Analysis

  • max time kernel
    156s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    28-05-2022 02:26

General

  • Target

    02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe

  • Size

    943KB

  • MD5

    7d76846dc65ecfc757cc5f8ada1bd60d

  • SHA1

    871bf291b91b32f1b3ffadfd7e2c95280310e451

  • SHA256

    02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0

  • SHA512

    66d738cfa72b1127c1ec9618977d5059fce7b514869f1de55831972fa2b3ccf3a0d4399ad8e7d7cecc222ae1a886a2ce6b7de80fd8b257c92c10513a2e339634

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe
    "C:\Users\Admin\AppData\Local\Temp\02e1385fcb034399568d9f34e70537ef4da29c628a1e0abccdcf57571d69caa0.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 "C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ie\MediaPlayerV1alpha98.dll" /s
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:3408
    • C:\Windows\SysWOW64\gpupdate.exe
      "C:\Windows\System32\gpupdate.exe" /force
      2⤵
        PID:4928
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
      1⤵
        PID:4292
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
        1⤵
          PID:4808

        Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Program Files (x86)\MediaPlayerV1\MediaPlayerV1alpha98\ie\MediaPlayerV1alpha98.dll
          Filesize

          85KB

          MD5

          fc2a328b618dd721e4df06af8ae16ab8

          SHA1

          1db4d50870e2984beb237168411555f406f499ba

          SHA256

          24c9b08dd5167ee96e75a94db3e09abdbb682af7e4c70256b5bbc3e5b91d7a6b

          SHA512

          94140c5f5424e128eb9ebc10433ae62459924c25e7499676f38689823a7acfe62a4b3069bb2c3a16daaaba53610f9e3c0b2d147584a6973b92bc4f41f8cd3029

        • C:\Users\Admin\AppData\Local\Temp\nscB4BF.tmp\aminsis.dll
          Filesize

          834KB

          MD5

          14ad04243334645f399639b028f21d17

          SHA1

          7368866dc95621a1407d2105d040da2cc9852ba9

          SHA256

          02d13f28df1314640474ee77cd202a2c0da8e1d609c614f8fdff4451f8ee63fa

          SHA512

          3859b6f6e7e46ba70fa0be24fd2ceadf3db746818f11a09109c7bb678ee4fc08824a0cf15c77df09c3b2bdc2a80067a98130660152f5ee61e4bd501ef5ed1728

        • memory/3408-131-0x0000000000000000-mapping.dmp
        • memory/4928-134-0x0000000000000000-mapping.dmp