Analysis

max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-02-2023 16:29
Static task: static1
Behavioral task: behavioral1
  Sample: 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe
  Resource: win7-20230220-en

Note that the behavioral task listed here (behavioral1) ran on the Windows 7 image, while every memory-dump and signature match below is tagged behavioral2, i.e. the Windows 10 2004 run described in the Analysis header. The Windows 7 results are not on this page.
General

Target: 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe
Size: 898KB
MD5: bf351f934bbfd7fdbaadeeafa83c7375
SHA1: b3b62f4f9157daffe634e995b183b46343f7e268
SHA256: 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff
SHA512: f965672020d2a0a83529a8d893e47b05b72de3556a002712d53c6476d297a7776ea17a16ee200edbef6ee233f0f867d5bdc92282f24babe6fda732c54bd710d9
SSDEEP: 24576:DcVkKSxRhGyOXW1QTPz1HlslplY0AHdL3LokK3Mfn:DcBsR8NYWbYpqr1LDRfn
Malware Config
Signatures
-
Detects HZRAT backdoor (1 IoC)
  YARA rule: family_hzrat
  Resource: behavioral2/memory/1180-189-0x0000000000400000-0x00000000004B4000-memory.dmp

The dump name encodes PID 1180 (default.exe, see the process tree below) and the region 0x400000-0x4B4000. 0x400000 is the default image base for Windows executables, so the HZRAT rule fired on default.exe's own mapped image, not on injected or loaded code; default.exe is the backdoor component of this package. The other dropped executable (PID 1564) triggers only the UPX rule.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Process: wscript.exe (PID 3896)
  Key value queried: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation

The querying process is wscript.exe, so the lookup is made by install.vbs rather than by either dropped binary. The SID-prefixed path is HKEY_CURRENT_USER of the sandbox user, and the Nation value holds the numeric Windows GeoID of the configured location. The report does not show what the script does with the value, so whether it gates execution on a specific country is an inference from the sandbox description, not an observed branch.
Executes dropped EXE (2 IoCs)
  PID 1180: default.exe
  PID 1564: 城管自动追呼系统V8.6_8.exe
UPX packed file (24 IoCs)
  YARA rule: upx
  Resource: behavioral2/memory/1564-N-0x0000000010000000-0x000000001003D000-memory.dmp, for dump index N in 145, 146, 147, 149, 151, 153, 155, 157, 159, 161, 163, 165, 167, 169, 171, 173, 175, 177, 179, 181, 183, 185, 187, 188

All 24 hits are repeated dumps of the same 0x10000000-0x1003D000 region in PID 1564 (城管自动追呼系统V8.6_8.exe). 0x10000000 is the default preferred base address for DLLs built with the Microsoft toolchain, while an executable's own image normally sits at 0x400000, so the UPX-packed module is most likely a DLL loaded into that process rather than the process image itself. The page does not name the DLL.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description flags this as "likely ransomware behaviour", but nothing else in this report supports that reading: there is no file encryption, no ransom note, and the family match is an HZRAT backdoor. Treat it as generic drive enumeration unless the Windows 7 run or a manual analysis shows otherwise.
Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 1564: 城管自动追呼系统V8.6_8.exe (three calls recorded)
Suspicious use of WriteProcessMemory (12 IoCs)
Each parent-to-child write below was recorded three times, giving the 12 entries:
  PID 5020 (9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe) wrote to memory of PID 3896 (wscript.exe), x3
  PID 3896 (wscript.exe) wrote to memory of PID 4736 (cmd.exe), x3
  PID 3896 (wscript.exe) wrote to memory of PID 1180 (default.exe), x3
  PID 4736 (cmd.exe) wrote to memory of PID 1564 (城管自动追呼系统V8.6_8.exe), x3

These writes line up exactly with the parent/child edges of the process tree below; this signature fires on the memory writes a parent makes while creating a child process, not on injection into an unrelated process.
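The chain above (SFX parent, wscript.exe running a script from a 7zS temp directory, cmd.exe, then dropped executables) is what a detection engineer would want to match on process-creation telemetry. The following is an added example, not part of the sandbox report: the event records are constructed by hand from the PIDs, images and command lines in this report (field names mimic Sysmon Event ID 1, but these are not captured logs), the parent PID of the root process and the benign control event are assumed, and the two rule functions are my own.

```python
"""Flag the 7-Zip SFX -> wscript.exe -> cmd.exe -> dropped-EXE chain.

Added example based on the report's process tree; records are constructed,
not real Sysmon logs. PPID 2000 for the root and the benign control event
(PID 7000) are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# 7-Zip SFX modules extract into %TEMP%\7zS<hex>\ before running their payload.
SFX_DIR_RE = re.compile(r"\\Temp\\7zS[0-9A-Fa-f]+\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (plus one benign control).
EVENTS = [
    ProcEvent(5020, 2000,
              r"C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe"'),
    ProcEvent(3896, 5020, r"C:\Windows\SysWOW64\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\install.vbs 城管自动追呼系统V8.6_8.exe default.exe"),
    ProcEvent(4736, 3896, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /K 城管自动追呼系统V8.6_8.exe & exit'),
    ProcEvent(1564, 4736, r"C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\城管自动追呼系统V8.6_8.exe",
              r"城管自动追呼系统V8.6_8.exe"),
    ProcEvent(1180, 3896, r"C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\default.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\default.exe"'),
    # Benign control (assumed): a user running a script from Documents.
    ProcEvent(7000, 600, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" C:\Users\Admin\Documents\cleanup.vbs'),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_sfx_script_launches(events: List[ProcEvent]) -> List[int]:
    """Rule 1: a script host started with a script that lives in a 7zS<hex> temp dir."""
    return [e.pid for e in events
            if basename(e.image) in SCRIPT_HOSTS
            and SFX_DIR_RE.search(e.cmdline)
            and SCRIPT_EXT_RE.search(e.cmdline)]


def find_dropped_exe_children(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Rule 2: a process whose image is inside a 7zS<hex> temp dir and whose
    ancestry passes through a script host or cmd.exe. Returns (pid, chain)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not SFX_DIR_RE.search(e.image):
            continue
        ancestors = []
        parent = by_pid.get(e.ppid)
        while parent is not None:          # walk up until the parent is unknown
            ancestors.append(basename(parent.image))
            parent = by_pid.get(parent.ppid)
        if any(a in SCRIPT_HOSTS + ("cmd.exe",) for a in ancestors):
            hits.append((e.pid, " <- ".join(ancestors)))
    return hits


if __name__ == "__main__":
    print("rule 1 (script from SFX dir):", find_sfx_script_launches(EVENTS))
    for pid, chain in find_dropped_exe_children(EVENTS):
        print(f"rule 2 (dropped EXE): pid {pid}, ancestry {chain}")
```

Rule 1 fires only on the wscript.exe launch (PID 3896); rule 2 fires on both dropped executables and reports their ancestry, while the root SFX process (which sits in %TEMP% but not in a 7zS directory) and the benign Documents script do not match. Expect rule 2 to also fire on legitimate 7-Zip SFX installers that run a post-extraction script, so in production it is a candidate for correlation with the geofence registry query or with the file hashes listed under Downloads rather than an alert on its own.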
Processes

1. C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe"
   PID: 5020
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\wscript.exe
      Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\install.vbs 城管自动追呼系统V8.6_8.exe default.exe
      PID: 3896
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /K 城管自动追呼系统V8.6_8.exe & exit
         PID: 4736
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\城管自动追呼系统V8.6_8.exe
            Command line: 城管自动追呼系统V8.6_8.exe
            PID: 1564
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
      3. C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\default.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\default.exe"
         PID: 1180
         - Executes dropped EXE

Reading the tree: the submitted file behaves as a 7-Zip self-extracting archive. It unpacks into C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\ (the 7zS<hex> naming used by 7-Zip SFX modules) and runs install.vbs through wscript.exe, passing the two dropped file names as script arguments. The script then starts the decoy application 城管自动追呼系统V8.6_8.exe (roughly "urban-management automatic callback system V8.6") via cmd.exe /K, and starts default.exe, the process in which the HZRAT rule matched, directly. Every process runs from SysWOW64, i.e. the whole chain is 32-bit on the x64 guest. The report does not include the contents of install.vbs.
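For static triage of a sample like this one, the first question is what the SFX stub is told to run after extraction. 7-Zip's SFX modules read that from a text block the builder places between the stub and the 7z archive, delimited by `;!@Install@!UTF-8!` and `;!@InstallEnd@!`, with `Key="Value"` lines such as `RunProgram`. The following parser is an added example, not code from the report or from 7-Zip; the byte string it runs on is constructed to mimic a builder's output (a fake stub, a config that launches install.vbs, then the 7z archive magic) and is not the configuration of the sample on this page, which the report does not show. The `app.exe` name in the constructed config is a placeholder.

```python
"""Extract the embedded config block from a 7-Zip SFX binary.

Added example; the SAMPLE bytes are constructed for illustration and are not
taken from the analysed file.
"""
import re
from typing import Dict, List, Optional

START = b";!@Install@!UTF-8!"
END = b";!@InstallEnd@!"
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"   # signature at the start of a 7z archive

# Key="Value" lines; values may contain backslash-escaped characters.
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*$', re.MULTILINE)


def extract_sfx_config(blob: bytes) -> Optional[Dict[str, str]]:
    """Return the SFX config as a dict, or None if no config block is present."""
    start = blob.find(START)
    if start < 0:
        return None
    end = blob.find(END, start)
    if end < 0:
        return None
    text = blob[start + len(START):end].decode("utf-8", errors="replace")
    return {k: v.replace('\\"', '"') for k, v in KV_RE.findall(text)}


def launch_commands(cfg: Dict[str, str]) -> List[str]:
    """Commands the SFX stub executes after extraction (RunProgram / ExecuteFile).
    7-Zip expands %%T in these values to the extraction directory (%TEMP%\\7zS<hex>)."""
    cmds = []
    if "RunProgram" in cfg:
        cmds.append(cfg["RunProgram"])
    if "ExecuteFile" in cfg:
        cmd = cfg["ExecuteFile"]
        if cfg.get("ExecuteParameters"):
            cmd += " " + cfg["ExecuteParameters"]
        cmds.append(cmd)
    return cmds


def has_7z_archive(blob: bytes) -> bool:
    """True if a 7z archive signature appears anywhere in the binary."""
    return blob.find(SEVENZ_MAGIC) >= 0


# Constructed stand-in for an SFX binary: fake PE stub, config block, archive header.
SAMPLE = (
    b"MZ" + b"\x90" * 64
    + b";!@Install@!UTF-8!\r\n"
    + b'Title="Setup"\r\n'
    + b'RunProgram="wscript.exe install.vbs app.exe default.exe"\r\n'   # hypothetical
    + b'GUIMode="2"\r\n'
    + b";!@InstallEnd@!\r\n"
    + SEVENZ_MAGIC + b"\x00" * 32
)

if __name__ == "__main__":
    cfg = extract_sfx_config(SAMPLE)
    print("config:", cfg)
    print("launches:", launch_commands(cfg or {}))
    print("7z archive present:", has_7z_archive(SAMPLE))
```

On a real sample, run this over the whole file; if it returns a config, `7z l sample.exe` and `7z x sample.exe -o<dir>` will list and extract the appended archive (7-Zip opens SFX executables as archives), which gives you install.vbs and the dropped binaries without executing anything. A missing config block with a 7z signature present usually means a plain SFX that just extracts, so the launch logic lives elsewhere.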
Network
MITRE ATT&CK Enterprise v6
Downloads

The sandbox lists five file entries; two pairs are identical in size and hashes, so the distinct files are shown once with the duplication noted. File paths for these entries are not present on this page.

File 1 (listed twice with identical hashes)
  Filesize: 746KB
  MD5: b7e2a2bc66eff2194fe89c3b39492725
  SHA1: 3dd67cf891ca0ab0ddcb21f352b6b82c7189a5db
  SHA256: 1da10fa2615093bd3cff95c69b8ccaa796ec0ecd6192357e90bc7d26c0f2e4b0
  SHA512: bdc5b7649060cda02cf74ac1a13c6770798ca5068a735c1e523a29e328b081c447a6468efb3e0b9ed18b3e3f172fca219bad021d1c84208d8513ba46cb7c8854

File 2
  Filesize: 197B
  MD5: 90a1ba69792dcb304a28a848a44c60b9
  SHA1: 7cda38f0a65d27769d51bc753b54ebfddf6cd623
  SHA256: f1e4c02163e3e66f493c784d9b1301de6e53bf4bcffa02a84931f3682fcfdc20
  SHA512: 1a770f3ea7d3ccf3deba7c8a93d9dbd054da2c3b6854224f14e9c81a4fc083fd63e36af602e4be9b65074495f427522bee7b83545d281770dc95ca44ba552f71

File 3 (listed twice with identical hashes)
  Filesize: 1.1MB
  MD5: 3dbbf5c43df2b3a6ca03fff37ec0ba94
  SHA1: cc3e2bbaa0c498b4952763a2565ca9c0fe65f8eb
  SHA256: 5aba0e6886f8bffdfe6b261ad84be78db8a48e188eb8baeb788980456f183dce
  SHA512: aab09928c4aeb223bd02240b9ec97789f2507b4f427574fb8c5f1dc13d831e7bd32f1b42b3a4effeb973ac7d3c76f98057a383d9dc4c7fbd0e2ff959e8eece7a