefend
          4⤵
            PID:4068
        • C:\Windows\SysWOW64\net.exe
          net stop MpsSvc
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2884
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MpsSvc
            4⤵
              PID:4088
          • C:\Windows\SysWOW64\sc.exe
            sc config MpsSvc start= disabled
            3⤵
            • Launches sc.exe
            PID:2184
          • C:\Windows\SysWOW64\sc.exe
            sc config WinDefend start= disabled
            3⤵
            • Launches sc.exe
            PID:3728
          • C:\Windows\SysWOW64\sc.exe
            sc delete ZhuDongFangYu
            3⤵
            • Launches sc.exe
            PID:532
          • C:\Windows\SysWOW64\sc.exe
            sc stop ZhuDongFangYu
            3⤵
            • Launches sc.exe
            PID:2920
          • C:\Windows\SysWOW64\sc.exe
            sc stop 360rp
            3⤵
            • Launches sc.exe
            PID:4144
          • C:\Windows\SysWOW64\sc.exe
            sc delete 360rp
            3⤵
            • Launches sc.exe
            PID:3128
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" stop PolicyAgent
            3⤵
            • Launches sc.exe
            PID:4652
        • C:\Windows\SysWOW64\xhwtqgaa.exe
          C:\Windows\system32\xhwtqgaa.exe
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          PID:1584

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\EC35.tmp
              Filesize

              4.3MB

              MD5

              6c7cdd25c2cb0073306eb22aebfc663f

              SHA1

              a1eba8ab49272b9852fe6a543677e8af36271248

              SHA256

              58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

              SHA512

              17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

              Download Submit

            • C:\Windows\SysWOW64\tlbongaa.dll
              Filesize

              75KB

              MD5

              880f130092d44064030eda33bf693a1b

              SHA1

              f5a1db60845502afb099721236d4f34f323472d8

              SHA256

              9f088fef88a8b49d5f8d264b05c9440536fbcfdbd0f9cdaf29137f226bb2e9c6

              SHA512

              d35d510d2e99602e23a0f6e7246dfd578a3b01773499fd8c4386c1d23e7d7fbf0fb4e2494d67ba5ef31950c90227b06b953d09e3ad5f5c9f50ce6042f24b2c74

              Download Submit

            • C:\Windows\SysWOW64\tlbongaa.dll
              Filesize

              75KB

              MD5

              880f130092d44064030eda33bf693a1b

              SHA1

              f5a1db60845502afb099721236d4f34f323472d8

              SHA256

              9f088fef88a8b49d5f8d264b05c9440536fbcfdbd0f9cdaf29137f226bb2e9c6

              SHA512

              d35d510d2e99602e23a0f6e7246dfd578a3b01773499fd8c4386c1d23e7d7fbf0fb4e2494d67ba5ef31950c90227b06b953d09e3ad5f5c9f50ce6042f24b2c74

              Download Submit

            • C:\Windows\SysWOW64\xhwtqgaa.exe
              Filesize

              15KB

              MD5

              ecaa6afefb9034c3184397845755c620

              SHA1

              8e9e502ad06ac13f25f0370fecb591bcdb88dd5d

              SHA256

              12908176561536320ce309870bc15206dbadd84c602164e6b76bb75f4748f1c3

              SHA512

              0d16413c2db64678453f0b83ce7e8ada58f4b629575afc19c820b8e237fbe2b35abea852c3f56b1158f30fa718b92c12b9078f9e43abba3bb673b8b013a117ed

              Download Submit

            • C:\Windows\SysWOW64\xhwtqgaa.exe
              Filesize

              15KB

              MD5

              ecaa6afefb9034c3184397845755c620

              SHA1

              8e9e502ad06ac13f25f0370fecb591bcdb88dd5d

              SHA256

              12908176561536320ce309870bc15206dbadd84c602164e6b76bb75f4748f1c3

              SHA512

              0d16413c2db64678453f0b83ce7e8ada58f4b629575afc19c820b8e237fbe2b35abea852c3f56b1158f30fa718b92c12b9078f9e43abba3bb673b8b013a117ed

              Download Submit