69857b0fdea21533133d3ae432a7ea65b98f251fc989764a2025d4614c9d4d87

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2023 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aha.exe
Size

7.2MB
MD5

e4e72df36a03b69b1d9129cf64b871ae
SHA1

352a2b8c27e1d6014855a30c6dc2d5af22ce3b34
SHA256

69857b0fdea21533133d3ae432a7ea65b98f251fc989764a2025d4614c9d4d87
SHA512

316ab9939c6937d3d91631ec93605c33a3d50af43c07e01b9a0ad3d51d3aa035f27735e05cf372509c6e2dad4977fc3a210f7034b0d8c0bdebf91b25b03dfa1a
SSDEEP

98304:0PZYxnMe4V/cJtKpGvJc5twG9Nh0FhgUkHaQfGrC2BqtEcTu9:dxMe4cxhAsWUI3VBG

Score

8^/10

Malware Config

Signatures

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	aha.exe

Executes dropped EXE 5 IoCs

pid	Process
4688	irsetup.exe
1048	un.exe
4120	un.exe
1832	iusb3mon.exe
5008	Microsoft.NET.exe

Loads dropped DLL 1 IoCs

pid	Process
4688	irsetup.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Your Product\livep.dat	irsetup.exe
File created	C:\Program Files\Your Product\EdgeVerLib.dat	irsetup.exe
File opened for modification	C:\Program Files\Your Product\EdgeVerLib.dat	irsetup.exe
File opened for modification	C:\Program Files\Your Product\360bscdde.dat	irsetup.exe
File created	C:\Program Files\Your Product\thxt.dat	irsetup.exe
File created	C:\Program Files\Your Product\nhplib.dat	irsetup.exe
File created	C:\Program Files\Your Product\livep.dat	irsetup.exe
File created	C:\Program Files\Your Product\360bscdde.dat	irsetup.exe
File opened for modification	C:\Program Files\Your Product\thxt.dat	irsetup.exe
File created	C:\Program Files\Your Product\safehmpg.ini	irsetup.exe
File opened for modification	C:\Program Files\Your Product\safehmpg.ini	irsetup.exe
File opened for modification	C:\Program Files\Your Product\nhplib.dat	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	iusb3mon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	iusb3mon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe
1832	iusb3mon.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4688	irsetup.exe
4688	irsetup.exe
4688	irsetup.exe
1048	un.exe
4120	un.exe
1832	iusb3mon.exe
5008	Microsoft.NET.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4688	5052	aha.exe	85
PID 5052 wrote to memory of 4688	5052	aha.exe	85
PID 4688 wrote to memory of 1048	4688	irsetup.exe	87
PID 4688 wrote to memory of 1048	4688	irsetup.exe	87
PID 4688 wrote to memory of 4120	4688	irsetup.exe	89
PID 4688 wrote to memory of 4120	4688	irsetup.exe	89
PID 4688 wrote to memory of 1832	4688	irsetup.exe	91
PID 4688 wrote to memory of 1832	4688	irsetup.exe	91
PID 4688 wrote to memory of 1832	4688	irsetup.exe	91
PID 1832 wrote to memory of 948	1832	iusb3mon.exe	93
PID 1832 wrote to memory of 948	1832	iusb3mon.exe	93
PID 1832 wrote to memory of 948	1832	iusb3mon.exe	93
PID 1832 wrote to memory of 3032	1832	iusb3mon.exe	92
PID 1832 wrote to memory of 3032	1832	iusb3mon.exe	92
PID 1832 wrote to memory of 3032	1832	iusb3mon.exe	92
PID 1832 wrote to memory of 2136	1832	iusb3mon.exe	98
PID 1832 wrote to memory of 2136	1832	iusb3mon.exe	98
PID 1832 wrote to memory of 2136	1832	iusb3mon.exe	98
PID 1832 wrote to memory of 5116	1832	iusb3mon.exe	101
PID 1832 wrote to memory of 5116	1832	iusb3mon.exe	101
PID 1832 wrote to memory of 5116	1832	iusb3mon.exe	101
PID 1832 wrote to memory of 5008	1832	iusb3mon.exe	103
PID 1832 wrote to memory of 5008	1832	iusb3mon.exe	103
PID 1832 wrote to memory of 5008	1832	iusb3mon.exe	103

