9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c

General

Target

9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe
Size

149KB
MD5

d3965ed87e85d69cf6a16aff968a597d
SHA1

773e80623299d0ce1c0b337b69c02a1ec034cf61
SHA256

9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c
SHA512

7f4075540676284bd8f1ba20d530ffb198a3491fa32ade1dc9b52e7c6397d3b36f810a0fcc11a8b3ca32b504dab41a06fa4061685ca0970ef425a6f39162c734
SSDEEP

1536:IaQJ4uxhhlPbJHS9sf2bsqzln3R4stMOiWGEP7w02rd9cqCmh6DY5atOXPQWzfba:IaQ/xrHS9sf2QQRsEP7w0SJVvbktO0h7

Score

10^/10

evasion execution persistence

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\761A.tmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Blocklisted process makes network request 1 IoCs

Processes:

Rundll32.exe

flow pid process

6 4716 Rundll32.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

flow	pid	process
6	4716	Rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

Rundll32.exeRundll32.exe

pid process

2124 Rundll32.exe
4716 Rundll32.exe
4716 Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Rundll32.exe

description ioc process

File opened (read-only) \??\D: Rundll32.exe
File opened (read-only) \??\F: Rundll32.exe

description	ioc	process
File opened (read-only)	\??\D:	Rundll32.exe
File opened (read-only)	\??\F:	Rundll32.exe

Drops file in System32 directory 2 IoCs

Processes:

9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wqemngaa.dll	9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe
File created	C:\Windows\SysWOW64\obhmngaa.dll	9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe

Drops file in Program Files directory 1 IoCs

Processes:

Rundll32.exe

description ioc process

File opened for modification C:\Program Files\AAV\CDriver.sys Rundll32.exe
Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3016 sc.exe
2460 sc.exe
2748 sc.exe
1664 sc.exe
1920 sc.exe
2028 sc.exe
4840 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

description	ioc	process
File opened for modification	C:\Program Files\AAV\CDriver.sys	Rundll32.exe

pid	process
3016	sc.exe
2460	sc.exe
2748	sc.exe
1664	sc.exe
1920	sc.exe
2028	sc.exe
4840	sc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Rundll32.exe

pid	process
2124	Rundll32.exe
2124	Rundll32.exe
2124	Rundll32.exe
2124	Rundll32.exe
2124	Rundll32.exe
2124	Rundll32.exe
2124	Rundll32.exe
2124	Rundll32.exe
2124	Rundll32.exe
2124	Rundll32.exe
2124	Rundll32.exe
2124	Rundll32.exe
2124	Rundll32.exe
2124	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656
Suspicious behavior: RenamesItself 1 IoCs

Processes:

9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe

pid process

1072 9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe

pid	process
656

pid	process
1072	9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exeRundll32.exenet.exenet.exe

