1aecc3e3462fee03c0f5377567aa0c0aa689bbbaa57804bd3e058f51e05e17bc

Analysis

max time kernel
126s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2022 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aecc3e3462fee03c0f5377567aa0c0aa689bbbaa57804bd3e058f51e05e17bc.exe
Size

17.3MB
MD5

3bea883c80e63b6f16cdcf2e3722958e
SHA1

f69b9fcaed82f03a29ad2db865eb8e4e1112fd58
SHA256

1aecc3e3462fee03c0f5377567aa0c0aa689bbbaa57804bd3e058f51e05e17bc
SHA512

f8605b4c0a5b4ddaf1e606f0cd63ba71e515626bde6405808d072ef972f50d72428d1df72fbbcd61f400be2c3db99ef94495e8d60e2312f35c1b2a8c292be054
SSDEEP

393216:UpT2nely0lP8Pnq7GaQlKXaBmxoEBlHs+BAZKgmIGPIlYDU0DUYcj:IT2e0062GjUK8xxBmXGPPU0DUF

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2308	打印机驱动安装.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	1aecc3e3462fee03c0f5377567aa0c0aa689bbbaa57804bd3e058f51e05e17bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	打印机驱动安装.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	打印机驱动安装.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync	打印机驱动安装.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	打印机驱动安装.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeAuditPrivilege	4556	svchost.exe
Token: SeSecurityPrivilege	4556	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4936	1aecc3e3462fee03c0f5377567aa0c0aa689bbbaa57804bd3e058f51e05e17bc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2308	打印机驱动安装.exe
2308	打印机驱动安装.exe
2308	打印机驱动安装.exe
2308	打印机驱动安装.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2308	4936	1aecc3e3462fee03c0f5377567aa0c0aa689bbbaa57804bd3e058f51e05e17bc.exe	82
PID 4936 wrote to memory of 2308	4936	1aecc3e3462fee03c0f5377567aa0c0aa689bbbaa57804bd3e058f51e05e17bc.exe	82
PID 4936 wrote to memory of 2308	4936	1aecc3e3462fee03c0f5377567aa0c0aa689bbbaa57804bd3e058f51e05e17bc.exe	82
PID 2308 wrote to memory of 4756	2308	打印机驱动安装.exe	84
PID 2308 wrote to memory of 4756	2308	打印机驱动安装.exe	84
PID 2308 wrote to memory of 4756	2308	打印机驱动安装.exe	84
PID 2308 wrote to memory of 1216	2308	打印机驱动安装.exe	85
PID 2308 wrote to memory of 1216	2308	打印机驱动安装.exe	85
PID 2308 wrote to memory of 1216	2308	打印机驱动安装.exe	85
PID 2308 wrote to memory of 1800	2308	打印机驱动安装.exe	88
PID 2308 wrote to memory of 1800	2308	打印机驱动安装.exe	88
PID 2308 wrote to memory of 1800	2308	打印机驱动安装.exe	88
PID 2308 wrote to memory of 2492	2308	打印机驱动安装.exe	89
PID 2308 wrote to memory of 2492	2308	打印机驱动安装.exe	89
PID 2308 wrote to memory of 2492	2308	打印机驱动安装.exe	89
PID 1216 wrote to memory of 4488	1216	net.exe	92
PID 1216 wrote to memory of 4488	1216	net.exe	92
PID 1216 wrote to memory of 4488	1216	net.exe	92
PID 4756 wrote to memory of 5092	4756	net.exe	93
PID 4756 wrote to memory of 5092	4756	net.exe	93
PID 4756 wrote to memory of 5092	4756	net.exe	93
PID 2492 wrote to memory of 3572	2492	net.exe	94
PID 2492 wrote to memory of 3572	2492	net.exe	94
PID 2492 wrote to memory of 3572	2492	net.exe	94
PID 1800 wrote to memory of 3924	1800	net.exe	95
PID 1800 wrote to memory of 3924	1800	net.exe	95
PID 1800 wrote to memory of 3924	1800	net.exe	95

C:\Users\Admin\AppData\Local\Temp\1aecc3e3462fee03c0f5377567aa0c0aa689bbbaa57804bd3e058f51e05e17bc.exe
"C:\Users\Admin\AppData\Local\Temp\1aecc3e3462fee03c0f5377567aa0c0aa689bbbaa57804bd3e058f51e05e17bc.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\HP_LJM101-M106_U\打印机驱动安装.exe
  "C:\Users\Admin\AppData\Local\Temp\HP_LJM101-M106_U\打印机驱动安装.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\net.exe
    net start spooler
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start spooler
      4⤵
      PID:5092
- - C:\Windows\SysWOW64\net.exe
    net start stisvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start stisvc
      4⤵
      PID:4488
- - C:\Windows\SysWOW64\net.exe
    net start DeviceInstall
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start DeviceInstall
      4⤵
      PID:3924
- - C:\Windows\SysWOW64\net.exe
    net start DsmSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start DsmSvc
      4⤵
      PID:3572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HP_LJM101-M106_U\config.ini

Filesize
234B

MD5
736af73bd56286eedf24be51a7091db0

SHA1
234feefedf8ed6f05ecae7f18e64e48b2940aeaa

SHA256
2422770290455e7f2b4d4e2267d7390d349554de02d9fcb846e61e14e87027a6

SHA512
90e703b73be6078f3aa25eb1e0f9034a1d0f687618bc22fe095dc573ff23ee70d132c8748c488218e9493fd36a7feed6f4e8fbc0074ac5a5dea50518d9a9a1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HP_LJM101-M106_U\打印机驱动安装.exe

Filesize
1.2MB

MD5
60741dfbb32a6f407bfdc187656a2696

SHA1
ffbc58973fcf5e141eae966cb8a0a56098211366

SHA256
1fe2918fac6b55f7b7ab33791cd6492015aff7ccc1364b63d28ce2aa95136a83

SHA512
9041aa2437c4daeb06a2b2e62520e07d9a3dd325196bd81661332a33fe6eb6711491ecf34153c7fdd9c7998a32eb0cde7dda799749ac763621b8d2f1c422e93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HP_LJM101-M106_U\打印机驱动安装.exe

Filesize
1.2MB

MD5
60741dfbb32a6f407bfdc187656a2696

SHA1
ffbc58973fcf5e141eae966cb8a0a56098211366

SHA256
1fe2918fac6b55f7b7ab33791cd6492015aff7ccc1364b63d28ce2aa95136a83

SHA512
9041aa2437c4daeb06a2b2e62520e07d9a3dd325196bd81661332a33fe6eb6711491ecf34153c7fdd9c7998a32eb0cde7dda799749ac763621b8d2f1c422e93b

Download Submit
memory/1216-138-0x0000000000000000-mapping.dmp

Download
memory/1800-139-0x0000000000000000-mapping.dmp

Download
memory/2308-133-0x0000000000000000-mapping.dmp

Download
memory/2492-140-0x0000000000000000-mapping.dmp

Download
memory/3572-143-0x0000000000000000-mapping.dmp

Download
memory/3924-144-0x0000000000000000-mapping.dmp

Download
memory/4488-141-0x0000000000000000-mapping.dmp

Download
memory/4756-137-0x0000000000000000-mapping.dmp

Download
memory/4936-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4936-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5092-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads