154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2

Analysis

max time kernel
151s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2.exe
Size

132KB
MD5

789a7c1914f703c8343b8ece91c3a830
SHA1

fc5e2b8079f7a340d437a00652edce1ef851bfae
SHA256

154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2
SHA512

f4b4f99be9c3e0fd4d59152b4622f3b80eb51419bf1a8870f643155eda6a7fad4160c1a1bbc1fa615669601f22f4983cbe3a58d15ff9d099d506c65d0e945627
SSDEEP

1536:wURjsYDtXptH5NwCes0GUEQZwaKH3xm4KZtLsi4mJMo6C:zfx0FKqubP

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1132	Windefend.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windefend.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Windows\\SysWOW64\\Windefend.exe"	Windefend.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Windefend.exe	154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2.exe
File opened for modification	C:\Windows\SysWOW64\Windefend.exe	154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "304403006"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "264872805"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "264872805"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "304403006"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989679"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372257145"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989679"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{35AF56D8-4962-11ED-B696-E62D9FD3CB0B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989679"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989679"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1132	Windefend.exe
1132	Windefend.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1132	Windefend.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3412	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3412	iexplore.exe
3412	iexplore.exe
4372	IEXPLORE.EXE
4372	IEXPLORE.EXE
4372	IEXPLORE.EXE
4372	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 1132	3344	154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2.exe	82
PID 3344 wrote to memory of 1132	3344	154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2.exe	82
PID 3344 wrote to memory of 1132	3344	154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2.exe	82
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 1132 wrote to memory of 3412	1132	Windefend.exe	83
PID 3412 wrote to memory of 4372	3412	iexplore.exe	85
PID 3412 wrote to memory of 4372	3412	iexplore.exe	85
PID 3412 wrote to memory of 4372	3412	iexplore.exe	85

C:\Users\Admin\AppData\Local\Temp\154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2.exe
"C:\Users\Admin\AppData\Local\Temp\154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\SysWOW64\Windefend.exe
  "C:\Windows\system32\Windefend.exe" rem "C:\Users\Admin\AppData\Local\Temp\154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3412 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7de3527d962389a61a0825bebf9031b7

SHA1
ffc04b363ec1d3976e454446827d36813002a9b7

SHA256
63db191be3bdce3f969a6f457edaa2bf5c9ec863a311540d719ad80ca9ce4a19

SHA512
57220b86487cefb01b4c2b9b904a147ea35133f490d5da092dbf10e1568c14a2f1359ed36529edc779335a9f4530c25a67d2065620379eec0e682b03389ae91d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
dbec9d9b0e50095ade54aa20800a1a4f

SHA1
da45c86405808f2ed736e6a54769541735ccc3dd

SHA256
a5c1757b5f3aa6f868905e562c68b0e0e446fcfdacb23d0b3d28f2c1c5cb68f4

SHA512
19ca027fdc3fbc94c99d78c8602659f855d1e152475cc5d12eef1e325c6c2760652b128f8df6f2e1f57f1ae56b68f64062c7f0d3446457cf21e75808d64a7f62

Download Submit
C:\Windows\SysWOW64\Windefend.exe

Filesize
132KB

MD5
789a7c1914f703c8343b8ece91c3a830

SHA1
fc5e2b8079f7a340d437a00652edce1ef851bfae

SHA256
154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2

SHA512
f4b4f99be9c3e0fd4d59152b4622f3b80eb51419bf1a8870f643155eda6a7fad4160c1a1bbc1fa615669601f22f4983cbe3a58d15ff9d099d506c65d0e945627

Download Submit
C:\Windows\SysWOW64\Windefend.exe

Filesize
132KB

MD5
789a7c1914f703c8343b8ece91c3a830

SHA1
fc5e2b8079f7a340d437a00652edce1ef851bfae

SHA256
154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2

SHA512
f4b4f99be9c3e0fd4d59152b4622f3b80eb51419bf1a8870f643155eda6a7fad4160c1a1bbc1fa615669601f22f4983cbe3a58d15ff9d099d506c65d0e945627

Download Submit
memory/1132-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1132-137-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3344-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download