98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc

Analysis

max time kernel
133s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe
Size

2.8MB
MD5

855b4a24b02877876fceb40c117a85a7
SHA1

b92d65521818a589da5838571189278ffbe190e4
SHA256

98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc
SHA512

1d3214765604efb172e05699d45b0beb9a4bcaaf1d1e049efe018fb1d0d09397e97707232fc9308eab00eda46a5bfd2ef37883b130c4f8d5a6679b56660ffe47

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 4 IoCs

Processes:

irsetup.exeExplorer++.exeExplorer++.exeExplorer++.exe

pid process

3684 irsetup.exe
3772 Explorer++.exe
3068 Explorer++.exe
488 Explorer++.exe

pid	process
3684	irsetup.exe
3772	Explorer++.exe
3068	Explorer++.exe
488	Explorer++.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exeirsetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	irsetup.exe

Loads dropped DLL 5 IoCs

Processes:

irsetup.exerundll32.exerundll32.exe

pid process

3684 irsetup.exe
3532 rundll32.exe
4540 rundll32.exe
744
744
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer++.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer++.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3684	irsetup.exe
3532	rundll32.exe
4540	rundll32.exe
744
744

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer++.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer++.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Explorer++.exe = "11000"	Explorer++.exe

Modifies registry class 7 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C44F4C-843E-4E94-9B3C-E9AE455D95BF}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C44F4C-843E-4E94-9B3C-E9AE455D95BF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Explorer++\\ExplorerModule.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C44F4C-843E-4E94-9B3C-E9AE455D95BF}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C44F4C-843E-4E94-9B3C-E9AE455D95BF}\Implemented Categories	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C44F4C-843E-4E94-9B3C-E9AE455D95BF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C44F4C-843E-4E94-9B3C-E9AE455D95BF}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C44F4C-843E-4E94-9B3C-E9AE455D95BF}\ = "ExplorerEx++"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Explorer++.exe

pid	process
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe
3772	Explorer++.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

irsetup.exeExplorer++.exeExplorer++.exerundll32.exe

pid process

3684 irsetup.exe
3684 irsetup.exe
3684 irsetup.exe
3772 Explorer++.exe
3068 Explorer++.exe
4540 rundll32.exe

pid	process
3684	irsetup.exe
3684	irsetup.exe
3684	irsetup.exe
3772	Explorer++.exe
3068	Explorer++.exe
4540	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exeirsetup.exerundll32.exe

description	pid	process	target process
PID 1264 wrote to memory of 3684	1264	98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe	irsetup.exe
PID 1264 wrote to memory of 3684	1264	98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe	irsetup.exe
PID 1264 wrote to memory of 3684	1264	98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe	irsetup.exe
PID 3684 wrote to memory of 3772	3684	irsetup.exe	Explorer++.exe
PID 3684 wrote to memory of 3772	3684	irsetup.exe	Explorer++.exe
PID 3684 wrote to memory of 3772	3684	irsetup.exe	Explorer++.exe
PID 3684 wrote to memory of 3068	3684	irsetup.exe	Explorer++.exe
PID 3684 wrote to memory of 3068	3684	irsetup.exe	Explorer++.exe
PID 3684 wrote to memory of 3068	3684	irsetup.exe	Explorer++.exe
PID 3684 wrote to memory of 3532	3684	irsetup.exe	rundll32.exe
PID 3684 wrote to memory of 3532	3684	irsetup.exe	rundll32.exe
PID 3684 wrote to memory of 3532	3684	irsetup.exe	rundll32.exe
PID 3532 wrote to memory of 4540	3532	rundll32.exe	rundll32.exe
PID 3532 wrote to memory of 4540	3532	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe
"C:\Users\Admin\AppData\Local\Temp\98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1807394 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2632097139-1792035885-811742494-1000"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3684

C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.exe
"C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.exe" -in
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3772

C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.exe
"C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.exe" -brun
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3068

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" /s ExplorerModule.dll InitDataEx
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" /s ExplorerModule.dll InitDataEx
4⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4540

C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.exe
-brun
1⤵
- Executes dropped EXE
PID:488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.exe
Filesize
1.9MB

MD5
ade7578d9e28dd7eef5f43aa1de8d9b5

SHA1
6b5bf4d42527767bf8c85f3756cae16f80685507

SHA256
d0fe9cd86e761881eacd186d2fab954b76c876c9299ed2e817011228fad36b91

SHA512
9617a863bc33ce3056f7886eaad2d59fa0b17c1d505a9b05061ca12944e7d7aeadc57c8d65051b8354c16a723e78f1a8a2929195c5bc0a032f7f0f64f886ea94

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.exe
Filesize
1.9MB

MD5
ade7578d9e28dd7eef5f43aa1de8d9b5

SHA1
6b5bf4d42527767bf8c85f3756cae16f80685507

SHA256
d0fe9cd86e761881eacd186d2fab954b76c876c9299ed2e817011228fad36b91

SHA512
9617a863bc33ce3056f7886eaad2d59fa0b17c1d505a9b05061ca12944e7d7aeadc57c8d65051b8354c16a723e78f1a8a2929195c5bc0a032f7f0f64f886ea94

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.exe
Filesize
1.9MB

MD5
ade7578d9e28dd7eef5f43aa1de8d9b5

SHA1
6b5bf4d42527767bf8c85f3756cae16f80685507

SHA256
d0fe9cd86e761881eacd186d2fab954b76c876c9299ed2e817011228fad36b91

SHA512
9617a863bc33ce3056f7886eaad2d59fa0b17c1d505a9b05061ca12944e7d7aeadc57c8d65051b8354c16a723e78f1a8a2929195c5bc0a032f7f0f64f886ea94

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.exe
Filesize
1.9MB

MD5
ade7578d9e28dd7eef5f43aa1de8d9b5

SHA1
6b5bf4d42527767bf8c85f3756cae16f80685507

SHA256
d0fe9cd86e761881eacd186d2fab954b76c876c9299ed2e817011228fad36b91

SHA512
9617a863bc33ce3056f7886eaad2d59fa0b17c1d505a9b05061ca12944e7d7aeadc57c8d65051b8354c16a723e78f1a8a2929195c5bc0a032f7f0f64f886ea94

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.ini
Filesize
45B

MD5
ea0e191382c342f37fed75b3d6241d24

SHA1
3f28dfc009194d624e282ff178e415ef1f81b13a

SHA256
a7579c49522e82e47065fb94081608b115fb745faf34a099b6e77bcbdcd13b8d

SHA512
71f1b4cbbf9530bc647c7046f4f0f5b263cf75be99959e74ff58774ffe38eb5ba91820f8546aee72012ec76ad559f366a8db3cd22cb3acaa2ddd780e216eef87

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer++\ExplorerModule.dll
Filesize
364KB

MD5
f7d8e13f1cf97e9fd50e026ff6f79925

SHA1
24a09660e53a6374b6abada75990d557da2a9af4

SHA256
369c1faa4b6c67b34b9d2ad3c006cd6cddc996c72e30160c771e6821fdafd78b

SHA512
4973e74d9e067d24fc7bbccfb5de732d5b077a41a012ef6f69f1381e446ac651e20b4a49d5bdad89f8b66600d43f34d4ae714a972e2a7e26ccb4de23a7371036

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer++\ExplorerModule.dll
Filesize
364KB

MD5
f7d8e13f1cf97e9fd50e026ff6f79925

SHA1
24a09660e53a6374b6abada75990d557da2a9af4

SHA256
369c1faa4b6c67b34b9d2ad3c006cd6cddc996c72e30160c771e6821fdafd78b

SHA512
4973e74d9e067d24fc7bbccfb5de732d5b077a41a012ef6f69f1381e446ac651e20b4a49d5bdad89f8b66600d43f34d4ae714a972e2a7e26ccb4de23a7371036

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer++\ExplorerModule.dll
Filesize
364KB

MD5
f7d8e13f1cf97e9fd50e026ff6f79925

SHA1
24a09660e53a6374b6abada75990d557da2a9af4

SHA256
369c1faa4b6c67b34b9d2ad3c006cd6cddc996c72e30160c771e6821fdafd78b

SHA512
4973e74d9e067d24fc7bbccfb5de732d5b077a41a012ef6f69f1381e446ac651e20b4a49d5bdad89f8b66600d43f34d4ae714a972e2a7e26ccb4de23a7371036

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer++\ExplorerModule.dll
Filesize
364KB

MD5
f7d8e13f1cf97e9fd50e026ff6f79925

SHA1
24a09660e53a6374b6abada75990d557da2a9af4

SHA256
369c1faa4b6c67b34b9d2ad3c006cd6cddc996c72e30160c771e6821fdafd78b

SHA512
4973e74d9e067d24fc7bbccfb5de732d5b077a41a012ef6f69f1381e446ac651e20b4a49d5bdad89f8b66600d43f34d4ae714a972e2a7e26ccb4de23a7371036

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer++\ExplorerModule.dll
Filesize
364KB

MD5
f7d8e13f1cf97e9fd50e026ff6f79925

SHA1
24a09660e53a6374b6abada75990d557da2a9af4

SHA256
369c1faa4b6c67b34b9d2ad3c006cd6cddc996c72e30160c771e6821fdafd78b

SHA512
4973e74d9e067d24fc7bbccfb5de732d5b077a41a012ef6f69f1381e446ac651e20b4a49d5bdad89f8b66600d43f34d4ae714a972e2a7e26ccb4de23a7371036

Download Submit
memory/3068-139-0x0000000000000000-mapping.dmp

Download
memory/3532-141-0x0000000000000000-mapping.dmp

Download
memory/3684-130-0x0000000000000000-mapping.dmp

Download
memory/3772-135-0x0000000000000000-mapping.dmp

Download
memory/4540-144-0x0000000000000000-mapping.dmp

Download