Analysis
- max time kernel: 155s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 04:00
Static task: static1

Behavioral task: behavioral1
- Sample: 208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733.exe
- Resource: win10v2004-20220812-en
General
- Target: 208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733.exe
- Size: 49KB
- MD5: 042684e97b7cf5b84a3e78daa52aaa50
- SHA1: e847185be92aa176536b0d6f807c8467bbcce2ab
- SHA256: 208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733
- SHA512: 432dd6ae26fa249e7442409f9376e8bb3fcec98e3830212f89387101bcd882d154ef767c570ccc78c523aeaa9d41ee2e186ce7feb8599aa4cffe25c2dbde2669
- SSDEEP: 768:QQPhPRtXHnscj7H5ThHv62cCjvHubO3JS2vPxWf8CPVrlO/To:Q4PRtdj7H59S2nvqKJ3u8+rlO8
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733.exe |
- Loads dropped DLL (2 IoCs)
  Processes:

| pid | process |
|---|---|
| 4988 | IEXPLORE.EXE |
| 4988 | IEXPLORE.EXE |
- Drops file in System32 directory (4 IoCs)
  Processes:

| description | ioc | process |
|---|---|---|
| File created | C:\Windows\SysWOW64\WORK.DAT | 208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733.exe |
| File opened for modification | C:\Windows\SysWOW64\WORK.DAT | 208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733.exe |
| File created | C:\Windows\SysWOW64\0042.DLL | 208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733.exe |
| File opened for modification | C:\Windows\SysWOW64\0042.DLL | 208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733.exe |
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies Internet Explorer settings
  Processes:

| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "29843680" | iexplore.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998710" | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "29843680" | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998710" | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376135916" | iexplore.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998710" | IEXPLORE.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "70315038" | IEXPLORE.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2CAD68D7-6CA9-11ED-AECB-C2DBB15B3A76} = "0" | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe |
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:

| pid | process |
|---|---|
| 2200 | iexplore.exe |
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:

| pid | process |
|---|---|
| 2200 | iexplore.exe |
| 2200 | iexplore.exe |
| 4988 | IEXPLORE.EXE |
| 4988 | IEXPLORE.EXE |
| 4988 | IEXPLORE.EXE |
| 4988 | IEXPLORE.EXE |
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 4584 wrote to memory of 2200 | 4584 | 208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733.exe | iexplore.exe |
| PID 4584 wrote to memory of 2200 | 4584 | 208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733.exe | iexplore.exe |
| PID 2200 wrote to memory of 4988 | 2200 | iexplore.exe | IEXPLORE.EXE |
| PID 2200 wrote to memory of 4988 | 2200 | iexplore.exe | IEXPLORE.EXE |
| PID 2200 wrote to memory of 4988 | 2200 | iexplore.exe | IEXPLORE.EXE |
Processes
- C:\Users\Admin\AppData\Local\Temp\208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:17410 /prefetch:2
      - Loads dropped DLL
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  - Filesize: 471B
  - MD5: 870b615bd1f6e73bcd807d31b8678934
  - SHA1: 6623daf15f495a66f0738c3c03bdbfd4bc7342d0
  - SHA256: 186f4707b61526047271661adc8ffa8357d7a6ac36776d2c3bd1afad6a511fac
  - SHA512: 774482b01beea35b1556a531dff40bbde7869225d9dbbde126b825b3bbc342e8529bcbb8f8c367251994ee6b28c41d33b2344bb6d03e82eae04bdee056b23c34

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  - Filesize: 404B
  - MD5: 2e10fcc134f27d420ab008d510029099
  - SHA1: c3f1605296ddb4ac7668dd823ffd757736b3ff1f
  - SHA256: 68d3e476ef187a66477b0c54524cae5dfabc6720bf9afe157d89452298b880d2
  - SHA512: a94ebfeafe9adf265c6cf917278cd09d8457f213af8396a16be8f6671bd943b1b2e312698004b43ef1eef895eee4d50f320cd405323bea36b0dade5e336e8926

- C:\Windows\SysWOW64\0042.DLL
  - Filesize: 24KB
  - MD5: b00ce95da335507f5c332dccb84729a3
  - SHA1: dd384ae363f7ceab808245fb9ea36e9b8789c73f
  - SHA256: 50182d62385b16dde06a52e3644e3ac2542216ca0a194fd9c9d405622af3a57f
  - SHA512: bd9fcb3a72de4d45d2e2d0c73afd34256d7ad76c721a6b6e98f6bc479d89731a354961886982097c6e2b4886bb140c15656d3de862d1066df5b35c48654b4fe2
- C:\Windows\SysWOW64\work.dat
  - Filesize: 5KB
  - MD5: 9f27058d4be3b8cb0d757501b9611d6d
  - SHA1: 740a636abb0f8e058408091ea71452298853eca3
  - SHA256: 17ebc6a1f0a0729184654f2e434a708a66c17984b15a557bd5af952870c74015
  - SHA512: 81071a9db08abb353b4ff33b0ea42655af20610a5438557d50952c3b115a2b114e9956482b407c1efd0126935b8c08ac82d0b6ff265d1a5a1b9aad89c478584a