Analysis

- max time kernel: 310s
- max time network: 342s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-03-2023 15:55

Static task: static1

Behavioral task: behavioral1
- Sample: 工作报表.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: 工作报表.exe
- Resource: win10v2004-20230221-en
General

- Target: 工作报表.exe
- Size: 802KB
- MD5: 43dc1d7eeef9b4ca0d455404b12c34c8
- SHA1: 2e618174d09b00abc16d34bff7b646e036adf253
- SHA256: a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf
- SHA512: b65a6542520ae094d8f9101d062339a997aa2eaed426e3aaa4c79145d97debf75062df334df4c02d874ebe15731e035bbf7b7cd0f55c248d4b6a45294c5c70c7
- SSDEEP: 24576:Sny/f9uCOXP25JiBvuXwKhbBh4iv/IVVWX77Sj+ithPW1:XF0IJSmgaVhvv/IVKyj+d
Malware Config
Signatures

- Downloads MZ/PE file
  Processes (resource / yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe / aspack_v212_v242
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe / aspack_v212_v242
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe / aspack_v212_v242

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description / ioc / process):
  - Key value queried / \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation / 工作报表.exe

- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 3200 / Project.exe

- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 3200 / Project.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  - PID 1456 wrote to memory of 3200 / 1456 / 工作报表.exe / Project.exe
  - PID 1456 wrote to memory of 3200 / 1456 / 工作报表.exe / Project.exe
  - PID 1456 wrote to memory of 3200 / 1456 / 工作报表.exe / Project.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\工作报表.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\工作报表.exe"
   PID: 1456
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe (child of PID 1456)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe"
      PID: 3200
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 1.1MB
  MD5: 4d4f8aea7be8e5f2372f6dbca75aa8ba
  SHA1: 5ca38dbc0188d1a93a043562f67cf4319ffdd24d
  SHA256: 75451351d739d060273d8f6985b42596e37fc7acc27130e44dee16c589c012e2
  SHA512: 78f35eeeac14b8a4aabff7909f8770f13397e7f892cc46f48575818ede272c2d2d40a9bd20466144cd0d9044713002205be72212187e231a966a109b8f761097
- Filesize: 98KB
  MD5: 29e0b67635a30d87d929bc1614eff68f
  SHA1: 180a56d7fb6473ae8449fea7f2e6f105e9e5bb0b
  SHA256: b2dd017dd8bf60e5a439a202af9e4dbd8a4bf57d72e6dc7528484c6f34eadc8e
  SHA512: 68a8266a1a6f2b270e9dff6b553fff4f7557ed05496aa8007b29a3bacfcf9d4228175a34460ceb43a797e8e7f44d7b33088c67fd835e3e56c64e92868ef27c49