Analysis
- max time kernel: 133s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 03:45
Static task: static1
Behavioral task: behavioral1
- Sample: 98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe
- Resource: win10v2004-20220414-en
General
- Target: 98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe
- Size: 2.8MB
- MD5: 855b4a24b02877876fceb40c117a85a7
- SHA1: b92d65521818a589da5838571189278ffbe190e4
- SHA256: 98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc
- SHA512: 1d3214765604efb172e05699d45b0beb9a4bcaaf1d1e049efe018fb1d0d09397e97707232fc9308eab00eda46a5bfd2ef37883b130c4f8d5a6679b56660ffe47
Malware Config
Signatures
- Registers COM server for autorun (1 TTPs)
- Executes dropped EXE (4 IoCs)
  Processes:
  pid  | process
  3684 | irsetup.exe
  3772 | Explorer++.exe
  3068 | Explorer++.exe
  488  | Explorer++.exe
- UPX-packed dropped file (YARA rule: upx, 2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | upx
  C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | upx
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | irsetup.exe
- Loads dropped DLL (5 IoCs)
  Processes:
  pid  | process
  3684 | irsetup.exe
  3532 | rundll32.exe
  4540 | rundll32.exe
  744  | 744 (the report gives only the pid for this entry)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Explorer++.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Explorer++.exe = "11000" | Explorer++.exe
- Modifies registry class (7 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C44F4C-843E-4E94-9B3C-E9AE455D95BF}\InprocServer32 | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C44F4C-843E-4E94-9B3C-E9AE455D95BF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Explorer++\\ExplorerModule.dll" | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C44F4C-843E-4E94-9B3C-E9AE455D95BF}\InprocServer32\ThreadingModel = "Apartment" | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C44F4C-843E-4E94-9B3C-E9AE455D95BF}\Implemented Categories | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C44F4C-843E-4E94-9B3C-E9AE455D95BF}\Implemented Categories\{00021492-0000-0000-C000-000000000046} | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C44F4C-843E-4E94-9B3C-E9AE455D95BF} | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C44F4C-843E-4E94-9B3C-E9AE455D95BF}\ = "ExplorerEx++" | rundll32.exe
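The registry IoCs above (the Geo\Nation lookup, the EnableLUA and FEATURE_BROWSER_EMULATION entries, and the seven CLSID writes) are what an analyst turns into a verdict: a CLSID registered machine-wide by rundll32.exe whose InprocServer32 points into a user's AppData\Roaming, with an Implemented Categories entry for {00021492-0000-0000-C000-000000000046}, which is CATID_DeskBand from shlguid.h (desk bands are hosted by explorer.exe once enabled from the taskbar Toolbars menu). The following is an added example, not code from the sandbox report or from any project the sample belongs to. It takes the events transcribed from the tables above as constructed input, rewrites the kernel-style \REGISTRY\ paths into the HKLM/HKU form reg.exe and PowerShell use, tags each event, and collapses the CLSID writes into one registration record. The tag names and the user-writable-path rule are this example's own assumptions.

```python
"""Triage the registry IoCs listed in the report above.

Added example, not part of the sandbox report or of any project the sample
belongs to. EVENTS is transcribed from the report's registry IoC tables with
the key and value name split apart; the tags and the user-writable-path rule
are this editor's heuristics. CATID_DESKBAND is the shell's "desk band"
component category GUID from shlguid.h.
"""
import re

CATID_DESKBAND = "{00021492-0000-0000-C000-000000000046}"
CLSID_RE = re.compile(r"\\Classes\\CLSID\\(\{[0-9A-F-]{36}\})", re.I)
# Paths a standard user can overwrite: anything under the profile's AppData.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)

USER_SID = "S-1-5-21-2632097139-1792035885-811742494-1000"
CLSID = "{C7C44F4C-843E-4E94-9B3C-E9AE455D95BF}"
CLSID_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID" + "\\" + CLSID

# (operation, key, value name or None, data or None, process), transcribed from the report
EVENTS = [
    ("Key value queried", r"\REGISTRY\USER" + "\\" + USER_SID + r"\Control Panel\International\Geo",
     "Nation", None, "irsetup.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", None, "Explorer++.exe"),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION",
     "Explorer++.exe", "11000", "Explorer++.exe"),
    ("Key created", CLSID_KEY, None, None, "rundll32.exe"),
    ("Set value (str)", CLSID_KEY, "", "ExplorerEx++", "rundll32.exe"),
    ("Key created", CLSID_KEY + r"\InprocServer32", None, None, "rundll32.exe"),
    ("Set value (str)", CLSID_KEY + r"\InprocServer32", "",
     r"C:\Users\Admin\AppData\Roaming\Explorer++\ExplorerModule.dll", "rundll32.exe"),
    ("Set value (str)", CLSID_KEY + r"\InprocServer32", "ThreadingModel", "Apartment", "rundll32.exe"),
    ("Key created", CLSID_KEY + r"\Implemented Categories", None, None, "rundll32.exe"),
    ("Key created", CLSID_KEY + r"\Implemented Categories" + "\\" + CATID_DESKBAND, None, None, "rundll32.exe"),
]


def to_hive_path(nt_key):
    """Rewrite a kernel-style \\REGISTRY\\... key into the HKLM/HKU form used by reg.exe."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if nt_key.upper().startswith(prefix):
            return hive + nt_key[len(prefix):]
    return nt_key


def tag(event):
    """Label one registry event with what it tells an analyst (heuristic tag names)."""
    op, key, name, data, _proc = event
    k = key.lower()
    tags = set()
    if k.endswith(r"\control panel\international\geo") and name == "Nation":
        tags.add("geo_lookup")
    if name == "EnableLUA":
        tags.add("uac_check")
    if r"\featurecontrol\feature_browser_emulation" in k:
        tags.add("ie_emulation")
    if k.endswith(r"\inprocserver32") and name == "" and data:
        tags.add("com_inproc_server")
        if USER_WRITABLE_RE.match(data):
            tags.add("user_writable_dll")
    if r"\implemented categories" + "\\" + CATID_DESKBAND.lower() in k:
        tags.add("deskband_category")
    if op.startswith("Set value") or op == "Key created":
        tags.add("write")
    return tags


def com_registrations(events):
    """Group the CLSID writes into one record per class so the persistence stands out."""
    regs = {}
    for ev in events:
        m = CLSID_RE.search(ev[1])
        if not m or "write" not in tag(ev):
            continue
        clsid = m.group(1).upper()
        r = regs.setdefault(clsid, {
            "clsid": clsid, "hive": to_hive_path(ev[1]).split("\\")[0],
            "name": None, "dll": None, "threading": None,
            "deskband": False, "user_writable_dll": False, "writer": ev[4]})
        t = tag(ev)
        if ev[2] == "" and "com_inproc_server" not in t:
            r["name"] = ev[3]                      # default value of the CLSID key: display name
        if "com_inproc_server" in t:
            r["dll"] = ev[3]                       # default value of InprocServer32: the DLL path
            r["user_writable_dll"] = "user_writable_dll" in t
        if ev[2] == "ThreadingModel":
            r["threading"] = ev[3]
        if "deskband_category" in t:
            r["deskband"] = True
    return list(regs.values())


def verdict(reg):
    """Plain-language reading of one registration record."""
    bits = [f"{reg['clsid']} ({reg['name']}) registered under {reg['hive']} by {reg['writer']}"]
    if reg["dll"]:
        bits.append(f"InprocServer32 -> {reg['dll']}")
    if reg["user_writable_dll"]:
        bits.append("DLL lives in a user-writable directory: anything that can write there owns this class")
    if reg["deskband"]:
        bits.append("CATID_DeskBand: hosted by explorer.exe once the band is enabled from the taskbar Toolbars menu")
    return "; ".join(bits)


if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev[4]:15} {ev[0]:18} {to_hive_path(ev[1])}\\{ev[2] or ''}  {sorted(tag(ev))}")
    for reg in com_registrations(EVENTS):
        print(verdict(reg))
```

The HKLM/HKU form from to_hive_path is what you paste into reg query or Get-ItemProperty on a suspect host; note the CLSID was written under HKLM\SOFTWARE\Classes, not HKCU, so the registration survives for every user while the DLL it names sits in one user's profile.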
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid  | process
  3772 | Explorer++.exe (all 64 events)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
  pid  | process
  3684 | irsetup.exe (3 events)
  3772 | Explorer++.exe
  3068 | Explorer++.exe
  4540 | rundll32.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description | pid | process | target process
  PID 1264 wrote to memory of 3684 | 1264 | 98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe | irsetup.exe (3 events)
  PID 3684 wrote to memory of 3772 | 3684 | irsetup.exe | Explorer++.exe (3 events)
  PID 3684 wrote to memory of 3068 | 3684 | irsetup.exe | Explorer++.exe (3 events)
  PID 3684 wrote to memory of 3532 | 3684 | irsetup.exe | rundll32.exe (3 events)
  PID 3532 wrote to memory of 4540 | 3532 | rundll32.exe | rundll32.exe (2 events)
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    (depth 2) C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1807394 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2632097139-1792035885-811742494-1000"
        - Executes dropped EXE
        - Checks computer location settings
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        (depth 3) C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.exe
            command line: "C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.exe" -in
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
        (depth 3) C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.exe
            command line: "C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.exe" -brun
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
        (depth 3) C:\Windows\SysWOW64\rundll32.exe
            command line: "C:\Windows\system32\rundll32.exe" /s ExplorerModule.dll InitDataEx
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            (depth 4) C:\Windows\system32\rundll32.exe
                command line: "C:\Windows\system32\rundll32.exe" /s ExplorerModule.dll InitDataEx
                - Loads dropped DLL
                - Modifies registry class
                - Suspicious use of SetWindowsHookEx
(depth 1) C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.exe
    command line: -brun
    - Executes dropped EXE
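The five parent/child edges in the process tree are exactly the five (writer, target) pairs in the WriteProcessMemory table, so the 14 rows of that signature are the launches themselves rather than writes into a process the sample did not start; the one edge worth a second look is the 32-bit rundll32 in SysWOW64 relaunching the native one in system32 with the same arguments, which rundll32 does when the DLL's bitness differs from its own. (The irsetup.exe and lua5.1.dll pair under _ir_sf_temp_0 together with the __IRAOFF, __IRAFN, __IRCT, __IRTSS and __IRSID arguments is the runtime of Indigo Rose's Setup Factory installer; that identification is this editor's, not the report's.) The following is an added example, not part of the sandbox report: it rebuilds the tree from the WriteProcessMemory rows transcribed from the report (constructed input), counts the rows per edge, and splits the edges into launches and cross-process writes using the tree's parent/child pairs.

```python
"""Rebuild the process tree from the report's WriteProcessMemory rows.

Added example, not part of the sandbox report. EVENTS is transcribed from the
"Suspicious use of WriteProcessMemory" table (one tuple per row) and
TREE_EDGES from the report's process tree; the interpretation rules are this
editor's, not the sandbox's.
"""
from collections import Counter

SAMPLE = "98b8a12a67678dc171add497f7eb4167fa64aa51ec332db3890a8939056434fc.exe"

# (writer pid, writer image, target pid, target image), one tuple per IoC row
EVENTS = (
    [(1264, SAMPLE, 3684, "irsetup.exe")] * 3
    + [(3684, "irsetup.exe", 3772, "Explorer++.exe")] * 3
    + [(3684, "irsetup.exe", 3068, "Explorer++.exe")] * 3
    + [(3684, "irsetup.exe", 3532, "rundll32.exe")] * 3
    + [(3532, "rundll32.exe", 4540, "rundll32.exe")] * 2
)

# Parent/child pairs from the report's process tree. Writes along these edges
# are what a parent does while launching its child; anything else would be a
# write into a process the writer did not start.
TREE_EDGES = {(1264, 3684), (3684, 3772), (3684, 3068), (3684, 3532), (3532, 4540)}


def build_tree(events):
    """Collapse the rows into unique writer->target edges.

    Returns (children, names, counts): children maps pid -> child pids in
    first-seen order, names maps pid -> image, counts maps (writer, target)
    -> number of rows behind that edge.
    """
    counts = Counter((w, t) for w, _, t, _ in events)
    names, children = {}, {}
    for w, wname, t, tname in events:
        names[w], names[t] = wname, tname
        children.setdefault(w, [])
        if t not in children[w]:
            children[w].append(t)
    return children, names, counts


def roots(children):
    """Pids that write to others but are never written to themselves."""
    targets = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in targets)


def render(children, names, counts, pid, depth=0):
    """Indented text tree with the row count shown on each edge."""
    lines = [f"{'    ' * depth}{pid} {names[pid]}"]
    for c in children.get(pid, []):
        sub = render(children, names, counts, c, depth + 1)
        sub[0] += f"  [{counts[(pid, c)]} write rows]"
        lines.extend(sub)
    return lines


def classify(counts, names, tree_edges):
    """Split edges into launches (also parent/child edges) and cross-process writes."""
    launches, injections = [], []
    for edge, n in counts.items():
        (launches if edge in tree_edges else injections).append((edge, n))
    notes = []
    for (w, t), _ in launches:
        if names[w] == names[t] == "rundll32.exe":
            # The tree's image paths show SysWOW64\rundll32.exe spawning
            # system32\rundll32.exe with identical arguments: the 32-bit host
            # handing the DLL to the native one because their bitness differs.
            notes.append(f"{w} -> {t}: rundll32 relaunched itself from SysWOW64 into system32; "
                         "check the bitness of the DLL it was given")
    return launches, injections, notes


if __name__ == "__main__":
    children, names, counts = build_tree(EVENTS)
    for r in roots(children):
        print("\n".join(render(children, names, counts, r)))
    launches, injections, notes = classify(counts, names, TREE_EDGES)
    print(f"{len(launches)} launch edges, {len(injections)} cross-process write edges")
    for n in notes:
        print(n)
```

On a richer report the same split is the useful one: an edge in the WriteProcessMemory table that is not a parent/child edge in the tree is the row to pull the memory dump for.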
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe (2 identical entries in the report)
  Filesize: 1.3MB
  MD5: 7eb6266334c70e3ffa235d2571614734
  SHA1: de003214a0034ca3dbe9ed35f482f2aaa235c5d7
  SHA256: 0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f
  SHA512: f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll (2 identical entries in the report)
  Filesize: 326KB
  MD5: e7a789232ef503dcb4929791673009a3
  SHA1: 8bc28bce4c9d8b4a6e360100441ba54a878de4c1
  SHA256: 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1
  SHA512: 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87
- C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.exe (4 identical entries in the report)
  Filesize: 1.9MB
  MD5: ade7578d9e28dd7eef5f43aa1de8d9b5
  SHA1: 6b5bf4d42527767bf8c85f3756cae16f80685507
  SHA256: d0fe9cd86e761881eacd186d2fab954b76c876c9299ed2e817011228fad36b91
  SHA512: 9617a863bc33ce3056f7886eaad2d59fa0b17c1d505a9b05061ca12944e7d7aeadc57c8d65051b8354c16a723e78f1a8a2929195c5bc0a032f7f0f64f886ea94
- C:\Users\Admin\AppData\Roaming\Explorer++\Explorer++.ini
  Filesize: 45B
  MD5: ea0e191382c342f37fed75b3d6241d24
  SHA1: 3f28dfc009194d624e282ff178e415ef1f81b13a
  SHA256: a7579c49522e82e47065fb94081608b115fb745faf34a099b6e77bcbdcd13b8d
  SHA512: 71f1b4cbbf9530bc647c7046f4f0f5b263cf75be99959e74ff58774ffe38eb5ba91820f8546aee72012ec76ad559f366a8db3cd22cb3acaa2ddd780e216eef87
- C:\Users\Admin\AppData\Roaming\Explorer++\ExplorerModule.dll (5 identical entries in the report)
  Filesize: 364KB
  MD5: f7d8e13f1cf97e9fd50e026ff6f79925
  SHA1: 24a09660e53a6374b6abada75990d557da2a9af4
  SHA256: 369c1faa4b6c67b34b9d2ad3c006cd6cddc996c72e30160c771e6821fdafd78b
  SHA512: 4973e74d9e067d24fc7bbccfb5de732d5b077a41a012ef6f69f1381e446ac651e20b4a49d5bdad89f8b66600d43f34d4ae714a972e2a7e26ccb4de23a7371036
- memory/3068-139-0x0000000000000000-mapping.dmp
- memory/3532-141-0x0000000000000000-mapping.dmp
- memory/3684-130-0x0000000000000000-mapping.dmp
- memory/3772-135-0x0000000000000000-mapping.dmp
- memory/4540-144-0x0000000000000000-mapping.dmp