Analysis
-
max time kernel
122s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
21/10/2022, 02:49
Static task
static1
Behavioral task
behavioral1
Sample
64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe
Resource
win10v2004-20220901-en
General
-
Target
64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe
-
Size
30KB
-
MD5
72fc2816c0706df8b4cf6d6527705400
-
SHA1
94bc7e140d064d679ddbeafc9fc1b07243fa2731
-
SHA256
64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389
-
SHA512
74704dc890cca37dcbf60057a4370c3590131f36117cab92c51ad95e8dec193f6f9bb102584be63b1506c8e5328eb1075f930dd845d2c8a9a88f9b324fadb9d6
-
SSDEEP
768:bLt9cVrFuxrzrldoAk26gGue3wU+H8ZCD:bJcRyrldpx3Gu2SH8ZCD
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cmd.exe -
Loads dropped DLL 1 IoCs
pid Process 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe -
Modifies WinLogon 2 TTPs 7 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjcr32 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjcr32\Asynchronous = "1" 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjcr32\DllName = "winjcr32.dll" 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjcr32\Impersonate = "0" 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjcr32\Startup = "EvtStartup" 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjcr32\Shutdown = "EvtShutdown" 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\winjcr32.dll 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe File opened for modification C:\Windows\SysWOW64\winjcr32.dll 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991665" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3346247670" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3346247670" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3488123396" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3488123396" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991665" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373110439" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991665" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991665" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F278B757-5124-11ED-A0EE-E6AF42CF752C} = "0" iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 204 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 204 iexplore.exe 204 iexplore.exe 3092 IEXPLORE.EXE 3092 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2428 wrote to memory of 4548 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe 83 PID 2428 wrote to memory of 4548 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe 83 PID 2428 wrote to memory of 4548 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe 83 PID 4548 wrote to memory of 204 4548 cmd.exe 85 PID 4548 wrote to memory of 204 4548 cmd.exe 85 PID 204 wrote to memory of 3092 204 iexplore.exe 87 PID 204 wrote to memory of 3092 204 iexplore.exe 87 PID 204 wrote to memory of 3092 204 iexplore.exe 87 PID 2428 wrote to memory of 204 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe 85 PID 2428 wrote to memory of 204 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe 85 PID 2428 wrote to memory of 204 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe 85 PID 2428 wrote to memory of 204 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe 85 PID 2428 wrote to memory of 204 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe 85 PID 2428 wrote to memory of 204 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe 85 PID 2428 wrote to memory of 1320 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe 88 PID 2428 wrote to memory of 1320 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe 88 PID 2428 wrote to memory of 1320 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe 88 PID 2428 wrote to memory of 1584 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe 90 PID 2428 wrote to memory of 1584 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe 90 PID 2428 wrote to memory of 1584 2428 64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe"C:\Users\Admin\AppData\Local\Temp\64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe"1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\cmd.execmd /c start iexplore -embedding2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -embedding3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:204 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3092
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gosB124.bat"2⤵PID:1320
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.bat"2⤵PID:1584
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.bat
Filesize361B
MD5e20478d2f9706857c8ac68db7e1a4c0a
SHA1ebed4cd0b53eaa1e83a49ed134f3fcbe9b18218b
SHA25667100b03f75bf2d47502543130490c4637fa19539d850978e446ae754c3de4b9
SHA512f8d7bb416098d743d1662fa6a7ce4bc3f6c4d556b10a37ea79661bd98794208ad1d7018d49691e7cdd7daa2d1ccafd42b5f52efa5ffa03182411784c9825028b
-
Filesize
190B
MD5d5aa909febed58df9567011579e4977d
SHA1f1866a380521131044f26c16404033d6252fde5b
SHA256d4bfc234688e0880b2621b3eac81597e8616d7ca7832b35f3cb5f6bb5ce6f176
SHA512da80c4d19db5f1750f58c4c35dfc490cc258e3498fa84dc51a4d233b15043911009576b0734337f495c899e92c85faec1ec43fb366ca75a749ba1b1072a895c9
-
Filesize
21KB
MD53ce3efca63544003a973d95a16470d8c
SHA12a2b1df082f0aabe3f6323a79f480be85866c2a6
SHA25640d20cad46c93366ea0308b90ad225f5ba5120c809bac8a7890be46a8c5ce91f
SHA5122aca4be55db254cbd12dd321e24510be83dd6931d0844e544b410a21f303ce4dcaeece85f7a9ebdfbc1ddb8c6109877345912986bab71f22a2f9a03c832138f2
-
Filesize
21KB
MD53ce3efca63544003a973d95a16470d8c
SHA12a2b1df082f0aabe3f6323a79f480be85866c2a6
SHA25640d20cad46c93366ea0308b90ad225f5ba5120c809bac8a7890be46a8c5ce91f
SHA5122aca4be55db254cbd12dd321e24510be83dd6931d0844e544b410a21f303ce4dcaeece85f7a9ebdfbc1ddb8c6109877345912986bab71f22a2f9a03c832138f2