d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9

General

Target

d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
Size

230KB
MD5

09f6dc93589a81c71625a439206ede00
SHA1

e55f8b5739602c2a31ff825452dbbbf0678e46f6
SHA256

d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9
SHA512

55ee0e9c7ca6a81c4081dc2a7a83855992b361070e6388bf09ee0ded7deba16f9817e34a6534457cc876753d250be51d38f6a54e1aec578f656ad63a527017db
SSDEEP

6144:xgvpgvBO/C/CLOoi8IvUINIFiSkMiEFqWld5V:ogpgCkOoi8uUINFSkMiTWj

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
File created	C:\Windows\System32\drivers\etc\hosts.ics	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
4384	taskkill.exe
4908	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RunDll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RunDll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\DOMStorage	RunDll32.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133123413343504684"	RunDll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography	rundll32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\MuiCache	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\EdpDomStorage	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DomStorageState	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DOMStorage	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4384	taskkill.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeDebugPrivilege	4736	rundll32.exe
Token: SeDebugPrivilege	4736	rundll32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
2132	RunDll32.exe
5004	RunDll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 4384	1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe	81
PID 1284 wrote to memory of 4384	1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe	81
PID 1284 wrote to memory of 4384	1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe	81
PID 1284 wrote to memory of 2132	1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe	83
PID 1284 wrote to memory of 2132	1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe	83
PID 1284 wrote to memory of 2132	1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe	83
PID 1284 wrote to memory of 5004	1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe	84
PID 1284 wrote to memory of 5004	1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe	84
PID 1284 wrote to memory of 5004	1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe	84
PID 1284 wrote to memory of 4908	1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe	85
PID 1284 wrote to memory of 4908	1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe	85
PID 1284 wrote to memory of 4908	1284	d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe	85
PID 5004 wrote to memory of 4736	5004	RunDll32.exe	93
PID 5004 wrote to memory of 4736	5004	RunDll32.exe	93
PID 5004 wrote to memory of 4736	5004	RunDll32.exe	93
PID 2132 wrote to memory of 384	2132	RunDll32.exe	92
PID 2132 wrote to memory of 384	2132	RunDll32.exe	92
PID 2132 wrote to memory of 384	2132	RunDll32.exe	92

C:\Users\Admin\AppData\Local\Temp\d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe
"C:\Users\Admin\AppData\Local\Temp\d89840e9ffdf7187337862884ca5467937ef9a9f53299a511e971c8ee90e06f9.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im lsas.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:00000000
    3⤵
    - Modifies registry class
    PID:384
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
  2⤵
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:2 WinX:0 WinY:0 IEFrame:00000000
    3⤵
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4736
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im lsas.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads