bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da

Analysis

max time kernel
14s
max time network
48s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 00:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Size

1.9MB
MD5

5e9b4d3fc604788a269609c65eb9d61b
SHA1

a2d9a5040d4f6035fcd24bdc34800598117fa94f
SHA256

bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da
SHA512

89d7607a858e3f4f793445ca4644b0356f42abd9149378664b8bbfa8988becdfcfff5aa009941ed5cc70f4d1a67f6ca36b1f7de547fc3889e2e71b011f178ffe
SSDEEP

49152:PyM4eRDZ7fliJAiJqcJUzRkMq5HF3nh/c9uiaEg4ud:PSepbQjOzXW9pfsud

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1816	setup.exe
1852	TheWorld_3.exe
864	max2_133daohang4.exe

Loads dropped DLL 9 IoCs

pid	Process
1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
1816	setup.exe
1816	setup.exe
1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
1816	setup.exe
1852	TheWorld_3.exe
1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
1852	TheWorld_3.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\newiexplore.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\newiexplore.exe	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\sppert.ini	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 14 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000012696-63.dat	nsis_installer_1
behavioral1/files/0x0007000000012696-63.dat	nsis_installer_2
behavioral1/files/0x0007000000012696-69.dat	nsis_installer_1
behavioral1/files/0x0007000000012696-69.dat	nsis_installer_2
behavioral1/files/0x0007000000012696-68.dat	nsis_installer_1
behavioral1/files/0x0007000000012696-68.dat	nsis_installer_2
behavioral1/files/0x0007000000012696-66.dat	nsis_installer_1
behavioral1/files/0x0007000000012696-66.dat	nsis_installer_2
behavioral1/files/0x0007000000012696-71.dat	nsis_installer_1
behavioral1/files/0x0007000000012696-71.dat	nsis_installer_2
behavioral1/files/0x00070000000126bd-70.dat	nsis_installer_1
behavioral1/files/0x00070000000126bd-70.dat	nsis_installer_2
behavioral1/files/0x00070000000126bd-73.dat	nsis_installer_1
behavioral1/files/0x00070000000126bd-73.dat	nsis_installer_2

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{663CB4CA-35CB-468A-9DE0-170402DDE765}\DefaultIcon	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{663CB4CA-35CB-468A-9DE0-170402DDE765}\Shell	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{663CB4CA-35CB-468A-9DE0-170402DDE765}\Shell\Internet Explorer	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{663CB4CA-35CB-468A-9DE0-170402DDE765}\ = "Internet Explorer"	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{663CB4CA-35CB-468A-9DE0-170402DDE765}\InfoTip = "Internet Explorer"	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{663CB4CA-35CB-468A-9DE0-170402DDE765}\DefaultIcon\ = "C:\\Windows\\SysWow64\\SHELL32.DLL,220"	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{663CB4CA-35CB-468A-9DE0-170402DDE765}\TypeLib\ = "{663CB4CA-35CB-468A-9DE0-170402DDE765}"	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{663CB4CA-35CB-468A-9DE0-170402DDE765}\ShellFolder	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{663CB4CA-35CB-468A-9DE0-170402DDE765}\TypeLib	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{663CB4CA-35CB-468A-9DE0-170402DDE765}	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{663CB4CA-35CB-468A-9DE0-170402DDE765}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.131u.com"	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{663CB4CA-35CB-468A-9DE0-170402DDE765}\Shell\Internet Explorer\Command	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{663CB4CA-35CB-468A-9DE0-170402DDE765}\ShellFolder\Attributes = "0"	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1816	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	28
PID 1788 wrote to memory of 1816	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	28
PID 1788 wrote to memory of 1816	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	28
PID 1788 wrote to memory of 1816	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	28
PID 1788 wrote to memory of 1816	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	28
PID 1788 wrote to memory of 1816	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	28
PID 1788 wrote to memory of 1816	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	28
PID 1788 wrote to memory of 1852	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	29
PID 1788 wrote to memory of 1852	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	29
PID 1788 wrote to memory of 1852	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	29
PID 1788 wrote to memory of 1852	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	29
PID 1788 wrote to memory of 1852	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	29
PID 1788 wrote to memory of 1852	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	29
PID 1788 wrote to memory of 1852	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	29
PID 1788 wrote to memory of 864	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	30
PID 1788 wrote to memory of 864	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	30
PID 1788 wrote to memory of 864	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	30
PID 1788 wrote to memory of 864	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	30
PID 1788 wrote to memory of 864	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	30
PID 1788 wrote to memory of 864	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	30
PID 1788 wrote to memory of 864	1788	bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe	30
PID 1816 wrote to memory of 1500	1816	setup.exe	31
PID 1816 wrote to memory of 1500	1816	setup.exe	31
PID 1816 wrote to memory of 1500	1816	setup.exe	31
PID 1816 wrote to memory of 1500	1816	setup.exe	31
PID 1816 wrote to memory of 1500	1816	setup.exe	31
PID 1816 wrote to memory of 1500	1816	setup.exe	31
PID 1816 wrote to memory of 1500	1816	setup.exe	31

