85a2172264b2486eeb9cb4a4dd388fb7889a2a4242953220e7bfd6d9fcbd6757

Analysis

max time kernel
51s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85a2172264b2486eeb9cb4a4dd388fb7889a2a4242953220e7bfd6d9fcbd6757.exe
Size

732KB
MD5

84bc05e699128ec6a3f824ac961a47d0
SHA1

c12ba51f80a17265072ef64290aa069a44682a27
SHA256

85a2172264b2486eeb9cb4a4dd388fb7889a2a4242953220e7bfd6d9fcbd6757
SHA512

b18f6368a265b31369c8d3075d6ed2fef5c28f954b1e0d7c0833baf10d03b7809c469135cb1b2c5ea6ba53e55d3253b499a6c10575471c8b470eca4ad062cb94
SSDEEP

12288:hfrXVhdHtm+EFS0H2uUQ37hkWOKWm3GZQfW7mpbsBqeqHJjQ:hjFhdHtv8P2HQ37hLGZQfg8bsB8JjQ

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4928	115br_pdf_31.exe
1444	115br.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	85a2172264b2486eeb9cb4a4dd388fb7889a2a4242953220e7bfd6d9fcbd6757.exe

Loads dropped DLL 1 IoCs

pid	Process
4928	115br_pdf_31.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\115\browser\skin\default\pluginbar_bg.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\search_choose.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\status_newpage.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\¸ßÁÁ.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\s_ico_bg.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\css\config.css	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\css\reset.css	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\IcoCache\www.google.com.hk_favicon.ico	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\115br.exe	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\button_menu_bg.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\frame_right.PNG	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\status_loading.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\status_nonetuser.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\filtrate.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\c_line.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\button_restore.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\move_tab.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\side_top_bg.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\tab_item.png	115br_pdf_31.exe
File opened for modification	C:\Program Files (x86)\115\browser\DownLoad.xml	115br.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\mouse\MouseGesture_13.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\mouse\MouseGesture_18.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\status_download.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\»»·ô.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\start.html	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\115.gif	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\c_btn.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\c_left.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\s_bg.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\addr_safe.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\page.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\scrollbar_thumb.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\status_bg.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\bitmap_nodes.bmp	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\edit_left.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\progress_bg.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\tool_showmenu.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\s_add.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\side_top_close.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\404error.html	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\s_form.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\mouse\MouseGesture_14.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\uninst.exe	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\change_skin.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\side_favorite.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\status_nosound.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\c_plug.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\s_top.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\tab_background.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\frame_left.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\tab_left.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\s_test_204_127.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\mouse\MouseGesture_7.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\js\suggest.js	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\loading.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\no_trace.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\ÏÂ.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\ani_webfav.gif	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\mouse\MouseGesture_15.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\mouse\MouseGesture_10.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\html\static\images\mouse\MouseGesture_11.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\IcoCache\114la.com_favicon.ico	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\download_close.png	115br_pdf_31.exe
File created	C:\Program Files (x86)\115\browser\skin\default\tab_right.png	115br_pdf_31.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022f75-135.dat	nsis_installer_1
behavioral2/files/0x0006000000022f75-135.dat	nsis_installer_2
behavioral2/files/0x0006000000022f75-136.dat	nsis_installer_1
behavioral2/files/0x0006000000022f75-136.dat	nsis_installer_2
behavioral2/files/0x000600000002302f-141.dat	nsis_installer_1
behavioral2/files/0x000600000002302f-141.dat	nsis_installer_2

Modifies registry class 38 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\ = "115Browser"	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtm\ = "htmlfile"	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\115Browser\command	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files (x86)\\115\\browser\\115br.exe\" \"%1\""	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\115Browser\command\ = "\"C:\\Program Files (x86)\\115\\browser\\115br.exe\" \"%1\""	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\115Browser	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\115Browser\command	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\115Browser\command\ = "\"C:\\Program Files (x86)\\115\\browser\\115br.exe\" \"%1\""	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\115Browser	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\115Browser\command	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files (x86)\\115\\browser\\115br.exe\" \"%1\""	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\115Browser\command	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\ = "open"	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\115Browser\command\ = "\"C:\\Program Files (x86)\\115\\browser\\115br.exe\" \"%1\""	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\ = "115Browser"	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\115Browser	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtm\Content Type = "text/html"	115br.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\.html\ = "htmlfile"	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command\ = "\"C:\\Program Files (x86)\\115\\browser\\115br.exe\" \"%1\""	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\115Browser	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\ = "115Browser"	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "\"C:\\Program Files (x86)\\115\\browser\\115br.exe\" \"%1\""	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\ = "115Browser"	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\ = "htmlfile"	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\Content Type = "text/html"	115br.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\.htm\ = "htmlfile"	115br.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open	115br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\115Browser\command\ = "\"C:\\Program Files (x86)\\115\\browser\\115br.exe\" \"%1\""	115br.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1444	115br.exe
Token: SeIncBasePriorityPrivilege	1444	115br.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
400	85a2172264b2486eeb9cb4a4dd388fb7889a2a4242953220e7bfd6d9fcbd6757.exe
4928	115br_pdf_31.exe
1444	115br.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 4928	400	85a2172264b2486eeb9cb4a4dd388fb7889a2a4242953220e7bfd6d9fcbd6757.exe	82
PID 400 wrote to memory of 4928	400	85a2172264b2486eeb9cb4a4dd388fb7889a2a4242953220e7bfd6d9fcbd6757.exe	82
PID 400 wrote to memory of 4928	400	85a2172264b2486eeb9cb4a4dd388fb7889a2a4242953220e7bfd6d9fcbd6757.exe	82
PID 4928 wrote to memory of 1444	4928	115br_pdf_31.exe	84
PID 4928 wrote to memory of 1444	4928	115br_pdf_31.exe	84
PID 4928 wrote to memory of 1444	4928	115br_pdf_31.exe	84

