a14f448e7fbeed5aee2f0db602bca444bb821e731452e0e43f914b1cd902fec5

General

Target

chuanameexe.exe
Size

157KB
MD5

5767ca40c29cb20842c8d3b12c93d582
SHA1

8fe5bcd90416a48b3f862ea52f726239d2d8efc3
SHA256

a14f448e7fbeed5aee2f0db602bca444bb821e731452e0e43f914b1cd902fec5
SHA512

9c6fd9ffb1b0ea6305c4ed893923aa2e21ccaa63797b36458dc63eabd84e01cbc6b3331d808b58c79ae74122ee841872ab1e12683f8065ba0f40042f7f8b6321
SSDEEP

3072:s2A2+ClsFxK7hfi5ji+8T26z02mNt4H96u:/AbZFx4h2uaew4Hn

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
38.54.95.217
Port:
21
Username:
123
Password:
123

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1672	local.exe
2004	{5EF2C316-9059-42c0-AF8F-260081A510C4}.exe

Loads dropped DLL 2 IoCs

pid	Process
1704	chuanameexe.exe
1704	chuanameexe.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	local.exe
File opened (read-only)	\??\U:	local.exe
File opened (read-only)	\??\Z:	local.exe
File opened (read-only)	\??\F:	local.exe
File opened (read-only)	\??\G:	local.exe
File opened (read-only)	\??\O:	local.exe
File opened (read-only)	\??\R:	local.exe
File opened (read-only)	\??\H:	local.exe
File opened (read-only)	\??\L:	local.exe
File opened (read-only)	\??\Q:	local.exe
File opened (read-only)	\??\S:	local.exe
File opened (read-only)	\??\W:	local.exe
File opened (read-only)	\??\X:	local.exe
File opened (read-only)	\??\E:	local.exe
File opened (read-only)	\??\J:	local.exe
File opened (read-only)	\??\N:	local.exe
File opened (read-only)	\??\P:	local.exe
File opened (read-only)	\??\V:	local.exe
File opened (read-only)	\??\Y:	local.exe
File opened (read-only)	\??\B:	local.exe
File opened (read-only)	\??\I:	local.exe
File opened (read-only)	\??\K:	local.exe
File opened (read-only)	\??\M:	local.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	local.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	local.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1688197809"	{5EF2C316-9059-42c0-AF8F-260081A510C4}.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe
1672	local.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1704	chuanameexe.exe
1672	local.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1672	1704	chuanameexe.exe	30
PID 1704 wrote to memory of 1672	1704	chuanameexe.exe	30
PID 1704 wrote to memory of 1672	1704	chuanameexe.exe	30
PID 1704 wrote to memory of 1672	1704	chuanameexe.exe	30

C:\Users\Admin\AppData\Local\Temp\chuanameexe.exe
"C:\Users\Admin\AppData\Local\Temp\chuanameexe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704
- C:\ProgramData\babyiloveyou\local.exe
  "C:\ProgramData\babyiloveyou\local.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1672

C:\Users\Admin\AppData\Local\Temp\{5EF2C316-9059-42c0-AF8F-260081A510C4}.exe
"C:\Users\Admin\AppData\Local\Temp\{5EF2C316-9059-42c0-AF8F-260081A510C4}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{54D53D10-576E-4376-881D-2016C5E4B6EC}"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\babyiloveyou\local.exe

Filesize
141KB

MD5
fd296444464edd9d1ca67e62c1494fb8

SHA1
b81b8a3e55754c7597d51f144b878de6987770b6

SHA256
91209859d25234012d06df1fa27e4e1f842f5a897a565bab217774841d7b24a6

SHA512
50f892cea7629f4953231925a38ae9fd768df2167a7070b2add79f4dbaf8d7e563ec2343abdf133c7e14bea4f2f9d3ed41690c40ae364934c070bc58bafc574f

Download Submit
C:\ProgramData\babyiloveyou\local.exe

Filesize
141KB

MD5
fd296444464edd9d1ca67e62c1494fb8

SHA1
b81b8a3e55754c7597d51f144b878de6987770b6

SHA256
91209859d25234012d06df1fa27e4e1f842f5a897a565bab217774841d7b24a6

SHA512
50f892cea7629f4953231925a38ae9fd768df2167a7070b2add79f4dbaf8d7e563ec2343abdf133c7e14bea4f2f9d3ed41690c40ae364934c070bc58bafc574f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
2KB

MD5
ff0c7c2667dff4f3ed588f40d047c642

SHA1
1162c83bd0bb0d81b7ab7f616cb012b790aa4adf

SHA256
02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7

SHA512
539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{54D53D10-576E-4376-881D-2016C5E4B6EC}

Filesize
215B

MD5
764c5a2a928249a303d97b2376dd3934

SHA1
3b61f1686db3b031a3f89d78f95deaf166c494f7

SHA256
8b1dba7e440238545281b28047cc9392098bfd5d64b915f6b510262f5ee4f1f1

SHA512
364b1dac8d4327054dfb1bd2dcd6325e65e1a7996eb436cc5591689d8a85de2325a935acd3e1ff8914b45da8c94fc62696cea1b84d7d4493567924b9ace06234

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5EF2C316-9059-42c0-AF8F-260081A510C4}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
\ProgramData\babyiloveyou\local.exe

Filesize
141KB

MD5
fd296444464edd9d1ca67e62c1494fb8

SHA1
b81b8a3e55754c7597d51f144b878de6987770b6

SHA256
91209859d25234012d06df1fa27e4e1f842f5a897a565bab217774841d7b24a6

SHA512
50f892cea7629f4953231925a38ae9fd768df2167a7070b2add79f4dbaf8d7e563ec2343abdf133c7e14bea4f2f9d3ed41690c40ae364934c070bc58bafc574f

Download Submit
\Users\Admin\AppData\Local\Temp\{5EF2C316-9059-42c0-AF8F-260081A510C4}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
memory/1672-79-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1672-224-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/1672-229-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/1672-231-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/1672-232-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/1672-234-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/1704-56-0x0000000003360000-0x000000000364E000-memory.dmp

Filesize
2.9MB

Download
memory/1704-57-0x0000000010000000-0x00000000102F2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads