3e1e58c974bd5981f45438a2fb6f9ea909e2a578f4d39bf55b5a251d6bfe5006

General

Target

710475fad4072f93192db19f14847c42.exe
Size

3.6MB
MD5

710475fad4072f93192db19f14847c42
SHA1

9bf391f8472480390fd31cec52203762533bdbf1
SHA256

3e1e58c974bd5981f45438a2fb6f9ea909e2a578f4d39bf55b5a251d6bfe5006
SHA512

6d6352d38482a1954805315b19deb59cc75056999655d5c15d59869fa61bbbf6e81ce06ccbfcde6116091370fe1358550cfa65bc992ed778bb23cb3fde722dcb
SSDEEP

49152:iSgkERHLY2fSGfrhN2Gt8ZTgo+QCDJR7xTC2GQGJYlgQJaHVL9D7a+FMbj7Z/tT:6xRHL6G3e0cWTC2IiRE9va9bj7Z

Score

10^/10

vmprotect

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	1640	rundll32.exe	75

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	710475fad4072f93192db19f14847c42.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	yuzhenzhang.exe

Executes dropped EXE 3 IoCs

pid	Process
1684	llpb1133.exe
4188	yuzhenzhang.exe
3708	yuzhenzhang.exe

Loads dropped DLL 1 IoCs

pid	Process
2920	rundll32.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000300000000072b-134.dat	vmprotect
behavioral2/files/0x000300000000072b-135.dat	vmprotect
behavioral2/memory/1684-139-0x0000000140000000-0x000000014061C000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1352	2920	WerFault.exe	88

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1684	4948	710475fad4072f93192db19f14847c42.exe	82
PID 4948 wrote to memory of 1684	4948	710475fad4072f93192db19f14847c42.exe	82
PID 4948 wrote to memory of 4188	4948	710475fad4072f93192db19f14847c42.exe	83
PID 4948 wrote to memory of 4188	4948	710475fad4072f93192db19f14847c42.exe	83
PID 4948 wrote to memory of 4188	4948	710475fad4072f93192db19f14847c42.exe	83
PID 4188 wrote to memory of 3708	4188	yuzhenzhang.exe	85
PID 4188 wrote to memory of 3708	4188	yuzhenzhang.exe	85
PID 4188 wrote to memory of 3708	4188	yuzhenzhang.exe	85
PID 1212 wrote to memory of 2920	1212	rundll32.exe	88
PID 1212 wrote to memory of 2920	1212	rundll32.exe	88
PID 1212 wrote to memory of 2920	1212	rundll32.exe	88

C:\Users\Admin\AppData\Local\Temp\710475fad4072f93192db19f14847c42.exe
"C:\Users\Admin\AppData\Local\Temp\710475fad4072f93192db19f14847c42.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\llpb1133.exe
  "C:\Users\Admin\AppData\Local\Temp\llpb1133.exe"
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Users\Admin\AppData\Local\Temp\yuzhenzhang.exe
  "C:\Users\Admin\AppData\Local\Temp\yuzhenzhang.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\yuzhenzhang.exe
    "C:\Users\Admin\AppData\Local\Temp\yuzhenzhang.exe" -h
    3⤵
    - Executes dropped EXE
    PID:3708

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:2920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 572
    3⤵
    - Program crash
    PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2920 -ip 2920
1⤵
PID:4580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
30d5f615722d12fdda4f378048221909

SHA1
e94e3e3a6fae8b29f0f80128761ad1b69304a7eb

SHA256
b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628

SHA512
a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe

Filesize
3.5MB

MD5
e80efc25a192b860387b90c209ef9d6b

SHA1
f98a542cb2fda237cc4f4339bd4b2bb4730059d5

SHA256
fd6c77bfc453c6270c44fcabb019eb7f183a7c8c3521e705188600ed95ef413e

SHA512
5b6e2a59b79e20dffde6292b0949b60f162f8686b261284bae31fa3e673a2e6e6f5566d0df51eaca5b62e75041196c5b641fa84734fb3ffa5a5d27382a0b4ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\llpb1133.exe

Filesize
3.5MB

MD5
e80efc25a192b860387b90c209ef9d6b

SHA1
f98a542cb2fda237cc4f4339bd4b2bb4730059d5

SHA256
fd6c77bfc453c6270c44fcabb019eb7f183a7c8c3521e705188600ed95ef413e

SHA512
5b6e2a59b79e20dffde6292b0949b60f162f8686b261284bae31fa3e673a2e6e6f5566d0df51eaca5b62e75041196c5b641fa84734fb3ffa5a5d27382a0b4ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuzhenzhang.exe

Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuzhenzhang.exe

Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuzhenzhang.exe

Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
memory/1684-139-0x0000000140000000-0x000000014061C000-memory.dmp

Filesize
6.1MB

Download
memory/1684-133-0x0000000000000000-mapping.dmp

Download
memory/2920-146-0x0000000000000000-mapping.dmp

Download
memory/3708-143-0x0000000000000000-mapping.dmp

Download
memory/4188-136-0x0000000000000000-mapping.dmp

Download
memory/4948-132-0x0000000000EA0000-0x000000000124C000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing