Analysis
- max time kernel: 127s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-07-2023 08:35

Tasks

| Task | Score | Sample | Resource | Platform |
|---|---|---|---|---|
| static1 | 9 | - | - | - |
| behavioral1 | 7 | YI_IoT_base.apk | android-x86-arm-20230621-en | android-9-x86 |
| behavioral2 | 9 | ShareSDK.xml | win7-20230703-en | windows7-x64 |
| behavioral3 | 1 | ShareSDK.xml | win10v2004-20230703-en | windows10-2004-x64 |
| behavioral4 | 1 | alibaba_puhuiyi_bold.otf | win7-20230703-en | windows7-x64 |
| behavioral5 | 3 | alibaba_puhuiyi_bold.otf | win10v2004-20230703-en | windows10-2004-x64 |
| behavioral6 | 7 | alibaba_sans_medium_italic.otf | win7-20230703-en | windows7-x64 |
| behavioral7 | 3 | alibaba_sans_medium_italic.otf | win10v2004-20230703-en | windows10-2004-x64 |
| behavioral8 | 7 | app.4df63c69c64f6ef78419a0a528801587.css | win7-20230703-en | windows7-x64 |
| behavioral9 | 3 | app.4df63c69c64f6ef78419a0a528801587.css | win10v2004-20230703-en | windows10-2004-x64 |
| behavioral10 | 7 | bg-alarm-other.932c602.png | win7-20230703-en | windows7-x64 |
| behavioral11 | 3 | bg-alarm-other.932c602.png | win10v2004-20230703-en | windows10-2004-x64 |
| behavioral12 | 3 | bg-alarm.d56d033.png | win7-20230703-en | windows7-x64 |
| behavioral13 | 3 | bg-alarm.d56d033.png | win10v2004-20230703-en | windows10-2004-x64 |
| behavioral14 | 3 | bg-bind-success.e7c5c17.png | win7-20230703-en | windows7-x64 |
| behavioral15 | 3 | bg-bind-success.e7c5c17.png | win10v2004-20230703-en | windows10-2004-x64 |
| behavioral16 | 3 | bg_w10_bind_one.41d7983.png | win7-20230703-en | windows7-x64 |
| behavioral17 | 3 | bg_w10_bind_one.41d7983.png | win10v2004-20230703-en | windows10-2004-x64 |
| behavioral18 | 3 | bg_w10_bind_three.35c6433.png | win7-20230703-en | windows7-x64 |
| behavioral19 | 3 | bg_w10_bind_three.35c6433.png | win10v2004-20230703-en | windows10-2004-x64 |
| behavioral20 | 3 | bg_w10_bind_two.62f969b.png | win7-20230703-en | windows7-x64 |
| behavioral21 | 3 | bg_w10_bind_two.62f969b.png | win10v2004-20230703-en | windows10-2004-x64 |
| behavioral22 | 3 | bind-device-W10.7a5b360.png | win7-20230703-en | windows7-x64 |
| behavioral23 | 3 | bind-device-W10.7a5b360.png | win10v2004-20230703-en | windows10-2004-x64 |
| behavioral24 | 3 | bind-device-gate.46bb475.png | win7-20230703-en | windows7-x64 |
| behavioral25 | 3 | bind-device-gate.46bb475.png | win10v2004-20230703-en | windows10-2004-x64 |
| behavioral26 | 3 | bind-device-sensor.694c397.png | win7-20230703-en | windows7-x64 |
| behavioral27 | 3 | bind-device-sensor.694c397.png | win10v2004-20230703-en | windows10-2004-x64 |
| behavioral28 | 3 | bind-fail.ee24f95.png | win7-20230705-en | windows7-x64 |
| behavioral29 | 3 | bind-fail.ee24f95.png | win10v2004-20230703-en | windows10-2004-x64 |
| behavioral30 | 3 | bind-gate-guide-first.8538f29.png | win7-20230703-en | windows7-x64 |
| behavioral31 | 3 | bind-gate-guide-first.8538f29.png | win10v2004-20230703-en | windows10-2004-x64 |
| behavioral32 | 3 | bind-gate-guide-second.2ac19b6.png | win7-20230703-en | windows7-x64 |
General
- Target: app.4df63c69c64f6ef78419a0a528801587.css
- Size: 35KB
- MD5: c5948e2082976d1d298eb03bca6b21ee
- SHA1: c8aa44c79e4f6198890ea7d60110536b490fdb48
- SHA256: d87a84fb7978b6804f9e9bf292e4e06638904e46254297504bf7fe6914d2228e
- SHA512: b61b9760bbf387179c9eb33d44176423aea1f03519655da0009b6e19ad1ed391c88e0ee1aae4ba994c694d227a3833fac371a02b4333aef6b2268be40f1b41e1
- SSDEEP: 384:IG/kmhKTze8ykyI4hv20Vn5TLz7d151HVXZCuVeo8W8W3fqknoV6Ij+1dot2x2T3:tNoYy
Malware Config

Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: cmd.exe; key value queried: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Process: cmd.exe; key created: \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings
- Opens file in notepad (likely ransom note) (1 IoC)
  Process: NOTEPAD.EXE (PID 3860)
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 3824 (cmd.exe) wrote to memory of PID 3860 (NOTEPAD.EXE); the report lists this IoC twice.
Processes
- C:\Windows\system32\cmd.exe (PID 3824)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\app.4df63c69c64f6ef78419a0a528801587.css
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE (PID 3860, child of cmd.exe)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\app.4df63c69c64f6ef78419a0a528801587.css
    Signatures: Opens file in notepad (likely ransom note)