f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65

Analysis

max time kernel
136s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
Size

32KB
MD5

017929e12fa75b53b617634541a9c6f9
SHA1

a20c83788bbdd8a3b711e90716bdfa551a4231e2
SHA256

f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65
SHA512

d150f7fdb63aba86c90948379d32482961d75d98954bda1cad8a5628b7558c73d5010c90676ccb1c509400e131d5aca4c24d8609ecfce39e75e11908b6c289bf
SSDEEP

768:p3sk30si1NqUulCjSYIFVVKqqzocVVzrAlUn5BDY:CkE97MCjSmTFrG2zM

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\dlnjjdfa = "C:\\Windows\\system\\llzjy080913.exe"	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
File opened (read-only)	\??\f:	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\mzjj32dla.dll	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
File created	C:\Windows\system\mzjj32dla.dll	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
File created	C:\Windows\system\llzjy080913.exe	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
File opened for modification	C:\Windows\system\llzjy080913.exe	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374620734"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30995182"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995182"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995182"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5F5D18FE-5EE1-11ED-A0EE-E2272FE8D9C1} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "878657261"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "886157398"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "878657261"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
5092	PING.EXE
4412	PING.EXE
308	PING.EXE
4240	PING.EXE
1568	PING.EXE
4692	PING.EXE
4780	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4040	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
Token: SeDebugPrivilege	5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
Token: SeDebugPrivilege	5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
Token: SeDebugPrivilege	5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4040	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4040	iexplore.exe
4040	iexplore.exe
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 2976	5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe	81
PID 5060 wrote to memory of 2976	5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe	81
PID 5060 wrote to memory of 2976	5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe	81
PID 2976 wrote to memory of 5092	2976	cmd.exe	83
PID 2976 wrote to memory of 5092	2976	cmd.exe	83
PID 2976 wrote to memory of 5092	2976	cmd.exe	83
PID 2976 wrote to memory of 4412	2976	cmd.exe	87
PID 2976 wrote to memory of 4412	2976	cmd.exe	87
PID 2976 wrote to memory of 4412	2976	cmd.exe	87
PID 2976 wrote to memory of 308	2976	cmd.exe	89
PID 2976 wrote to memory of 308	2976	cmd.exe	89
PID 2976 wrote to memory of 308	2976	cmd.exe	89
PID 5060 wrote to memory of 4040	5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe	92
PID 5060 wrote to memory of 4040	5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe	92
PID 2976 wrote to memory of 4240	2976	cmd.exe	93
PID 2976 wrote to memory of 4240	2976	cmd.exe	93
PID 2976 wrote to memory of 4240	2976	cmd.exe	93
PID 4040 wrote to memory of 3456	4040	iexplore.exe	94
PID 4040 wrote to memory of 3456	4040	iexplore.exe	94
PID 4040 wrote to memory of 3456	4040	iexplore.exe	94
PID 2976 wrote to memory of 1568	2976	cmd.exe	95
PID 2976 wrote to memory of 1568	2976	cmd.exe	95
PID 2976 wrote to memory of 1568	2976	cmd.exe	95
PID 2976 wrote to memory of 4692	2976	cmd.exe	96
PID 2976 wrote to memory of 4692	2976	cmd.exe	96
PID 2976 wrote to memory of 4692	2976	cmd.exe	96
PID 5060 wrote to memory of 4040	5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe	92
PID 5060 wrote to memory of 4344	5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe	97
PID 5060 wrote to memory of 4344	5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe	97
PID 5060 wrote to memory of 4344	5060	f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe	97
PID 4344 wrote to memory of 4780	4344	cmd.exe	99
PID 4344 wrote to memory of 4780	4344	cmd.exe	99
PID 4344 wrote to memory of 4780	4344	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe
"C:\Users\Admin\AppData\Local\Temp\f6d9c6e7a29a3254cd86b7fc7d1242383652fa7ded6ee2597111743dea2fbe65.exe"
1⤵
- Adds policy Run key to start application
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\dfDelmlljy.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:5092
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4412
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:308
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4240
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1568
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4692
- C:\program files\internet explorer\iexplore.exe
  "C:\program files\internet explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4040 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\dfDelmlljy.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
5f49b65bdc1713b58ed97d0e9625a968

SHA1
84b74e55478c9abb163aa6629e3fd3b91bed4806

SHA256
a681ab9abc281fd12a7bd06f56e36a21e8ee28b5294815c5e07b781e324a32f9

SHA512
4b502288bef324db8ad33e63c7b6f242ef7954a6fbec3ed012530044c82fee3ad1158febe088bc0deea67ac35646a0a1bd6d961c0f67b11fee584e4f1abd753a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
fc17be2b016270f2d9286e826b1ce408

SHA1
3f248d339eae442204d8f1645ea10223a8a75551

SHA256
63c7fa1aaffe69f271f54025c5ea007854af8ad7e5e766f92a96d3281d636213

SHA512
ec5acbb4aac7fc45b1e733908a9dba23fe22c2fe8a8d4e173dcb5eb17df3bd6130c3e3d3d75ae1d81ed49f9304f1eb6cf0f72246a476a6df724116c6d8fffcb7

Download Submit
C:\dfDelmlljy.bat

Filesize
269B

MD5
c9f6d0ba831b75958d78dfaf5603b0ad

SHA1
dcdb4003c92b66d9e155543ce2a1f0407fa7daa7

SHA256
72e377b15e127ae8080eeba8698041fdf390ed573010609f729686c9bd68c28e

SHA512
fb188d9d0d2812127b5bf468a8638f04d41f35a31b07b99626cbc539dbc69289fc19b18e85872d79e0051651f796f47274df1e83e900857381550fea8db6db32

Download Submit
C:\dfDelmlljy.bat

Filesize
269B

MD5
c9f6d0ba831b75958d78dfaf5603b0ad

SHA1
dcdb4003c92b66d9e155543ce2a1f0407fa7daa7

SHA256
72e377b15e127ae8080eeba8698041fdf390ed573010609f729686c9bd68c28e

SHA512
fb188d9d0d2812127b5bf468a8638f04d41f35a31b07b99626cbc539dbc69289fc19b18e85872d79e0051651f796f47274df1e83e900857381550fea8db6db32

Download Submit