a14f448e7fbeed5aee2f0db602bca444bb821e731452e0e43f914b1cd902fec5

Analysis

max time kernel
85s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2023, 07:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

chuanameexe.exe
Size

157KB
MD5

5767ca40c29cb20842c8d3b12c93d582
SHA1

8fe5bcd90416a48b3f862ea52f726239d2d8efc3
SHA256

a14f448e7fbeed5aee2f0db602bca444bb821e731452e0e43f914b1cd902fec5
SHA512

9c6fd9ffb1b0ea6305c4ed893923aa2e21ccaa63797b36458dc63eabd84e01cbc6b3331d808b58c79ae74122ee841872ab1e12683f8065ba0f40042f7f8b6321
SSDEEP

3072:s2A2+ClsFxK7hfi5ji+8T26z02mNt4H96u:/AbZFx4h2uaew4Hn

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
38.54.95.217
Port:
21
Username:
123
Password:
123

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	chuanameexe.exe

Executes dropped EXE 2 IoCs

pid	Process
4868	local.exe
4396	{7CBBA74D-F726-45b3-88A7-95870B05D57E}.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	local.exe
File opened (read-only)	\??\R:	local.exe
File opened (read-only)	\??\N:	local.exe
File opened (read-only)	\??\V:	local.exe
File opened (read-only)	\??\W:	local.exe
File opened (read-only)	\??\K:	local.exe
File opened (read-only)	\??\M:	local.exe
File opened (read-only)	\??\I:	local.exe
File opened (read-only)	\??\O:	local.exe
File opened (read-only)	\??\P:	local.exe
File opened (read-only)	\??\Q:	local.exe
File opened (read-only)	\??\U:	local.exe
File opened (read-only)	\??\X:	local.exe
File opened (read-only)	\??\G:	local.exe
File opened (read-only)	\??\H:	local.exe
File opened (read-only)	\??\Y:	local.exe
File opened (read-only)	\??\Z:	local.exe
File opened (read-only)	\??\L:	local.exe
File opened (read-only)	\??\S:	local.exe
File opened (read-only)	\??\T:	local.exe
File opened (read-only)	\??\B:	local.exe
File opened (read-only)	\??\J:	local.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	local.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	local.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings	chuanameexe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1688197804"	{7CBBA74D-F726-45b3-88A7-95870B05D57E}.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe
4868	local.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
468	chuanameexe.exe
4868	local.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 4868	468	chuanameexe.exe	89
PID 468 wrote to memory of 4868	468	chuanameexe.exe	89
PID 468 wrote to memory of 4868	468	chuanameexe.exe	89

C:\Users\Admin\AppData\Local\Temp\chuanameexe.exe
"C:\Users\Admin\AppData\Local\Temp\chuanameexe.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:468
- C:\ProgramData\babyiloveyou\local.exe
  "C:\ProgramData\babyiloveyou\local.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3976

C:\Users\Admin\AppData\Local\Temp\{7CBBA74D-F726-45b3-88A7-95870B05D57E}.exe
"C:\Users\Admin\AppData\Local\Temp\{7CBBA74D-F726-45b3-88A7-95870B05D57E}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{0D611EE8-33DA-40d6-9610-3D0F5FA5F9A0}"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\babyiloveyou\local.exe

Filesize
141KB

MD5
fd296444464edd9d1ca67e62c1494fb8

SHA1
b81b8a3e55754c7597d51f144b878de6987770b6

SHA256
91209859d25234012d06df1fa27e4e1f842f5a897a565bab217774841d7b24a6

SHA512
50f892cea7629f4953231925a38ae9fd768df2167a7070b2add79f4dbaf8d7e563ec2343abdf133c7e14bea4f2f9d3ed41690c40ae364934c070bc58bafc574f

Download Submit
C:\ProgramData\babyiloveyou\local.exe

Filesize
141KB

MD5
fd296444464edd9d1ca67e62c1494fb8

SHA1
b81b8a3e55754c7597d51f144b878de6987770b6

SHA256
91209859d25234012d06df1fa27e4e1f842f5a897a565bab217774841d7b24a6

SHA512
50f892cea7629f4953231925a38ae9fd768df2167a7070b2add79f4dbaf8d7e563ec2343abdf133c7e14bea4f2f9d3ed41690c40ae364934c070bc58bafc574f

Download Submit
C:\ProgramData\babyiloveyou\local.exe

Filesize
141KB

MD5
fd296444464edd9d1ca67e62c1494fb8

SHA1
b81b8a3e55754c7597d51f144b878de6987770b6

SHA256
91209859d25234012d06df1fa27e4e1f842f5a897a565bab217774841d7b24a6

SHA512
50f892cea7629f4953231925a38ae9fd768df2167a7070b2add79f4dbaf8d7e563ec2343abdf133c7e14bea4f2f9d3ed41690c40ae364934c070bc58bafc574f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
829B

MD5
a3dd775111efd46e0abd9ef662e6d458

SHA1
07a2759e6d7237a279b5bcf8cb177b9fd6c673ba

SHA256
31ef3bed15d38e2c5333e311c562e11f068b19d0539ce28af9f3411ee7ef15be

SHA512
f953e0687fd5421b9cc42d49ebb6abff66a894422c7ac182b614d2066b58fdb79f0ac4c22fae78359f120ae3e537f47e081503ee6761e1660bf2bba1132d4c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
2KB

MD5
ff0c7c2667dff4f3ed588f40d047c642

SHA1
1162c83bd0bb0d81b7ab7f616cb012b790aa4adf

SHA256
02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7

SHA512
539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0D611EE8-33DA-40d6-9610-3D0F5FA5F9A0}

Filesize
215B

MD5
b36872603898adf29dc000d66f9ee3ef

SHA1
b791670740194ec215630203969a622f35c398ec

SHA256
fcc78b7741d25bc7bafa41631bf23ab6fae4b008bc59beb341210c11a922c090

SHA512
647b0e7eb517bd92c0aa866fc09db13b7499f4d4c54110285e254d996c5ce7e9633dc9ed9ddc00173a041771ec5f39dc0e555b6c2cd454443ab66df2a8d2fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7CBBA74D-F726-45b3-88A7-95870B05D57E}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7CBBA74D-F726-45b3-88A7-95870B05D57E}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
memory/468-135-0x00000000030C0000-0x00000000033AE000-memory.dmp

Filesize
2.9MB

Download
memory/468-136-0x0000000010000000-0x00000000102F2000-memory.dmp

Filesize
2.9MB

Download
memory/4868-162-0x0000000002CF0000-0x0000000002D31000-memory.dmp

Filesize
260KB

Download
memory/4868-307-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4868-312-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4868-313-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4868-315-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4868-316-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download