3d505dd5081824da4517fbdc2a4da8c6133538b72171e260f59d10be5ed20acb

Analysis

max time kernel
64s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2023 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

360TS_Setup_Mini.exe
Size

1.5MB
MD5

858ee6ceb590822f57d2d98a32e3c5af
SHA1

0cd9e539e919dd0367c1d04e2644bc3e8ad109e5
SHA256

3d505dd5081824da4517fbdc2a4da8c6133538b72171e260f59d10be5ed20acb
SHA512

ad624bba251a6131471a662e31a676c6facb335aef433b0c2313adb57c2ca4701590845c3c237d190a1817fa43daeaaeb3731c91e19045691523cccf9cbbd198
SSDEEP

24576:AD1YS7FpyUxT3DC2O1zj1SqdAGFQZIxvC45UJoenm9x:TQ5xT3DDWzjYq+ZIxL5UJoew

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

360TS_Setup.exe360TS_Setup.exe

pid process

2760 360TS_Setup.exe
3588 360TS_Setup.exe

pid	process
2760	360TS_Setup.exe
3588	360TS_Setup.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	360TS_Setup_Mini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	360TS_Setup.exe

Loads dropped DLL 3 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe360TS_Setup.exe

pid process

2620 360TS_Setup_Mini.exe
2760 360TS_Setup.exe
3588 360TS_Setup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe

description ioc process

File opened for modification \??\PhysicalDrive0 360TS_Setup_Mini.exe
File opened for modification \??\PhysicalDrive0 360TS_Setup.exe

pid	process
2620	360TS_Setup_Mini.exe
2760	360TS_Setup.exe
3588	360TS_Setup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	360TS_Setup_Mini.exe
File opened for modification	\??\PhysicalDrive0	360TS_Setup.exe

Drops file in Program Files directory 2 IoCs

Processes:

360TS_Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\1675211394_0\360TS_Setup.exe	360TS_Setup.exe
File opened for modification	C:\Program Files (x86)\1675211394_0\360TS_Setup.exe	360TS_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

360TS_Setup_Mini.exe

description pid process

Token: SeManageVolumePrivilege 2620 360TS_Setup_Mini.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

360TS_Setup_Mini.exe

pid process

2620 360TS_Setup_Mini.exe
2620 360TS_Setup_Mini.exe
2620 360TS_Setup_Mini.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

360TS_Setup_Mini.exe

pid process

2620 360TS_Setup_Mini.exe
2620 360TS_Setup_Mini.exe
2620 360TS_Setup_Mini.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

360TS_Setup.exe360TS_Setup.exe

pid process

2760 360TS_Setup.exe
3588 360TS_Setup.exe

description	pid	process
Token: SeManageVolumePrivilege	2620	360TS_Setup_Mini.exe

pid	process
2620	360TS_Setup_Mini.exe
2620	360TS_Setup_Mini.exe
2620	360TS_Setup_Mini.exe

pid	process
2620	360TS_Setup_Mini.exe
2620	360TS_Setup_Mini.exe
2620	360TS_Setup_Mini.exe

pid	process
2760	360TS_Setup.exe
3588	360TS_Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe

description	pid	process	target process
PID 2620 wrote to memory of 2760	2620	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 2620 wrote to memory of 2760	2620	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 2620 wrote to memory of 2760	2620	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 2760 wrote to memory of 3588	2760	360TS_Setup.exe	360TS_Setup.exe
PID 2760 wrote to memory of 3588	2760	360TS_Setup.exe	360TS_Setup.exe
PID 2760 wrote to memory of 3588	2760	360TS_Setup.exe	360TS_Setup.exe

C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe
"C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe" /c:101 /pmode:2 /syncid0_1
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760

C:\Program Files (x86)\1675211394_0\360TS_Setup.exe
"C:\Program Files (x86)\1675211394_0\360TS_Setup.exe" /c:101 /pmode:2 /syncid0_1 /TSinstall
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:3588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1675211394_0\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Program Files (x86)\1675211394_0\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8
Filesize
2KB

MD5
e3f19580788ce1e1229aac360daf9537

SHA1
ca034b00c27080edb9f518d5f9da97e5a6c20767

SHA256
b2453e292bc9ff4371e4f657622fc9dc143672e5db0a5d878d1d9c3607678a86

SHA512
f440339ff9e80c5ec34fc3428491b0c8af18a228e83e42887f40562f522f414601dc76c5d70a0a264dfbd9c0db5a8607282949df2a44b3b75aca386efea22ccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
9bf10855213d2d2b26123cd2a04220b8

SHA1
231d2ed3b9098617f196e89cee3c2a82b38b5d40

SHA256
a508e5bc0086119681076c2b05889d6f70047f971342d65792776ab7b53ca1e9

SHA512
df78a9f4ed0296f9a16d17672758411306e1b3664e9c6aece1ec738da350e2ee703f5c4f30167c4d5b54de8d154a7a4dc7250420c024e26063c8521a333e3dfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8
Filesize
488B

MD5
56dbb57b5a1471d550ce080de0b4e564

SHA1
17f3fdb9d04e0d93f0c6cab0bd7ec88bde91070c

SHA256
78f58e80a09b53ae5af05d66c1ed52f799c6f55f5bc92fc7eec989ab027cf484

SHA512
0c7f5e78bb7d6416e7f8669bc7cc81500e7fa0e0c2c11d9f98d8b45c92954abd48aaeef73632f740a48051dd26e42e5630909c2d95eea304e3ad949f49a29a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
41a473490399b3a6e0d5d6c7ed75dd68

SHA1
663c0124c7ab9992d179ec2974debb206f201656

SHA256
8e578426ba2c09da4978ec3121594015ea0deff74d15ddb338fe6dcdcef4f204

SHA512
0bd5d9e65687fa4492ad6a121d6601f78643ff96592077183a0d8694bb600552ea97b9a4ed1463d81ab0116aa7cbb307e9851565347f08b3e0d9bb75f85e8b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\1675211389_00000000_base\360base.dll
Filesize
884KB

MD5
8c42fc725106cf8276e625b4f97861bc

SHA1
9c4140730cb031c29fc63e17e1504693d0f21c13

SHA256
d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22

SHA512
f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Download Submit
C:\Users\Admin\AppData\Local\Temp\1675211396_00000000_base\360base.dll
Filesize
884KB

MD5
8c42fc725106cf8276e625b4f97861bc

SHA1
9c4140730cb031c29fc63e17e1504693d0f21c13

SHA256
d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22

SHA512
f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Download Submit
C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\{05A3E1E5-2F64-4c55-851B-368C0BC7EEF7}.tmp\360P2SP.dll
Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
memory/2760-133-0x0000000000000000-mapping.dmp

Download
memory/3588-137-0x0000000000000000-mapping.dmp

Download