C:\Users\Admin\AppData\Local\Temp\aha.exe
"C:\Users\Admin\AppData\Local\Temp\aha.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5566322 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\aha.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-1529757233-3489015626-3409890339-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\un.exe
    "C:\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar ziliao.jpg C:\ProgramData\Microsoft\Program\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1048
- - C:\un.exe
    "C:\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe shader.dat C:\ProgramData\Program\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4120
- - C:\ProgramData\Program\iusb3mon.exe
    C:\ProgramData\Program\iusb3mon.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo.>c:\odbc.inst.ini
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo.>c:\odbc.inst.ini
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo.>c:\inst.ini
      4⤵
      PID:2136
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo.>c:\odbc.inst.ini
      4⤵
      PID:5116
  - - C:\ProgramData\Microsoft\Microsoft.NET.exe
      C:\ProgramData\Microsoft\Microsoft.NET.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Data\UPX.rar

Filesize
1.5MB

MD5
4a01160b44a9213a3e73c040e1f23655

SHA1
dae8cb8bd1f9629f1052173a4b0fd94f8e932662

SHA256
0b412f32a3e25454209dc0de69837c7243612fe2d70173804528de714d95e41b

SHA512
20314be6ce7c12f42a2e2357cd47eadb3993069b45d25fc37e7bb4b30685bf05ba67ffb4b8b0f9903db78413a5338b723341786a05ca5feaab50ee32a1519ef8

Download Submit
C:\ProgramData\Microsoft\Microsoft.NET.exe

Filesize
450KB

MD5
a05454a2ca6a6aa30e912a9ce1651151

SHA1
8cd91f18ac52fa0b5df381a2c9a80711887ce9c5

SHA256
992e7f4ee378577bcb5f8848b945b3fa32c897505dce38416e11f153a7a4c045

SHA512
b682b4faa47c61d112feec06a4598d9ec2497e7379a1578a2303577d4c15cc871d77c7d938218546166415686363262560308d66e47d7e57dee5fe4c59ea813d

Download Submit
C:\ProgramData\Microsoft\Microsoft.NET.exe

Filesize
450KB

MD5
a05454a2ca6a6aa30e912a9ce1651151

SHA1
8cd91f18ac52fa0b5df381a2c9a80711887ce9c5

SHA256
992e7f4ee378577bcb5f8848b945b3fa32c897505dce38416e11f153a7a4c045

SHA512
b682b4faa47c61d112feec06a4598d9ec2497e7379a1578a2303577d4c15cc871d77c7d938218546166415686363262560308d66e47d7e57dee5fe4c59ea813d

Download Submit
C:\ProgramData\Microsoft\Microsoft.NET.exe

Filesize
450KB

MD5
a05454a2ca6a6aa30e912a9ce1651151

SHA1
8cd91f18ac52fa0b5df381a2c9a80711887ce9c5

SHA256
992e7f4ee378577bcb5f8848b945b3fa32c897505dce38416e11f153a7a4c045

SHA512
b682b4faa47c61d112feec06a4598d9ec2497e7379a1578a2303577d4c15cc871d77c7d938218546166415686363262560308d66e47d7e57dee5fe4c59ea813d

Download Submit
C:\ProgramData\Microsoft\Program\ziliao.jpg

Filesize
808KB

MD5
d4ab0a4662b1f4df98a9aab4de23420d

SHA1
51ce4cf58445581c008dcac4b799422ab219adb2

SHA256
50d2854f39e39928959201ea9952f35471b27f85c797d14ec9efdd31ffd55e0a

SHA512
2016119fb973b7c2e2783246e9723aadc79c682fef176660af7c11cba2de413e5fb8b0579180aef2db9ef348575706c590b96eedd56e87f6cfb7aa782f0688e5

Download Submit
C:\ProgramData\Program\iusb3mon.exe

Filesize
450KB

MD5
a05454a2ca6a6aa30e912a9ce1651151

SHA1
8cd91f18ac52fa0b5df381a2c9a80711887ce9c5

SHA256
992e7f4ee378577bcb5f8848b945b3fa32c897505dce38416e11f153a7a4c045

SHA512
b682b4faa47c61d112feec06a4598d9ec2497e7379a1578a2303577d4c15cc871d77c7d938218546166415686363262560308d66e47d7e57dee5fe4c59ea813d

Download Submit
C:\ProgramData\Program\iusb3mon.exe

Filesize
450KB

MD5
a05454a2ca6a6aa30e912a9ce1651151

SHA1
8cd91f18ac52fa0b5df381a2c9a80711887ce9c5

SHA256
992e7f4ee378577bcb5f8848b945b3fa32c897505dce38416e11f153a7a4c045

SHA512
b682b4faa47c61d112feec06a4598d9ec2497e7379a1578a2303577d4c15cc871d77c7d938218546166415686363262560308d66e47d7e57dee5fe4c59ea813d

