227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d

Analysis

max time kernel
146s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Size

736KB
MD5

6528c3c8a13408336f6d52727b0b7a53
SHA1

16fb57f0c7c0dd2d85eff25114b5b8093fd0d085
SHA256

227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d
SHA512

31a459d148dd88b5d4da069871f85c358563e975d82c8e4b890c292f809004f4500a61d7562e91071f0adaed44f115baa96a89eae2d4f41f1bb44a1cb8b93a41
SSDEEP

12288:gpQFKc84EnyLz1emmZ+kEOc4dYchfL7pNWZQZrJe2WhmbP:gpQAcnLzY7EP6PhfLziQMhhmbP

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Version Vector	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell\open	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell\open\command	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\shell\open\command	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\shell\ÊôÐÔ(&R)	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\shell\ÊôÐÔ(&R)\Command	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\ShellFolder	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\DefaultIcon	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\InprocServer32\InprocServer32 = "Apartment"	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell\ÊôÐÔ(&R)	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\shell\open	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell\open\ = "´ò¿ªÖ÷Ò³(&H)"	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\lnkfile	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\ShellFolder\Attributes = "0"	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell\open\command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.1188.com/?227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d"	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\ = "Internet Explorer"	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\shellex	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\InprocServer32	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\Shell\ÊôÐÔ(&R)\ = "ÊôÐÔ(&R)"	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78507}\shell	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 4988	5092	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe	82
PID 5092 wrote to memory of 4988	5092	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe	82
PID 5092 wrote to memory of 4988	5092	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe	82
PID 5092 wrote to memory of 4688	5092	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe	84
PID 5092 wrote to memory of 4688	5092	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe	84
PID 5092 wrote to memory of 4688	5092	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe	84
PID 5092 wrote to memory of 3300	5092	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe	86
PID 5092 wrote to memory of 3300	5092	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe	86
PID 5092 wrote to memory of 3300	5092	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe	86
PID 5092 wrote to memory of 912	5092	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe	88
PID 5092 wrote to memory of 912	5092	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe	88
PID 5092 wrote to memory of 912	5092	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe	88
PID 4988 wrote to memory of 2812	4988	cmd.exe	90
PID 4988 wrote to memory of 2812	4988	cmd.exe	90
PID 4988 wrote to memory of 2812	4988	cmd.exe	90
PID 5092 wrote to memory of 1148	5092	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe	92
PID 5092 wrote to memory of 1148	5092	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe	92
PID 5092 wrote to memory of 1148	5092	227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe	92
PID 4988 wrote to memory of 4268	4988	cmd.exe	91
PID 4988 wrote to memory of 4268	4988	cmd.exe	91
PID 4988 wrote to memory of 4268	4988	cmd.exe	91
PID 4688 wrote to memory of 4784	4688	cmd.exe	94
PID 4688 wrote to memory of 4784	4688	cmd.exe	94
PID 4688 wrote to memory of 4784	4688	cmd.exe	94
PID 4688 wrote to memory of 4064	4688	cmd.exe	96
PID 4688 wrote to memory of 4064	4688	cmd.exe	96
PID 4688 wrote to memory of 4064	4688	cmd.exe	96
PID 912 wrote to memory of 3980	912	cmd.exe	95
PID 912 wrote to memory of 3980	912	cmd.exe	95
PID 912 wrote to memory of 3980	912	cmd.exe	95
PID 912 wrote to memory of 5068	912	cmd.exe	97
PID 912 wrote to memory of 5068	912	cmd.exe	97
PID 912 wrote to memory of 5068	912	cmd.exe	97
PID 3300 wrote to memory of 228	3300	cmd.exe	98
PID 3300 wrote to memory of 228	3300	cmd.exe	98
PID 3300 wrote to memory of 228	3300	cmd.exe	98
PID 3300 wrote to memory of 100	3300	cmd.exe	99
PID 3300 wrote to memory of 100	3300	cmd.exe	99
PID 3300 wrote to memory of 100	3300	cmd.exe	99
PID 1148 wrote to memory of 2452	1148	cmd.exe	100
PID 1148 wrote to memory of 2452	1148	cmd.exe	100
PID 1148 wrote to memory of 2452	1148	cmd.exe	100
PID 1148 wrote to memory of 2804	1148	cmd.exe	101
PID 1148 wrote to memory of 2804	1148	cmd.exe	101
PID 1148 wrote to memory of 2804	1148	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe
"C:\Users\Admin\AppData\Local\Temp\227fbd8589ba588cad7a510f80de01700feaa200a6fe51f8da3f64fd05c5c32d.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun20.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
    3⤵
    PID:4268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun60.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe" /G Everyone:R /C
    3⤵
    PID:4064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun99.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
    3⤵
    PID:100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun31.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe" /G Everyone:R /C
    3⤵
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun73.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Explorer Σ»└└╞≈.lnk" /G Everyone:R /C
    3⤵
    PID:2804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe

Filesize
814KB

MD5
5e5f63cd0ca3ee94c61a2db20ce33fc9

SHA1
c90ea9645c7cc1ad7553675a7ecdf880b1fb4621

SHA256
219280ffebd3d771102fc3a7f26529e5e9161366e3a5de2f8943d81dda7756bf

SHA512
b36df698f1cbe52df754db9fcfba7e6811b6fc74f44a89378ce29356630f66a10d526402e9d133f8ab608bb614e2214945c0b732b4db3d0cad3d3665e062edcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun20.bat

Filesize
130B

MD5
989ddc48479fca961d1deceabcf4a535

SHA1
fee2fdd5d425f1b5fbb490f5cddfd09b34942bf5

SHA256
26dbe6e151758410b34d5db4cdc2c4565c8484eb6acbd3e8d133623c08a256af

SHA512
ff56b98b8b406f6e5e59d3efa55bdc9c8b17ccb268ae80c2aacabc1b37870f5908016fcc1c55f05a16643716dce293aba442ec0afacf25a144da90d1fb40bc7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun31.bat

Filesize
142B

MD5
de4d1de797a02c49f52de44ab64f85a4

SHA1
8732f32a26ca896f8dc7cf5364edfe4667e918c7

SHA256
67ffac484b1287c9ccdf3dbc220cd1964fb266311bb9055a3f0e2c5c0b030c5b

SHA512
8bf42a0abff1fa82e3a45e03e688e08f72ff730519bd87f01a71a41ba0156740f8b5be2c46bc18e62ab4de3f5e9f89dc21250314486057a00a65ba922a98ffe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun60.bat

Filesize
142B

MD5
7078f47d57179e8f73f75bd7da013c32

SHA1
b74d562fbde45263fb9d205f859d1e56977cd0fc

SHA256
f9473841802e0f60717957944b14f00aa5cd118c132a62fc80ec1ba539ff8345

SHA512
2090fe6642a080dbc06b7580f5e85fea00bfa1a0c3fe1f5aca28b84e29f719111be6bf4e9de205b02230857cd13b73c8f62983fb4c054b8a0c3c90eff9d9aede

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun73.bat

Filesize
191B

MD5
9e0f4492fc93450834546fd9b4c4566d

SHA1
6066548b3588f497bc764903ebb828947fe89072

SHA256
04489a140bb05976fada65f5fd5b40effc5e0d94789c095c3b83b8eeeb8f01e7

SHA512
e42561c374bf3365a4e090025e2d0e9e7b1af7a99a139502664974f0ef972129a9296a0f58e89f4eac2e81bf2f27c791d42f01a80686b4c3cadf6e506b969faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun99.bat

Filesize
130B

MD5
62d09bb8e0410adb4fbfb82b53cf50fd

SHA1
881d2b926d6c756e61830a3426de2b935a11d77c

SHA256
eff369c9e14f3c4932b6213fadbce09ecada9b620c27ba5d30cbd33df483aec2

SHA512
ab76b85e3431efdfcce59ca18888949b0455fe754deab5378cdbf0eb0845bf90c23cd9c4839b84bb50aadb97b643c97d68aeae5254a06f27085785e502b46d06

Download Submit
C:\Users\Admin\Desktop\Internet Explorer.lnk

Filesize
1KB

MD5
c97f74cd96217e6af0ef1acf0ff58818

SHA1
a6d1b533ffc36d2117b9e73b2f7713cd8ef7e968

SHA256
6bed080ed06933ff5b7c07271bedd49fddae32c899481551c7e119efc4efbf3a

SHA512
5fbd334ef9b5beab833d325a3a8bc28fcfdbcf2b31ed646931c77eeca9ae3111ae082df8fa0b38f5269872fd6989f91baac4f109eeaae4083bae906e1b1c5562

Download Submit