3d505dd5081824da4517fbdc2a4da8c6133538b72171e260f59d10be5ed20acb

Analysis

max time kernel
98s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2023 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

360TS_Setup_Mini.exe
Size

1.5MB
MD5

858ee6ceb590822f57d2d98a32e3c5af
SHA1

0cd9e539e919dd0367c1d04e2644bc3e8ad109e5
SHA256

3d505dd5081824da4517fbdc2a4da8c6133538b72171e260f59d10be5ed20acb
SHA512

ad624bba251a6131471a662e31a676c6facb335aef433b0c2313adb57c2ca4701590845c3c237d190a1817fa43daeaaeb3731c91e19045691523cccf9cbbd198
SSDEEP

24576:AD1YS7FpyUxT3DC2O1zj1SqdAGFQZIxvC45UJoenm9x:TQ5xT3DDWzjYq+ZIxL5UJoew

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

360TS_Setup.exe360TS_Setup.exe

pid process

1720 360TS_Setup.exe
3636 360TS_Setup.exe

pid	process
1720	360TS_Setup.exe
3636	360TS_Setup.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	360TS_Setup_Mini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	360TS_Setup.exe

Loads dropped DLL 3 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe360TS_Setup.exe

pid process

4816 360TS_Setup_Mini.exe
1720 360TS_Setup.exe
3636 360TS_Setup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe

description ioc process

File opened for modification \??\PhysicalDrive0 360TS_Setup_Mini.exe
File opened for modification \??\PhysicalDrive0 360TS_Setup.exe

pid	process
4816	360TS_Setup_Mini.exe
1720	360TS_Setup.exe
3636	360TS_Setup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	360TS_Setup_Mini.exe
File opened for modification	\??\PhysicalDrive0	360TS_Setup.exe

Drops file in Program Files directory 2 IoCs

Processes:

360TS_Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\1674703094_0\360TS_Setup.exe	360TS_Setup.exe
File opened for modification	C:\Program Files (x86)\1674703094_0\360TS_Setup.exe	360TS_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

360TS_Setup_Mini.exe

description pid process

Token: SeManageVolumePrivilege 4816 360TS_Setup_Mini.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

360TS_Setup_Mini.exe

pid process

4816 360TS_Setup_Mini.exe
4816 360TS_Setup_Mini.exe
4816 360TS_Setup_Mini.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

360TS_Setup_Mini.exe

pid process

4816 360TS_Setup_Mini.exe
4816 360TS_Setup_Mini.exe
4816 360TS_Setup_Mini.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

360TS_Setup.exe360TS_Setup.exe

pid process

1720 360TS_Setup.exe
3636 360TS_Setup.exe

description	pid	process
Token: SeManageVolumePrivilege	4816	360TS_Setup_Mini.exe

pid	process
4816	360TS_Setup_Mini.exe
4816	360TS_Setup_Mini.exe
4816	360TS_Setup_Mini.exe

pid	process
4816	360TS_Setup_Mini.exe
4816	360TS_Setup_Mini.exe
4816	360TS_Setup_Mini.exe

pid	process
1720	360TS_Setup.exe
3636	360TS_Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe

description	pid	process	target process
PID 4816 wrote to memory of 1720	4816	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 4816 wrote to memory of 1720	4816	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 4816 wrote to memory of 1720	4816	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 1720 wrote to memory of 3636	1720	360TS_Setup.exe	360TS_Setup.exe
PID 1720 wrote to memory of 3636	1720	360TS_Setup.exe	360TS_Setup.exe
PID 1720 wrote to memory of 3636	1720	360TS_Setup.exe	360TS_Setup.exe

C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe
"C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4816

C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe" /c:101 /pmode:2 /syncid0_1
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

C:\Program Files (x86)\1674703094_0\360TS_Setup.exe
"C:\Program Files (x86)\1674703094_0\360TS_Setup.exe" /c:101 /pmode:2 /syncid0_1 /TSinstall
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:3636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1674703094_0\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Program Files (x86)\1674703094_0\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8
Filesize
2KB

MD5
4db89abdc1fe97e8fad3a251978b870d

SHA1
a86ae12b59e082efef0b788e374ea789e05c7578

SHA256
a8e6937ef8b34398817e4b2cd716890b7cafa2a095139d1e101434e1b68d095c

SHA512
84aebf9c7d04aa81761f461350ddfbd20d4a5fd5256c80f0a3e513c64734a378bc2d119ad03303e97fb96f5f767788fa0d073393fb867e33c307768fba1cbb1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
5f37048de717939db22879d186493d92

SHA1
f2fac6a9a6261397d648aec0d3f7f2ead3ae023d

SHA256
31f3c6aa02743ff82e7fe54bcf5c3005406d9dc4858993cc4762f33f13198c37

SHA512
1188df5bbfa21db355b5bf124db2949ac6d75fa95d8aa03158b1b1bd17dd5077ee1a68691ea5e8ca866f5bb4bd8dacdba80a0d1e4005de6bfc5d9499b770acc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8
Filesize
488B

MD5
6b4a74ca61ec656731c07bd9003660a0

SHA1
ea52661e85e6e5dd1d60a774067f40b694619f6b

SHA256
8beef63b2436d3a42d9ea47f94997f4ba672aea991d5b0d1ac6ed0783852ef26

SHA512
f438b272a3f24278e03b03130e927d4943e62890917bf93aca6bebb3ae08488bed04431cb9283c56280eff192bfe35535dde9abbebe06d8095705b06fb4fc229

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
794da73b8becbf891009cde53f72bb7d

SHA1
f9e6777073b0996e5657834e00f5de59a482b79c

SHA256
d6a27be71d9f028f5d0aaa393c72d61eecc073db2fda9afa3c2821ef5653a79a

SHA512
a0dc85a6781afb65924528e365219a8d04b5ad266415a5e07d64ba227d28110c420e5f4653a0bbabd4c13d7cccb5109154315e7b8de355a48c7ea74a6ff4d223

Download Submit
C:\Users\Admin\AppData\Local\Temp\1674703092_00000000_base\360base.dll
Filesize
884KB

MD5
8c42fc725106cf8276e625b4f97861bc

SHA1
9c4140730cb031c29fc63e17e1504693d0f21c13

SHA256
d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22

SHA512
f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Download Submit
C:\Users\Admin\AppData\Local\Temp\1674703106_00000000_base\360base.dll
Filesize
884KB

MD5
8c42fc725106cf8276e625b4f97861bc

SHA1
9c4140730cb031c29fc63e17e1504693d0f21c13

SHA256
d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22

SHA512
f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Download Submit
C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FEAFC6B1-C8BB-4ef1-B80E-678A2AF20FAF}.tmp\360P2SP.dll
Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
memory/1720-133-0x0000000000000000-mapping.dmp

Download
memory/3636-137-0x0000000000000000-mapping.dmp

Download