8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6

General

Target

8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe
Size

1.1MB
MD5

b6f7688dbea7ce998d0f9e24fd80fd90
SHA1

aa7d4816e75d51047ebd26cfdce75825fa961e74
SHA256

8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6
SHA512

a48a0a08eff919e643349081251bc14b04886d8817c2bb3571d43b23066d39b58a3a4ab8f042b5ad6b43b9051743a8ffa939d2eae77c41cbe50f71b7aa89989f
SSDEEP

24576:V1Y9LkOtxdnK6RATGHUPQxdJEDDBeI94dJgZsHaN+NY4HtIKkmoOXoM:KkQdnK6RASHUPYEDDBL4dJgy6NetHkmt

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1708 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1708	cmd.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\Total = "60"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "80"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\Total = "183"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.qq.com\ = "326"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\Total = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "237"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.qq.com\ = "40"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.qq.com\ = "183"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.qq.com\ = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\Total = "120"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "162"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\Total = "237"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.qq.com\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\Total = "2417"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "387626"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\Total = "20"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "60"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\Total = "140"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.qq.com\ = "301"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\Total = "301"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{48304B01-6B69-11ED-B4DB-D2F8C2B78FDE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.qq.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\Total = "326"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "2417"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.qq.com\ = "80"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "183"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "301"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "120"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\Total = "80"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.qq.com\ = "2417"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.qq.com\ = "387626"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "140"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.qq.com\ = "140"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2024 PING.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

772 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

772 iexplore.exe
772 iexplore.exe
516 IEXPLORE.EXE
516 IEXPLORE.EXE
516 IEXPLORE.EXE
516 IEXPLORE.EXE

pid	process
2024	PING.EXE

pid	process
772	iexplore.exe

pid	process
772	iexplore.exe
772	iexplore.exe
516	IEXPLORE.EXE
516	IEXPLORE.EXE
516	IEXPLORE.EXE
516	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exeiexplore.execmd.exe

description	pid	process	target process
PID 1932 wrote to memory of 772	1932	8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe	iexplore.exe
PID 1932 wrote to memory of 772	1932	8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe	iexplore.exe
PID 1932 wrote to memory of 772	1932	8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe	iexplore.exe
PID 1932 wrote to memory of 772	1932	8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe	iexplore.exe
PID 772 wrote to memory of 516	772	iexplore.exe	IEXPLORE.EXE
PID 772 wrote to memory of 516	772	iexplore.exe	IEXPLORE.EXE
PID 772 wrote to memory of 516	772	iexplore.exe	IEXPLORE.EXE
PID 772 wrote to memory of 516	772	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 1708	1932	8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe	cmd.exe
PID 1932 wrote to memory of 1708	1932	8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe	cmd.exe
PID 1932 wrote to memory of 1708	1932	8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe	cmd.exe
PID 1932 wrote to memory of 1708	1932	8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe	cmd.exe
PID 1708 wrote to memory of 2024	1708	cmd.exe	PING.EXE
PID 1708 wrote to memory of 2024	1708	cmd.exe	PING.EXE
PID 1708 wrote to memory of 2024	1708	cmd.exe	PING.EXE
PID 1708 wrote to memory of 2024	1708	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe
"C:\Users\Admin\AppData\Local\Temp\8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.qq.com
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:772 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:516

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Downloads\msdtcvtr.bat
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\PING.EXE
ping -n 4 127.0.0.1
3⤵
- Runs ping.exe
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Downloads\msdtcvtr.bat
Filesize
139B

MD5
d076c903eba0184fef09cc5ae14f80e8

SHA1
bbc8a9e1dbc9e8d2dda569bcfa617ce436e55716

SHA256
e1e5383d45988006d15e46cbba7956f9ba5ae1b9fedab322c18aa0e262bfc74c

SHA512
af1a7ce4811d55364d6dd7bae946af390818817e1687be186c4fbdff56679f95ff67f28ad332b3e1cd287fe1519c83fd3cbb12dbaa692ab094811476aa20d5b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9b8290b70d7e7ca560370d6cefa4522d

SHA1
575a217483a68045215ee9681d2a35f9cd6e578c

SHA256
87c0611a691eda5d1adfb2ac4183757a5a70da351e4d53a0a31dbafb9ca7703c

SHA512
732ef910eac5f697280b5737755251c054bfb9084cc7988a1b18f51177a5b9b5ad9c1139208aac57c162716592f920e0cd51e2bb12b0c68c9ff7b1fa5dc04b8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1wzfztv\imagestore.dat
Filesize
3KB

MD5
e0fdb331b0a2d2b1b67b55552b38e943

SHA1
35cf8c637a9ef7527274b1bdced69d9454d6e2e4

SHA256
66c9f19c86a0f2e178cc04cde23d0546b503efb2ce6e1c5c14550a3dcd3f6b36

SHA512
bf5cf1b7e266fe6ba75dd5dee0606bedd559ca5c4e52cdc2d1883b6adeda2faaaa8f9b9854d5d6e61ddb6171354703f1e882520db0ae5c6ef9b9d5a7068da102

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CFO07H09.txt
Filesize
608B

MD5
8d86246fcf40ef393236666cfb9ba968

SHA1
4ad5aeeba57f59de14682c6b68162be3490bc4c1

SHA256
a788aaa7382b2316618b8ba792fcf0697b81f03e2480dea8261ead27c2df4419

SHA512
d529954b499f655fc72b416591c66d39e8b5a1cc83b07fdbe4b992279e2b7d2dc5a6ec4a76364b2e3afc25087fe35d86c974f1fe16b88ba4bc99a71e71a75847

Download Submit
memory/1708-61-0x0000000000000000-mapping.dmp

Download
memory/1932-57-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/1932-60-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/1932-59-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/1932-62-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/1932-58-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/1932-54-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/1932-56-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/1932-55-0x0000000074D71000-0x0000000074D73000-memory.dmp

Filesize
8KB

Download
memory/2024-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing