Analysis
-
max time kernel
73s -
max time network
72s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
20-03-2023 07:59
General
-
Target
票-据202331554102115001.exe
-
Size
3.3MB
-
MD5
50298c571eeb5d3c9dbb5945f5692d2d
-
SHA1
82817defaabee93a9d15c78e763137c4c2d1dcb4
-
SHA256
6ae296e1d6faefa0851a7f40736d4404409eb1fa3e2b884664a1cc6f1107bb47
-
SHA512
8a953c3c14c30532cfad0f5c83cd3f267d0625dc333d3510647e3ab82c0ad7c27fe1548ea75975be8f28e64a1c3104c7729858a31fbed9c24957a15d56a44f3b
-
SSDEEP
49152:53wqqmcOSW0FONVReXFYYjSpHl9r9zzoMr6YNDsxmDb7S1xR+VXHxasznBKWKv:53wqZDjcL8rf6YNoxmDbm1xR
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\票-据202331554102115001.exe"C:\Users\Admin\AppData\Local\Temp\票-据202331554102115001.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\EHHJJLLLNP\music.exe"C:\Users\Admin\AppData\Roaming\EHHJJLLLNP\music.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\_config.exe"C:\Users\Admin\AppData\Local\Temp\_config.exe"2⤵
- Executes dropped EXE
-
C:\Windows\helppane.exeC:\Windows\helppane.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\_config.exe"C:\Users\Admin\AppData\Local\Temp\_config.exe" shell32.dll,ShellExec_RunDLL reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\EHHJJLLLNP" /f2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\EHHJJLLLNP" /f3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\_config.exeFilesize
82KB
MD5cbbdef6c4d82eb4ff01ed43f1e641907
SHA1722ba8786507f2cad599b11cdc4a139909f4f9f1
SHA25637a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4
SHA5126f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd
-
C:\Users\Admin\AppData\Local\Temp\_config.exeFilesize
82KB
MD5cbbdef6c4d82eb4ff01ed43f1e641907
SHA1722ba8786507f2cad599b11cdc4a139909f4f9f1
SHA25637a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4
SHA5126f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd
-
C:\Users\Admin\AppData\Local\Temp\_config.exeFilesize
82KB
MD5cbbdef6c4d82eb4ff01ed43f1e641907
SHA1722ba8786507f2cad599b11cdc4a139909f4f9f1
SHA25637a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4
SHA5126f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd
-
C:\Users\Admin\AppData\Local\Temp\_config.exeFilesize
82KB
MD5cbbdef6c4d82eb4ff01ed43f1e641907
SHA1722ba8786507f2cad599b11cdc4a139909f4f9f1
SHA25637a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4
SHA5126f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd
-
C:\Users\Admin\AppData\Local\Temp\_config.lnkFilesize
2KB
MD5db271f32bf8072ec46a5b098595ace3c
SHA16c7f4ece8982221d50d5a77f12e8833805fa31a3
SHA25626bc23134a6a9a5e0ba61a7d9540fe4ff5de262f600cb634ab70f317eb8667f4
SHA512c96f4a8a262cdf474355ceea42ec2716e4d493d3f802b6596a0653ab4941a664861d7b259e3b6f0223afdd8191d8ac5d052c00a29a62df6b7b9ea92f8d6d4b26
-
C:\Users\Admin\AppData\Roaming\EHHJJLLLNP\music.exeFilesize
108KB
MD5a6a9abf50eb980d12622e14c237a9f37
SHA18ef76ad1aaac59cc082a94dd1fa65338c7d59111
SHA2561ef14f23c1c3fad652b81376340e8882a942b27052f85e96040067fc0ac4cd5a
SHA512952a4e01f4d6018289db4ead6b52d50f9dfa2939ebe37294c2c07c4af18c20d9beb3f65b41a04cfc92f26b61794b53bd8884a78cbe4be6cf4904a9b608fd1252
-
C:\Users\Admin\AppData\Roaming\EHHJJLLLNP\music.exeFilesize
108KB
MD5a6a9abf50eb980d12622e14c237a9f37
SHA18ef76ad1aaac59cc082a94dd1fa65338c7d59111
SHA2561ef14f23c1c3fad652b81376340e8882a942b27052f85e96040067fc0ac4cd5a
SHA512952a4e01f4d6018289db4ead6b52d50f9dfa2939ebe37294c2c07c4af18c20d9beb3f65b41a04cfc92f26b61794b53bd8884a78cbe4be6cf4904a9b608fd1252
-
\Users\Admin\AppData\Local\Temp\_config.exeFilesize
82KB
MD5cbbdef6c4d82eb4ff01ed43f1e641907
SHA1722ba8786507f2cad599b11cdc4a139909f4f9f1
SHA25637a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4
SHA5126f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd
-
\Users\Admin\AppData\Local\Temp\_config.exeFilesize
82KB
MD5cbbdef6c4d82eb4ff01ed43f1e641907
SHA1722ba8786507f2cad599b11cdc4a139909f4f9f1
SHA25637a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4
SHA5126f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd
-
\Users\Admin\AppData\Roaming\EHHJJLLLNP\music.exeFilesize
108KB
MD5a6a9abf50eb980d12622e14c237a9f37
SHA18ef76ad1aaac59cc082a94dd1fa65338c7d59111
SHA2561ef14f23c1c3fad652b81376340e8882a942b27052f85e96040067fc0ac4cd5a
SHA512952a4e01f4d6018289db4ead6b52d50f9dfa2939ebe37294c2c07c4af18c20d9beb3f65b41a04cfc92f26b61794b53bd8884a78cbe4be6cf4904a9b608fd1252
-
memory/1032-93-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/1116-56-0x0000000010000000-0x000000001001E000-memory.dmpFilesize
120KB
-
memory/1116-59-0x0000000000400000-0x0000000000FB8000-memory.dmpFilesize
11.7MB
-
memory/1116-95-0x0000000010000000-0x000000001001E000-memory.dmpFilesize
120KB
-
memory/1116-94-0x0000000000400000-0x0000000000FB8000-memory.dmpFilesize
11.7MB
-
memory/1116-66-0x0000000000400000-0x0000000000FB8000-memory.dmpFilesize
11.7MB
-
memory/1116-63-0x0000000010000000-0x000000001001E000-memory.dmpFilesize
120KB
-
memory/1116-67-0x0000000010000000-0x000000001001E000-memory.dmpFilesize
120KB
-
memory/1116-62-0x0000000000400000-0x0000000000FB8000-memory.dmpFilesize
11.7MB
-
memory/1116-61-0x0000000000400000-0x0000000000FB8000-memory.dmpFilesize
11.7MB
-
memory/1116-60-0x0000000000400000-0x0000000000FB8000-memory.dmpFilesize
11.7MB
-
memory/1116-64-0x0000000000FC0000-0x0000000000FC1000-memory.dmpFilesize
4KB
-
memory/1116-58-0x0000000000400000-0x0000000000FB8000-memory.dmpFilesize
11.7MB
-
memory/1360-78-0x0000000000020000-0x0000000000024000-memory.dmpFilesize
16KB
-
memory/1360-77-0x0000000000F10000-0x0000000000F5C000-memory.dmpFilesize
304KB
-
memory/1360-74-0x0000000000F10000-0x0000000000F5C000-memory.dmpFilesize
304KB
-
memory/1360-96-0x0000000000F10000-0x0000000000F5C000-memory.dmpFilesize
304KB