description	pid	process	target process
PID 1072 wrote to memory of 2124	1072	9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe	Rundll32.exe
PID 1072 wrote to memory of 2124	1072	9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe	Rundll32.exe
PID 1072 wrote to memory of 2124	1072	9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe	Rundll32.exe
PID 2124 wrote to memory of 3968	2124	Rundll32.exe	net.exe
PID 2124 wrote to memory of 3968	2124	Rundll32.exe	net.exe
PID 2124 wrote to memory of 3968	2124	Rundll32.exe	net.exe
PID 2124 wrote to memory of 5084	2124	Rundll32.exe	net.exe
PID 2124 wrote to memory of 5084	2124	Rundll32.exe	net.exe
PID 2124 wrote to memory of 5084	2124	Rundll32.exe	net.exe
PID 2124 wrote to memory of 1664	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 1664	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 1664	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 2748	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 2748	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 2748	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 2460	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 2460	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 2460	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 4840	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 4840	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 4840	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 3016	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 3016	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 3016	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 1920	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 1920	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 1920	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 1072	2124	Rundll32.exe	9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe
PID 2124 wrote to memory of 1072	2124	Rundll32.exe	9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe
PID 2124 wrote to memory of 3968	2124	Rundll32.exe	net.exe
PID 2124 wrote to memory of 3968	2124	Rundll32.exe	net.exe
PID 2124 wrote to memory of 5084	2124	Rundll32.exe	net.exe
PID 2124 wrote to memory of 5084	2124	Rundll32.exe	net.exe
PID 2124 wrote to memory of 1664	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 1664	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 2028	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 2028	2124	Rundll32.exe	sc.exe
PID 2124 wrote to memory of 2028	2124	Rundll32.exe	sc.exe
PID 5084 wrote to memory of 4728	5084	net.exe	net1.exe
PID 5084 wrote to memory of 4728	5084	net.exe	net1.exe
PID 5084 wrote to memory of 4728	5084	net.exe	net1.exe
PID 1072 wrote to memory of 4716	1072	9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe	Rundll32.exe
PID 1072 wrote to memory of 4716	1072	9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe	Rundll32.exe
PID 1072 wrote to memory of 4716	1072	9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe	Rundll32.exe
PID 3968 wrote to memory of 3528	3968	net.exe	net1.exe
PID 3968 wrote to memory of 3528	3968	net.exe	net1.exe
PID 3968 wrote to memory of 3528	3968	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe
"C:\Users\Admin\AppData\Local\Temp\9ff888b086d928dcd66985e4b89aad02dcd2b97b750a392cdbac2a79453df59c.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\Rundll32.exe
Rundll32 C:\Windows\system32\wqemngaa.dll Exbcute
2⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\net.exe
net stop WinDefend
3⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
4⤵
PID:3528

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
4⤵
PID:4728

C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
3⤵
- Launches sc.exe
PID:1664

C:\Windows\SysWOW64\sc.exe
sc config MpsSvc start= disabled
3⤵
- Launches sc.exe
PID:2748

C:\Windows\SysWOW64\sc.exe
sc stop ZhuDongFangYu
3⤵
- Launches sc.exe
PID:2460

C:\Windows\SysWOW64\sc.exe
sc delete ZhuDongFangYu
3⤵
- Launches sc.exe
PID:4840

C:\Windows\SysWOW64\sc.exe
sc stop 360rp
3⤵
- Launches sc.exe
PID:3016

C:\Windows\SysWOW64\sc.exe
sc delete 360rp
3⤵
- Launches sc.exe
PID:1920

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" stop PolicyAgent
3⤵
- Launches sc.exe
PID:2028

C:\Windows\SysWOW64\Rundll32.exe
Rundll32 C:\Windows\system32\obhmngaa.dll Exbcute
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

2

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\761A.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Windows\SysWOW64\obhmngaa.dll

Filesize
24KB

MD5
af18ffd71cf2abe49e60353b9202bf70

SHA1
fca0fb502f5d79eacfb6b3af613e9f38e30220d8

SHA256
adc6b3bbd691387198f597c9228df74138ed601804ff35d0e78e08cb8bb24aac

SHA512
3bd7f681a659fbdd20953a5f1442102d8c10a9eab55f5ea0b815a205478a81a7eaae180313a80646bc972e486f0f4b8abe338b47ea792c2242f85a6349e9bceb

Download Submit
C:\Windows\SysWOW64\wqemngaa.dll

Filesize
75KB

MD5
9b0bdefd566a844ab82d31d41cae80eb

SHA1
11221562bee4503b003ba5f8e7be67df92093dd9

SHA256
c00834615d7d447d3f9c9803ddf8ed0ced42451170ba930146d04f18d2d880dc

SHA512
66e2fd72a13ffd8bc1ddeca7b9db3eec92f15d744bd2faa11f76f35c92367af7c6ca6cef8405d9542b7ebd193c0e14b05ec96412c5ff0349826ed4e81ad43909

Download Submit
memory/1072-4-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/1072-22-0x0000000000D30000-0x0000000000D57000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads