Analysis
- max time kernel: 154s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-03-2023 04:18
Static task: static1
Behavioral task: behavioral1
- Sample: 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe
- Resource: win10v2004-20230221-en
General
- Target: 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe
- Size: 791KB
- MD5: 385a5478ea84a7ad68151cb65e13b47d
- SHA1: 952d6b3789d055376f38351a2ff3f8aa911e5df4
- SHA256: 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f
- SHA512: 30d753499a11ed943846b4691ec2e941c7ed5b17628b57fcf1ce490e0d22e230796a043dbe1f33af0005f59ca98971dfe7436fb6ac38e5a973d311bb42382647
- SSDEEP: 12288:YV+mzA28UpWFkjt//zBYVICCPJHUqYTilBSEg36XkTCzGeIBhN+0AEYYRd:Y8UTjt/9CChhPrFYQkmVJmd
Malware Config
Signatures
- YARA rule match (aspack_v212_v242)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe | aspack_v212_v242
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  4576 | ebook.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (13 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\ProgID | ebook.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\ProgID\ = "ebook.EAPProtocol" | ebook.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543} | ebook.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\ = "Embedded Async Pluggable Protocol" | ebook.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ebook.EAPProtocol | ebook.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ebook.EAPProtocol\ = "Embedded Async Pluggable Protocol" | ebook.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ebook.EAPProtocol\Clsid | ebook.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ebook.EAPProtocol\Clsid\ = "{5902C4EB-8397-4FF6-B5D8-741A51D26543}" | ebook.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImagesPPG.ImagesPPG\CLSID\{e26d50e6-31fe-40f5-835b-8ea21da1e2ed} | ebook.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImagesPPG.ImagesPPG\CLSID | ebook.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\LocalServer32 | ebook.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\ebook.exe" | ebook.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ImagesPPG.ImagesPPG | ebook.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid | process
  4576 | ebook.exe
  4576 | ebook.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 4060 wrote to memory of 4576 | 4060 | 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe | ebook.exe
  PID 4060 wrote to memory of 4576 | 4060 | 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe | ebook.exe
  PID 4060 wrote to memory of 4576 | 4060 | 71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe | ebook.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe"
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe
  Filesize: 693KB
  MD5: 3c5e3102dee1add4eef7f5c10617b976
  SHA1: 38989399fc28d88fad3229e37231e9304fd93322
  SHA256: 71d3b69afb0e347d6384288bb65af5ffa3d4ea16e33423ff738a5fe770b6a404
  SHA512: ecf6994036a44df69bdee5670de375c9604267920b881e781234b2520b042c4a66a82b60c40b824b594232e9e6b8719df3510e02cd57ce641d531f2870ca4e7a
- C:\Users\Admin\AppData\Local\Temp\s_chinese.ini
  Filesize: 7KB
  MD5: 143557d65a22ef084f95fff54e37b831
  SHA1: e5082324acb8348c1c7f4d78f90a7cc2a2252dd2
  SHA256: e22f912400b3e66c079d3bccf7deabd8be724759b55d903e9b2aa1a85d7b1b7d
  SHA512: 20d934e6ca5720d6894f208b3371d866136df1c7186ca62a43addc544f98b8ad6efef07d183f93436954dd130cd056391a0a860403c5893aff623647ae04b0ce
- memory/4060-188-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/4576-187-0x00000000024B0000-0x00000000024B1000-memory.dmp
  Filesize: 4KB
- memory/4576-189-0x0000000000400000-0x0000000000608000-memory.dmp
  Filesize: 2.0MB
- memory/4576-190-0x00000000024B0000-0x00000000024B1000-memory.dmp
  Filesize: 4KB
- memory/4576-194-0x0000000000400000-0x0000000000608000-memory.dmp
  Filesize: 2.0MB