Download Submit
C:\ProgramData\Program\shader.dat

Filesize
109KB

MD5
3c72179f4070f1e61f038ea069df3fdf

SHA1
aa2e13335384bbef8d02dd3a38f1e0e997fce46c

SHA256
e99cfdc985f0ed08581a7caac37f52ab8265400959dfeb0066fedbf5cad8af83

SHA512
97a8f2493d9612e279b3b0007bba796070e7441a424e7f93ed35f8307b05d4f164ba21c9d5c5e7b607bd423a59d0031d21df7e79dddf9e1073e8d99c2105458a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
4.9MB

MD5
2a7d5f8d3fb4ab753b226fd88d31453b

SHA1
2ba2f1e7d4c5ff02a730920f0796cee9b174820c

SHA256
879109ae311e9b88f930ce1c659f29ec0e338687004318661e604d0d3727e3cf

SHA512
fa520ebf9e2626008f479c6e8f472514980d105f917c48ad638a64177d77c82a651c34ed3f28f3e39e67f12e50920503b66e373b5e92cf606bc81dc62a6b3ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
4.9MB

MD5
2a7d5f8d3fb4ab753b226fd88d31453b

SHA1
2ba2f1e7d4c5ff02a730920f0796cee9b174820c

SHA256
879109ae311e9b88f930ce1c659f29ec0e338687004318661e604d0d3727e3cf

SHA512
fa520ebf9e2626008f479c6e8f472514980d105f917c48ad638a64177d77c82a651c34ed3f28f3e39e67f12e50920503b66e373b5e92cf606bc81dc62a6b3ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
4.9MB

MD5
2a7d5f8d3fb4ab753b226fd88d31453b

SHA1
2ba2f1e7d4c5ff02a730920f0796cee9b174820c

SHA256
879109ae311e9b88f930ce1c659f29ec0e338687004318661e604d0d3727e3cf

SHA512
fa520ebf9e2626008f479c6e8f472514980d105f917c48ad638a64177d77c82a651c34ed3f28f3e39e67f12e50920503b66e373b5e92cf606bc81dc62a6b3ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
329KB

MD5
958103e55c74427e5c66d7e18f3bf237

SHA1
cea3fc512763dc2ba1cfa9b7cb7a46ae89d9fcd8

SHA256
3ea4a4c3c6dea44d8917b342e93d653f59d93e1f552ace16e97e43bb04e951d8

SHA512
02ed6e1f24ef8f7f1c0377fa86a3a494b8a4474472ab7001f7902f2f3afa6cd975dc69fcab6f5524545a67657ecccfcd4ed2c95431843e9d50f2fff4c5178dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
329KB

MD5
958103e55c74427e5c66d7e18f3bf237

SHA1
cea3fc512763dc2ba1cfa9b7cb7a46ae89d9fcd8

SHA256
3ea4a4c3c6dea44d8917b342e93d653f59d93e1f552ace16e97e43bb04e951d8

SHA512
02ed6e1f24ef8f7f1c0377fa86a3a494b8a4474472ab7001f7902f2f3afa6cd975dc69fcab6f5524545a67657ecccfcd4ed2c95431843e9d50f2fff4c5178dbe

Download Submit
C:\odbc.inst.ini

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\un.exe

Filesize
322KB

MD5
5770866edbb1a095d7edc981f37d9d53

SHA1
e067a008a709459a1732e0ab06de277501be076f

SHA256
e4e8ac5179f1dff784e64c0299a9c39917352a06806ebba2de15f8d129275367

SHA512
b88c6817ef6d4301d0a99866c884627fbeaf20aee65cbd3ac519cb1e8880147710cdb19e853b2bd8b712a31efc57040c189d198ef361c4c2e11f377c42deaed4

Download Submit
C:\un.exe

Filesize
322KB

MD5
5770866edbb1a095d7edc981f37d9d53

SHA1
e067a008a709459a1732e0ab06de277501be076f

SHA256
e4e8ac5179f1dff784e64c0299a9c39917352a06806ebba2de15f8d129275367

SHA512
b88c6817ef6d4301d0a99866c884627fbeaf20aee65cbd3ac519cb1e8880147710cdb19e853b2bd8b712a31efc57040c189d198ef361c4c2e11f377c42deaed4

Download Submit
C:\un.exe

Filesize
322KB

MD5
5770866edbb1a095d7edc981f37d9d53

SHA1
e067a008a709459a1732e0ab06de277501be076f

SHA256
e4e8ac5179f1dff784e64c0299a9c39917352a06806ebba2de15f8d129275367

SHA512
b88c6817ef6d4301d0a99866c884627fbeaf20aee65cbd3ac519cb1e8880147710cdb19e853b2bd8b712a31efc57040c189d198ef361c4c2e11f377c42deaed4

Download Submit
\??\c:\odbc.inst.ini

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
memory/1832-203-0x00000000033F0000-0x00000000034C2000-memory.dmp

Filesize
840KB

Download
memory/1832-190-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download