Analysis
- max time kernel: 150s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 24-03-2023 04:18
Static task
- static1
Behavioral task
- behavioral1
  Sample: 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe
  Resource: win7-20230220-en
Behavioral task
- behavioral2
  Sample: 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe
  Resource: win10v2004-20230221-en
General
- Target: 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe
- Size: 791KB
- MD5: 385a5478ea84a7ad68151cb65e13b47d
- SHA1: 952d6b3789d055376f38351a2ff3f8aa911e5df4
- SHA256: 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f
- SHA512: 30d753499a11ed943846b4691ec2e941c7ed5b17628b57fcf1ce490e0d22e230796a043dbe1f33af0005f59ca98971dfe7436fb6ac38e5a973d311bb42382647
- SSDEEP: 12288:YV+mzA28UpWFkjt//zBYVICCPJHUqYTilBSEg36XkTCzGeIBhN+0AEYYRd:Y8UTjt/9CChhPrFYQkmVJmd
Malware Config
Signatures
- YARA rule matches
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe | aspack_v212_v242
  \Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe | aspack_v212_v242
  \Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe | aspack_v212_v242
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  912 | ebook.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1148 | 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe
  1148 | 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main | ebook.exe
- Modifies registry class (13 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\ProgID | ebook.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543} | ebook.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\LocalServer32 | ebook.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\ebook.exe" | ebook.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ebook.EAPProtocol | ebook.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ebook.EAPProtocol\ = "Embedded Async Pluggable Protocol" | ebook.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ebook.EAPProtocol\Clsid | ebook.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ebook.EAPProtocol\Clsid\ = "{5902C4EB-8397-4FF6-B5D8-741A51D26543}" | ebook.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\ProgID\ = "ebook.EAPProtocol" | ebook.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImagesPPG.ImagesPPG\CLSID | ebook.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\ = "Embedded Async Pluggable Protocol" | ebook.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImagesPPG.ImagesPPG\CLSID\{e26d50e6-31fe-40f5-835b-8ea21da1e2ed} | ebook.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImagesPPG.ImagesPPG | ebook.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid | process
  912 | ebook.exe
  912 | ebook.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 1148 wrote to memory of 912 | 1148 | 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe | ebook.exe
  PID 1148 wrote to memory of 912 | 1148 | 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe | ebook.exe
  PID 1148 wrote to memory of 912 | 1148 | 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe | ebook.exe
  PID 1148 wrote to memory of 912 | 1148 | 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe | ebook.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe
  Filesize: 693KB
  MD5: 3c5e3102dee1add4eef7f5c10617b976
  SHA1: 38989399fc28d88fad3229e37231e9304fd93322
  SHA256: 71d3b69afb0e347d6384288bb65af5ffa3d4ea16e33423ff738a5fe770b6a404
  SHA512: ecf6994036a44df69bdee5670de375c9604267920b881e781234b2520b042c4a66a82b60c40b824b594232e9e6b8719df3510e02cd57ce641d531f2870ca4e7a
- C:\Users\Admin\AppData\Local\Temp\s_chinese.ini
  Filesize: 7KB
  MD5: 143557d65a22ef084f95fff54e37b831
  SHA1: e5082324acb8348c1c7f4d78f90a7cc2a2252dd2
  SHA256: e22f912400b3e66c079d3bccf7deabd8be724759b55d903e9b2aa1a85d7b1b7d
  SHA512: 20d934e6ca5720d6894f208b3371d866136df1c7186ca62a43addc544f98b8ad6efef07d183f93436954dd130cd056391a0a860403c5893aff623647ae04b0ce
- \Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe
  Filesize: 693KB
  MD5: 3c5e3102dee1add4eef7f5c10617b976
  SHA1: 38989399fc28d88fad3229e37231e9304fd93322
  SHA256: 71d3b69afb0e347d6384288bb65af5ffa3d4ea16e33423ff738a5fe770b6a404
  SHA512: ecf6994036a44df69bdee5670de375c9604267920b881e781234b2520b042c4a66a82b60c40b824b594232e9e6b8719df3510e02cd57ce641d531f2870ca4e7a
- memory/912-65-0x0000000000220000-0x0000000000221000-memory.dmp
  Filesize: 4KB
- memory/912-134-0x0000000000400000-0x0000000000608000-memory.dmp
  Filesize: 2.0MB
- memory/912-135-0x0000000000220000-0x0000000000221000-memory.dmp
  Filesize: 4KB
- memory/912-143-0x0000000000400000-0x0000000000608000-memory.dmp
  Filesize: 2.0MB
- memory/1148-56-0x0000000002210000-0x0000000002211000-memory.dmp
  Filesize: 4KB
- memory/1148-116-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/1148-132-0x0000000002210000-0x0000000002211000-memory.dmp
  Filesize: 4KB