C:\Users\Admin\AppData\Local\Temp\85a2172264b2486eeb9cb4a4dd388fb7889a2a4242953220e7bfd6d9fcbd6757.exe
"C:\Users\Admin\AppData\Local\Temp\85a2172264b2486eeb9cb4a4dd388fb7889a2a4242953220e7bfd6d9fcbd6757.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\115br_pdf_31.exe
  "C:\Users\Admin\AppData\Local\Temp\115br_pdf_31.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Program Files (x86)\115\browser\115br.exe
    "C:\Program Files (x86)\115\browser\115br.exe" SetDef115Bro
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\115\browser\115br.exe

Filesize
920KB

MD5
bbcc427d62ec2f51b905b9597ccd0636

SHA1
a41b427cbb2f9012d998066e2a7ba28f3553cc87

SHA256
7db04a246c57555b91a68f72c9d3099417ac866371dbf8cf60501fd47ba789d9

SHA512
fb3014c8adb8c0f1d164ebf8670eef112795d004d9c5409f2e3c0153638cf7eb0713ce6ed85abbe12c294388dacddfe48683309d372d295b8a567af9c93072c2

Download Submit
C:\Program Files (x86)\115\browser\115br.exe

Filesize
920KB

MD5
bbcc427d62ec2f51b905b9597ccd0636

SHA1
a41b427cbb2f9012d998066e2a7ba28f3553cc87

SHA256
7db04a246c57555b91a68f72c9d3099417ac866371dbf8cf60501fd47ba789d9

SHA512
fb3014c8adb8c0f1d164ebf8670eef112795d004d9c5409f2e3c0153638cf7eb0713ce6ed85abbe12c294388dacddfe48683309d372d295b8a567af9c93072c2

Download Submit
C:\Program Files (x86)\115\browser\Recent.ini

Filesize
208B

MD5
d5c974407da5f3f660bd1d781f723170

SHA1
c0a6225677adb9a70d85dce2a03c3503c19385ca

SHA256
06d4038fde569197ca10e75973457561e9ee5a26b54ccdb1d7424e46c567f19a

SHA512
ff042a86bf8b537e7c2adf645224468f6647488082a4df73f89a338d6eccde491f0df1c4fc950550da39f27b3ac0a1adef036ee704c9b6125de89a9cb4756bc2

Download Submit
C:\Program Files (x86)\115\browser\cfg.ini

Filesize
136B

MD5
d86ab48bceb6346eec7aed9ce37a0b5d

SHA1
4a11c4541480291e9867e239c19afdc27bf0cd12

SHA256
48cab9f0049a125d35942a54b4a1bd1d084f73e5136004bf7430552fec9afb8c

SHA512
c611f95a593465618a554238d36f9d96edc50840bffac979777508cec2d6f159bbba04c2626f53efb8e07c0ecf12ef25c9f58831d4c7bb2c4cdd75576a1608e4

Download Submit
C:\Program Files (x86)\115\browser\setting.ini

Filesize
1KB

MD5
0ba9f36822fbf02b8144128d4b35a019

SHA1
35e14dae533dd38499a1c240c554e11c46dfd2fa

SHA256
53bd4b887ee8a5272b4cec17d638258eec0c6523dd6bcca408e5718966b4f1e4

SHA512
5d1cfc7ca65cca9784e9ef93fa42f9844e82bcfa49f3abf5f88466a22ccdb20813a5721dc417f5e825cf65b821c1f37e08eb88f1395a81387b266942bb5481f7

Download Submit
C:\Program Files (x86)\115\browser\uninst.exe

Filesize
48KB

MD5
4f3dfc7666c44d21eb870d576f2294c8

SHA1
57c07303cdb2274fc0898f273184ec31f6ce23d0

SHA256
3f0658eb0b7649bf04e579bee42de1873207643178273db0294f44c820a39f18

SHA512
0e3a2de65841cc78a0466b41266f9a1429c2fd1346e0a2d830163b309eacffebd5d5069d1a2628549318224d40ca58f5c2e0fee61c8ad2abfdd182ede6aafacd

Download Submit
C:\Users\Admin\AppData\Local\Temp\115br_pdf_31.exe

Filesize
663KB

MD5
e80df9a92f51f4a7060f5ccc7d056914

SHA1
819446da2af8ad8a5150fb854bb74b1b3dfa7ef1

SHA256
ce34d8aa4cacd4556b6d5f162b70bfecde9e94e7a36905188835cb43710184d5

SHA512
f972e8ed5658467b0ea275d33e109c1b0b8a8174f7139b3542538c6e36a599ca5c76519e199570a9cb7c7eb16fd633ed993f8cc974b8a3a489739b8c11a74927

Download Submit
C:\Users\Admin\AppData\Local\Temp\115br_pdf_31.exe

Filesize
663KB

MD5
e80df9a92f51f4a7060f5ccc7d056914

SHA1
819446da2af8ad8a5150fb854bb74b1b3dfa7ef1

SHA256
ce34d8aa4cacd4556b6d5f162b70bfecde9e94e7a36905188835cb43710184d5

SHA512
f972e8ed5658467b0ea275d33e109c1b0b8a8174f7139b3542538c6e36a599ca5c76519e199570a9cb7c7eb16fd633ed993f8cc974b8a3a489739b8c11a74927

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscD95F.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit