e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c

Analysis

max time kernel
154s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
Size

1.2MB
MD5

826cd86150d2f35611763b27accb2655
SHA1

b9fe9769f84454027870a5c55cd5da940930c3a7
SHA256

e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c
SHA512

9d7e4e5dba523f9926dae639d4fa308a079484c74b39d95092801c36bce6c488b21092d12bb593e07d1c2fd6c81b14bd9ffa2080ed51a30a2ef0dfa893f8dee4
SSDEEP

24576:CNLivgmahF/BC77uoYXzLCdQZNPKjGRiIRovzay7kC99Urs6N:siYmahFW7uoYj2da18sLReLXw

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2128	9789195732344078.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001c00000001d9f9-133.dat	upx
behavioral2/files/0x001c00000001d9f9-134.dat	upx
behavioral2/memory/2128-135-0x00000000006B0000-0x000000000072B000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	9789195732344078.exe
2128	9789195732344078.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Flash Player = "C:\\Windows\\flashplayer.exe"	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\flashplayer.exe	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
File opened for modification	C:\Windows\flashplayer.exe	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	9789195732344078.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	9789195732344078.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	9789195732344078.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	9789195732344078.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	9789195732344078.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	9789195732344078.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2128	9789195732344078.exe
2128	9789195732344078.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2128	1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe	81
PID 1796 wrote to memory of 2128	1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe	81
PID 1796 wrote to memory of 2128	1796	e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe	81

C:\Users\Admin\AppData\Local\Temp\e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe
"C:\Users\Admin\AppData\Local\Temp\e4973668c78665dc1dfc1bb38ffbcea69c6d051aaa84a81b719702962fc9940c.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\9789195732344078.exe
  "C:\Users\Admin\AppData\Local\Temp\9789195732344078.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:2128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\AIH.16f58a3195030b60d31ac6306159fc7086b7091e\downloader.dll

Filesize
499KB

MD5
f344661d2abeef40bee5664e40531788

SHA1
d6abebda5991fea5cd6b563f25834fa618f9698b

SHA256
1999d4ab5e4634fa251ac9211868612d56dd6dccd944f768e03e3b2cca46e676

SHA512
10a5a362de57a52abfa9aad3f26a448475ff55b4a0ed17b24b8eb87431bbd717c62148c89648c322e216826aeb4510ab7b92ec12b596409f62dff19bb08dbb19

Download Submit
C:\ProgramData\Adobe\AIH.16f58a3195030b60d31ac6306159fc7086b7091e\launcher.dll

Filesize
176KB

MD5
7fb2833d5e07c0038bab670e775ba68b

SHA1
ece600a5a668131523651259c022c5b7108dc391

SHA256
b30db99082e9483f40aa2df35749c26f3a846ba1002e57c57f73fb2959e97191

SHA512
af13c92f76c984b9f834c7e8e14da1e3bb467ca93e3b7be831f5b9ff32b2d8e5069ba30b1196b58d16cfd1e8bfd98e4971e94df0e5a53ccef7d759aa6c1f9a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\9789195732344078.exe

Filesize
994KB

MD5
d57e10a046da9f71b96ba9f4cd50c6cc

SHA1
c78d989345a4175b19130a83b6643b93bc8e1148

SHA256
8d3ee72543420f8049ada5f65e390052fad1a892a4101af815dbd2ee155aa028

SHA512
6e8d4047fb6e106147f1672e40b6696347fe67ea5c832ad15ba36b01ce92f1fafa7953cf1b010c6003b42e7248fe39ea40309b0e9f1819a91009b6a409271e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\9789195732344078.exe

Filesize
994KB

MD5
d57e10a046da9f71b96ba9f4cd50c6cc

SHA1
c78d989345a4175b19130a83b6643b93bc8e1148

SHA256
8d3ee72543420f8049ada5f65e390052fad1a892a4101af815dbd2ee155aa028

SHA512
6e8d4047fb6e106147f1672e40b6696347fe67ea5c832ad15ba36b01ce92f1fafa7953cf1b010c6003b42e7248fe39ea40309b0e9f1819a91009b6a409271e22

Download Submit
memory/2128-132-0x0000000000000000-mapping.dmp

Download
memory/2128-135-0x00000000006B0000-0x000000000072B000-memory.dmp

Filesize
492KB

Download