C:\Users\Admin\AppData\Local\Temp\bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe
"C:\Users\Admin\AppData\Local\Temp\bc5b424568f74941d67a520a56d70b5727fbf6d6caa7e671eda59ea95a38a1da.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\DelTemp.bat" "
    3⤵
    PID:1500
- C:\Users\Admin\AppData\Local\Temp\TheWorld_3.exe
  "C:\Users\Admin\AppData\Local\Temp\TheWorld_3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1852
- C:\Users\Admin\AppData\Local\Temp\max2_133daohang4.exe
  "C:\Users\Admin\AppData\Local\Temp\max2_133daohang4.exe"
  2⤵
  - Executes dropped EXE
  PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DelTemp.bat

Filesize
69B

MD5
32f45cd6abc1d26f07b8ddb71871ce05

SHA1
0cc28dc63d50327a74f8e964cdf23ffed05a8699

SHA256
a2023fadce396c9265a61f24b6dcc5e95aaaf2b9efa1eceac2fcc1332322e716

SHA512
f18d1ed212bda39f671fe7d7dac6cc6f5012e17149b57c7a121e666f09d5040c75ced09679bef1e630cd69fc03d824ced178be25b275139e4f4e139a0f96ebb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TheWorld_3.exe

Filesize
1.5MB

MD5
2c08531af1fd74a820931ac2f1d6bcfc

SHA1
ae7273c98cef73d15491a7343914676b96a5fcad

SHA256
ee22bd77b1817994b04a42b473bc179b974d65c15a0bebe88b44a858cd54b7b0

SHA512
19def1f7874c82c67a67509908fe7828351e180a5976be993f3bb2f72d7e45a6cfc861a46d9ebf57ef0d8b5a83c943657a63ecc73cb13ae437fd8d63acba0ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TheWorld_3.exe

Filesize
1.5MB

MD5
2c08531af1fd74a820931ac2f1d6bcfc

SHA1
ae7273c98cef73d15491a7343914676b96a5fcad

SHA256
ee22bd77b1817994b04a42b473bc179b974d65c15a0bebe88b44a858cd54b7b0

SHA512
19def1f7874c82c67a67509908fe7828351e180a5976be993f3bb2f72d7e45a6cfc861a46d9ebf57ef0d8b5a83c943657a63ecc73cb13ae437fd8d63acba0ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\max2_133daohang4.exe

Filesize
65KB

MD5
b904cf041cacaae74655cf009acfed2e

SHA1
028ef889562a55bc98119fe2c186efb35f556bd1

SHA256
72f4498744d1c856eb35028fc0fa59bf0a78b0fa833c49ead54115f08c2f3846

SHA512
4ebf41f49fdcb1b70c6b88351c85dff98eb2f75787e36b8741e922363ec8134399450351c431cefed42d1757163eb6196275d2c6509a9c4826bcc4961d726d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
528KB

MD5
4430180a9cfa71d40321e03c980e804e

SHA1
b35df26016b6a17ff08143d1729b84af34214254

SHA256
82901369a20b258b1b5e3c6a96fcb14dd6ff0100d136caf95a63263c673cad24

SHA512
f0e0a642a000118b23f9a8998f6a2cf412d1fa2d378a1919e17cd2b00bbf5f7d01d9b63957cdeb32b729d32acb0c3967fc09eb10b88eeb5fce6bb50f7d58e148

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
528KB

MD5
4430180a9cfa71d40321e03c980e804e

SHA1
b35df26016b6a17ff08143d1729b84af34214254

SHA256
82901369a20b258b1b5e3c6a96fcb14dd6ff0100d136caf95a63263c673cad24

SHA512
f0e0a642a000118b23f9a8998f6a2cf412d1fa2d378a1919e17cd2b00bbf5f7d01d9b63957cdeb32b729d32acb0c3967fc09eb10b88eeb5fce6bb50f7d58e148

