a14f448e7fbeed5aee2f0db602bca444bb821e731452e0e43f914b1cd902fec5

Analysis

max time kernel
75s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2023, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

chuaname.exe
Size

157KB
MD5

5767ca40c29cb20842c8d3b12c93d582
SHA1

8fe5bcd90416a48b3f862ea52f726239d2d8efc3
SHA256

a14f448e7fbeed5aee2f0db602bca444bb821e731452e0e43f914b1cd902fec5
SHA512

9c6fd9ffb1b0ea6305c4ed893923aa2e21ccaa63797b36458dc63eabd84e01cbc6b3331d808b58c79ae74122ee841872ab1e12683f8065ba0f40042f7f8b6321
SSDEEP

3072:s2A2+ClsFxK7hfi5ji+8T26z02mNt4H96u:/AbZFx4h2uaew4Hn

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
38.54.95.217
Port:
21
Username:
123
Password:
123

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	chuaname.exe

Executes dropped EXE 2 IoCs

pid	Process
3544	local.exe
3020	{2BDCA70C-3525-4d76-8B12-8D95C59B7053}.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	local.exe
File opened (read-only)	\??\O:	local.exe
File opened (read-only)	\??\R:	local.exe
File opened (read-only)	\??\U:	local.exe
File opened (read-only)	\??\W:	local.exe
File opened (read-only)	\??\G:	local.exe
File opened (read-only)	\??\H:	local.exe
File opened (read-only)	\??\I:	local.exe
File opened (read-only)	\??\X:	local.exe
File opened (read-only)	\??\Y:	local.exe
File opened (read-only)	\??\B:	local.exe
File opened (read-only)	\??\J:	local.exe
File opened (read-only)	\??\V:	local.exe
File opened (read-only)	\??\E:	local.exe
File opened (read-only)	\??\P:	local.exe
File opened (read-only)	\??\Z:	local.exe
File opened (read-only)	\??\Q:	local.exe
File opened (read-only)	\??\S:	local.exe
File opened (read-only)	\??\T:	local.exe
File opened (read-only)	\??\K:	local.exe
File opened (read-only)	\??\L:	local.exe
File opened (read-only)	\??\M:	local.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	local.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	local.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings	chuaname.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1688152268"	{2BDCA70C-3525-4d76-8B12-8D95C59B7053}.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe
3544	local.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4364	chuaname.exe
3544	local.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 3544	4364	chuaname.exe	100
PID 4364 wrote to memory of 3544	4364	chuaname.exe	100
PID 4364 wrote to memory of 3544	4364	chuaname.exe	100

C:\Users\Admin\AppData\Local\Temp\chuaname.exe
"C:\Users\Admin\AppData\Local\Temp\chuaname.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4364
- C:\ProgramData\babyiloveyou\local.exe
  "C:\ProgramData\babyiloveyou\local.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\{2BDCA70C-3525-4d76-8B12-8D95C59B7053}.exe
"C:\Users\Admin\AppData\Local\Temp\{2BDCA70C-3525-4d76-8B12-8D95C59B7053}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{2EC231D7-2D48-4245-8EE9-88CDDB02BADF}"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\babyiloveyou\local.exe

Filesize
141KB

MD5
fd296444464edd9d1ca67e62c1494fb8

SHA1
b81b8a3e55754c7597d51f144b878de6987770b6

SHA256
91209859d25234012d06df1fa27e4e1f842f5a897a565bab217774841d7b24a6

SHA512
50f892cea7629f4953231925a38ae9fd768df2167a7070b2add79f4dbaf8d7e563ec2343abdf133c7e14bea4f2f9d3ed41690c40ae364934c070bc58bafc574f

Download Submit
C:\ProgramData\babyiloveyou\local.exe

Filesize
141KB

MD5
fd296444464edd9d1ca67e62c1494fb8

SHA1
b81b8a3e55754c7597d51f144b878de6987770b6

SHA256
91209859d25234012d06df1fa27e4e1f842f5a897a565bab217774841d7b24a6

SHA512
50f892cea7629f4953231925a38ae9fd768df2167a7070b2add79f4dbaf8d7e563ec2343abdf133c7e14bea4f2f9d3ed41690c40ae364934c070bc58bafc574f

Download Submit
C:\ProgramData\babyiloveyou\local.exe

Filesize
141KB

MD5
fd296444464edd9d1ca67e62c1494fb8

SHA1
b81b8a3e55754c7597d51f144b878de6987770b6

SHA256
91209859d25234012d06df1fa27e4e1f842f5a897a565bab217774841d7b24a6

SHA512
50f892cea7629f4953231925a38ae9fd768df2167a7070b2add79f4dbaf8d7e563ec2343abdf133c7e14bea4f2f9d3ed41690c40ae364934c070bc58bafc574f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
621B

MD5
b41f2e813f22dc07d55a69743fe7b348

SHA1
d415dffd038e8ac046c8739de31f27e310bc3947

SHA256
4a4cb3fa898d2dd19f6ab8e9fb1ace3f9a2a64c95b1b4db8b7a31dcbce27c538

SHA512
97cec08f492c3bafe5a8fe7437cf906e27c01f40496ddd926c46d431b2d462bfeca0cc06ca4e545615d6eaacb9350aef29d1e5d9e32195747ccd39265e0fc8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
2KB

MD5
ff0c7c2667dff4f3ed588f40d047c642

SHA1
1162c83bd0bb0d81b7ab7f616cb012b790aa4adf

SHA256
02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7

SHA512
539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2BDCA70C-3525-4d76-8B12-8D95C59B7053}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2BDCA70C-3525-4d76-8B12-8D95C59B7053}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2EC231D7-2D48-4245-8EE9-88CDDB02BADF}

Filesize
215B

MD5
a80a8cfa2ccce3d252f42c0ff0cc593e

SHA1
a7deff1869e946f5b2aacaf42f6cb3f40b2e48db

SHA256
d083b1589d604e67668cf2bab215824c2cef688b14b947e90a012455bb747455

SHA512
a2e82c3e7eb6619b9d2ca216552a536adfc572e660c2e8c3554abc66e76e49fe96dfdcffdef5892a688865f11a0557c31f8f3bceb33fc735777a5aba1875575c

Download Submit
memory/3544-162-0x0000000003A30000-0x0000000003A71000-memory.dmp

Filesize
260KB

Download
memory/3544-307-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/3544-312-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/3544-313-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/3544-314-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/3544-315-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/3544-316-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4364-135-0x00000000030C0000-0x00000000033AE000-memory.dmp

Filesize
2.9MB

Download
memory/4364-136-0x0000000010000000-0x00000000102F2000-memory.dmp

Filesize
2.9MB

Download