bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe
Size

350KB
MD5

e6786ce38b952ae797e4045489c27d77
SHA1

e4503a1468c5ded7d54e079610b2f73a3123dbdb
SHA256

bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4
SHA512

c18d50e16b7d44fc40a04c737c3473aacf318d64ad6ccadc63f91f5855595c4814de4e08d7f0b63a0f6d7d80635b2ec746cd919dd031e038443cac46c421ca4e
SSDEEP

6144:c/0uoJvfHhR/AAxVCvoSrCo44i8hrrZCWRqah1A9mmCQKeYDijk:cJWnBRlxVErCoKKXAZahe9m4EL

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
456	3.exe
1020	0.exe
2592	6_Signd.exe
2188	Hacker.com.cn.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\program files\common files\microsoft shared\msinfo\6_Signd.exe	6_Signd.exe
File created	C:\program files\common files\microsoft shared\msinfo\6_Signd.jpg	0.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\0.exe	3.exe
File created	C:\Windows\Hacker.com.cn.exe	6_Signd.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	6_Signd.exe
File created	C:\Windows\uninstal.bat	6_Signd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	6_Signd.exe
Token: SeDebugPrivilege	2188	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2188	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 456	1692	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe	81
PID 1692 wrote to memory of 456	1692	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe	81
PID 1692 wrote to memory of 456	1692	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe	81
PID 456 wrote to memory of 1020	456	3.exe	82
PID 456 wrote to memory of 1020	456	3.exe	82
PID 456 wrote to memory of 1020	456	3.exe	82
PID 1020 wrote to memory of 2592	1020	0.exe	83
PID 1020 wrote to memory of 2592	1020	0.exe	83
PID 1020 wrote to memory of 2592	1020	0.exe	83
PID 2592 wrote to memory of 4060	2592	6_Signd.exe	85
PID 2592 wrote to memory of 4060	2592	6_Signd.exe	85
PID 2592 wrote to memory of 4060	2592	6_Signd.exe	85
PID 2188 wrote to memory of 4888	2188	Hacker.com.cn.exe	86
PID 2188 wrote to memory of 4888	2188	Hacker.com.cn.exe	86

C:\Users\Admin\AppData\Local\Temp\bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe
"C:\Users\Admin\AppData\Local\Temp\bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\0.exe
    "C:\Windows\0.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\program files\common files\microsoft shared\msinfo\6_Signd.exe
      "C:\program files\common files\microsoft shared\msinfo\6_Signd.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
        5⤵
        
        PID:4060

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\6_Signd.exe

Filesize
284KB

MD5
cd5aa4b108b5072d65d5d964adc133ed

SHA1
8856b450df05f47d00b5b6c6374a46fe8a10a506

SHA256
b8840b18cfc37610dce535a05c70e830a295e8d40e5d81f45bac36a9a99a3afe

SHA512
933de4aee9fe8718736d3a97aa22c7e3b88c0d8a600cfee99b947046361e56b59a112b1c9f7145178f532bb9dd6d2ebf9fecebedca0057738562ad72b53a578e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
293KB

MD5
ba727e0f3ce6e53d5066f4d587a36187

SHA1
ab58804effafdc637192895416164db08ceeb7a2

SHA256
cff91aabdb846efc83f65705792331b724092dbbdfe9acf12a5ec74f2f76536f

SHA512
dd81a88162167b3f6de655d2ea1097cba3e4a9b7cbf4d5cdf6415e9859a51f00d633a227dcb46efcae6c66b5b30769111ae5c246a3a1db02028d3e968f350c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
293KB

MD5
ba727e0f3ce6e53d5066f4d587a36187

SHA1
ab58804effafdc637192895416164db08ceeb7a2

SHA256
cff91aabdb846efc83f65705792331b724092dbbdfe9acf12a5ec74f2f76536f

SHA512
dd81a88162167b3f6de655d2ea1097cba3e4a9b7cbf4d5cdf6415e9859a51f00d633a227dcb46efcae6c66b5b30769111ae5c246a3a1db02028d3e968f350c54

Download Submit
C:\Windows\0.exe

Filesize
300KB

MD5
e2403f5591b98ccf5c2e30174aa9dd59

SHA1
42db4f2865526528c1ed99f83268f5a0c22c08ad

SHA256
7b8647a6b5e417cf4f263c0583d901c6fadc946831349f50af6a8c051adf86ed

SHA512
e9a96fad770659b5543394640696280996c467672de29f1a67079955324c30532daab33fd7cbf19e81dba2782faecbf6bda03d8195dbf9f2ce7d0980de0fb33c

Download Submit
C:\Windows\0.exe

Filesize
300KB

MD5
e2403f5591b98ccf5c2e30174aa9dd59

SHA1
42db4f2865526528c1ed99f83268f5a0c22c08ad

SHA256
7b8647a6b5e417cf4f263c0583d901c6fadc946831349f50af6a8c051adf86ed

SHA512
e9a96fad770659b5543394640696280996c467672de29f1a67079955324c30532daab33fd7cbf19e81dba2782faecbf6bda03d8195dbf9f2ce7d0980de0fb33c

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
284KB

MD5
cd5aa4b108b5072d65d5d964adc133ed

SHA1
8856b450df05f47d00b5b6c6374a46fe8a10a506

SHA256
b8840b18cfc37610dce535a05c70e830a295e8d40e5d81f45bac36a9a99a3afe

SHA512
933de4aee9fe8718736d3a97aa22c7e3b88c0d8a600cfee99b947046361e56b59a112b1c9f7145178f532bb9dd6d2ebf9fecebedca0057738562ad72b53a578e

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
284KB

MD5
cd5aa4b108b5072d65d5d964adc133ed

SHA1
8856b450df05f47d00b5b6c6374a46fe8a10a506

SHA256
b8840b18cfc37610dce535a05c70e830a295e8d40e5d81f45bac36a9a99a3afe

SHA512
933de4aee9fe8718736d3a97aa22c7e3b88c0d8a600cfee99b947046361e56b59a112b1c9f7145178f532bb9dd6d2ebf9fecebedca0057738562ad72b53a578e

Download Submit
C:\Windows\uninstal.bat

Filesize
180B

MD5
793f6ae699ad344185ad071cd88d7e66

SHA1
3d478780d23c797ba6631f162ea994e5356b4092

SHA256
7c99c2d91bc324a9b5bcaa9556055ce0bbe844c5d7f555093a817bc44309c0a5

SHA512
961ef16178a65a4c6de15fc14c900a37f86f22df610ede8e598e0d7830ec21d03f8dcfbfe02909fb1dda9c9fa61db77a6913eb3b7cd43f1f986f872378ab3224

Download Submit
C:\program files\common files\microsoft shared\msinfo\6_Signd.exe

Filesize
284KB

MD5
cd5aa4b108b5072d65d5d964adc133ed

SHA1
8856b450df05f47d00b5b6c6374a46fe8a10a506

SHA256
b8840b18cfc37610dce535a05c70e830a295e8d40e5d81f45bac36a9a99a3afe

SHA512
933de4aee9fe8718736d3a97aa22c7e3b88c0d8a600cfee99b947046361e56b59a112b1c9f7145178f532bb9dd6d2ebf9fecebedca0057738562ad72b53a578e

Download Submit
memory/2188-145-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2188-147-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2188-149-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2592-141-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2592-142-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download