Download Submit
\Users\Admin\AppData\Local\Temp\TheWorld_3.exe

Filesize
1.5MB

MD5
2c08531af1fd74a820931ac2f1d6bcfc

SHA1
ae7273c98cef73d15491a7343914676b96a5fcad

SHA256
ee22bd77b1817994b04a42b473bc179b974d65c15a0bebe88b44a858cd54b7b0

SHA512
19def1f7874c82c67a67509908fe7828351e180a5976be993f3bb2f72d7e45a6cfc861a46d9ebf57ef0d8b5a83c943657a63ecc73cb13ae437fd8d63acba0ea2

Download Submit
\Users\Admin\AppData\Local\Temp\TheWorld_3.exe

Filesize
1.5MB

MD5
2c08531af1fd74a820931ac2f1d6bcfc

SHA1
ae7273c98cef73d15491a7343914676b96a5fcad

SHA256
ee22bd77b1817994b04a42b473bc179b974d65c15a0bebe88b44a858cd54b7b0

SHA512
19def1f7874c82c67a67509908fe7828351e180a5976be993f3bb2f72d7e45a6cfc861a46d9ebf57ef0d8b5a83c943657a63ecc73cb13ae437fd8d63acba0ea2

Download Submit
\Users\Admin\AppData\Local\Temp\TheWorld_3.exe

Filesize
1.5MB

MD5
2c08531af1fd74a820931ac2f1d6bcfc

SHA1
ae7273c98cef73d15491a7343914676b96a5fcad

SHA256
ee22bd77b1817994b04a42b473bc179b974d65c15a0bebe88b44a858cd54b7b0

SHA512
19def1f7874c82c67a67509908fe7828351e180a5976be993f3bb2f72d7e45a6cfc861a46d9ebf57ef0d8b5a83c943657a63ecc73cb13ae437fd8d63acba0ea2

Download Submit
\Users\Admin\AppData\Local\Temp\max2_133daohang4.exe

Filesize
65KB

MD5
b904cf041cacaae74655cf009acfed2e

SHA1
028ef889562a55bc98119fe2c186efb35f556bd1

SHA256
72f4498744d1c856eb35028fc0fa59bf0a78b0fa833c49ead54115f08c2f3846

SHA512
4ebf41f49fdcb1b70c6b88351c85dff98eb2f75787e36b8741e922363ec8134399450351c431cefed42d1757163eb6196275d2c6509a9c4826bcc4961d726d4c

Download Submit
\Users\Admin\AppData\Local\Temp\nstB08C.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
528KB

MD5
4430180a9cfa71d40321e03c980e804e

SHA1
b35df26016b6a17ff08143d1729b84af34214254

SHA256
82901369a20b258b1b5e3c6a96fcb14dd6ff0100d136caf95a63263c673cad24

SHA512
f0e0a642a000118b23f9a8998f6a2cf412d1fa2d378a1919e17cd2b00bbf5f7d01d9b63957cdeb32b729d32acb0c3967fc09eb10b88eeb5fce6bb50f7d58e148

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
528KB

MD5
4430180a9cfa71d40321e03c980e804e

SHA1
b35df26016b6a17ff08143d1729b84af34214254

SHA256
82901369a20b258b1b5e3c6a96fcb14dd6ff0100d136caf95a63263c673cad24

SHA512
f0e0a642a000118b23f9a8998f6a2cf412d1fa2d378a1919e17cd2b00bbf5f7d01d9b63957cdeb32b729d32acb0c3967fc09eb10b88eeb5fce6bb50f7d58e148

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
528KB

MD5
4430180a9cfa71d40321e03c980e804e

SHA1
b35df26016b6a17ff08143d1729b84af34214254

SHA256
82901369a20b258b1b5e3c6a96fcb14dd6ff0100d136caf95a63263c673cad24

SHA512
f0e0a642a000118b23f9a8998f6a2cf412d1fa2d378a1919e17cd2b00bbf5f7d01d9b63957cdeb32b729d32acb0c3967fc09eb10b88eeb5fce6bb50f7d58e148

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
528KB

MD5
4430180a9cfa71d40321e03c980e804e

SHA1
b35df26016b6a17ff08143d1729b84af34214254

SHA256
82901369a20b258b1b5e3c6a96fcb14dd6ff0100d136caf95a63263c673cad24

SHA512
f0e0a642a000118b23f9a8998f6a2cf412d1fa2d378a1919e17cd2b00bbf5f7d01d9b63957cdeb32b729d32acb0c3967fc09eb10b88eeb5fce6bb50f7d58e148

Download Submit
memory/1788-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download