79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c

General

Target

79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe
Size

31KB
MD5

5634c26547f99381e5c869ca8eeb2a6d
SHA1

8f845c886e2ac2d832bbec8ca8dd2b7c0fa63215
SHA256

79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c
SHA512

2b61b1decb1026d92d16a3710222074fddb703570b2a32b3f20585c70104adfb5846f39cfc0470e686d09c5ab10b1cf653a849c094e6bf7022b1b277388808b1
SSDEEP

384:4FZeGeDcU/LexZBAspsIoLCVRlNewBytgzZ9n0YmbsR3DC5qeidoDyomqto7I6ut:4F/BmGZBQWlBC6GAVDC5cdoDyYtYuVS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winmzk32.dll	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe
File opened for modification	C:\Windows\SysWOW64\winmzk32.dll	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985320"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9CC73C2E-385B-11ED-B696-5A10AEE59B4B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1959960125"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1959960125"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985320"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370385153"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1820	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1820	iexplore.exe
1820	iexplore.exe
1376	IEXPLORE.EXE
1376	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1556	1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe	81
PID 1492 wrote to memory of 1556	1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe	81
PID 1492 wrote to memory of 1556	1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe	81
PID 1556 wrote to memory of 1820	1556	cmd.exe	83
PID 1556 wrote to memory of 1820	1556	cmd.exe	83
PID 1820 wrote to memory of 1376	1820	iexplore.exe	85
PID 1820 wrote to memory of 1376	1820	iexplore.exe	85
PID 1820 wrote to memory of 1376	1820	iexplore.exe	85
PID 1492 wrote to memory of 1820	1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe	83
PID 1492 wrote to memory of 1820	1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe	83
PID 1492 wrote to memory of 1820	1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe	83
PID 1492 wrote to memory of 1820	1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe	83
PID 1492 wrote to memory of 1820	1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe	83
PID 1492 wrote to memory of 1820	1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe	83
PID 1492 wrote to memory of 4608	1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe	86
PID 1492 wrote to memory of 4608	1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe	86
PID 1492 wrote to memory of 4608	1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe	86
PID 1492 wrote to memory of 1656	1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe	89
PID 1492 wrote to memory of 1656	1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe	89
PID 1492 wrote to memory of 1656	1492	79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe	89

C:\Users\Admin\AppData\Local\Temp\79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe
"C:\Users\Admin\AppData\Local\Temp\79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start iexplore -embedding
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gos866B.bat"
  2⤵
  PID:4608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.bat"
  2⤵
  PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\79e41ff9b8d7130c0c3fe5454ac96be4b18e25150419ac3eb943d052c850f92c.bat

Filesize
361B

MD5
2de2bb68037c6bc8b2f0c8dab296df36

SHA1
bcc3a26758a60d3f388d32193feea0e7b51a1f23

SHA256
b49e24032254d8c4b915e44aaa2a7311274240b736d4226132f6f931a9942dac

SHA512
3e2755004cb0738239a264931a4c080c7bd04619a73a318fed8f4c1c9c651b392dbb31643ce72436faa238144842d243935e7d209738906b93d1d800da8728b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gos866B.bat

Filesize
190B

MD5
8fc4d59f75ec49adeba4ba2226a04f34

SHA1
de52ce7e9bd6cd655590110798a0eb226c084a42

SHA256
c67597b06c3540cc952c73f1821ca450ac7f76a0ecc3c7d26b5e4518d4ad5468

SHA512
f6c8aab876459b2938da507f69a00fd265f67d7453355dd665905914e35f6de25a49f0d5ac3151e2f5bd006638e10d5caad307ff5e230c319bcd544d4d7bafa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gos866B.tmp

Filesize
21KB

MD5
17eb7c3bc1a7e906d4c80de247298de5

SHA1
b3c05ae4e4654ae4a7c9888acbcf0bed59068339

SHA256
22cc324f824a38631ac4a1dcf3dd64e4a92695e17c535c450d18ea8dff2f6dd5

SHA512
9e63734db68635df4c1201f35d76cabb6f1cf33d0fa43653e46da4cc93f1bc4c0e225d1819185753cb8e78cdf459ffb5d21bbcd5e3213e709bb7ef184d879996

Download Submit
C:\Users\Admin\AppData\Local\Temp\gos866B.tmp

Filesize
21KB

MD5
17eb7c3bc1a7e906d4c80de247298de5

SHA1
b3c05ae4e4654ae4a7c9888acbcf0bed59068339

SHA256
22cc324f824a38631ac4a1dcf3dd64e4a92695e17c535c450d18ea8dff2f6dd5

SHA512
9e63734db68635df4c1201f35d76cabb6f1cf33d0fa43653e46da4cc93f1bc4c0e225d1819185753cb8e78cdf459ffb5d21bbcd5e3213e709bb7ef184d879996

Download Submit
memory/1492-138-0x0000000000030000-0x0000000000036000-memory.dmp

Filesize
24KB

Download
memory/1492-137-0x0000000002160000-0x0000000002165000-memory.dmp

Filesize
20KB

Download
memory/1492-132-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1492-142-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1492-141-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1492-135-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1492-133-0x0000000000030000-0x0000000000036000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing