Analysis
-
max time kernel
167s -
max time network
185s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
27-04-2022 15:14
Static task
static1
Behavioral task
behavioral1
Sample
9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe
Resource
win7-20220414-en
General
-
Target
9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe
-
Size
41KB
-
MD5
5d1e4a4e7302c1c20d358978a5fcba50
-
SHA1
b1c5289e645610db4aa891c4a08ced5d359505f1
-
SHA256
9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8
-
SHA512
556dbe93692e55dd83580c989fb3e73e5997433d41166fd7db0eed209431ae09124589c01939a4091c4b869c4a5a2031a22eadab9342f54a02fe33ce3d1eb6ee
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe -
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory 2 IoCs
Processes:
9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exedescription ioc process File created C:\Windows\SysWOW64\sklh.dat 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe File created C:\Windows\SysWOW64\jzcom32.dll 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe -
Modifies registry class 9 IoCs
Processes:
9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\ = "Rmn plugin" 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\InprocServer32\ = "jzcom32.dll" 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\InprocServer32\ThreadingModel = "Apartment" 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\ProgID\ = "RITLAB.1" 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A} 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\InprocServer32 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\ProgID 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\TypeLib 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}\TypeLib\ = "{0781A6CB-03C2-4780-A4F4-946319703918}" 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exedescription pid process target process PID 4708 wrote to memory of 2124 4708 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe cmd.exe PID 4708 wrote to memory of 2124 4708 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe cmd.exe PID 4708 wrote to memory of 2124 4708 9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe"C:\Users\Admin\AppData\Local\Temp\9b9240a2389a803eb3c93cdc4dfefcdfe22f4f2bbc24fb5eb593c86c1fbea5c8.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9B9240~1.EXE >> NUL2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2124-130-0x0000000000000000-mapping.dmp