Analysis
max time kernel: 142s
max time network: 146s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 23-02-2023 16:29
Static task: static1
Behavioral task: behavioral1
Sample: 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe
Resource: win7-20230220-en
General
Target: 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe
Size: 898KB
MD5: bf351f934bbfd7fdbaadeeafa83c7375
SHA1: b3b62f4f9157daffe634e995b183b46343f7e268
SHA256: 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff
SHA512: f965672020d2a0a83529a8d893e47b05b72de3556a002712d53c6476d297a7776ea17a16ee200edbef6ee233f0f867d5bdc92282f24babe6fda732c54bd710d9
SSDEEP: 24576:DcVkKSxRhGyOXW1QTPz1HlslplY0AHdL3LokK3Mfn:DcBsR8NYWbYpqr1LDRfn
Malware Config
Signatures
Detects HZRAT backdoor (1 IoCs)
resource | yara_rule
behavioral1/memory/1440-117-0x0000000000400000-0x00000000004B4000-memory.dmp | family_hzrat
Executes dropped EXE (2 IoCs)
Processes:
pid | process
1440 | default.exe
1468 | 城管自动追呼系统V8.6_8.exe
Loads dropped DLL (8 IoCs)
Processes:
pid | process
1308 | wscript.exe
1308 | wscript.exe
268 | cmd.exe
1440 | default.exe
1440 | default.exe
1440 | default.exe
1468 | 城管自动追呼系统V8.6_8.exe
1468 | 城管自动追呼系统V8.6_8.exe
resource | yara_rule
behavioral1/memory/1468-73-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-74-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-75-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-77-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-79-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-81-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-83-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-85-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-87-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-89-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-91-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-93-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-95-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-97-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-99-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-101-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-103-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-105-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-107-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-109-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-111-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-113-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-115-0x0000000010000000-0x000000001003D000-memory.dmp | upx
behavioral1/memory/1468-116-0x0000000010000000-0x000000001003D000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
pid | process
1468 | 城管自动追呼系统V8.6_8.exe
1468 | 城管自动追呼系统V8.6_8.exe
1468 | 城管自动追呼系统V8.6_8.exe
Suspicious use of WriteProcessMemory (28 IoCs)
Processes:
description | pid | process | target process
PID 1976 wrote to memory of 1308 | 1976 | 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe | wscript.exe
PID 1976 wrote to memory of 1308 | 1976 | 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe | wscript.exe
PID 1976 wrote to memory of 1308 | 1976 | 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe | wscript.exe
PID 1976 wrote to memory of 1308 | 1976 | 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe | wscript.exe
PID 1976 wrote to memory of 1308 | 1976 | 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe | wscript.exe
PID 1976 wrote to memory of 1308 | 1976 | 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe | wscript.exe
PID 1976 wrote to memory of 1308 | 1976 | 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe | wscript.exe
PID 1308 wrote to memory of 268 | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 268 | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 268 | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 268 | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 268 | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 268 | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 268 | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 1440 | 1308 | wscript.exe | default.exe
PID 1308 wrote to memory of 1440 | 1308 | wscript.exe | default.exe
PID 1308 wrote to memory of 1440 | 1308 | wscript.exe | default.exe
PID 1308 wrote to memory of 1440 | 1308 | wscript.exe | default.exe
PID 1308 wrote to memory of 1440 | 1308 | wscript.exe | default.exe
PID 1308 wrote to memory of 1440 | 1308 | wscript.exe | default.exe
PID 1308 wrote to memory of 1440 | 1308 | wscript.exe | default.exe
PID 268 wrote to memory of 1468 | 268 | cmd.exe | 城管自动追呼系统V8.6_8.exe
PID 268 wrote to memory of 1468 | 268 | cmd.exe | 城管自动追呼系统V8.6_8.exe
PID 268 wrote to memory of 1468 | 268 | cmd.exe | 城管自动追呼系统V8.6_8.exe
PID 268 wrote to memory of 1468 | 268 | cmd.exe | 城管自动追呼系统V8.6_8.exe
PID 268 wrote to memory of 1468 | 268 | cmd.exe | 城管自动追呼系统V8.6_8.exe
PID 268 wrote to memory of 1468 | 268 | cmd.exe | 城管自动追呼系统V8.6_8.exe
PID 268 wrote to memory of 1468 | 268 | cmd.exe | 城管自动追呼系统V8.6_8.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe"
   PID: 1976
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\wscript.exe
      Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\install.vbs 城管自动追呼系统V8.6_8.exe default.exe
      PID: 1308
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /K 城管自动追呼系统V8.6_8.exe & exit
         PID: 268
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\城管自动追呼系统V8.6_8.exe
            Command line: 城管自动追呼系统V8.6_8.exe
            PID: 1468
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
      3. C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\default.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\default.exe"
         PID: 1440
         - Executes dropped EXE
         - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 746KB
MD5: b7e2a2bc66eff2194fe89c3b39492725
SHA1: 3dd67cf891ca0ab0ddcb21f352b6b82c7189a5db
SHA256: 1da10fa2615093bd3cff95c69b8ccaa796ec0ecd6192357e90bc7d26c0f2e4b0
SHA512: bdc5b7649060cda02cf74ac1a13c6770798ca5068a735c1e523a29e328b081c447a6468efb3e0b9ed18b3e3f172fca219bad021d1c84208d8513ba46cb7c8854

Filesize: 197B
MD5: 90a1ba69792dcb304a28a848a44c60b9
SHA1: 7cda38f0a65d27769d51bc753b54ebfddf6cd623
SHA256: f1e4c02163e3e66f493c784d9b1301de6e53bf4bcffa02a84931f3682fcfdc20
SHA512: 1a770f3ea7d3ccf3deba7c8a93d9dbd054da2c3b6854224f14e9c81a4fc083fd63e36af602e4be9b65074495f427522bee7b83545d281770dc95ca44ba552f71

Filesize: 1.1MB
MD5: 3dbbf5c43df2b3a6ca03fff37ec0ba94
SHA1: cc3e2bbaa0c498b4952763a2565ca9c0fe65f8eb
SHA256: 5aba0e6886f8bffdfe6b261ad84be78db8a48e188eb8baeb788980456f183dce
SHA512: aab09928c4aeb223bd02240b9ec97789f2507b4f427574fb8c5f1dc13d831e7bd32f1b42b3a4effeb973ac7d3c76f98057a383d9dc4c7fbd0e2ff959e8eece7a