8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6

General

Target

8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe
Size

1.1MB
MD5

b6f7688dbea7ce998d0f9e24fd80fd90
SHA1

aa7d4816e75d51047ebd26cfdce75825fa961e74
SHA256

8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6
SHA512

a48a0a08eff919e643349081251bc14b04886d8817c2bb3571d43b23066d39b58a3a4ab8f042b5ad6b43b9051743a8ffa939d2eae77c41cbe50f71b7aa89989f
SSDEEP

24576:V1Y9LkOtxdnK6RATGHUPQxdJEDDBeI94dJgZsHaN+NY4HtIKkmoOXoM:KkQdnK6RASHUPYEDDBL4dJgy6NetHkmt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0002ce4d76ffd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{484FE419-6B69-11ED-B8D8-7218A89707DE} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0f1c24476ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd62b78ee8587e4dac88ae50a840a17f000000000200000000001066000000010000200000002c57617149ed516e6fcc29d51884c534a0ec0251f3640b0b8a517a661160c2a0000000000e8000000002000020000000f18b2d5fc7f38c136fd6307775d7c13f3ee845053cc96f6e9e7d7d9886d5ceb520000000b4ff0c5b50a9a907a3cc1a0c9c32d13684c36daab25d728c3b00e899ae56c44b40000000ce68dcdd571ddaf6764f5b5b692e380d9ff3a14bb94c36b3a6ba54891cb5d8846cb2456d7d1407de477bde7d83a88371cb440e2157f9b25aa0bb6ea85a85fb46	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375998565"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd62b78ee8587e4dac88ae50a840a17f000000000200000000001066000000010000200000000e63429e5a2bd9f73b2d0800375567da0ea9096dd8a82062a89a57ff2f2f68ea000000000e80000000020000200000004017f78d4f1b6840ca27a0a4d39a1c0559cfafa0207e5a1b84e2f746754bff29200000004a47374ce2171a4017916b97723084c1cbc97b852f9f810052c9f9b61584a5a9400000001be404ed5a063c94b5142642e5c5170cefca200da068ac964e9b6a531cc5fd0ad9db8d3ccfc11949b4b4df07976b480e409e8f2802aeb20dd08b305a687ea3e8	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2160 PING.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3848 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3848 iexplore.exe
3848 iexplore.exe
4420 IEXPLORE.EXE
4420 IEXPLORE.EXE
4420 IEXPLORE.EXE
4420 IEXPLORE.EXE

pid	process
2160	PING.EXE

pid	process
3848	iexplore.exe

pid	process
3848	iexplore.exe
3848	iexplore.exe
4420	IEXPLORE.EXE
4420	IEXPLORE.EXE
4420	IEXPLORE.EXE
4420	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exeiexplore.execmd.exe

description	pid	process	target process
PID 3964 wrote to memory of 3848	3964	8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe	iexplore.exe
PID 3964 wrote to memory of 3848	3964	8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe	iexplore.exe
PID 3848 wrote to memory of 4420	3848	iexplore.exe	IEXPLORE.EXE
PID 3848 wrote to memory of 4420	3848	iexplore.exe	IEXPLORE.EXE
PID 3848 wrote to memory of 4420	3848	iexplore.exe	IEXPLORE.EXE
PID 3964 wrote to memory of 4428	3964	8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe	cmd.exe
PID 3964 wrote to memory of 4428	3964	8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe	cmd.exe
PID 3964 wrote to memory of 4428	3964	8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe	cmd.exe
PID 4428 wrote to memory of 2160	4428	cmd.exe	PING.EXE
PID 4428 wrote to memory of 2160	4428	cmd.exe	PING.EXE
PID 4428 wrote to memory of 2160	4428	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe
"C:\Users\Admin\AppData\Local\Temp\8fa6fb2fa9d812181369f34c41c7cb13232ae426e22aaef771524695adb12fe6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.qq.com
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3848

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3848 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Downloads\msdtcvtr.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\SysWOW64\PING.EXE
ping -n 4 127.0.0.1
3⤵
- Runs ping.exe
PID:2160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Downloads\msdtcvtr.bat
Filesize
139B

MD5
d076c903eba0184fef09cc5ae14f80e8

SHA1
bbc8a9e1dbc9e8d2dda569bcfa617ce436e55716

SHA256
e1e5383d45988006d15e46cbba7956f9ba5ae1b9fedab322c18aa0e262bfc74c

SHA512
af1a7ce4811d55364d6dd7bae946af390818817e1687be186c4fbdff56679f95ff67f28ad332b3e1cd287fe1519c83fd3cbb12dbaa692ab094811476aa20d5b3

Download Submit
memory/2160-140-0x0000000000000000-mapping.dmp

Download
memory/3964-132-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/3964-133-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/3964-134-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/3964-135-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/3964-136-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/3964-138-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/4428-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads